
[PFMENG-1371] Feat/vault ent secret sync #1

Merged: 14 commits, Dec 8, 2023

Conversation

@hazmei (Collaborator) commented Dec 7, 2023

Special thanks to @shisheng10 and @uchinda-sph for the sharing session of their POC, issues faced and use case of secret sync.

This PR adds the following resources:

  1. AWS IAM User
  2. AWS IAM Group
  3. AWS IAM Policy
  4. AWS Access Keys
  5. Time rotating resource for rotating access keys (90 days)
  6. Vault Enterprise Secret Sync Destination
  7. Vault Enterprise Secret Sync Association

Previously tested on the web2-platform-infra webcore dev environment.

This setup provides a way to unassociate some vault secrets from the secret sync as well as removing the secret sync cleanly (requires a 2-step approach for removing the secret sync destination and association).

Current code only supports AWS destination for now. Will add more destinations in the future.

Note

The secret name in aws secrets manager is not configurable. It follows the following format: `vault/<vault accessor id>/<vault secret name>`.

There's a need to have different vault_generic_endpoint resources for associating and disassociating the vault secret, as the endpoint for deleting an association doesn't support the DELETE method. See the doc here.

```hcl
# Add Vault -> AWS SM association
resource "vault_generic_endpoint" "create_association_sync" {
  for_each  = { for secret in local.associate_secrets : "${secret.app_name}-${secret.secret_name}" => secret }
  path      = "${local.sync_base_path}/aws-sm/${local.destination_name}/associations/set"
  data_json = jsonencode({
    mount       = each.value.mount
    secret_name = each.value.secret_name
  })
  disable_delete       = true
  disable_read         = true
  ignore_absent_fields = true
  depends_on = [
    time_sleep.wait_5_seconds,
  ]
}

# Remove Some Vault -> AWS SM association
resource "vault_generic_endpoint" "remove_some_association_sync" {
  for_each  = { for secret in local.unassociate_secrets : "${secret.app_name}-${secret.secret_name}" => secret }
  path      = "${local.sync_base_path}/aws-sm/${local.destination_name}/associations/remove"
  data_json = jsonencode({
    mount       = each.value.mount
    secret_name = each.value.secret_name
  })
  disable_delete       = true
  disable_read         = true
  ignore_absent_fields = true
}
```

Creating secret sync destination and association

```hcl
module "vault_secret_sync" {
  source  = "app.terraform.io/sph/terraform-vault-secret-sync" # this is just an example
  version = "0.1.0-alpha" # this is just an example

  name = "webcore-dev"

  associate_secrets = {
    web2 = {
      mount       = "kvv2"
      secret_name = ["secret1", "secret2"]
    }
  }
}
```

Removing secret association

```hcl
module "vault_secret_sync" {
  source  = "app.terraform.io/sph/terraform-vault-secret-sync" # this is just an example
  version = "0.1.0-alpha" # this is just an example

  name = "webcore-dev"

  associate_secrets = {
    web2 = {
      mount       = "kvv2"
      secret_name = ["secret1"]
    }
  }

  unassociate_secrets = {
    web2 = {
      mount       = "kvv2"
      secret_name = ["secret2"]
    }
  }
}
```

Removing the secret sync destination and secret association

This requires a 2-step flow to remove the destination and association. Secret associations must be removed before the destination can be removed.

Step 1

```hcl
module "vault_secret_sync" {
  source  = "app.terraform.io/sph/terraform-vault-secret-sync" # this is just an example
  version = "0.1.0-alpha" # this is just an example

  name = "webcore-dev"

  associate_secrets = {
    web2 = {
      mount       = "kvv2"
      secret_name = ["secret1", "secret2"]
    }
  }

  delete_all_secrets_associations = true
}
```

Step 2

```hcl
module "vault_secret_sync" {
  source  = "app.terraform.io/sph/terraform-vault-secret-sync" # this is just an example
  version = "0.1.0-alpha" # this is just an example

  name = "webcore-dev"

  associate_secrets = {
    web2 = {
      mount       = "kvv2"
      secret_name = ["secret1", "secret2"]
    }
  }

  delete_all_secrets_associations = true
  delete_sync_destination         = true
}
```
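As an added example that is not part of the PR or the module's own code: one way to derive the `local.associate_secrets` and `local.unassociate_secrets` lists that the `for_each` expressions above iterate over from the map-shaped `associate_secrets` / `unassociate_secrets` inputs used in the usage snippets, with `delete_all_secrets_associations` implementing Step 1 of the teardown. The variable declarations and the way the flag is applied are assumptions; the resource paths and the `"${app_name}-${secret_name}"` key scheme come from the PR.

```hcl
# Added example, not the PR's code. Assumed: the module takes the map-shaped
# inputs shown in the usage snippets and a bool delete_all_secrets_associations;
# it derives the flat lists that the PR's for_each expressions iterate over.
variable "associate_secrets" {
  description = "app_name => { mount, secret_name = [...] } to sync to AWS SM"
  type = map(object({
    mount       = string
    secret_name = list(string)
  }))
  default = {}
}

variable "unassociate_secrets" {
  description = "Same shape; associations to drop while keeping the destination"
  type = map(object({
    mount       = string
    secret_name = list(string)
  }))
  default = {}
}

variable "delete_all_secrets_associations" {
  description = "Step 1 of the teardown: remove every association listed above"
  type        = bool
  default     = false
}

locals {
  # One { app_name, mount, secret_name } element per secret so the resources
  # can key on "${secret.app_name}-${secret.secret_name}" and post one
  # associations/set or associations/remove call per secret.
  flat = {
    for kind, apps in { associate = var.associate_secrets, unassociate = var.unassociate_secrets } :
    kind => flatten([
      for app_name, cfg in apps : [
        for name in cfg.secret_name : {
          app_name    = app_name
          mount       = cfg.mount
          secret_name = name
        }
      ]
    ])
  }

  # With delete_all_secrets_associations set, nothing is associated and every
  # secret under associate_secrets is removed instead, which is why the
  # teardown keeps associate_secrets populated until the destination is gone.
  associate_secrets   = var.delete_all_secrets_associations ? [] : local.flat.associate
  unassociate_secrets = var.delete_all_secrets_associations ? local.flat.associate : local.flat.unassociate
}
```

Because a secret listed in both inputs would be set and removed in the same apply, keep the two maps disjoint when not tearing down.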

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@hazmei hazmei marked this pull request as ready for review December 8, 2023 04:02
@hazmei hazmei changed the title Feat/vault ent secret sync [PFMENG-1371] Feat/vault ent secret sync Dec 8, 2023

@shisheng10 shisheng10 left a comment

LGTM


@niroz89 niroz89 left a comment

@hazmei add the LICENSE as well, let's publish to public registry.

@hazmei hazmei requested a review from niroz89 December 8, 2023 07:01
@hazmei hazmei merged commit 5a7271f into main Dec 8, 2023
@hazmei hazmei deleted the feat/vault-ent-secret-sync branch December 8, 2023 09:34
4 participants