Skip to content

Commit

Permalink
Add installation docs for Vault from upstream
Browse files Browse the repository at this point in the history
  • Loading branch information
guineveresaenger committed Oct 10, 2024
1 parent 5d5f632 commit b5968fe
Show file tree
Hide file tree
Showing 6 changed files with 1,294 additions and 1 deletion.
1,123 changes: 1,123 additions & 0 deletions docs/_index.md

Large diffs are not rendered by default.

2 changes: 2 additions & 0 deletions provider/installation-replaces/overview-desired.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
The Vault provider allows Terraform to read from, write to, and configure
[HashiCorp Vault](https://vaultproject.io/).
17 changes: 17 additions & 0 deletions provider/installation-replaces/overview-input.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
The Vault provider allows Terraform to read from, write to, and configure
[HashiCorp Vault](https://vaultproject.io/).

~> **Important** Interacting with Vault from Terraform causes any secrets
that you read and write to be persisted in both Terraform's state file
*and* in any generated plan files. For any Terraform module that reads or
writes Vault secrets, these files should be treated as sensitive and
protected accordingly.

This provider serves two pretty-distinct use-cases, which each have their
own security trade-offs and caveats that are covered in the sections that
follow. Consider these carefully before using this provider within your
Terraform configuration.

-> Visit the [Inject secrets into Terraform using the Vault provider](https://learn.hashicorp.com/tutorials/terraform/secrets-vault?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) Learn tutorial to learn how to use
short-lived credentials from Vault's AWS Secrets Engine to authenticate the
AWS provider.
25 changes: 25 additions & 0 deletions provider/installation-replaces/using-credentials-desired.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
~> **Important** It is important to ensure that the Vault token
has a long enough `time-to-live` to allow for all Vault resources to
be successfully provisioned. In the case where the `TTL` is insufficient,
you may encounter unexpected permission denied errors.
See [Vault Token TTLs](https://vaultproject.io/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
for more details.

Most Pulumi providers require credentials to interact with a third-party
service that they wrap. This provider allows such credentials to be obtained
from Vault, which means that operators or systems running Pulumi need
only access to a suitably-privileged Vault token in order to temporarily
lease the credentials for other providers.

To reduce the exposure of secrets, the provider requests a Vault token
with a relatively-short TTL (20 minutes, by default) which in turn means
that where possible Vault will revoke any issued credentials after that
time, but in particular it is unable to retract any static secrets such as
those stored in Vault's "generic" secret backend.

The requested token TTL can be controlled by the `max_lease_ttl_seconds`
provider argument described below.

Except as otherwise noted, the resources that read secrets from Vault
are designed such that they require only the *read* capability on the relevant
resources.
35 changes: 35 additions & 0 deletions provider/installation-replaces/using-credentials-input.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
~> **Important** It is important to ensure that the Vault token
has a long enough `time-to-live` to allow for all Vault resources to
be successfully provisioned. In the case where the `TTL` is insufficient,
you may encounter unexpected permission denied errors.
See [Vault Token TTLs](https://developer.hashicorp.com/vault/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls)
for more details.

Most Terraform providers require credentials to interact with a third-party
service that they wrap. This provider allows such credentials to be obtained
from Vault, which means that operators or systems running Terraform need
only access to a suitably-privileged Vault token in order to temporarily
lease the credentials for other providers.

Currently, Terraform has no mechanism to redact or protect secrets that
are returned via data sources, so secrets read via this provider will be
persisted into the Terraform state, into any plan files, and in some cases
in the console output produced while planning and applying. These artifacts
must therefore all be protected accordingly.

To reduce the exposure of such secrets, the provider requests a Vault token
with a relatively-short TTL (20 minutes, by default) which in turn means
that where possible Vault will revoke any issued credentials after that
time, but in particular it is unable to retract any static secrets such as
those stored in Vault's "generic" secret backend.

