Feature/gh 618 vault dynamic secrets for gcp

[Loic-R]

Pull Request description

Description of the change

Make google location now able to read dynamic secrets in a vault.

What I did

I made Yorc capable to read dynamic secrets in a google cloud secret engine. It is now capable to read a OAuth token used by Terraform to provision Google infrastructure.

How I did it

• Refactored hashivault
• Add tests
• Made a new configuration for google location : oauth tokens

How to verify it

The easiest way to demonstrate this issue, is to run a dev Vault server in 1.3.2 version, configure it, and run the corresponding Yorc server of the pull request on the same machine.

Setup

Vault

Start a vault dev server :

vault server -dev -dev-root-token-id="root"

In another terminal, configure the Vault server (don't forget to replace your-project-id with your actual project id). The vault service account should have a set of permissions listed here https://www.vaultproject.io/docs/secrets/gcp#required-permissions

export VAULT_ADDR='http://127.0.0.1:8200'
export GCP_PROJECT="<your-project-id>"
# Backend configuration
vault secrets enable gcp 
vault write gcp/config credentials=@vault-sa.json #vault service account credentials file
vault write gcp/roleset/yorc-token-roleset project=$GCP_PROJECT secret_type="access_token" token_scopes="https://www.googleapis.com/auth/cloud-platform" bindings=-<<EOF
  resource "//cloudresourcemanager.googleapis.com/projects/$GCP_PROJECT" {
           roles = ["roles/compute.instanceAdmin.v1"]
  }
EOF
vault kv put secret/yorc/credentials  project=$GCP_PROJECT

# Check if everything works, get a token
vault read gcp/token/yorc-token-roleset
#Key                   Value
#---                   -----
#expires_at_seconds    1586863740
#token                 <token>
#token_ttl             59m58s

Yorc

You'll need:

• Yorc PR binary : https://ystia.jfrog.io/ystia/yorc-bin-dev-local/ystia/yorc/dist/PR-632/yorc-4.0.0-SNAPSHOT.tgz
• Consul 1.7.2
• Terraform google plugin version: 2.20.3
• Sample topology : simple-gcp-compute.zip

Start a consul server dev as well as a Yorc server with this vault configuration:

vault:
  type: hashicorp
  token: root
  tls_skip_verify: true
  address: http://127.0.0.1:8200

Create a google location:
./yorc locations add --data '{"name": "GoogleCloud", "type": "google", "properties" :{ "project" : "{{ (secret \"/secret/data/yorc/credentials\" \"data=project\").String }}","oauth_access_token" : "{{ (secret \"/gcp/token/yorc-token-roleset\" \"data=token\").String }}" }}

Replace in the sample topology, the location of your ssh-key for your google resources as well as the user used to connect to the VM. For example:

[...]
credentials:
    user: loic
    keys:
        0: "~/.ssh/google_compute_engine"
[...]

Save and deploy/undeploy the app

# Deploy the app
./yorc d deploy --id gcp-compute ~/simple-gcp-compute.zip

# Undeploy the app
./yorc d undeploy gcp-compute

What to check ?

• Application deployed correctly using a dynamic token to create the VM
• Application successfully undeployed

Tear down

# Delete the roleset and so the service account created on your GCP
vault delete gcp/roleset/yorc-token-roleset

Delete also all the files downloaded

Description for the changelog

Applicable Issues

closes #618

[sonarqubecloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities (and 0 Security Hotspots to review)
2 Code Smells

No Coverage information
No Duplication information