Add examples for secrets providers (pulumi#630)

* Add examples for secrets providers

* Address feedback

Remove copy-paste errors from Azure README.md
Rename Azure project to use keyvault name

secrets-provider/README.md

@@ -0,0 +1,6 @@
+# Setting up secrets providers for Pulumi
+
+Pulumi supports [secrets-providers](https://www.pulumi.com/docs/intro/concepts/config/#configuring-secrets-encryption) which allow you to encrypt the secrets you store in the Pulumi statefile.
+
+This example shows how to set up the secrets for each cloud and walks through initializing your stack using the different secrets providers.
+

secrets-provider/aws/.gitignore

@@ -0,0 +1,3 @@
+/bin/
+/node_modules/
+Pulumi.*.yaml

secrets-provider/aws/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: pulumi-aws-kms
+runtime: nodejs
+description: Minimal config which shows how AWS encryption support works

secrets-provider/aws/README.md

@@ -0,0 +1,108 @@
+# Pulumi AWS KMS Encryption
+
+Pulumi allows you to use KMS encryption from your cloud provider to encrypt any secrets stored in the backend.
+
+This example shows how this might be done for AWS KMS. It creates an S3 bucket with a single file that has a "secret" value.
+
+# Getting Started
+
+To use this example, perform the following steps. This examples assumes you have the pulumi-cli installed and the aws-cli installed.
+
+You should also ensure you have the correct `AWS_PROFILE` set:
+
+```bash
+export AWS_PROFILE="myaccount"
+```
+
+## Create an AWS KMS Key
+
+```bash
+aws kms create-key --tags TagKey=Purpose,TagValue="Pulumi Secret Encryption" --description "Pulumi secret encryption Key"
+
+# Optionally create an alias to this key
+aws kms create-alias --alias-name alias/pulumi-encryption --target-key-id $MY_KEY_ID
+```
+
+_When creating your key, be sure to specify a sane key policy that restricts access to only those that need to use the key_
+
+## Initialize your stack
+
+Initialize your stack with Pulumi and ensure you set the `--secrets-provider` flag:
+
+```bash
+# Using your alias
+pulumi stack init $PULUMI_ORG_NAME/$PULUMI_STACK_NAME --secrets-provider="awskms:https://alias/pulumi-encryption?region=us-west-2"
+
+# Using your key id
+pulumi stack init $PULUMI_ORG_NAME/$PULUMI_STACK_NAME --secrets-provider="awskms:https://1234abcd-12ab-34cd-56ef-1234567890ab?region=us-west-2"
+```
+
+## Verify your stack settings
+
+If everything has worked as expected, you should be able to verify in your stack settings that the secretsprovider is set:
+
+```bash
+cat Pulumi.$PULUMI_STACK_NAME.yaml
+secretsprovider: awskms:https://alias/pulumi-encryption?region=us-west-2
+encryptedkey: AQICAHiGajWxHHTBJxo1FU9BOztzLzxEXpr02SgLetPNGfdfLAG7c5ylmHRJJRz5jtaj2LtzAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMT+iyFkgT4bmdja9WAgEQgDuVYN+iLr6sdyFNGXJS8GfjKiqMBXVvwmn9byd3ywCfJwMsuDnpqAWSmquV5eoLBdPEEOY1D/TuBQuCLQ==
+```
+
+## Set your configuration settings
+
+```bash
+pulumi config set aws:region us-west-2
+# Set the bucketname & the secret contents
+pulumi config set bucketName pulumi-lbriggs
+pulumi config set --secret secretValue "correct-horse-battery-stable"
+```
+
+## Create the stack
+
+```bash
+# This will create the stack without prompting, be aware!
+pulumi up --yes
+Previewing update (aws-kms):
+ Type Name Plan
+ + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms create
+ + ├─ aws:s3:Bucket bucket create
+ + └─ aws:s3:BucketObject secret create
+
+Resources:
+ + 3 to create
+
+Updating (aws-kms):
+ Type Name Status
+ + pulumi:pulumi:Stack pulumi-aws-kms-aws-kms created
+ + ├─ aws:s3:Bucket bucket created
+ + └─ aws:s3:BucketObject secret created
+
+Outputs:
+ bucketId: "pulumi-lbriggs"
+ secretId: "[secret]"
+
+Resources:
+ + 3 created
+
+Duration: 8s
+
+Permalink: <redacted>
+```
+
+You'll notice the secret value is also omitted from the output!
+
+## Verify the encryption
+
+A quick way to verify if the encryption is using the AWS KMS key is to remove your `AWS_PROFILE` setting:
+
+```bash
+unset AWS_PROFILE
+pulumi up --yes
+error: getting secrets manager: secrets (code=Unknown): InvalidSignatureException: The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.
+ status code: 400, request id: 35ff51c6-ef88-4c06-9146-361231b8fd4a
+```
+
+
+
+
+
+

