feat: Hashivault module with AWS Secret Engine

Cargo.toml

@@ -30,11 +30,11 @@ reqwest = "0.11.13"
 tracing-subscriber = { version = "0.3.15", features = ["env-filter"] }
 tokio = { version = "1", features = ["full"] }
 convert_case = "0.5.0"
-async-trait = "0.1.56"
+async-trait = "0.1.68"
 anyhow = { version = "1.0", features = ["backtrace"] }
 rand = "0.5"
-# Use specific revision as kv1 has been merged recently but not yet released (https://github.com/jmgilman/vaultrs/pull/46)
-vaultrs = { git = "https://github.com/jmgilman/vaultrs", rev="823c44b898a2990f099cc8737a36a618ae209385" }
+# Use our own version as AWS client is not yet merged in mainstream. See https://github.com/jmgilman/vaultrs/pull/58
+vaultrs = { git = "https://github.com/PierreBeucher/vaultrs", rev="aws-se-2023-05-15" }
 url = "2.3.1"
 schemars = "0.8.10"
 http = "0.2"

docs/modules.md

@@ -4,9 +4,10 @@
   - [Files and Variables](#files-and-variables)
   - [Hashicorp Vault](#hashicorp-vault)
     - [Authentication & Configuration](#authentication--configuration)
+    - [AWS](#aws)
     - [Key Value v2](#key-value-v2)
     - [Key Value v1](#key-value-v1)
-  - [AWS](#aws)
+  - [AWS](#aws-1)
     - [Authentication & Configuration](#authentication--configuration-1)
     - [STS Assume Role](#sts-assume-role)
     - [Systems Manager (SSM) Parameter Store](#systems-manager-ssm-parameter-store)
@@ -97,6 +98,22 @@ export VAULT_TOKEN=xxx
 export VAULT_ADDR=https://vault.mycompany.org:8200
 ```
 
+### AWS 
+
+[AWS Secret Engine](https://developer.hashicorp.com/vault/api-docs/secret/aws) to generate temporary credentials. Maps directly to [Generate Credentials API](https://developer.hashicorp.com/vault/api-docs/secret/aws#generate-credentials). Outputs environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` & `AWS_SESSION_TOKEN` used by most [AWS SDKs and tools](https://docs.aws.amazon.com/sdkref/latest/guide/environment-variables.html):
+
+```yaml
+environments:
+  test:
+    hashivault:
+      aws:
+        mount: aws
+        name: dev_role
+        role_arn: arn:aws:iam::111122223333:role/dev_role
+        role_session_name: dev-session
+        ttl: 2h
+```
+
 ### Key Value v2
 
 Hashicorp Vault [Key Value Version 2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) with variables and files:

src/core.rs

@@ -5,7 +5,12 @@ use anyhow;
 use std::path::PathBuf;
 use schemars::JsonSchema;
 
-use crate::modules::hashivault::{config::HashivaultConfig, kv2::HashiVaultKeyValueV2Input, kv1::HashiVaultKeyValueV1Input};
+use crate::modules::hashivault::{
+    self,
+    config::HashivaultConfig, 
+    kv2::HashiVaultKeyValueV2Input, 
+    kv1::HashiVaultKeyValueV1Input, 
+};
 use crate::modules::bitwarden;
 use crate::modules::aws;
 use crate::modules::gcloud;
@@ -64,7 +69,8 @@ impl Default for NovopsConfigDefault {
 pub struct NovopsEnvironmentInput {
     pub variables: Option<Vec<VariableInput>>,
     pub files: Option<Vec<FileInput>>,
-    pub aws: Option<aws::config::AwsInput>
+    pub aws: Option<aws::config::AwsInput>,
+    pub hashivault: Option<hashivault::config::HashiVaultInput>
 }
 
 /**

src/lib.rs

@@ -185,6 +185,19 @@ pub async fn resolve_environment_inputs(ctx: &NovopsContext, inputs: NovopsEnvir
         None => (),
     }
 
+    match &inputs.hashivault {
+        Some(hashivault) => {
+            let r = hashivault.aws.resolve(&ctx).await
+                .with_context(|| format!("Could not resolve Hashivault input {:?}", hashivault))?;
+
+            for vo in r {
