Merge pull request #603 from stackbuilders/terraform_aws_vault_wrapper

Implement `aws-vault` integration
cachix · Feb 21, 2024 · 6008f3b · 6008f3b
2 parents bc4602a + 5344a70
commit 6008f3b
Show file tree

Hide file tree

Showing 3 changed files with 92 additions and 0 deletions.
diff --git a/examples/aws-vault/devenv.nix b/examples/aws-vault/devenv.nix
@@ -0,0 +1,10 @@
+{ pkgs, ... }: {
+  languages.terraform.enable = true;
+
+  aws-vault = {
+    enable = true;
+    profile = "aws-profile";
+    awscliWrapper.enable = true;
+    terraformWrapper.enable = true;
+  };
+}
diff --git a/examples/aws-vault/devenv.yaml b/examples/aws-vault/devenv.yaml
@@ -0,0 +1,3 @@
+inputs:
+  nixpkgs:
+    url: github:NixOS/nixpkgs/nixpkgs-unstable
diff --git a/src/modules/integrations/aws-vault.nix b/src/modules/integrations/aws-vault.nix
@@ -0,0 +1,79 @@
+{ pkgs, config, lib, ... }:
+
+let
+  cfg = config.aws-vault;
+in
+{
+  options.aws-vault = {
+    enable = lib.mkEnableOption "aws-vault integration";
+
+    package = lib.mkOption {
+      type = lib.types.package;
+      default = pkgs.aws-vault;
+      defaultText = lib.literalExpression "pkgs.aws-vault";
+      description = "The aws-vault package to use.";
+    };
+
+    profile = lib.mkOption {
+      type = lib.types.str;
+      description = lib.mdDoc ''
+        The profile name passed to `aws-vault exec`.
+      '';
+    };
+
+    awscliWrapper = lib.mkOption {
+      type = lib.types.submodule {
+        options = {
+          enable = lib.mkEnableOption ''
+            Wraps awscli2 binary as `aws-vault exec <profile> -- aws <args>`.
+          '';
+
+          package = lib.mkOption {
+            type = lib.types.package;
+            default = pkgs.awscli2;
+            defaultText = lib.literalExpression "pkgs.awscli2";
+            description = "The awscli2 package to use.";
+          };
+        };
+      };
+      defaultText = lib.literalExpression "pkgs";
+      default = { };
+      description = "Attribute set of packages including awscli2";
+    };
+
+    terraformWrapper = lib.mkOption {
+      type = lib.types.submodule {
+        options = {
+          enable = lib.mkEnableOption ''
+            Wraps terraform binary as `aws-vault exec <profile> -- terraform <args>`.
+          '';
+
+          package = lib.mkOption {
+            type = lib.types.package;
+            default = pkgs.terraform;
+            defaultText = lib.literalExpression "pkgs.terraform";
+            description = "The terraform package to use.";
+          };
+        };
+      };
+      defaultText = lib.literalExpression "pkgs";
+      default = { };
+      description = "Attribute set of packages including terraform";
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf (cfg.enable && cfg.awscliWrapper.enable) {
+      packages = [
+        (pkgs.writeScriptBin "aws" ''
+          ${cfg.package}/bin/aws-vault exec ${cfg.profile} -- ${cfg.awscliWrapper.package}/bin/aws "$@"
+        '')
+      ];
+    })
+    (lib.mkIf (cfg.enable && cfg.terraformWrapper.enable) {
+      languages.terraform.package = pkgs.writeScriptBin "terraform" ''
+        ${cfg.package}/bin/aws-vault exec ${cfg.profile} -- ${cfg.terraformWrapper.package}/bin/terraform "$@"
+      '';
+    })
+  ];
+}