Merge pull request pulumi#680 from pulumi/vault-kms

Add vault example
azulus · May 5, 2020 · 9541377 · 9541377
2 parents 94ba6da + a1aa6c2
commit 9541377
Show file tree

Hide file tree

Showing 6 changed files with 178 additions and 0 deletions.
diff --git a/secrets-provider/vault/.gitignore b/secrets-provider/vault/.gitignore
@@ -0,0 +1,3 @@
+/bin/
+/node_modules/
+Pulumi.*.yaml
diff --git a/secrets-provider/vault/Pulumi.yaml b/secrets-provider/vault/Pulumi.yaml
@@ -0,0 +1,3 @@
+name: pulumi-vault-kms
+runtime: nodejs
+description: Minimal config which shows how Vault encryption support works
diff --git a/secrets-provider/vault/README.md b/secrets-provider/vault/README.md
@@ -0,0 +1,115 @@
+# Pulumi Vault Encryption
+
+Pulumi allows you to encrypt any secrets stored in the backend.
+
+This example shows how this might be done for Hashicorp Vault. It creates an S3 bucket with a single file that has a "secret" value.
+
+# Getting Started
+
+To use this example, perform the following steps. This examples assumes you have a working vault server with the [transit secret backend](https://www.vaultproject.io/docs/secrets/transit) enabled.
+
+You should ensure you have an environment variable, `VAULT_SERVER_URL` set to the address of your vault server:
+
+```bash
+export VAULT_SERVER_URL="https://vault.service.consul:8201
+```
+
+You should also have a [Vault token](https://www.vaultproject.io/docs/concepts/tokens) with a [policy](https://www.vaultproject.io/docs/concepts/policies) that is adequately scoped to allow access to the transit backend.
+
+Once you do, set the `VAULT_SERVER_TOKEN` environment variable:
+
+```bash
+export VAULT_SERVER_TOKEN=<token>
+```
+
+## Create a Key
+
+We first need to create a key in the transit backend. Assuming it's been enabled at `/transit` we can create the key like so:
+
+```bash
+
+vault write -f transit/keys/my-stack
+```
+
+## Initialize your stack
+
+Initialize your stack with Pulumi and ensure you set the `--secrets-provider` flag:
+
+```bash
+# Using your alias
+pulumi stack init $PULUMI_ORG_NAME/$PULUMI_STACK_NAME --secrets-provider="hashivault:https://my-stack"
+
+```
+
+## Verify your stack settings
+
+If everything has worked as expected, you should be able to verify in your stack settings that the secretsprovider is set:
+
+```bash
+cat Pulumi.$PULUMI_STACK_NAME.yaml
+secretsprovider: hashivault:https://my-stack
+encryptedkey: dmF1bHQ6djE6TlhML000T2ZCcWVTSjRmeFhiOVpLeWNmUjErK1k0Wnh6QVhTQm56TXBvZ0dyL2RCQUdEcUFBTHdDUHNIMW8yQkxrVVJNdlNDeDdtbUd2WG0=
+```
+
+## Set your configuration settings
+
+```bash
+pulumi config set aws:region us-west-2
+# Set the bucketname & the secret contents
+pulumi config set bucketName pulumi-lbriggs
+pulumi config set --secret secretValue "correct-horse-battery-stable"
+```
+
+## Create the stack
+
+```bash
+# This will create the stack without prompting, be aware!
+pulumi up --yes
+Previewing update (vault-kms):
+ Type Name Plan
+ + pulumi:pulumi:Stack pulumi-vault-kms-vault-kms create
+ + ├─ aws:s3:Bucket bucket create
+ + └─ aws:s3:BucketObject secret create
+
+Resources:
+ + 3 to create
+
+Updating (aws-kms):
+ Type Name Status
+ + pulumi:pulumi:Stack pulumi-vault-kms-vault-kms created
+ + ├─ aws:s3:Bucket bucket created
+ + └─ aws:s3:BucketObject secret created
+
+Outputs:
+ bucketId: "pulumi-lbriggs"
+ secretId: "[secret]"
+
+Resources:
+ + 3 created
+
+Duration: 8s
+
+Permalink: <redacted>
+```
+
+You'll notice the secret value is also omitted from the output!
+
+## Verify the encryption
+
+A quick way to verify if the encryption is using the Vault key is to remove your `VAULT_SERVER_TOKEN` environment variable setting:
+
+```bash
+unset 
+pulumi up --yes
+error: getting secrets manager: secrets (code=Unknown): Error making API request.
+
+URL: PUT http:https://vault.service.consul:8200/v1/transit/decrypt/my-stack
+Code: 400. Errors:
+
+* missing client token
+```
+
+
+
+
+
diff --git a/secrets-provider/vault/index.ts b/secrets-provider/vault/index.ts
@@ -0,0 +1,28 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import { secret } from "@pulumi/pulumi";
+
+// Import config
+const config = new pulumi.Config();
+
+// Make the bucketName configurable
+const bucketName = config.require('bucketName');
+const secretValue = config.requireSecret('secretValue');
+
+// Create a private bucket
+const bucket = new aws.s3.Bucket("bucket", {
+ bucket: bucketName,
+ acl: "private",
+});
+
+// Create an object from the secret value
+const superSecretObject = new aws.s3.BucketObject("secret", {
+ bucket: bucket.id,
+ key: "secret",
+ content: secretValue,
+})
+
+// Export the name of the bucket and the secretValue
+export const bucketId = bucket.id;
+export const secretId = secretValue;
diff --git a/secrets-provider/vault/package.json b/secrets-provider/vault/package.json
@@ -0,0 +1,11 @@
+{
+ "name": "pulumi-aws-kmstest",
+ "devDependencies": {
+ "@types/node": "^8.0.0"
+ },
+ "dependencies": {
+ "@pulumi/pulumi": "^2.0.0",
+ "@pulumi/aws": "^2.0.0",
+ "@pulumi/awsx": "^0.18.10"
+ }
+}
diff --git a/secrets-provider/vault/tsconfig.json b/secrets-provider/vault/tsconfig.json
@@ -0,0 +1,18 @@
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "bin",
+ "target": "es2016",
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "sourceMap": true,
+ "experimentalDecorators": true,
+ "pretty": true,
+ "noFallthroughCasesInSwitch": true,
+ "noImplicitReturns": true,
+ "forceConsistentCasingInFileNames": true
+ },
+ "files": [
+ "index.ts"
+ ]
+}