The requested token TTL can be controlled by the `max_lease_ttl_seconds`
provider argument described below. It is important to consider that Terraform
reads from data sources during the `plan` phase and writes the result into
the plan. Thus, a subsequent `apply` will likely fail if it is run after the
intermediate token has expired, due to the revocation of the secrets that
are stored in the plan.

Except as otherwise noted, the resources that read secrets from Vault
are designed such that they require only the *read* capability on the relevant
resources.
93 changes: 92 additions & 1 deletion provider/resources.go
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,10 @@
package provider

import (
"bytes"
"fmt"
"github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfgen"
"os"
"path/filepath"
"strings"
"unicode"
Expand Down Expand Up @@ -547,7 +550,20 @@ func Provider() tfbridge.ProviderInfo {
}

func docEditRules(defaults []tfbridge.DocsEdit) []tfbridge.DocsEdit {
return append(defaults, oktaAuthBackedUserImport)
edits := []tfbridge.DocsEdit{
// These sections would trigger other edit rules so they must run first for discovery.
cleanUpSecretsWarnings,
}
edits = append(edits,
defaults...,
)
return append(edits,
oktaAuthBackedUserImport,
skipConfiguringAndPopulatingSection,
skipBestPracticesSection,
skipTutorialsSection,
skipNamespacesSection,
)
}

var oktaAuthBackedUserImport = tfbridge.DocsEdit{
Expand All @@ -563,3 +579,78 @@ var oktaAuthBackedUserImport = tfbridge.DocsEdit{
}

var missingDocs = &tfbridge.DocInfo{AllowMissing: true}

// Pulumi does encrypt secrets, so redact TF specific warnings.
var cleanUpSecretsWarnings = tfbridge.DocsEdit{
Path: "index.html.markdown",
Edit: func(_ string, content []byte) ([]byte, error) {
files := []string{
"using-credentials",
"overview",
}
for _, file := range files {
input, err := os.ReadFile("provider/installation-replaces/" + file + "-input.md")
if err != nil {
return nil, err
}
replace, err := os.ReadFile("provider/installation-replaces/" + file + "-desired.md")
if err != nil {
return nil, err
}
if bytes.Contains(content, input) {
content = bytes.ReplaceAll(
content,
input,
replace)
} else {
// Hard error to ensure we keep this content up to date
return nil, fmt.Errorf("could not find text in upstream index.html.markdown, "+
"verify file content at %s", "provider/installation-replaces/"+file+"-input.md")
}

}
return content, nil
},
}

// Removes a "Best Practices" section that includes TF-specific recommendations
var skipBestPracticesSection = tfbridge.DocsEdit{
Path: "index.html.markdown",
Edit: func(_ string, content []byte) ([]byte, error) {
return tfgen.SkipSectionByHeaderContent(content, func(headerText string) bool {
return headerText == "Best Practices"
})
},
}

// Removes a "Configuring and Populating Vault" section that talks about secrets only
var skipConfiguringAndPopulatingSection = tfbridge.DocsEdit{
Path: "index.html.markdown",
Edit: func(_ string, content []byte) ([]byte, error) {
return tfgen.SkipSectionByHeaderContent(content, func(headerText string) bool {
return headerText == "Configuring and Populating Vault"
})
},
}

// This part of the documentation is very TF-specific.
// We should consider creating our own tutorial if the need arises.
// See https://github.com/pulumi/pulumi-vault/issues/618.
var skipNamespacesSection = tfbridge.DocsEdit{
Path: "index.html.markdown",
Edit: func(_ string, content []byte) ([]byte, error) {
return tfgen.SkipSectionByHeaderContent(content, func(headerText string) bool {
return headerText == "Namespace support"
})
},
}

// Removes a TF-specific "Tutorials" section
var skipTutorialsSection = tfbridge.DocsEdit{
Path: "index.html.markdown",
Edit: func(_ string, content []byte) ([]byte, error) {
return tfgen.SkipSectionByHeaderContent(content, func(headerText string) bool {
return headerText == "Tutorials"
})
},
}

0 comments on commit b5968fe

Please sign in to comment.