Implement sanctuary tool
Following the specification in #19 (closed), implement the sanctuary tool. See the doc/sanctuary.md file in the MR for details on running the tool.
This MR is split into some commits which lay the groundwork and implement a stub command line utility called `sanctuary`. The actual tool itself is implemented in the final commit.
As some testing, I've used the following configuration to replicate the bootstrap configuration from the API Gateway. A reviewer should be able to compare the secrets in the API Gateway meta project to the ones in rjw57-playground-ceroh9th to check that they match.
```yaml
sanctuary:
  secrets:
    lookup-devops-bot-group-prod:
      from:
        op-cli-item:
          item-id: blrpqoma2dryxlefexk73ipnzu
          fields: [username, password]
      to:
        google-secret:
          project: &google-project rjw57-playground-ceroh9th
          name: lookup-devops-bot-group-prod
          iam_policy_bindings: &iam_policy_bindings
            - role: "roles/secretmanager.secretAccessor"
              members:
                - "serviceAccount:terraform-state@api-meta-2555105a.iam.gserviceaccount.com"
    lookup-devops-bot-group-test:
      from:
        op-cli-item:
          item-id: 6mruu2cw6zfelmgtgacxqik52q
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: lookup-devops-bot-group-test
          iam_policy_bindings: *iam_policy_bindings
    roo-contacts-api-credentials:
      from:
        op-cli-item:
          item-id: 6mruu2cw6zfelmgtgacxqik52q
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contacts-api-credentials
          iam_policy_bindings: *iam_policy_bindings
    roo-contracts-api-credentials:
      from:
        op-cli-item:
          item-id: alnlaxwlujqv2hpqohbdifgpeq
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contracts-api-credentials
          iam_policy_bindings: *iam_policy_bindings
    roo-contacts-api-staging-credentials:
      from:
        op-cli-item:
          item-id: 5rieh3gawggxi6firmqnli7oea
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contacts-api-staging-credentials
          iam_policy_bindings: *iam_policy_bindings
    roo-contracts-api-staging-credentials:
      from:
        op-cli-item:
          item-id: r22qdyt226yxnuhair6zezn4ly
          fields: [username, password]
      to:
        google-secret:
          project: *google-project
          name: roo-contracts-api-staging-credentials
          iam_policy_bindings: *iam_policy_bindings
    prod-dev-portal-tls-key:
      from:
        op-cli-document:
          document-id: hgj4uqgsqzdxtlfqozgxj3axoy
      to:
        google-secret:
          project: *google-project
          name: prod-dev-portal-tls-key
          iam_policy_bindings: *iam_policy_bindings
```
The format of the secrets matches those returned by our existing 1password terraform module for compatibility reasons.
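As an added example (not the sanctuary tool's own code, which lives in the MR's final commit and is not shown here), the following Python checker validates a config of the shape above before anything is synced and produces the plan a reviewer would compare against the API Gateway meta project. The config is embedded as a Python dict mirroring the YAML (anchors resolved to their values) so it runs without PyYAML; the function names, the `PlanEntry` type and the policy that only `roles/secretmanager.secretAccessor` is expected are assumptions of this example, not part of the tool. It also reports when one 1Password item is the source for more than one Google secret, which is the case for item `6mruu2cw6zfelmgtgacxqik52q` in the test config, so a reviewer can confirm that is intended.

```python
"""Validate a sanctuary-style config and build a sync plan.

Added example, not code from the sanctuary project.  The schema mirrors the
MR description: each secret has a `from` (op-cli-item or op-cli-document)
and a `to` (google-secret).  Names below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Source kinds and the keys each one requires (as used in the MR's config).
SOURCE_KEYS = {"op-cli-item": {"item-id", "fields"}, "op-cli-document": {"document-id"}}
# The only role the bootstrap config grants; anything broader is reported (assumed policy).
EXPECTED_ROLES = {"roles/secretmanager.secretAccessor"}


@dataclass(frozen=True)
class PlanEntry:
    secret: str        # key under sanctuary.secrets
    source_kind: str   # op-cli-item | op-cli-document
    source_id: str     # 1Password item or document id
    project: str       # destination GCP project
    members: tuple     # principals granted accessor on the secret


def check_secret(name, spec):
    """Return (PlanEntry or None, list of problems) for one secret spec."""
    problems = []
    src = spec.get("from") or {}
    if len(src) != 1 or next(iter(src)) not in SOURCE_KEYS:
        return None, [f"{name}: 'from' must contain exactly one of {sorted(SOURCE_KEYS)}"]
    kind, body = next(iter(src.items()))
    missing = SOURCE_KEYS[kind] - set(body or {})
    if missing:
        problems.append(f"{name}: {kind} is missing {sorted(missing)}")
    gs = (spec.get("to") or {}).get("google-secret")
    if not gs or not {"project", "name", "iam_policy_bindings"} <= set(gs):
        problems.append(f"{name}: 'to.google-secret' needs project, name and iam_policy_bindings")
        return None, problems
    members = []
    for binding in gs["iam_policy_bindings"]:
        if binding.get("role") not in EXPECTED_ROLES:
            problems.append(f"{name}: unexpected role {binding.get('role')!r}")
        members.extend(binding.get("members", []))
    if not members:
        problems.append(f"{name}: no principal would be able to read the secret")
    if problems:
        return None, problems
    source_id = body["item-id"] if kind == "op-cli-item" else body["document-id"]
    return PlanEntry(name, kind, source_id, gs["project"], tuple(members)), []


def build_plan(config):
    """Validate every secret; return (entries, problems, warnings)."""
    entries, problems = [], []
    by_source = defaultdict(list)
    for name, spec in config["sanctuary"]["secrets"].items():
        entry, errs = check_secret(name, spec)
        problems.extend(errs)
        if entry:
            entries.append(entry)
            by_source[(entry.source_kind, entry.source_id)].append(name)
    # One 1Password item feeding several secrets is legal but worth a reviewer's eye.
    warnings = [f"{kind} {sid} is the source for {', '.join(names)}"
                for (kind, sid), names in by_source.items() if len(names) > 1]
    return entries, problems, warnings


# Constructed sample: the MR's test config expressed as a dict, anchors resolved.
_BINDINGS = [{"role": "roles/secretmanager.secretAccessor",
              "members": ["serviceAccount:terraform-state@api-meta-2555105a.iam.gserviceaccount.com"]}]
_PROJECT = "rjw57-playground-ceroh9th"


def _dest(name):
    return {"google-secret": {"project": _PROJECT, "name": name, "iam_policy_bindings": _BINDINGS}}


def _item(name, item_id):
    return {"from": {"op-cli-item": {"item-id": item_id, "fields": ["username", "password"]}},
            "to": _dest(name)}


SAMPLE_CONFIG = {"sanctuary": {"secrets": {
    "lookup-devops-bot-group-prod": _item("lookup-devops-bot-group-prod", "blrpqoma2dryxlefexk73ipnzu"),
    "lookup-devops-bot-group-test": _item("lookup-devops-bot-group-test", "6mruu2cw6zfelmgtgacxqik52q"),
    "roo-contacts-api-credentials": _item("roo-contacts-api-credentials", "6mruu2cw6zfelmgtgacxqik52q"),
    "roo-contracts-api-credentials": _item("roo-contracts-api-credentials", "alnlaxwlujqv2hpqohbdifgpeq"),
    "roo-contacts-api-staging-credentials": _item("roo-contacts-api-staging-credentials", "5rieh3gawggxi6firmqnli7oea"),
    "roo-contracts-api-staging-credentials": _item("roo-contracts-api-staging-credentials", "r22qdyt226yxnuhair6zezn4ly"),
    "prod-dev-portal-tls-key": {"from": {"op-cli-document": {"document-id": "hgj4uqgsqzdxtlfqozgxj3axoy"}},
                                "to": _dest("prod-dev-portal-tls-key")},
}}}


if __name__ == "__main__":
    plan, errors, notes = build_plan(SAMPLE_CONFIG)
    for e in plan:
        print(f"{e.source_kind}:{e.source_id} -> {e.project}/{e.secret} readable by {', '.join(e.members)}")
    for line in errors + notes:
        print("!", line)
```

Run it as a pre-flight step before the real sync: a non-empty `problems` list should stop the run, while `warnings` are for the reviewer comparing destinations against the meta project.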