Merge pull request #3 from dasmeta/DMVP-3754-main-modules

feat(DMVP-3754): Added modules - gcp-secret, keeper-to-secret-manager

.github/workflows/checkov.yaml

@@ -17,7 +17,7 @@ jobs:
       matrix:
         path:
           - /
-     
+
     steps:
     - uses: dasmeta/reusable-actions-workflows/checkov@4.2.0
       with:

.github/workflows/terraform-test.yaml

@@ -16,7 +16,7 @@ jobs:
       matrix:
         path:
           - /
-     
+
     steps:
     - uses: dasmeta/reusable-actions-workflows/terraform-test@4.2.0
       with:

.github/workflows/tflint.yaml

@@ -18,7 +18,7 @@ jobs:
       matrix:
         path:
           - /
-     
+
     steps:
     - uses: dasmeta/reusable-actions-workflows/tflint@4.2.0
       with:

.gitignore

@@ -10,8 +10,8 @@ crash.log
 crash.*.log
 
 # Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version 
-# control as they are data points which are potentially sensitive and subject 
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 *.tfvars
 *.tfvars.json

modules/external-secret-store/README.md

@@ -0,0 +1,63 @@
+# How to use
+
+```
+module "secret-store" {
+  source = "dasmeta/external-secrets/any//modules/external-secret-store"
+
+  name = "store-name"
+}
+```
+
+This is going to create AWS IAM User and restric access to Secret Manager keys starting with store-name (e.g. store-name-\*).
+Any secret created in Secret Manager matching the prefix can be requested via that External Secret Store and be populated as a Secret.
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13 |
+| <a name="requirement_kubectl"></a> [kubectl](#requirement\_kubectl) | >= 1.7.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_kubectl"></a> [kubectl](#provider\_kubectl) | >= 1.7.0 |
+| <a name="provider_kubernetes"></a> [kubernetes](#provider\_kubernetes) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_iam-user"></a> [iam-user](#module\_iam-user) | terraform-aws-modules/iam/aws//modules/iam-user | 4.6.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_user_policy_attachment.test-attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
+| [kubectl_manifest.main](https://registry.terraform.io/providers/gavinbunney/kubectl/latest/docs/resources/manifest) | resource |
+| [kubernetes_secret.store-secret](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/secret) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_access_key_id"></a> [aws\_access\_key\_id](#input\_aws\_access\_key\_id) | The key store will be using to pull secrets from AWS Secret Manager. | `string` | `""` | no |
+| <a name="input_aws_access_secret"></a> [aws\_access\_secret](#input\_aws\_access\_secret) | The secret store will be using to pull secrets from AWS Secret Manager. | `string` | `""` | no |
+| <a name="input_aws_role_arn"></a> [aws\_role\_arn](#input\_aws\_role\_arn) | Role ARN used to pull secrets from Secret Manager. | `string` | `""` | no |
+| <a name="input_controller"></a> [controller](#input\_controller) | Not sure what is this for yet. | `string` | `"dev"` | no |
+| <a name="input_create_user"></a> [create\_user](#input\_create\_user) | Create IAM user to read credentials or aws\_access\_key\_id / aws\_access\_secret combination should be used. | `bool` | `true` | no |
+| <a name="input_name"></a> [name](#input\_name) | Secret store name. | `string` | n/a | yes |
+| <a name="input_namespace"></a> [namespace](#input\_namespace) | n/a | `string` | `"default"` | no |
+| <a name="input_prefix"></a> [prefix](#input\_prefix) | This value is going be used as uniq prefix for secret store AWS resources like iam policy/user as for multi region setups we having collision | `string` | `""` | no |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/external-secret-store/iam-policy.tf

