Categorygithub.com/elastic/harp-plugins/cmd/harp-terraformer
modulepackage
0.2.4
Repository: https://github.com/elastic/harp-plugins.git
Documentation: pkg.go.dev
Overview
Versions
1
Dependencies
4
Dependents
0
Files
19 SLOC

# README

Harp - Terraformer

A harp plugin used to generate Terraform files for agent and service in CSO context.

UseCases

  • Generate multiple TF approles/policies based on cluster environment settings;
  • Make all settings consistent and technologic stack agnostic;
  • Add information links.

Build

export PATH=<harp-repository-path>/tools/bin:$PATH
$ mage

Sample

Request

apiVersion: harp.elastic.co/terraformer/v1
kind: AppRoleDefinition
meta:
  name: "harp-aws-deployer"
  owner: "[email protected]"
  description: "Generate AWS service account"
  issues:
    - https://github.com/elastic/harp-plugins/issues/123456
    - https://github.com/elastic/harp-plugins/issues/123459
spec:
  selector:
    platform: "security"
    product: "harp"
    version: "v1.0.0"
    component: "s3-publisher"
  namespaces:
    # CSO Compliant paths
    application:
      - suffix: "containers/identities/recovery"
        description: "Container sealing recovery key"
        capabilities: ["read"]
      - suffix: "containers/identities/harp-server"
        description: "Container sealing consumer key"
        capabilities: ["read"]

  # No generated paths
  custom:
  - suffix: "{{.Values.aws.backend}}/sts/harp-deploy"
    description: "Retrieve ephemeral AWS credentials for Harp container deployment"
    capabilities: ["read"]

Values

If you have multiple clusters, you can use the template engine to render the final request.

Production values :

aws:
  backend: aws-123456789-production

Staging values :

aws:
  backend: aws-918273654-staging

Compilation

Agent

Agents are trusted identity allowed to generate ephemeral Vault (secret_id) credentials for service

harp template --in request.yaml --values production.yaml \
  | harp terraformer agent

It will generate agent terraform :

# Generated with Harp Terraformer, Don't modify.
# https://github.com/elastic/harp-plugins/tree/main/cmd/harp-terraformer
# ---
# SpecificationHash: "ofDpeXC4JswbVKJFiAB+p/6EnaM8XocmhAWPnFoJQck="
# Owner: "[email protected]"
# Date: "2021-02-18T08:52:03Z"
# Description: "Generate AWS service account"
# Issues:
# - https://github.com/elastic/harp-plugins/issues/123456
# - https://github.com/elastic/harp-plugins/issues/123459
# ---
#
# ------------------------------------------------------------------------------

# Create the policy
data "vault_policy_document" "agent-harp-aws-deployer-production" {

  rule {
    description  = "Allow agent to retrieve service role-id"
    path         = "auth/service/role/harp-aws-deployer-production/role-id"
    capabilities = ["read"]
  }

  rule {
    description      = "Allow agent to retrieve secret-id"
    path             = "auth/service/role/harp-aws-deployer-production/secret-id"
    capabilities     = ["create", "update"]
    min_wrapping_ttl = "1s"  # minimum allowed TTL that clients can specify for a wrapped response
    max_wrapping_ttl = "90s" # maximum allowed TTL that clients can specify for a wrapped response
  }
}

# Register the policy
resource "vault_policy" "agent-harp-aws-deployer-production" {
  name   = "agent-harp-aws-deployer-production"
  policy = data.vault_policy_document.agent-harp-aws-deployer-production.hcl
}

# ------------------------------------------------------------------------------
#
# Register the backend role
resource "vault_approle_auth_backend_role" "agent-harp-aws-deployer-production" {
  backend   = "agent"
  role_name = "harp-aws-deployer-production"

  token_policies = [
    "agent-default",
    "agent-harp-aws-deployer-production",
  ]
}

Service

Services are concrete secret consumers

harp template --in request.yaml --values production.yaml \
  | harp terraformer service

# Generated with Harp Terraformer, Don't modify.
# https://github.com/elastic/harp-plugins/tree/main/cmd/harp-terraformer
# ---
# SpecificationHash: "ofDpeXC4JswbVKJFiAB+p/6EnaM8XocmhAWPnFoJQck="
# Owner: "[email protected]"
# Date: "2021-02-18T08:52:40Z"
# Description: "Generate AWS service account"
# Issues:
# - https://github.com/elastic/harp-plugins/issues/123456
# - https://github.com/elastic/harp-plugins/issues/123459
# ---
#
# ------------------------------------------------------------------------------

# Create the policy
data "vault_policy_document" "service-harp-aws-deployer-production" {
  # Application secrets
  rule {
    description  = "Container sealing recovery key"
    path         = "app/data/production/security/harp/v1.0.0/s3-publisher/containers/identities/recovery"
    capabilities = ["read"]
  }

  rule {
    description  = "Container sealing consumer key"
    path         = "app/data/production/security/harp/v1.0.0/s3-publisher/containers/identities/harp-server"
    capabilities = ["read"]
  }

  # Custom secret paths
  rule {
    description  = "Retrieve ephemeral AWS credentials for Harp container deployment"
    path         = "aws-123456789-production/sts/harp-deploy"
    capabilities = ["read"]
  }
}

# Register the policy
resource "vault_policy" "service-harp-aws-deployer-production" {
  name   = "service-harp-aws-deployer-production"
  policy = data.vault_policy_document.service-harp-aws-deployer-production.hcl
}

# ------------------------------------------------------------------------------
#
# Register the backend role
resource "vault_approle_auth_backend_role" "harp-aws-deployer-production" {
  backend   = "service"
  role_name = "harp-aws-deployer-production"

  token_policies = [
    "service-default",
    "service-harp-aws-deployer-production",
  ]
}

# Packages

No description provided by the author
No description provided by the author