+                variable_outputs.insert(vo.name.clone(), vo);
+            }
+
+        },
+        None => (),
+    }
+
     Ok((variable_outputs, file_outputs))
 
 }

src/modules/hashivault/aws.rs

@@ -0,0 +1,45 @@
+use crate::core::{ResolveTo, NovopsContext};
+use super::client::get_client;
+use crate::modules::variables::VariableOutput;
+
+use anyhow::Context;
+use serde::Deserialize;
+use async_trait::async_trait;
+use schemars::JsonSchema;
+
+#[derive(Debug, Deserialize, Clone, PartialEq, JsonSchema)]
+pub struct HashiVaultAWSInput {
+    pub mount: Option<String>,
+    pub name: String,
+    pub role_arn: Option<String>,
+    pub role_session_name: Option<String>,
+    pub ttl: Option<String>
+}
+
+#[async_trait]
+impl ResolveTo<Vec<VariableOutput>> for HashiVaultAWSInput {
+  async fn resolve(&self, ctx: &NovopsContext) -> Result<Vec<VariableOutput>, anyhow::Error> {
+
+    let client = get_client(ctx)?;
+
+    let creds = client.aws_creds(
+      &Some(self.mount.clone().unwrap_or("aws".to_string())), 
+      &self.name,
+      &self.role_arn,
+      &self.role_session_name,
+      &self.ttl
+    )
+    .await.with_context(|| format!("Couldn't generate Hashivault AWS credentials for {:}", self.name))?;
+
+    let mut result = vec![
+      VariableOutput{ name: "AWS_ACCESS_KEY_ID".to_string(), value: creds.access_key },
+      VariableOutput{ name: "AWS_SECRET_ACCESS_KEY".to_string(), value: creds.secret_key }
+    ];
+
+    if creds.security_token.is_some() {
+      result.push(VariableOutput{ name: "AWS_SESSION_TOKEN".to_string(), value: creds.security_token.unwrap() })
+    }
+
+    Ok(result)
+  }
+}

src/modules/hashivault/client.rs

@@ -5,13 +5,30 @@ use vaultrs::client::{VaultClient, VaultClientSettingsBuilder};
 use url::Url;
 use async_trait::async_trait;
 use std::collections::HashMap;
-use vaultrs::{kv2, kv1};
+use vaultrs::{kv2, kv1, aws, api::aws::requests::GenerateCredentialsRequest};
 
 
 #[async_trait]
 pub trait HashivaultClient {
-    async fn kv2_read(&self, mount: &Option<String>, path: &str, key: &str) -> Result<String, anyhow::Error>;
-    async fn kv1_read(&self, mount: &Option<String>, path: &str, key: &str) -> Result<String, anyhow::Error>;
+    async fn kv2_read(&self, 
+        mount: &Option<String>, 
+        path: &str, 
+        key: &str
+    ) -> Result<String, anyhow::Error>;
+
+    async fn kv1_read(&self, 
+        mount: &Option<String>, 
+        path: &str, 
+        key: &str
+    ) -> Result<String, anyhow::Error>;
+
+    async fn aws_creds(&self, 
+        mount: &Option<String>, 
+        role: &str, 
+        role_arn: &Option<String>,
+        role_session_name: &Option<String>,
+        ttl: &Option<String>
+    ) -> Result<Creds, anyhow::Error>;
 }
 
 pub struct DefaultHashivaultClient{
@@ -20,6 +37,13 @@ pub struct DefaultHashivaultClient{
 
 pub struct DryRunHashivaultClient{}
 
+pub struct Creds{
+    pub access_key: String,
+    pub secret_key: String,
+    pub security_token: Option<String>,
+    pub arn: String
+}
+
 #[async_trait]
 impl HashivaultClient for DefaultHashivaultClient {
     async fn kv2_read(&self, mount: &Option<String>, path: &str, key: &str) -> Result<String, anyhow::Error>{
@@ -50,6 +74,39 @@ impl HashivaultClient for DefaultHashivaultClient {
             .map(|s| s.clone());
     }
 
+    async fn aws_creds (&self, mount: &Option<String>, role: &str, 
+        role_arn: &Option<String>, role_session_name: &Option<String>, ttl: &Option<String>
+    ) -> Result<Creds, anyhow::Error>{
+
+        let mut opts = GenerateCredentialsRequest::builder();
