feat(integrations): Add AWS Secrets Manager IAM Role + Region (#2778)

2025-03-25 14:05:03 +00:00 · 2024-11-23 00:04:33 +01:00
parent 64bfa4f334
commit a692148597
4 changed files with 76 additions and 1 deletions
--- a/backend/src/server/routes/v1/integration-router.ts
+++ b/backend/src/server/routes/v1/integration-router.ts
@ -9,6 +9,7 @@ import { getTelemetryDistinctId } from "@app/server/lib/telemetry";
 import { verifyAuth } from "@app/server/plugins/auth/verify-auth";
 import { AuthMode } from "@app/services/auth/auth-type";
 import { IntegrationMetadataSchema } from "@app/services/integration/integration-schema";
+import { Integrations } from "@app/services/integration-auth/integration-list";
 import { PostHogEventTypes, TIntegrationCreatedEvent } from "@app/services/telemetry/telemetry-types";

 import {} from "../sanitizedSchemas";
@ -206,6 +207,33 @@ export const registerIntegrationRouter = async (server: FastifyZodProvider) => {
        id: req.params.integrationId
      });

+      if (integration.region) {
+        integration.metadata = {
+          ...(integration.metadata || {}),
+          region: integration.region
+        };
+      }
+
+      if (
+        integration.integration === Integrations.AWS_SECRET_MANAGER ||
+        integration.integration === Integrations.AWS_PARAMETER_STORE
+      ) {
+        const awsRoleDetails = await server.services.integration.getIntegrationAWSIamRole({
+          actorId: req.permission.id,
+          actor: req.permission.type,
+          actorAuthMethod: req.permission.authMethod,
+          actorOrgId: req.permission.orgId,
+          id: req.params.integrationId
+        });
+
+        if (awsRoleDetails) {
+          integration.metadata = {
+            ...(integration.metadata || {}),
+            awsIamRole: awsRoleDetails.role
+          };
+        }
+      }
+
      return { integration };
    }
  });
--- a/backend/src/services/integration/integration-service.ts
+++ b/backend/src/services/integration/integration-service.ts
@ -9,6 +9,7 @@ import { TIntegrationAuthDALFactory } from "../integration-auth/integration-auth
 import { TIntegrationAuthServiceFactory } from "../integration-auth/integration-auth-service";
 import { deleteIntegrationSecrets } from "../integration-auth/integration-delete-secret";
 import { TKmsServiceFactory } from "../kms/kms-service";
+import { KmsDataKey } from "../kms/kms-types";
 import { TProjectBotServiceFactory } from "../project-bot/project-bot-service";
 import { TSecretDALFactory } from "../secret/secret-dal";
 import { TSecretQueueFactory } from "../secret/secret-queue";
@ -237,6 +238,46 @@ export const integrationServiceFactory = ({
    return { ...integration, envId: integration.environment.id };
  };

+  const getIntegrationAWSIamRole = async ({ id, actor, actorAuthMethod, actorId, actorOrgId }: TGetIntegrationDTO) => {
+    const integration = await integrationDAL.findById(id);
+
+    if (!integration) {
+      throw new NotFoundError({
+        message: `Integration with ID '${id}' not found`
+      });
+    }
+
+    const { permission } = await permissionService.getProjectPermission(
+      actor,
+      actorId,
+      integration?.projectId || "",
+      actorAuthMethod,
+      actorOrgId
+    );
+    ForbiddenError.from(permission).throwUnlessCan(ProjectPermissionActions.Read, ProjectPermissionSub.Integrations);
+
+    const integrationAuth = await integrationAuthDAL.findById(integration.integrationAuthId);
+
+    const { decryptor: secretManagerDecryptor } = await kmsService.createCipherPairWithDataKey({
+      type: KmsDataKey.SecretManager,
+      projectId: integration.projectId
+    });
+    let awsIamRole: string | null = null;
+    if (integrationAuth.encryptedAwsAssumeIamRoleArn) {
+      const awsAssumeRoleArn = secretManagerDecryptor({
+        cipherTextBlob: Buffer.from(integrationAuth.encryptedAwsAssumeIamRoleArn)
+      }).toString();
+      if (awsAssumeRoleArn) {
+        const [, role] = awsAssumeRoleArn.split(":role/");
+        awsIamRole = role;
+      }
+    }
+
+    return {
+      role: awsIamRole
+    };
+  };
+
  const deleteIntegration = async ({
    actorId,
    id,
@ -329,6 +370,7 @@ export const integrationServiceFactory = ({
    deleteIntegration,
    listIntegrationByProject,
    getIntegration,
+    getIntegrationAWSIamRole,
    syncIntegration
  };
 };
--- a/frontend/src/hooks/api/integrations/types.ts
+++ b/frontend/src/hooks/api/integrations/types.ts
@ -57,6 +57,9 @@ export type TIntegration = {
    shouldMaskSecrets?: boolean;
    shouldProtectSecrets?: boolean;
    shouldEnableDelete?: boolean;
+
+    awsIamRole?: string;
+    region?: string;
  };
 };

--- a/frontend/src/views/IntegrationsPage/IntegrationDetailsPage/components/IntegrationSettingsSection.tsx
+++ b/frontend/src/views/IntegrationsPage/IntegrationDetailsPage/components/IntegrationSettingsSection.tsx
@ -26,7 +26,9 @@ const metadataMappings: Record<keyof NonNullable<TIntegrationWithEnv["metadata"]
  shouldDisableDelete: "AWS Secret Deletion Disabled",
  shouldMaskSecrets: "GitLab Secrets Masking Enabled",
  shouldProtectSecrets: "GitLab Secret Protection Enabled",
-  shouldEnableDelete: "GitHub Secret Deletion Enabled"
+  shouldEnableDelete: "GitHub Secret Deletion Enabled",
+  awsIamRole: "AWS IAM Role",
+  region: "Region"
 } as const;

 export const IntegrationSettingsSection = ({ integration }: Props) => {