forked from pulumi/examples
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request pulumi#680 from pulumi/vault-kms
Add vault example
- Loading branch information
Showing
6 changed files
with
178 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
/bin/ | ||
/node_modules/ | ||
Pulumi.*.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
name: pulumi-vault-kms | ||
runtime: nodejs | ||
description: Minimal config which shows how Vault encryption support works |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,115 @@ | ||
# Pulumi Vault Encryption | ||
|
||
Pulumi allows you to encrypt any secrets stored in the backend. | ||
|
||
This example shows how this might be done for Hashicorp Vault. It creates an S3 bucket with a single file that has a "secret" value. | ||
|
||
# Getting Started | ||
|
||
To use this example, perform the following steps. This examples assumes you have a working vault server with the [transit secret backend](https://www.vaultproject.io/docs/secrets/transit) enabled. | ||
|
||
You should ensure you have an environment variable, `VAULT_SERVER_URL` set to the address of your vault server: | ||
|
||
```bash | ||
export VAULT_SERVER_URL="https://vault.service.consul:8201 | ||
``` | ||
You should also have a [Vault token](https://www.vaultproject.io/docs/concepts/tokens) with a [policy](https://www.vaultproject.io/docs/concepts/policies) that is adequately scoped to allow access to the transit backend. | ||
Once you do, set the `VAULT_SERVER_TOKEN` environment variable: | ||
```bash | ||
export VAULT_SERVER_TOKEN=<token> | ||
``` | ||
## Create a Key | ||
We first need to create a key in the transit backend. Assuming it's been enabled at `/transit` we can create the key like so: | ||
```bash | ||
vault write -f transit/keys/my-stack | ||
``` | ||
## Initialize your stack | ||
Initialize your stack with Pulumi and ensure you set the `--secrets-provider` flag: | ||
```bash | ||
# Using your alias | ||
pulumi stack init $PULUMI_ORG_NAME/$PULUMI_STACK_NAME --secrets-provider="hashivault:https://my-stack" | ||
``` | ||
## Verify your stack settings | ||
If everything has worked as expected, you should be able to verify in your stack settings that the secretsprovider is set: | ||
```bash | ||
cat Pulumi.$PULUMI_STACK_NAME.yaml | ||
secretsprovider: hashivault:https://my-stack | ||
encryptedkey: dmF1bHQ6djE6TlhML000T2ZCcWVTSjRmeFhiOVpLeWNmUjErK1k0Wnh6QVhTQm56TXBvZ0dyL2RCQUdEcUFBTHdDUHNIMW8yQkxrVVJNdlNDeDdtbUd2WG0= | ||
``` | ||
## Set your configuration settings | ||
```bash | ||
pulumi config set aws:region us-west-2 | ||
# Set the bucketname & the secret contents | ||
pulumi config set bucketName pulumi-lbriggs | ||
pulumi config set --secret secretValue "correct-horse-battery-stable" | ||
``` | ||
## Create the stack | ||
```bash | ||
# This will create the stack without prompting, be aware! | ||
pulumi up --yes | ||
Previewing update (vault-kms): | ||
Type Name Plan | ||
+ pulumi:pulumi:Stack pulumi-vault-kms-vault-kms create | ||
+ ├─ aws:s3:Bucket bucket create | ||
+ └─ aws:s3:BucketObject secret create | ||
Resources: | ||
+ 3 to create | ||
Updating (aws-kms): | ||
Type Name Status | ||
+ pulumi:pulumi:Stack pulumi-vault-kms-vault-kms created | ||
+ ├─ aws:s3:Bucket bucket created | ||
+ └─ aws:s3:BucketObject secret created | ||
Outputs: | ||
bucketId: "pulumi-lbriggs" | ||
secretId: "[secret]" | ||
Resources: | ||
+ 3 created | ||
Duration: 8s | ||
Permalink: <redacted> | ||
``` | ||
You'll notice the secret value is also omitted from the output! | ||
## Verify the encryption | ||
A quick way to verify if the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting: | ||
```bash | ||
unset | ||
pulumi up --yes | ||
error: getting secrets manager: secrets (code=Unknown): Error making API request. | ||
URL: PUT http:https://vault.service.consul:8200/v1/transit/decrypt/my-stack | ||
Code: 400. Errors: | ||
* missing client token | ||
``` | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
import * as pulumi from "@pulumi/pulumi"; | ||
import * as aws from "@pulumi/aws"; | ||
import * as awsx from "@pulumi/awsx"; | ||
import { secret } from "@pulumi/pulumi"; | ||
|
||
// Import config | ||
const config = new pulumi.Config(); | ||
|
||
// Make the bucketName configurable | ||
const bucketName = config.require('bucketName'); | ||
const secretValue = config.requireSecret('secretValue'); | ||
|
||
// Create a private bucket | ||
const bucket = new aws.s3.Bucket("bucket", { | ||
bucket: bucketName, | ||
acl: "private", | ||
}); | ||
|
||
// Create an object from the secret value | ||
const superSecretObject = new aws.s3.BucketObject("secret", { | ||
bucket: bucket.id, | ||
key: "secret", | ||
content: secretValue, | ||
}) | ||
|
||
// Export the name of the bucket and the secretValue | ||
export const bucketId = bucket.id; | ||
export const secretId = secretValue; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
{ | ||
"name": "pulumi-aws-kmstest", | ||
"devDependencies": { | ||
"@types/node": "^8.0.0" | ||
}, | ||
"dependencies": { | ||
"@pulumi/pulumi": "^2.0.0", | ||
"@pulumi/aws": "^2.0.0", | ||
"@pulumi/awsx": "^0.18.10" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
{ | ||
"compilerOptions": { | ||
"strict": true, | ||
"outDir": "bin", | ||
"target": "es2016", | ||
"module": "commonjs", | ||
"moduleResolution": "node", | ||
"sourceMap": true, | ||
"experimentalDecorators": true, | ||
"pretty": true, | ||
"noFallthroughCasesInSwitch": true, | ||
"noImplicitReturns": true, | ||
"forceConsistentCasingInFileNames": true | ||
}, | ||
"files": [ | ||
"index.ts" | ||
] | ||
} |