@@ -0,0 +1,28 @@
+data "aws_caller_identity" "current" {}
+data "aws_region" "current" {}
+
+resource "aws_iam_policy" "policy" {
+  count = var.create_user ? 1 : 0
+
+  name        = "${var.prefix}external-secrets-access-policy-for-store-${local.sanitized-name}"
+  path        = "/"
+  description = "Policy gives external secrets store access to ${var.name}* secrets"
+
+  policy = jsonencode({
+    "Version" : "2012-10-17",
+    "Statement" : [
+      {
+        "Effect" : "Allow",
+        "Action" : [
+          "secretsmanager:GetResourcePolicy",
+          "secretsmanager:GetSecretValue",
+          "secretsmanager:DescribeSecret",
+          "secretsmanager:ListSecretVersionIds"
+        ],
+        "Resource" : [
+          "arn:aws:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.name}*",
+        ]
+      }
+    ]
+  })
+}

modules/external-secret-store/iam-user.tf

@@ -0,0 +1,23 @@
+module "iam-user" {
+  source  = "terraform-aws-modules/iam/aws//modules/iam-user"
+  version = "4.6.0"
+
+  name  = "${var.prefix}${local.sanitized-name}-secret-manager"
+  count = var.create_user ? 1 : 0
+
+  create_iam_access_key         = true
+  create_user                   = true
+  create_iam_user_login_profile = false
+  upload_iam_user_ssh_key       = false
+}
+
+resource "aws_iam_user_policy_attachment" "test-attach" {
+  count = var.create_user ? 1 : 0
+
+  user       = module.iam-user[0].iam_user_name
+  policy_arn = aws_iam_policy.policy[0].arn
+
+  depends_on = [
+    module.iam-user
+  ]
+}

modules/external-secret-store/locals.tf

@@ -0,0 +1,3 @@
+locals {
+  sanitized-name = replace(var.name, "/", "-")
+}

modules/external-secret-store/secret-store.tmpl

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: ${name}
+  namespace: ${namespace}
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: ${region}
+      auth:
+        secretRef:
+          accessKeyIDSecretRef:
+            name: ${name}-awssm-secret
+            key: access-key
+          secretAccessKeySecretRef:
+            name: ${name}-awssm-secret
+            key: secret-access-key

modules/external-secret-store/secret.tf

@@ -0,0 +1,11 @@
+resource "kubernetes_secret" "store-secret" {
+  metadata {
+    name      = "${local.sanitized-name}-awssm-secret"
+    namespace = var.namespace
+  }
+
+  data = {
+    access-key        = var.create_user ? module.iam-user[0].iam_access_key_id : var.aws_access_key_id
+    secret-access-key = var.create_user ? module.iam-user[0].iam_access_key_secret : var.aws_access_secret
+  }
+}

modules/external-secret-store/store.tf

@@ -0,0 +1,12 @@
+resource "kubectl_manifest" "main" {
+  yaml_body = templatefile("${path.module}/secret-store.tmpl", {
+    name       = local.sanitized-name
+    namespace  = var.namespace
+    region     = data.aws_region.current.name
+    controller = var.controller
+  })
+
+  depends_on = [
+    module.iam-user
+  ]
+}

modules/external-secret-store/variables.tf

@@ -0,0 +1,45 @@
+variable "name" {
+  type        = string
+  description = "Secret store name."
+}
+
+variable "controller" {
+  type        = string
+  default     = "dev"
+  description = "Not sure what is this for yet."
+}
+
+variable "aws_access_key_id" {
+  type        = string
+  default     = ""
+  description = "The key store will be using to pull secrets from AWS Secret Manager."
+}
+
+variable "aws_access_secret" {
+  type        = string
+  default     = ""
+  description = "The secret store will be using to pull secrets from AWS Secret Manager."
+}
+
+variable "aws_role_arn" {
+  type        = string
+  default     = ""
+  description = "Role ARN used to pull secrets from Secret Manager."
+}
+
+variable "create_user" {
+  type        = bool
+  default     = true
+  description = "Create IAM user to read credentials or aws_access_key_id / aws_access_secret combination should be used."
+}
+
+variable "namespace" {
+  type    = string
+  default = "default"
+}
+
+variable "prefix" {
+  type        = string
+  default     = ""
+  description = "This value is going be used as uniq prefix for secret store AWS resources like iam policy/user as for multi region setups we having collision"
+}

modules/external-secret-store/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13"
+
+  required_providers {
+    kubectl = {
+      source  = "gavinbunney/kubectl"
+      version = ">= 1.7.0"
+    }
+  }
+}

