feat(aws): use region if path is full arn (#487)

werne2j · web-flow · commit 2f3a187cc243 · 2023-06-17T23:46:42.000-04:00
diff --git a/docs/backends.md b/docs/backends.md
@@ -241,6 +241,10 @@ documentation](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specify
 supplying AWS credentials. Supported credentials and the order in which they are loaded are
 described [here](https://aws.github.io/aws-sdk-go-v2/docs/configuring-sdk/#specifying-credentials).
 
+**Note About Region**
+If you provide the full AWS ARN as the secret path, ex. `arn:aws:secretsmanager:us-east-1:123123123:secret:some-secret`, 
+the region from the ARN (us-east-1) in this example, will take precedents over the AWS_REGION environment variable listed below. 
+
 These are the parameters for AWS:
 ```
 AVP_TYPE: awssecretsmanager
diff --git a/pkg/backends/awssecretsmanager.go b/pkg/backends/awssecretsmanager.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"regexp"
 
 	"github.com/argoproj-labs/argocd-vault-plugin/pkg/utils"
 	"github.com/aws/aws-sdk-go-v2/aws"
@@ -40,10 +41,21 @@ func (a *AWSSecretsManager) Login() error {
 
 // GetSecrets gets secrets from aws secrets manager and returns the formatted data
 func (a *AWSSecretsManager) GetSecrets(path string, version string, annotations map[string]string) (map[string]interface{}, error) {
+	var opts = func(o *secretsmanager.Options) {}
+
 	input := &secretsmanager.GetSecretValueInput{
 		SecretId: aws.String(path),
 	}
 
+	re := regexp.MustCompile(`(?m)^(?:[^:]+:){3}([^:]+).*`)
+	if re.MatchString(path) {
+		parts := re.FindStringSubmatch(path)
+
+		opts = func(o *secretsmanager.Options) {
+			o.Region = parts[1]
+		}
+	}
+
 	if version != "" {
 		if version == AWS_CURRENT || version == AWS_PREVIOUS {
 			input.VersionStage = aws.String(version)
@@ -53,7 +65,7 @@ func (a *AWSSecretsManager) GetSecrets(path string, version string, annotations
 	}
 
 	utils.VerboseToStdErr("AWS Secrets Manager getting secret %s at version %s", path, version)
-	result, err := a.Client.GetSecretValue(context.TODO(), input)
+	result, err := a.Client.GetSecretValue(context.TODO(), input, opts)
 	if err != nil {
 		return nil, err
 	}
