Implement sanctuary tool
Following the specification in #19 (closed), implement the sanctuary tool. See the doc/sanctuary.md file in the MR for details on running the tool.
This MR is split into some commits which lay the groundwork and implement a stub command line utility called sanctuary. The actual tool itself is implemented in the final commit.
As some testing, I've used the following configuration to replicate the bootstrap configuration from the API Gateway as a test. A reviewer should be able to compare the secrets in the API Gateway meta project to the ones in rjw57-playground-ceroh9th to check that they match.
```yaml
sanctuary:
  secrets:
    lookup-devops-bot-group-prod:
      from:
        op-cli-item:
          item-id: blrpqoma2dryxlefexk73ipnzu
          fields: [username, password]
      to:
        google-secret:
          project: &google-project rjw57-playground-ceroh9th
          name: lookup-devops-bot-group-prod
          iam_policy_bindings: &iam_policy_bindings
            - role: "roles/secretmanager.secretAccessor"
              members:
                - "serviceAccount:terraform-state@api-meta-2555105a.iam.gserviceaccount.com"
    lookup-devops-bot-group-test:
      from:
        op-cli-item:
          item-id: 6mruu2cw6zfelmgtgacxqik52q
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: lookup-devops-bot-group-test
          iam_policy_bindings: *iam_policy_bindings
    roo-contacts-api-credentials:
      from:
        op-cli-item:
          item-id: 6mruu2cw6zfelmgtgacxqik52q
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contacts-api-credentials
          iam_policy_bindings: *iam_policy_bindings
    roo-contracts-api-credentials:
      from:
        op-cli-item:
          item-id: alnlaxwlujqv2hpqohbdifgpeq
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contracts-api-credentials
          iam_policy_bindings: *iam_policy_bindings
    roo-contacts-api-staging-credentials:
      from:
        op-cli-item:
          item-id: 5rieh3gawggxi6firmqnli7oea
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contacts-api-staging-credentials
          iam_policy_bindings: *iam_policy_bindings
    roo-contracts-api-staging-credentials:
      from:
        op-cli-item:
          item-id: r22qdyt226yxnuhair6zezn4ly
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contracts-api-staging-credentials
          iam_policy_bindings: *iam_policy_bindings
    prod-dev-portal-tls-key:
      from:
        op-cli-document:
          document-id: hgj4uqgsqzdxtlfqozgxj3axoy
      to:
        google-secret:
          project: *google-project
          name: prod-dev-portal-tls-key
          iam_policy_bindings: *iam_policy_bindings
```
The format of the secrets matches those returned by our existing 1password terraform module for compatibility reasons.
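As an added illustration for reviewers (this is example code written for this review, not the sanctuary tool's own code or part of the MR), the snippet below shows the kind of pre-apply validation one would want over a config in the format above before secrets are copied into Google Secret Manager. It assumes the YAML has already been loaded with a parser such as `yaml.safe_load`, which resolves the `&anchor` / `*alias` references into plain nested dicts, and it assumes an accessor-only IAM policy (`roles/secretmanager.secretAccessor`) as the permitted role. The sample config embedded in it is constructed: two entries mirror the MR's config, which uses the same 1Password item-id for `lookup-devops-bot-group-test` and `roo-contacts-api-credentials` (the validator surfaces that for the reviewer to confirm), plus one deliberately over-privileged entry with a placeholder document-id.

```python
"""Added example: a pre-apply validator for a sanctuary-style config.

Illustrative code written for this review, not part of the sanctuary tool.
It assumes the config was loaded with a YAML parser (e.g. yaml.safe_load),
so anchors/aliases are already resolved into plain nested dicts.
"""
from collections import defaultdict

ALLOWED_ROLES = {"roles/secretmanager.secretAccessor"}  # assumed least-privilege policy
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}  # never acceptable on a secret
SOURCE_KINDS = {"op-cli-item": "item-id", "op-cli-document": "document-id"}


def validate(config):
    """Return (errors, warnings) for a parsed sanctuary config."""
    errors, warnings = [], []
    secrets = config.get("sanctuary", {}).get("secrets")
    if not isinstance(secrets, dict) or not secrets:
        return ["sanctuary.secrets must be a non-empty mapping"], warnings

    sources = defaultdict(list)  # (kind, source id) -> secret names using it
    for name, spec in secrets.items():
        if set(spec) != {"from", "to"}:
            errors.append(f"{name}: must have exactly 'from' and 'to' keys")
            continue

        src = spec["from"]
        kinds = set(src) & set(SOURCE_KINDS)
        if len(kinds) != 1:
            errors.append(f"{name}: 'from' must name exactly one source kind")
        else:
            kind = kinds.pop()
            body = src[kind]
            id_key = SOURCE_KINDS[kind]
            if not body.get(id_key):
                errors.append(f"{name}: {kind} needs a {id_key}")
            else:
                sources[(kind, body[id_key])].append(name)
            if kind == "op-cli-item" and not body.get("fields"):
                errors.append(f"{name}: op-cli-item must list the fields to copy")

        dst = spec["to"].get("google-secret")
        if not dst or not dst.get("project") or not dst.get("name"):
            errors.append(f"{name}: 'to.google-secret' needs project and name")
            continue
        if dst["name"] != name:
            warnings.append(f"{name}: destination name {dst['name']!r} differs from key")

        for binding in dst.get("iam_policy_bindings", []):
            role = binding.get("role")
            if role not in ALLOWED_ROLES:
                errors.append(f"{name}: role {role!r} is broader than accessor")
            for member in binding.get("members", []):
                if member in PUBLIC_MEMBERS:
                    errors.append(f"{name}: public member {member!r} on a secret")
                elif not member.startswith("serviceAccount:"):
                    warnings.append(f"{name}: non-service-account member {member!r}")

    # Two secrets fed from one source item is usually a copy-paste slip.
    for (kind, src_id), names in sources.items():
        if len(names) > 1:
            warnings.append(f"{kind} {src_id} feeds {len(names)} secrets: {', '.join(names)}")
    return errors, warnings


# Constructed sample: two entries as in the MR config (sharing one item-id)
# plus one deliberately over-privileged entry with a placeholder document-id.
BINDINGS = [{"role": "roles/secretmanager.secretAccessor",
             "members": ["serviceAccount:terraform-state@api-meta-2555105a.iam.gserviceaccount.com"]}]
SAMPLE = {"sanctuary": {"secrets": {
    "lookup-devops-bot-group-test": {
        "from": {"op-cli-item": {"item-id": "6mruu2cw6zfelmgtgacxqik52q",
                                 "fields": ["username", "password"]}},
        "to": {"google-secret": {"project": "rjw57-playground-ceroh9th",
                                 "name": "lookup-devops-bot-group-test",
                                 "iam_policy_bindings": BINDINGS}}},
    "roo-contacts-api-credentials": {
        "from": {"op-cli-item": {"item-id": "6mruu2cw6zfelmgtgacxqik52q",
                                 "fields": ["username", "password"]}},
        "to": {"google-secret": {"project": "rjw57-playground-ceroh9th",
                                 "name": "roo-contacts-api-credentials",
                                 "iam_policy_bindings": BINDINGS}}},
    "bad-example": {  # constructed: admin role plus a public member
        "from": {"op-cli-document": {"document-id": "PLACEHOLDER-DOCUMENT-ID"}},
        "to": {"google-secret": {"project": "rjw57-playground-ceroh9th",
                                 "name": "bad-example",
                                 "iam_policy_bindings": [
                                     {"role": "roles/secretmanager.admin",
                                      "members": ["allUsers"]}]}}},
}}}

if __name__ == "__main__":
    errs, warns = validate(SAMPLE)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run as a script it reports two errors for the constructed `bad-example` entry and one warning about the shared item-id; a real pre-commit hook would feed it the output of `yaml.safe_load` on the config file and fail on any error.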