Intial commit of secrets management CB

examples/cookbooks/secrets_management/.delivery/project.toml

@@ -0,0 +1,32 @@
+# Delivery for Local Phases Execution
+#
+# This file allows you to execute test phases locally on a workstation or
+# in a CI pipeline. The delivery-cli will read this file and execute the
+# command(s) that are configured for each phase. You can customize them
+# by just modifying the phase key on this file.
+#
+# By default these phases are configured for Cookbook Workflow only
+#
+
+[local_phases]
+unit = "chef exec rspec spec/"
+lint = "chef exec cookstyle"
+# foodcritic has been deprecated in favor of cookstyle so we skip the syntax
+# phase now.
+syntax = "echo skipping syntax phase. Use lint phase instead."
+provision = "chef exec kitchen create"
+deploy = "chef exec kitchen converge"
+smoke = "chef exec kitchen verify"
+# The functional phase is optional, you can define it by uncommenting
+# the line below and running the command: `delivery local functional`
+# functional = ""
+cleanup = "chef exec kitchen destroy"
+
+# Remote project.toml file
+#
+# Instead of the local phases above, you may specify a remote URI location for
+# the `project.toml` file. This is useful for teams that wish to centrally
+# manage the behavior of the `delivery local` command across many different
+# projects.
+#
+# remote_file = "https://url/project.toml"

examples/cookbooks/secrets_management/.gitignore

@@ -0,0 +1,23 @@
+.vagrant
+*~
+*#
+.#*
+\#*#
+.*.sw[a-z]
+*.un~
+
+# Bundler
+Gemfile.lock
+gems.locked
+bin/*
+.bundle/*
+
+# test kitchen
+.kitchen/
+kitchen.local.yml
+.kitchen*
+
+# Chef
+Berksfile.lock
+.zero-knife.rb
+Policyfile.lock.json

examples/cookbooks/secrets_management/CHANGELOG.md

@@ -0,0 +1,10 @@
+# secrets_management CHANGELOG
+
+This file is used to list changes made in each version of the secrets_management cookbook.
+
+## 0.1.0
+
+Initial release.
+
+- change 0
+- change 1

examples/cookbooks/secrets_management/LICENSE

@@ -0,0 +1,3 @@
+Copyright 2020 The Authors
+
+All rights reserved, do not redistribute.

examples/cookbooks/secrets_management/Policyfile.rb

@@ -0,0 +1,17 @@
+# Policyfile.rb - Describe how you want Chef Infra Client to build your system.
+#
+# For more information on the Policyfile feature, visit
+# https://docs.chef.io/policyfile/
+
+# A name that describes what the system you're building with Chef does.
+name 'secrets_management'
+
+# Where to find external cookbooks:
+default_source :supermarket
+
+# run_list: chef-client will run these recipes in the order specified.
+run_list 'secrets_management::default'
+named_run_list :hashi_vault, 'secrets_management::hashi_vault'
+
+# Specify a custom source for a single cookbook:
+cookbook 'secrets_management', path: '.'

examples/cookbooks/secrets_management/README.md

@@ -0,0 +1,45 @@
+# HowTo: Retrieving secrets from a secrets management tool
+This cookbook will store examples on how to grab secrets from tools like Hashicorp Vault. In the future I would like to include examples for Akeyless.io/Aws KMS/Azure
+
+## Before you start
+### Assumptions
+* This guide assumes that you have a working Vault solution up and running that you can interact with
+
+**Note:** The way that the vault token is used in this cookbook is not the way we recommended to store the vault_token. 
+This is just an example on how to communicate with the sercrets management platform. Please consider using encrypted databags or some other means to protect the vault token.
+
+### Tested on chef client version 16+
+
+### Cookbook
+
+#### recipes
+
+* hashi_vault : This is the main recipe that shows how to interact with a vault instance.
+
+#### libraries
+
+* hashi_vault
+
+#### Attributes
+
+* hashi_vault
+
+`default['secrets_managment']['hashi']['vault_address']`
+
+The address to the hashi corp vault *Example*:
+ default['secrets_managment']['hashi']['vault_address'] = 'https://myvault.chefsuccess.io:8200'
+
+`default['secrets_managment']['hashi']['vault_token']`
+
+ The Vault token of the AppRole or Root(not suggested but used to for demo purposes) Example:
+ default['secrets_managment']['hashi']['vault_token'] = 's.xfffffff6666666777777hhh'
+
+`default['secrets_managment']['hashi']['vault_path']`
+
+The path to the secrets Example:
+ default['secrets_managment']['hashi']['vault_path'] = 'secret/my-app'
+
+`default['secrets_managment']['hashi']['vault_role']`
+
+The name of the app role is used. Leave an empty string if a app role is not used Example:
+ default['secrets_managment']['hashi']['vault_role'] = 'web'

