From d8a2fdf2718e29c52c70e9d2ec18b54e010f6245 Mon Sep 17 00:00:00 2001 From: Matthew Bystedt Date: Mon, 22 Jul 2024 10:40:25 -0700 Subject: [PATCH] feat: improve docs and fix .gitignore (#72) --- .gitignore | 3 -- README-config.md | 22 ++++++++++--- README-dev.md | 12 +++++-- README.md | 12 +++---- config/envconsul/env.hcl | 20 ++++++++++++ package-lock.json | 68 ++++++++++++++++++++-------------------- package.json | 6 ++-- 7 files changed, 88 insertions(+), 55 deletions(-) create mode 100644 config/envconsul/env.hcl diff --git a/.gitignore b/.gitignore index 2b7c196..3431de1 100644 --- a/.gitignore +++ b/.gitignore @@ -9,9 +9,6 @@ node_modules npm-debug.log VAULT_ROOT_TOKEN VAULT_UNSEAL_KEY -/setenv-local.sh .DS_Store /intention.json -/config/envconsul/env.hcl -/config/config.json /setenv/* \ No newline at end of file diff --git a/README-config.md b/README-config.md index efa5f86..8193ea3 100644 --- a/README-config.md +++ b/README-config.md @@ -1,18 +1,28 @@ # Vault Sync Tool - Configuration +Back: [README.md](README.md) + This document is aimed at Vault Administrators looking to alter the policies and access the Vault Sync Tool configures. -For users, the Vault Sync Tool maps client roles coming from OIDC to internal groups with policies that manage what the group can do. For services, it maps App Roles to policies that manage what the service can do. +For users, the Vault Sync Tool maps client roles coming from OIDC to internal groups with policies that manage what the group can do. For services, it maps [AppRoles](https://developer.hashicorp.com/vault/docs/auth/approle) to policies that manage what the service can do. + +## Configuring OIDC + +Configuring OIDC is out of scope for the Vault Sync Tool. The tool assumes there is another process (manual or automated) that maps end users to the roles included in their token. + +It is extremely important that roles are correctly mapped. ## Defined Groups -The 'group' here refers to a grouping of policies and not a Vault group. This allows for the syncing of a specific group of policies (like apps or system) by themselves. A group is a collection of policies aimed at solving a class of access. +A group is a collection of policies aimed at solving a class of access. This allows for the syncing of a specific group of policies (like apps or system) by themselves. + +The 'group' here is not a Vault group which is a separate thing. | Group | Definition | Examples | Typical Usage | | --- | --- | --- | --- | -| system | Policies that provide broad access of Vault or a specific part. | system/admin-super | Admin users | -| apps | Policies that an individual application needs for itself. | apps/fidq/prod-kv-read | Applications or developers of an application | -| groups | Policies for a group of end users (humans) | groups/appdelivery-user | A group of end users (application delivery, DBA, etc) | +| system | Policies that provide broad access to Vault. | system/admin-super | Admin users; Generic access | +| apps | Policies required by an individual application for its own use. | apps/fidq/prod-kv-read | Applications or developers of an application | +| groups | Policies for a group of end users (humans) | groups/appdelivery-user | A group of end users (developers, operations, security, auditors, management) | ### Policy Naming Pattern @@ -24,6 +34,8 @@ The tool uses a naming pattern that Vault admins need to be aware of. The patter This repo includes a generic configuration in [./config](./config/). If you have specific needs, you can copy this folder to another repository and make your changes