secrets-provider/aws/index.ts

@@ -0,0 +1,28 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as aws from "@pulumi/aws";
+import * as awsx from "@pulumi/awsx";
+import { secret } from "@pulumi/pulumi";
+
+// Import config
+const config = new pulumi.Config();
+
+// Make the bucketName configurable
+const bucketName = config.require('bucketName');
+const secretValue = config.requireSecret('secretValue');
+
+// Create a private bucket
+const bucket = new aws.s3.Bucket("bucket", {
+ bucket: bucketName,
+ acl: "private",
+});
+
+// Create an object from the secret value
+const superSecretObject = new aws.s3.BucketObject("secret", {
+ bucket: bucket.id,
+ key: "secret",
+ content: secretValue,
+})
+
+// Export the name of the bucket and the secretValue
+export const bucketId = bucket.id;
+export const secretId = secretValue;

secrets-provider/aws/package.json

@@ -0,0 +1,11 @@
+{
+ "name": "pulumi-aws-kmstest",
+ "devDependencies": {
+ "@types/node": "^8.0.0"
+ },
+ "dependencies": {
+ "@pulumi/pulumi": "^1.0.0",
+ "@pulumi/aws": "^1.0.0",
+ "@pulumi/awsx": "^0.18.10"
+ }
+}

secrets-provider/aws/tsconfig.json

@@ -0,0 +1,18 @@
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "bin",
+ "target": "es2016",
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "sourceMap": true,
+ "experimentalDecorators": true,
+ "pretty": true,
+ "noFallthroughCasesInSwitch": true,
+ "noImplicitReturns": true,
+ "forceConsistentCasingInFileNames": true
+ },
+ "files": [
+ "index.ts"
+ ]
+}

secrets-provider/azure/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

secrets-provider/azure/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: pulumi-azure-keyvault
+runtime: nodejs
+description: Minimal config which shows how Azure encryption support works

secrets-provider/azure/README.md

@@ -0,0 +1,109 @@
+# Pulumi Azure KMS Encryption
+
+Pulumi allows you to use Azure Keyvault encryption from your cloud provider to encrypt any secrets stored in the backend.
+
+This example shows how this might be done for Azure Keyvault. It creates a storage bucket with a single file that has a "secret" value.
+
+# Getting Started
+
+To use this example, perform the following steps. This examples assumes you have the pulumi-cli installed and the Azure CLI installed.
+
+You should also ensure:
+
+ * You azure command line tool installed
+ * You are logging in via the `az` command line tool.
+ * You have created a resource-group
+ * You must have the environment variable `AZURE_KEYVAULT_AUTH_VIA_CLI` set to `true` eg: `export AZURE_KEYVAULT_AUTH_VIA_CLI=true`
+
+## Create an Azure Keyvault Key
+
+```bash
+# First, create a keyvault
+az keyvault create -l westus -n pulumi --resource-group $RESOURCE_GROUP_NAME
+
+# Then, create a key
+az keyvault key create --name pulumi-secret --vault-name pulumi
+
+# Finally, set the relevant permissions on the keyvault
+az keyvault set-policy --name pulumi --object-id $YOUR_OBJECT_ID --key-permissions decrypt get create delete list update import backup restore recover
+```
+
+_When creating your key, be sure to specify a permissions that restricts access to only those that need to use the key_
+
+## Initialize your stack
+
+Initialize your stack with Pulumi and ensure you set the `--secrets-provider` flag:
+
+```bash
+# Using your vault and key name
+pulumi stack init $PULUMI_ORG_NAME/$PULUMI_STACK_NAME --secrets-provider="azurekeyvault:https://pulumi.vault.azure.net/keys/pulumi-secret"
+```
+
+## Verify your stack settings
+
+If everything has worked as expected, you should be able to verify in your stack settings that the secretsprovider is set:
+
+```bash
+cat Pulumi.$PULUMI_STACK_NAME.yaml
+secretsprovider: azurekeyvault:https://pulumi.vault.azure.net/keys/pulumi-secret/b636b47f2b474b2a8de3526561eae81b
+encryptedkey: Q2U5a1ZuTWsxLXVWOFdhVEdfaGExdWR1SzhzTlVFMldhWGlxU3RJVVdUWFJBcmM4M1ZlYzZOVVlpU3J2dW1NX2RIelMwV1h4el9hSjFibjcwdjVXcEgxZVlFa2c1LTlGUTBwX2ZnamcyNXh0V2RnYXlKaUNWSzd0VmlhY0ZyT2NCNGJ2SG40NkE4OFR2d0NWVzVEOUZOaUpGNm03TTlLUEl4VC0tbG9fYUJSSUlrZDJuUmNxVTJ2cWxDUjYtdVJYYjJKUjFoTlRYYkNaaEVTUzY4dGtNajZNRXBOQ1k4OGc4d0RTeUVBVGhweEswbUVXc3RaaGUtdnpQdktVY2tFUGFCVkdOaHZHOU1SYU91RWJ6QVZnLUtVdExHYlFHd19vUU15T3I4d3ZvajdJQ0liS0QtUTNLY0h4Q0JsMGNjd1A5ZXNWRUNNQ0tQZGhPY1cySTJwU1BR
+
+```
+
+## Set your configuration settings
+
+```bash
+pulumi config set azure:location westus
+# Set the bucketname & the secret contents
+pulumi config set bucketName pulumilbriggs
+pulumi config set --secret secretValue "correct-horse-battery-stable"
+```
+
+## Create the stack
+
+```bash
+# This will create the stack without prompting, be aware!
+Previewing update (azure-keyvault):
+ Type Name Plan
+ pulumi:pulumi:Stack pulumi-azure-keyvault-azure-keyvault
+ + ├─ azure:core:ResourceGroup resourceGroup create
+ + ├─ azure:storage:Account storage create
+ + ├─ azure:storage:Container container create
+ + └─ azure:storage:Blob blob create
+
+Outputs:
+ + connectionString: output<string>
+
+Resources:
+ + 4 to create
+ 1 unchanged
+
+Updating (azure-keyvault):
+ Type Name Status
+ pulumi:pulumi:Stack pulumi-azure-keyvault-azure-keyvault
+ + ├─ azure:core:ResourceGroup resourceGroup created
+ + ├─ azure:storage:Account storage created
+ + ├─ azure:storage:Container container created
+ + └─ azure:storage:Blob blob created
+
+Outputs:
+ + connectionString: "DefaultEndpointsProtocol=https;AccountName=pulumilbriggs;AccountKey=Efa63L/xDstQgyvgsYHZqzl3oIlQA4scS4NeX/O1TeBI3mbwMcKxiHIkAGkwJj21EPzHebiuAUM09i7dVv3f/A==;EndpointSuffix=core.windows.net"
+
+Resources:
+ + 4 created
+ 1 unchanged
+
+Duration: 31s
+
+Permalink: https://app.pulumi.com/jaxxstorm/pulumi-azure-keyvault/azure-keyvault/updates/3
+```
+
+You'll notice the secret value is also omitted from the output!
+
+## Verify the encryption
+
+A quick way to verify if the encryption is using the Azure Keyvault key is to remove your application credentials temporarily:
+
+```
+unset AZURE_KEYVAULT_AUTH_VIA_CLI
+```