examples/cookbooks/secrets_management/attributes/hashi_vault.rb

@@ -0,0 +1,4 @@
+default['secrets_managment']['hashi']['vault_address'] = 'https://myvault:8200'
+default['secrets_managment']['hashi']['vault_token'] = 's.5GM4NeJmbdfe34refUNWHaNriZ'
+default['secrets_managment']['hashi']['vault_path'] = 'secret/myapp'
+default['secrets_managment']['hashi']['vault_role'] = ''

examples/cookbooks/secrets_management/chefignore

@@ -0,0 +1,115 @@
+# Put files/directories that should be ignored in this file when uploading
+# to a Chef Infra Server or Supermarket.
+# Lines that start with '# ' are comments.
+
+# OS generated files #
+######################
+.DS_Store
+ehthumbs.db
+Icon?
+nohup.out
+Thumbs.db
+.envrc
+
+# EDITORS #
+###########
+.#*
+.project
+.settings
+*_flymake
+*_flymake.*
+*.bak
+*.sw[a-z]
+*.tmproj
+*~
+\#*
+REVISION
+TAGS*
+tmtags
+.vscode
+.editorconfig
+
+## COMPILED ##
+##############
+*.class
+*.com
+*.dll
+*.exe
+*.o
+*.pyc
+*.so
+*/rdoc/
+a.out
+mkmf.log
+
+# Testing #
+###########
+.circleci/*
+.codeclimate.yml
+.delivery/*
+.foodcritic
+.kitchen*
+.mdlrc
+.overcommit.yml
+.rspec
+.rubocop.yml
+.travis.yml
+.watchr
+.yamllint
+azure-pipelines.yml
+Dangerfile
+examples/*
+features/*
+Guardfile
+kitchen.yml*
+mlc_config.json
+Procfile
+Rakefile
+spec/*
+test/*
+
+# SCM #
+#######
+.git
+.gitattributes
+.gitconfig
+.github/*
+.gitignore
+.gitkeep
+.gitmodules
+.svn
+*/.bzr/*
+*/.git
+*/.hg/*
+*/.svn/*
+
+# Berkshelf #
+#############
+Berksfile
+Berksfile.lock
+cookbooks/*
+tmp
+
+# Bundler #
+###########
+vendor/*
+Gemfile
+Gemfile.lock
+
+# Policyfile #
+##############
+Policyfile.rb
+Policyfile.lock.json
+
+# Documentation #
+#############
+CODE_OF_CONDUCT*
+CONTRIBUTING*
+documentation/*
+TESTING*
+UPGRADING*
+
+# Vagrant #
+###########
+.vagrant
+Vagrantfile

examples/cookbooks/secrets_management/kitchen.yml

@@ -0,0 +1,34 @@
+---
+driver:
+  name: vagrant
+
+## The forwarded_port port feature lets you connect to ports on the VM guest via
+## localhost on the host.
+## see also: https://www.vagrantup.com/docs/networking/forwarded_ports.html
+
+#  network:
+#    - ["forwarded_port", {guest: 80, host: 8080}]
+
+provisioner:
+  name: chef_zero
+
+  ## product_name and product_version specifies a specific Chef product and version to install.
+  ## see the Chef documentation for more details: https://docs.chef.io/workstation/config_yml_kitchen/
+  #  product_name: chef
+  #  product_version: 16
+
+verifier:
+  name: inspec
+  chef_license: accept
+
+platforms:
+  - name: ubuntu-16.04
+
+suites:
+  - name: hashi_vault
+    provisioner:
+      named_run_list: hashi_vault 
+    verifier:
+      inspec_tests:
+        - test/integration/default
+    attributes:

examples/cookbooks/secrets_management/libraries/hashi_vault.rb

@@ -0,0 +1,37 @@
+#
+# Chef Infra Documentation
+# https://docs.chef.io/libraries/
+#
+
+#
+# This module name was auto-generated from the cookbook name. This name is a
+# single word that starts with a capital letter and then continues to use
+# camel-casing throughout the remainder of the name.
+#
+require 'vault'
+module SecretsManagement
+  module HashiVaultObjectHelpers
+    def get_hashi_vault_object(vault_path, vault_address, vault_token, vault_role = nil)
+      # Setting the vault address
+      Vault.address = vault_address
+      # Authenticate with the token
+      Vault.token = vault_token
+      Vault.ssl_verify = false
+      if vault_role # Authenticate to Vault using the role_id
+        approle_id = Vault.approle.role_id(vault_role)
+        secret_id = Vault.approle.create_secret_id(vault_role).data[:secret_id]
+        Vault.auth.approle(approle_id, secret_id)
+      end
+      # Attempt to read the secret
+      secret = Vault.logical.read(vault_path)
+      if secret.nil?
+        raise "Could not read secret '#{vault_path}'!"
+      else
+        secret.data
+      end
+    end
+  end
+end
+Chef::Resource.include ::SecretsManagement::HashiVaultObjectHelpers
+Chef::Recipe.include ::SecretsManagement::HashiVaultObjectHelpers
+Chef::Node.include ::SecretsManagement::HashiVaultObjectHelpers

examples/cookbooks/secrets_management/metadata.rb

@@ -0,0 +1,21 @@
+name 'secrets_management'
+maintainer 'Chef Examples'
+maintainer_email 'pbradford@chef.io'
+license 'All Rights Reserved'
+description 'Installs/Configures secrets_management'
+version '0.1.0'
+chef_version '>= 15.0'
+
+gem 'vault'
+
+# The `issues_url` points to the location where issues for this cookbook are
+# tracked.  A `View Issues` link will be displayed on this cookbook's page when
+# uploaded to a Supermarket.
+#
+# issues_url 'https://github.com/<insert_org_here>/secrets_management/issues'
+
+# The `source_url` points to the development repository for this cookbook.  A
+# `View Source` link will be displayed on this cookbook's page when uploaded to
+# a Supermarket.
+#
+# source_url 'https://github.com/<insert_org_here>/secrets_management'

examples/cookbooks/secrets_management/recipes/default.rb

@@ -0,0 +1,5 @@
+#
+# Cookbook:: secrets_management
+# Recipe:: default
+#
+# Copyright:: 2020, The Authors, All Rights Reserved.

examples/cookbooks/secrets_management/recipes/hashi_vault.rb

@@ -0,0 +1,22 @@
+#
+# Cookbook:: secrets_management
+# Recipe:: hashi_vault
+#
+# Copyright:: 2020, The Authors, All Rights Reserved.
+
+# Hashi_vault library. This was written so the out could be used during the converge stage
+vault_data = get_hashi_vault_object(node['secrets_managment']['hashi']['vault_path'], node['secrets_managment']['hashi']['vault_address'], node['secrets_managment']['hashi']['vault_token'])
+
+template '/tmp/config.conf' do
+  source 'app.conf.erb'
+  sensitive true
+  variables(username: vault_data[:username],
+  password: vault_data[:password])
+end
+
+file '/tmp/vault.txt' do
+  content "This is a test and the password is: #{vault_data[:password]}"
+  mode '0755'
+  action :create
+  sensitive true
+end

examples/cookbooks/secrets_management/spec/spec_helper.rb

@@ -0,0 +1,2 @@
+require 'chefspec'
+require 'chefspec/policyfile'