modules/keeper-to-secret-manager/README.md

@@ -0,0 +1,70 @@
+## Keeper-to-Secret-Manager Module
+The `keeper-to-secret-manager` Terraform module transfers secrets from Keeper Security to Cloud Secret Manager. It automates the retrieval of secrets stored in Keeper and their subsequent storage in Cloud Secret Manager.
+
+## Configuration
+The module uses 2 modules.
+
+1. Keeper Reader Module
+This submodule is responsible for fetching secrets from Keeper Security. It requires API credentials and a list of secrets to fetch, identified by their UIDs and types.
+
+2. Cloud Secret Module
+After secrets are fetched from Keeper, this submodule handles the creation or updating of secrets in Cloud Secret Manager.
+
+Currently, only GCP Secret Manager is supported.
+`secret_manager` variable is used to specify the cloud for Secret Manager.
+
+### Usage Example
+```
+module "keeper_to_gcp" {
+  source              = "dasmeta/external-secrets/any//modules/keeper-to-secret-manager"
+
+  keeper_credentials  = "/path/to/keeper/config.json"
+  secret_manager     = "gcp"
+  secrets = [
+    {
+      secret_type = "db"
+      uid         = "YwIOVhxwBBONenOZ6ZlPkg"
+      field       = "db_type"
+      secret_name = "my-db-type"
+    },
+    {
+      secret_type = "login"
+      uid         = "bBdstZ0jCpoA8tZbg1Q8zQ"
+      field       = "login"
+      secret_name = "my-username"
+    }
+  ]
+}
+```
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_keeper-reader"></a> [keeper-reader](#module\_keeper-reader) | dasmeta/shared/any//modules/keeper-reader | n/a |
+| <a name="module_secret"></a> [secret](#module\_secret) | dasmeta/modules/google//modules/secret | 1.4.0 |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_keeper_credentials"></a> [keeper\_credentials](#input\_keeper\_credentials) | Credentials for accessing Keeper. | `string` | n/a | yes |
+| <a name="input_secret_manager"></a> [secret\_manager](#input\_secret\_manager) | The secret manager to use. Currently only `gcp` is supported | `string` | `"gcp"` | no |
+| <a name="input_secrets"></a> [secrets](#input\_secrets) | Secrets to fetch from Keeper and create in Cloud Secret Manager | <pre>list(object({<br>    secret_type = string<br>    uid         = string<br>    secret_name = string<br>    field       = string<br>  }))</pre> | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

modules/keeper-to-secret-manager/examples/to-gcp/0-setup.tf

@@ -0,0 +1,18 @@
+terraform {
+  required_providers {
+    secretsmanager = {
+      source  = "Keeper-Security/secretsmanager"
+      version = "1.1.3"
+    }
+  }
+}
+
+provider "google" {
+  project     = "my-project"
+  region      = "us-east1"
+  credentials = file("/path/to/gcp/config.json")
+}
+
+provider "secretsmanager" {
+  credential = file("/path/to/keeper/config.json")
+}

modules/keeper-to-secret-manager/examples/to-gcp/1-example.tf

@@ -0,0 +1,32 @@
+module "this" {
+  source = "../../"
+
+  keeper_credentials = "/path/to/keeper/config.json"
+  secret_manager     = "gcp"
+  secrets = [
+    {
+      secret_type = "db"
+      uid         = "YwIOVhxwBBONenOZ6ZlPkg"
+      field       = "db_type"
+      secret_name = "my-db-type"
+    },
+    {
+      secret_type = "login"
+      uid         = "bBdstZ0jCpoA8tZbg1Q8zQ"
+      field       = "login"
+      secret_name = "my-username"
+    },
+    {
+      secret_type = "login"
+      uid         = "bBdstZ0jCpoA8tZbg1Q8zQ"
+      field       = "password"
+      secret_name = "my-password"
+    },
+    {
+      secret_type = "db"
+      uid         = "YwIOVhxwBBONenOZ6ZlPkg"
+      field       = "password"
+      secret_name = "my-db-password"
+    },
+  ]
+}