fink.lookups plugin

The lookup functionality was previously part of the hocon config reader. It was refactored into this fink-lookups plugin and, as part of that refactoring, pinned to a dedicated lifecycle step.

lookup stack output

The stack lookup substitutes a configuration value with an output of another CloudFormation stack.

format: lookup:stack:<stackname>:<output> sample (illustrative names, not a real stack): lookup:stack:infra-vpc:VpcId

lookup acm certificate

format: lookup:acm:<name_1>:...:<name_n> sample: lookup:acm:foo.mes.finklabs.cloud:supercars.infra.finklabs.cloud:*.dev.infra.finklabs.cloud

The ‘acm’ lookup uses AWS Certificate Manager (ACM). It is configured as a default lookup.

Features of the acm lookup:

  • pass a list of hostnames that should be secured.
  • check every certificate in ACM whether its configured CN (DomainName) or SANs (SubjectAlternativeNames), wildcards included, cover the given list of hostnames
  • the chosen certificate's Status must be ISSUED
  • if there are multiple matches, use the one with the most distant expiry date (NotAfter)
  • return the ARN of the certificate
  • wildcards for a hosted zone are expressed with “*.” (a wildcard stands for exactly one DNS label)
  • ‘ERROR’ in case no certificate matching the specified list of names can be found

Note: if you use the ACM lookup for api / API Gateway custom domains, the certificate must exist in the us-east-1 region (edge-optimized API Gateway custom domain names require it; regional endpoints take their certificate from the endpoint's own region).
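The selection rules above, as an added example (not code from fink or the fink-lookups plugin). It operates on certificate records shaped like the dicts boto3's acm.describe_certificate() returns (CertificateArn, DomainName, SubjectAlternativeNames, Status, NotAfter); the records and the ARN account number are constructed for the example, and the helper names (name_matches, find_certificate_arn, parse_acm_lookup, fetch_issued_certificates) are this example's own.

```python
"""ACM certificate selection as documented for the acm lookup (added example)."""
from datetime import datetime, timezone


def name_matches(san, hostname):
    """Does one certificate name (CN or SAN) cover `hostname`?

    ACM wildcard semantics: '*.' stands for exactly one leading DNS label,
    so '*.dev.example' covers 'a.dev.example' but not 'a.b.dev.example'
    and not 'dev.example'.  A requested name that is itself a wildcard is
    only covered by the identical wildcard entry.
    """
    san, hostname = san.lower(), hostname.lower()
    if hostname.startswith('*.') or not san.startswith('*.'):
        return san == hostname
    suffix = san[1:]                     # '.dev.example'
    if not hostname.endswith(suffix):
        return False
    head = hostname[:-len(suffix)]       # the part '*' would have to match
    return bool(head) and '.' not in head


def certificate_covers(cert, hostnames):
    """True if every requested hostname is covered by the CN or a SAN."""
    names = {cert['DomainName'], *cert.get('SubjectAlternativeNames', [])}
    return all(any(name_matches(n, h) for n in names) for h in hostnames)


def find_certificate_arn(hostnames, certificates):
    """ARN of the ISSUED certificate covering every hostname, preferring the
    most distant NotAfter; the documented 'ERROR' sentinel if none matches.
    Callers should treat 'ERROR' as fatal before the value reaches a template."""
    candidates = [c for c in certificates
                  if c.get('Status') == 'ISSUED' and certificate_covers(c, hostnames)]
    if not candidates:
        return 'ERROR'
    return max(candidates, key=lambda c: c['NotAfter'])['CertificateArn']


def parse_acm_lookup(value):
    """'lookup:acm:a:b:c' -> ['a', 'b', 'c'] (a stray trailing ':' is tolerated)."""
    prefix = 'lookup:acm:'
    if not value.startswith(prefix):
        raise ValueError('not an acm lookup: %r' % value)
    return [n for n in value[len(prefix):].split(':') if n]


def fetch_issued_certificates(region_name='us-east-1'):
    """Pull real records with boto3 (needs AWS credentials; not run offline).
    The region matters: API Gateway custom domains need the cert in us-east-1."""
    import boto3
    acm = boto3.client('acm', region_name=region_name)
    pages = acm.get_paginator('list_certificates').paginate(CertificateStatuses=['ISSUED'])
    for page in pages:
        for summary in page['CertificateSummaryList']:
            yield acm.describe_certificate(CertificateArn=summary['CertificateArn'])['Certificate']


# --- constructed sample data (not real certificates) ---
def _cert(arn_suffix, names, status, not_after):
    return {'CertificateArn': 'arn:aws:acm:us-east-1:123456789012:certificate/' + arn_suffix,
            'DomainName': names[0], 'SubjectAlternativeNames': list(names),
            'Status': status, 'NotAfter': not_after}


SAMPLE_NAMES = ['foo.mes.finklabs.cloud', 'supercars.infra.finklabs.cloud',
                '*.dev.infra.finklabs.cloud']
CONSTRUCTED_CERTS = [
    _cert('old', SAMPLE_NAMES, 'ISSUED', datetime(2026, 1, 1, tzinfo=timezone.utc)),
    _cert('renewed', SAMPLE_NAMES, 'ISSUED', datetime(2027, 6, 30, tzinfo=timezone.utc)),
    # pending cert expires last but is not ISSUED, so it must never be chosen
    _cert('pending', SAMPLE_NAMES, 'PENDING_VALIDATION', datetime(2030, 1, 1, tzinfo=timezone.utc)),
    # wildcard cert covers foo.mes.* but not the infra names
    _cert('wild-mes', ['*.mes.finklabs.cloud'], 'ISSUED', datetime(2028, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == '__main__':
    wanted = parse_acm_lookup('lookup:acm:' + ':'.join(SAMPLE_NAMES))
    print(find_certificate_arn(wanted, CONSTRUCTED_CERTS))
```

Run against the constructed records, the three-name lookup from the sample picks the renewed certificate (later NotAfter than the old one, while the pending one is skipped); a lookup for foo.mes.finklabs.cloud alone picks the wildcard certificate because it expires later still, and a two-label name under *.dev.infra.finklabs.cloud yields 'ERROR'.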

lookup secret

The secret lookup substitutes a configuration value with a password or other sensitive information that you cannot commit to a source code repository. The secrets are stored in credstash (DynamoDB + KMS).

format: lookup:secret:<name>.<subname>

lookup the ‘slack.webhook’ entry from credstash, sample: lookup:secret:slack.webhook

the same lookup, but continue if the entry is missing, sample: lookup:secret:slack.webhook:CONTINUE_IF_NOT_FOUND

note that in the second example the slack.webhook lookup does not fail if the account's credstash does not have a slack.webhook entry.

more info on storing keys in AWS using credstash

lookup parameter

The parameter lookup substitutes a configuration value with a password or other sensitive information that you cannot commit to a source code repository. The parameters are stored in AWS Systems Manager (SSM) Parameter Store. If you want to replace credstash (see above), use the type ‘SecureString’ to store your parameters encrypted; as with credstash, the encryption key is held in KMS, and the parameter must be read with decryption enabled to get the plaintext back.

format: lookup:parameter:<name>.<subname>

lookup the ‘slack.webhook’ entry from SSM Parameter Store, sample: lookup:parameter:slack.webhook

the same lookup, but continue if the entry is missing, sample: lookup:parameter:slack.webhook:CONTINUE_IF_NOT_FOUND

note that in the second example the slack.webhook lookup does not fail if the account's SSM Parameter Store does not have a slack.webhook entry.
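How the stack, secret and parameter lookups and the CONTINUE_IF_NOT_FOUND flag substitute values in a configuration tree, as an added example that is not fink-lookups' own resolver. The backends are in-memory dicts constructed for the example (a real secret backend would call credstash.getSecret(name); the SsmParameters adapter shows a real parameter backend using boto3's get_parameter with WithDecryption=True). The page does not state what a CONTINUE_IF_NOT_FOUND lookup resolves to when the entry is absent; None is an assumption here, as are the sample config keys and values. The acm lookup is not handled by this resolver.

```python
"""Substituting lookup:... values in a configuration tree (added example)."""
import re

LOOKUP_RE = re.compile(r'^lookup:(?P<kind>stack|secret|parameter):(?P<rest>.+)$')
CONTINUE_FLAG = 'CONTINUE_IF_NOT_FOUND'
MISSING = None   # assumption: value used when an entry is absent but the flag is set


class LookupNotFound(KeyError):
    """Raised when a lookup has no entry and CONTINUE_IF_NOT_FOUND is not set."""


def parse_lookup(value):
    """Return (kind, args, continue_if_not_found), or None for plain values.

    'lookup:secret:slack.webhook:CONTINUE_IF_NOT_FOUND'
        -> ('secret', ['slack.webhook'], True)
    """
    if not isinstance(value, str):
        return None
    m = LOOKUP_RE.match(value)
    if not m:
        return None
    args = m.group('rest').split(':')
    cont = args[-1] == CONTINUE_FLAG
    if cont:
        args = args[:-1]
    return m.group('kind'), args, cont


def resolve_value(value, backends):
    """Resolve one value; backends = {'stack': {...}, 'secret': {...}, 'parameter': {...}}."""
    parsed = parse_lookup(value)
    if parsed is None:
        return value
    kind, args, cont = parsed
    store = backends.get(kind, {})
    try:
        if kind == 'stack':
            if len(args) != 2:
                raise ValueError('stack lookup needs <stackname>:<output>: %r' % value)
            stackname, output = args
            return store[stackname][output]
        if len(args) != 1:
            raise ValueError('%s lookup needs <name>.<subname>: %r' % (kind, value))
        return store[args[0]]
    except KeyError:
        # CONTINUE_IF_NOT_FOUND is documented for secret and parameter lookups only,
        # so a missing stack output always fails.
        if cont and kind in ('secret', 'parameter'):
            return MISSING
        raise LookupNotFound(value)


def resolve_config(config, backends):
    """Walk nested dicts/lists and substitute every lookup string."""
    if isinstance(config, dict):
        return {k: resolve_config(v, backends) for k, v in config.items()}
    if isinstance(config, list):
        return [resolve_config(v, backends) for v in config]
    return resolve_value(config, backends)


class SsmParameters:
    """Mapping-style adapter for a real 'parameter' backend (needs boto3 and AWS
    credentials; not exercised offline).  WithDecryption=True is what turns a
    SecureString back into plaintext through its KMS key."""

    def __init__(self, region_name=None):
        import boto3
        self._ssm = boto3.client('ssm', region_name=region_name)

    def __getitem__(self, name):
        try:
            return self._ssm.get_parameter(Name=name, WithDecryption=True)['Parameter']['Value']
        except self._ssm.exceptions.ParameterNotFound:
            raise KeyError(name)


# --- constructed sample config and backends (assumed keys, not real secrets) ---
SAMPLE_CONFIG = {
    'lambda': {
        'vpc_id': 'lookup:stack:infra-vpc:VpcId',
        'slack_token': 'lookup:secret:slack.webhook',
        'optional_key': 'lookup:parameter:datadog.apikey:CONTINUE_IF_NOT_FOUND',
        'runtime': 'python3.9',
    }
}
SAMPLE_BACKENDS = {
    'stack': {'infra-vpc': {'VpcId': 'vpc-0123456789abcdef0'}},
    'secret': {'slack.webhook': 'https://hooks.slack.com/services/T000/B000/XXXX'},
    'parameter': {},   # datadog.apikey deliberately absent
}

if __name__ == '__main__':
    import json
    print(json.dumps(resolve_config(SAMPLE_CONFIG, SAMPLE_BACKENDS), indent=2))
```

With the constructed backends the stack output and the credstash entry are substituted, the absent parameter resolves to the assumed placeholder because of CONTINUE_IF_NOT_FOUND, and the same parameter looked up without the flag raises LookupNotFound; the flag is ignored for stack lookups, which fail on a missing output regardless.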

more info on SSM parameter store