First draft, largely copied from github.com/lyraproj

.gitignore

@@ -0,0 +1,9 @@
+**/*.so
+
+# JetBrains user-specific stuff
+.idea/**/workspace.xml
+.idea/**/tasks.xml
+.idea/**/usage.statistics.xml
+.idea/**/dictionaries
+.idea/**/shelf
+.idea/**/contentModel.xml

README.md

@@ -0,0 +1,41 @@
+## AWS SSM Parameter Store parameter lookup
+
+This function allows you to look up single values stored as parameters in AWS SSM Parameter Store. It can optionally specify a KMS key alias for decrypting secrets.
+
+## Installation
+Build the plugin from the root directory of this module:
+```
+go build -o aws_ssm_parameter_store
+```
+Then make the plugin available to Hiera. See
+[Extending Hiera](https://github.com/lyraproj/hiera#Extending-Hiera) for info on how to do that.
+
+#### A Note about debugging
+When debugging remotely from an IDE like JetBrains goland, use `-gcflags 'all=N -l'` to ensure that all symbols are present in the
+final binary.
+```
+go build -o aws_ssm_parameter_store -gcflags 'all=-N -l'
+```
+
+## Examples
+To add the Parameter Store to Hiera's lookup hierarchy, update `hiera.yaml`:
+
+```
+---
+version: 5
+defaults:
+  datadir: hiera
+  data_hash: yaml_data
+
+hierarchy:
+- name: common
+  path: common.yaml
+- name: "aws_ssm_parameter_store"
+  path: "/secrets/"
+  lookup_key: "aws_ssm_parameter_store"
+  options:
+    parameter_name: "my_parameter"
+    kms_key_alias: "alias/my_key"
+    aws_profile_name: "internal.admin"
+```
+

TODO.md

@@ -0,0 +1,3 @@
+- Fix go.sum
+- Fix go.mod
+- Fix README.md

go.mod

@@ -0,0 +1,9 @@
+module github.com/raffraffraff/hiera_aws_ssm_parameter_store
+
+go 1.12
+
+require (
+	github.com/aws/aws-sdk-go v1.44.300
+	github.com/lyraproj/dgo v0.4.4
+	github.com/lyraproj/hierasdk v0.4.4
+)

go.sum

@@ -0,0 +1,49 @@
+github.com/aws/aws-sdk-go v1.44.300 h1:Zn+3lqgYahIf9yfrwZ+g+hq/c3KzUBaQ8wqY/ZXiAbY=
+github.com/aws/aws-sdk-go v1.44.300/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
+github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
+github.com/lyraproj/dgo v0.4.4 h1:e8/Sy38Atkg4MHPjT2ibw7JpWaTSSst7Vnd13YSo6bk=
+github.com/lyraproj/dgo v0.4.4/go.mod h1:O9r/qo0ktKMaYLVBAKModbBKAMCVZFhrkMClfmxdqB0=
+github.com/lyraproj/hierasdk v0.4.4 h1:WBSVNpcmBtt4Qzt/o1ejRyIJQcyL/hIg5iiQUUlzR1g=
+github.com/lyraproj/hierasdk v0.4.4/go.mod h1:K5bXOusg5G263KkXnWnl29x2gOkDWQgYZHOnl3RfV64=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
+golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=

ssmlookupparameter.go

@@ -0,0 +1,80 @@
+package main
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/aws/session"
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go/service/ssm"
+	"github.com/lyraproj/dgo/dgo"
+	"github.com/lyraproj/hierasdk/hiera"
+	"github.com/lyraproj/hierasdk/plugin"
+	"github.com/lyraproj/hierasdk/register"
+)
+
+func main() {
+	register.LookupKey(`aws_ssm_parameter_store`, AWSSSMParameterStoreLookupKey)
+	plugin.ServeAndExit()
+}
+
+// AWSSSMParameterStoreLookupKey looks up a single value from AWS SSM Parameter Store
+func AWSSSMParameterStoreLookupKey(hc hiera.ProviderContext, key string) dgo.Value {
+	if key == `lookup_options` {
+		return nil
+	}
+	parameterName, ok := hc.StringOption(`parameter_name`)
+	if !ok {
+		panic(fmt.Errorf(`missing required provider option 'parameter_name'`))
+	}
+	awsProfileName, _ := hc.StringOption(`aws_profile_name`)
+
+	// Create a new AWS session with the specified profile
+	sess := session.Must(session.NewSessionWithOptions(session.Options{
+		SharedConfigState: session.SharedConfigEnable,
+		Profile:           awsProfileName,
+	}))
+
+	// Create a new AWS SSM client
+	ssmSvc := ssm.New(sess)
+
+	// Call the AWS SSM API to get the parameter value
+	resp, err := ssmSvc.GetParameterWithContext(context.Background(), &ssm.GetParameterInput{
+		Name: &parameterName,
+	})
+	if err != nil {
+		panic(err)
+	}
+
+	// Get the parameter value
+	parameterValue := *resp.Parameter.Value
+
+	// Check if KMS encryption was used
+	if resp.Parameter.KeyId != nil {
+		kmsAlias, ok := hc.StringOption(`kms_key_alias`)
+		if !ok {
+			panic(fmt.Errorf(`missing required provider option 'kms_key_alias' for KMS-encrypted parameter`))
+		}
+
+		// Create a new AWS KMS client
+		kmsSvc := kms.New(sess)
+
+		// Call the AWS KMS API to decrypt the parameter value
+		decryptResp, err := kmsSvc.DecryptWithContext(context.Background(), &kms.DecryptInput{
+			CiphertextBlob: parameterValue,
+			EncryptionContext: map[string]*string{
+				"PARAMETER_NAME": &parameterName,
+			},
+		})
+		if err != nil {
+			panic(err)
+		}
+
+		// Get the decrypted value
+		parameterValue = string(decryptResp.Plaintext)
+	}
+
+	// Return the parameter value
+	return hc.ToData(parameterValue)
+}
+