+
+        if role_arn.is_some() {
+            opts.role_arn(role_arn.clone().unwrap().to_string());
+        }
+
+        if role_session_name.is_some() {
+            opts.role_session_name(role_session_name.clone().unwrap().to_string());
+        }
+
+        if ttl.is_some() {
+            opts.ttl(ttl.clone().unwrap().to_string());
+        }
+
+        let result = aws::roles::credentials(&self.client, 
+            &mount.clone().unwrap_or("aws".to_string()), 
+            role, 
+            Some(&mut opts)
+        ).await.with_context(|| format!("Couldn't generate Hashivault AWS creds for {:}", role))?;
+
+        Ok(Creds {
+            access_key: result.access_key,
+            secret_key: result.secret_key,
+            security_token: result.security_token,
+            arn: result.arn
+        })
+
+    }
+
 }
 
 
@@ -70,6 +127,25 @@ impl HashivaultClient for DryRunHashivaultClient {
 
         Ok(result)
     }
+
+    async fn aws_creds (&self, _mount: &Option<String>, role: &str, 
+        _role_arn: &Option<String>, role_session_name: &Option<String>, _ttl: &Option<String>
+    ) -> Result<Creds, anyhow::Error>{
+
+        // use role to generate dummy role-arn is not passed
+        let session_arn = role_session_name.clone().map_or(
+            format!("arn:aws:sts::123456789012:assumed-role/{:}/{:}", role, "dummy-session"), 
+            |r| format!("arn:aws:sts::123456789012:assumed-role/{:}/{:}", role, r), );
+
+        let result = Creds {
+            access_key: "AKIADRYRUNACCESSKEY".to_string(),
+            secret_key: "s3cret".to_string(),
+            security_token: Some("securityToken".to_string()),
+            arn: session_arn
+        };
+
+        Ok(result)
+    }
 }
 
 

src/modules/hashivault/config.rs

@@ -1,6 +1,13 @@
 use serde::Deserialize;
 use schemars::JsonSchema;
 
+use super::aws::HashiVaultAWSInput;
+
+#[derive(Debug, Deserialize, Clone, PartialEq, JsonSchema)]
+pub struct HashiVaultInput {
+    pub aws: HashiVaultAWSInput
+}
+
 
 #[derive(Debug, Deserialize, Clone, PartialEq, JsonSchema)]  
 pub struct HashivaultConfig {

src/modules/hashivault/mod.rs

@@ -1,3 +1,4 @@
+pub mod aws;
 pub mod config;
 pub mod client;
 pub mod kv2;

tests/.novops.hvault_aws.yml

@@ -0,0 +1,23 @@
+# The unique application name
+name: test-app
+
+environments:
+  dev:
+    # Generate AWS creds
+    # Output variables AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN
+    hashivault:
+      aws:
+        mount: test_aws
+        name: test_role
+        role_arn: arn:aws:iam::111122223333:role/test_role
+        role_session_name: test-session
+        ttl: 2h
+
+config:
+  default:
+    environment: dev
+  hashivault:
+    # Hashivault from docker-compose.yml service
+    # Alternatively, use VAULT_ADDR and VAULT_TOKEN env var
+    address: http://localhost:8200
+    token: novops

tests/docker-compose.yml

@@ -13,13 +13,12 @@ services:
   # Adapted from https://github.com/localstack/localstack/blob/master/docker-compose.yml
   localstack:
     container_name: "${LOCALSTACK_DOCKER_NAME-localstack_main}"
-    image: localstack/localstack
+    image: localstack/localstack:2.0.2
     ports:
       - "127.0.0.1:4566:4566"            # LocalStack Gateway
       - "127.0.0.1:4510-4559:4510-4559"  # external services port range
     environment:
       - DEBUG=${DEBUG-}
-      - LAMBDA_EXECUTOR=${LAMBDA_EXECUTOR-}
       - DOCKER_HOST=unix:///var/run/docker.sock
     volumes:
       - novops-localstack:/var/lib/localstack