there. +If required, copy (or mount) your configuration to the config folder before you run the tool. + ## File: config.json This is a key value object. Each of the root keys will be described in a separate section. diff --git a/README-dev.md b/README-dev.md index 298141e..041e8f3 100644 --- a/README-dev.md +++ b/README-dev.md @@ -27,13 +27,13 @@ podman build . -t vsync ### With NR Broker -NR Broker's local setup will start a Vault container and run a setup script. No further setup should be required. +Setting up NR Broker locally involves starting a Vault container and executing a setup script. This process enables the Vault Sync Tool to operate seamlessly with the local installation, requiring no additional setup. This is currently the only practical way to run the Vault Sync Tool because NR Broker is the only implemented data source for applications. ### Without NR Broker -The following will start up Vault in Podman. The Vault Sync Tool defaults to localhost:8200 for the address and myroot for the token. +The following will start up Vault in Podman. The Vault Sync Tool defaults to 'localhost:8200' for the address and 'myroot' for the token. `podman run --rm -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' --name=dev-vault -p 8200:8200 vault` @@ -47,6 +47,12 @@ vault secrets enable -path=apps -version=2 kv vault secrets enable -path=groups -version=2 kv ``` -## Running with Broker +## Running Vault Sync Tool + +### With NR Broker See: [Running Vault Sync Tool](https://bcgov-nr.github.io/nr-broker/#/development?id=running-vault-sync-tool) + +### Without NR Broker + +This is unsupported currently. diff --git a/README.md b/README.md index 6b1e2d4..644199f 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # Vault Sync Tool -The Vault Sync Tool configures HashiCorp Vault using data sources to allow applications and users to access Vault securely. It can read a static configuration or read dynamic data from the business intelligence tool, [NR Broker](https://github.com/bcgov-nr/nr-broker). It can monitor for changes in its datasources or be run on-demand. +The Vault Sync Tool configures HashiCorp Vault by utilizing data sources, enabling secure access for applications and users. It can either read a static configuration or dynamically retrieve data from the business intelligence tool, [NR Broker](https://github.com/bcgov-nr/nr-broker). Additionally, it can monitor data source changes or be run on-demand. * [Vault Sync Tool](#vault-sync-tool) @@ -10,23 +10,21 @@ The Vault Sync Tool configures HashiCorp Vault using data sources to allow appli ## Running -The tool can be run from the source using Node.js or a release container image by using Podman or Docker. +The tool can be run from the source using Node.js or a container image by using Podman or Docker. ``` ./bin/dev health ``` ``` -podman run --rm ghcr.io/bcgov-nr/vault-sync-app:v1.0.4 health +podman run --rm ghcr.io/bcgov-nr/vault-sync-app:v2.0.1 health ``` -The sample command runs the health command. All the commands will probably require some arguments set up to work with your Vault. - -The container expects to recieve a VAULT_ADDR and VAULT_TOKEN to load +The sample command runs the health command. All the commands will probably require some arguments set up to work with your installation of Hashicorp Vault. With no arguments set, it will try to use a local Vault installation with a static token. ## Environment Variables -The tool can use environment variables in place of most command arguments. It is recommended that all confidential paramaters (tokens, etc.) be set using