secrets-provider/azure/index.ts

@@ -0,0 +1,40 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as azure from "@pulumi/azure";
+
+const config = new pulumi.Config();
+
+// Make the bucketName configurable
+const bucketName = config.require('bucketName');
+const secretValue = config.requireSecret('secretValue');
+
+// Create an Azure Resource Group
+const resourceGroup = new azure.core.ResourceGroup("resourceGroup", {
+ name: "lbriggs-pulumi"
+});
+
+// Create an Azure resource (Storage Account)
+const account = new azure.storage.Account("storage", {
+ name: bucketName,
+ // The location for the storage account will be derived automatically from the resource group.
+ resourceGroupName: resourceGroup.name,
+ accountTier: "Standard",
+ accountReplicationType: "LRS",
+});
+
+const container = new azure.storage.Container("container", {
+ name: bucketName,
+ storageAccountName: account.name,
+})
+
+const blob = new azure.storage.Blob("blob", {
+ storageAccountName: account.name,
+ storageContainerName: container.name,
+ sourceContent: secretValue,
+ type: "Block",
+})
+
+
+// Export the connection string for the storage account
+export const connectionString = account.primaryConnectionString;
+
+

secrets-provider/azure/package.json

@@ -0,0 +1,10 @@
+{
+ "name": "pulumi-azure-keyvault",
+ "devDependencies": {
+ "@types/node": "^8.0.0"
+ },
+ "dependencies": {
+ "@pulumi/pulumi": "^1.0.0",
+ "@pulumi/azure": "^2.0.0"
+ }
+}

secrets-provider/azure/tsconfig.json

@@ -0,0 +1,18 @@
+{
+ "compilerOptions": {
+ "strict": true,
+ "outDir": "bin",
+ "target": "es2016",
+ "module": "commonjs",
+ "moduleResolution": "node",
+ "sourceMap": true,
+ "experimentalDecorators": true,
+ "pretty": true,
+ "noFallthroughCasesInSwitch": true,
+ "noImplicitReturns": true,
+ "forceConsistentCasingInFileNames": true
+ },
+ "files": [
+ "index.ts"
+ ]
+}

secrets-provider/gcloud/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

secrets-provider/gcloud/Pulumi.yaml

@@ -0,0 +1,3 @@
+name: pulumi-gcloud-kms
+runtime: nodejs
+description: Minimal config to check gcloud encryption support