environment variables. +The tool can utilize environment variables instead of most command arguments. It is recommended to set all confidential parameters (such as tokens) using environment variables. Specifically, the argument 'vault-token' should always be configured with the environment variable 'VAULT_TOKEN'. These can be found by looking in the [src/flags.ts](src/flags.ts) file. diff --git a/config/envconsul/env.hcl b/config/envconsul/env.hcl new file mode 100644 index 0000000..056d20d --- /dev/null +++ b/config/envconsul/env.hcl @@ -0,0 +1,20 @@ +vault { + renew_token = false + retry { + enabled = false + attempts = 12 + backoff = "250ms" + max_backoff = "1m" + } +} +secret { + no_prefix = true + path = "apps/prod/vault/vsync" +} +exec { + splay = "0s" + env { + pristine = false + } + kill_timeout = "5s" +} diff --git a/package-lock.json b/package-lock.json index c722df2..8b39976 100644 --- a/package-lock.json +++ b/package-lock.json @@ -8,9 +8,9 @@ "name": "vstool", "version": "1.0.0", "dependencies": { - "@oclif/core": "^4.0.12", + "@oclif/core": "^4.0.13", "@oclif/plugin-help": "^6.2.6", - "@oclif/plugin-plugins": "^5.3.7", + "@oclif/plugin-plugins": "^5.3.8", "axios": "^1.7.2", "ejs": "^3.1.10", "inversify": "^6.0.2", @@ -36,7 +36,7 @@ "eslint-plugin-jest": "^28.6.0", "eslint-plugin-prettier": "^5.2.1", "jest": "^29.7.0", - "oclif": "^4.14.6", + "oclif": "^4.14.8", "rimraf": "^3.0.2", "shx": "^0.3.4", "ts-jest": "^29.2.3", @@ -1803,26 +1803,26 @@ "dev": true }, "node_modules/@inquirer/confirm": { - "version": "3.1.15", - "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-3.1.15.tgz", - "integrity": "sha512-CiLGi3JmKGEsia5kYJN62yG/njHydbYIkzSBril7tCaKbsnIqxa2h/QiON9NjfwiKck/2siosz4h7lVhLFocMQ==", + "version": "3.1.17", + "resolved": "https://registry.npmjs.org/@inquirer/confirm/-/confirm-3.1.17.tgz", + "integrity": "sha512-qCpt/AABzPynz8tr69VDvhcjwmzAryipWXtW8Vi6m651da4H/d0Bdn55LkxXD7Rp2gfgxvxzTdb66AhIA8gzBA==", "dev": true, "dependencies": { - "@inquirer/core": "^9.0.3", - "@inquirer/type": "^1.5.0" + "@inquirer/core": "^9.0.5", + "@inquirer/type": "^1.5.1" }, "engines": { "node": ">=18" } }, "node_modules/@inquirer/core": { - "version": "9.0.3", - "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-9.0.3.tgz", - "integrity": "sha512-p2BRZv/vMmpwlU4ZR966vKQzGVCi4VhLjVofwnFLziTQia541T7i1Ar8/LPh+LzjkXzocme+g5Io6MRtzlCcNA==", + "version": "9.0.5", + "resolved": "https://registry.npmjs.org/@inquirer/core/-/core-9.0.5.tgz", + "integrity": "sha512-QWG41I7vn62O9stYKg/juKXt1PEbr/4ZZCPb4KgXDQGwgA9M5NBTQ7FnOvT1ridbxkm/wTxLCNraUs7y47pIRQ==", "dev": true, "dependencies": { - "@inquirer/figures": "^1.0.4", - "@inquirer/type": "^1.5.0", + "@inquirer/figures": "^1.0.5", + "@inquirer/type": "^1.5.1", "@types/mute-stream": "^0.0.4", "@types/node": "^20.14.11", "@types/wrap-ansi": "^3.0.0", @@ -1866,9 +1866,9 @@ } }, "node_modules/@inquirer/figures": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/@inquirer/figures/-/figures-1.0.4.tgz", - "integrity": "sha512-R7Gsg6elpuqdn55fBH2y9oYzrU/yKrSmIsDX4ROT51vohrECFzTf2zw9BfUbOW8xjfmM2QbVoVYdTwhrtEKWSQ==", + "version": "1.0.5", + "resolved": "https://registry.npmjs.org/@inquirer/figures/-/figures-1.0.5.tgz", + "integrity": "sha512-79hP/VWdZ2UVc9bFGJnoQ/lQMpL74mGgzSYX1xUqCVk7/v73vJCMw1VuyWN1jGkZ9B3z7THAbySqGbCNefcjfA==", "dev": true, "engines": { "node": ">=18" @@ -1904,9 +1904,9 @@ } }, "node_modules/@inquirer/type": { - "version": "1.5.0", - "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-1.5.0.tgz", - "integrity": "sha512-L/UdayX9Z1lLN+itoTKqJ/X4DX5DaWu2Sruwt4XgZzMNv32x4qllbzMX4MbJlz0yxAQtU19UvABGOjmdq1u3qA==", + "version": "1.5.1", + "resolved": "https://registry.npmjs.org/@inquirer/type/-/type-1.5.1.tgz", + "integrity": "sha512-m3YgGQlKNS0BM+8AFiJkCsTqHEFCWn6s/Rqye3mYwvqY6LdfUv12eSwbsgNzrYyrLXiy7IrrjDLPysaSBwEfhw==", "dev": true, "dependencies": { "mute-stream": "^1.0.0" @@ -2360,12 +2360,12 @@ } }, "node_modules/@oclif/core": { - "version": "4.0.12", - "resolved": "https://registry.npmjs.org/@oclif/core/-/core-4.0.12.tgz", - "integrity": "sha512-o2dfPtmi2uBGHgpvHr+GNfoRKysKgQGiffONoMN3R+qBVNeIkJIZhVk31HreDkAI9LAzS92BWNgp/l7lXDxdvg==", + "version": "4.0.13", + "resolved": "https://registry.npmjs.org/@oclif/core/-/core-4.0.13.tgz", + "integrity": "sha512-xZAOTK6f0Dk+DidDI7SvmbMpmBXYmzRA1YrAw5g+/cMTSmmOojq/DGNCgdUf2i+S/DEMIOs0uEUIUidYBnIfkQ==", "dependencies": { "ansi-escapes": "^4.3.2", - "ansis": "^3.2.1", + "ansis": "^3.3.1", "clean-stack": "^3.0.1", "cli-spinners": "^2.9.2", "debug": "^4.3.5", @@ -2422,9 +2422,9 @@ } }, "node_modules/@oclif/plugin-plugins": { - "version": "5.3.7", - "resolved": "https://registry.npmjs.org/@oclif/plugin-plugins/-/plugin-plugins-5.3.7.tgz", - "integrity": "sha512-z911JJUj/7eZ7L3GXYTJHDIe35Qm1TFQ/4CVMf1YyEBLhO3yktbzcys2+ncmdlphyoJCYwOsnfSPV09oBtT4ZA==", + "version": "5.3.8", + "resolved": "https://registry.npmjs.org/@oclif/plugin-plugins/-/plugin-plugins-5.3.8.tgz", + "integrity": "sha512-mAPCIKKCtUeSPecUFLWLHOxlG2W1xogzV1s9JByHduPvriaUi1HIy7s5vsm/fbtY5XNQjQykG4MltJ468H9shQ==", "dependencies": { "@oclif/core": "^4", "ansis": "^3.2.1", @@ -2433,7 +2433,7 @@ "npm-package-arg": "^11.0.2", "npm-run-path": "^5.3.0", "object-treeify": "^4.0.1", - "semver": "^7.6.2", + "semver": "^7.6.3", "validate-npm-package-name": "^5.0.1", "which": "^4.0.0", "yarn": "^1.22.22" @@ -9780,14 +9780,14 @@ } }, "node_modules/oclif": { - "version": "4.14.6", - "resolved": "https://registry.npmjs.org/oclif/-/oclif-4.14.6.tgz", - "integrity": "sha512-pfyrDzzETLrGh2D4E+DDTfZetjP0N5DeZLLaNPcZ0ENuZPVC54XvW0q5OSDDYavzxD9y97z3SKh6qRyMPRwXLQ==", + "version": "4.14.8", + "resolved": "https://registry.npmjs.org/oclif/-/oclif-4.14.8.tgz", + "integrity": "sha512-dJplgtnF2eQ+c06aJHm8xtjKitpvgx5DLf1qU/yrRjREYE+BTcXaOZa7cIskAcFiEz/86I0rBeovEoQTI3G+zA==", "dev": true, "dependencies": { "@aws-sdk/client-cloudfront": "^3.609.0", "@aws-sdk/client-s3": "^3.614.0", - "@inquirer/confirm": "^3.1.14", + "@inquirer/confirm": "^3.1.16", "@inquirer/input": "^2.2.1", "@inquirer/select": "^2.3.10", "@oclif/core": "^4", @@ -10546,9 +10546,9 @@ "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, "node_modules/semver": { - "version": "7.6.2", - "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.2.tgz", - "integrity": "sha512-FNAIBWCx9qcRhoHcgcJ0gvU7SN1lYU2ZXuSfl04bSC5OpvDHFyJCjdNHomPXxjQlCBU67YW64PzY7/VIEH7F2w==", + "version": "7.6.3", + "resolved": "https://registry.npmjs.org/semver/-/semver-7.6.3.tgz", + "integrity": "sha512-oVekP1cKtI+CTDvHWYFUcMtsK/00wmAEfyqKfNdARm8u1wNVhSgaX7A8d4UuIlUI5e84iEwOhs7ZPYRmzU9U6A==", "bin": { "semver": "bin/semver.js" }, diff --git a/package.json b/package.json index 6e0ff34..613152b 100644 --- a/package.json +++ b/package.json @@ -37,9 +37,9 @@ ] }, "dependencies": { - "@oclif/core": "^4.0.12", + "@oclif/core": "^4.0.13", "@oclif/plugin-help": "^6.2.6", - "@oclif/plugin-plugins": "^5.3.7", + "@oclif/plugin-plugins": "^5.3.8", "axios": "^1.7.2", "ejs": "^3.1.10", "inversify": "^6.0.2", @@ -62,7 +62,7 @@ "eslint-plugin-jest": "^28.6.0", "eslint-plugin-prettier": "^5.2.1", "jest": "^29.7.0", - "oclif": "^4.14.6", + "oclif": "^4.14.8", "rimraf": "^3.0.2", "shx": "^0.3.4", "ts-jest": "^29.2.3",