feat: Core-itn secrets (#2126)

* init core-itn secrets * fix init key for sops * sops.sh clean code * terrasops.sh clean code * sops.sh clean * sops.sh clean code & echo messagges * sops.sh completed clean * removed configs.json * terrasops.sh clean * added sops secrets for dev * added config files * added sops for uat and prod configuration * sops.sh minor fix * terrasops.sh fix terraform communication * moved terrasops.sh and sops.sh to script folder * updated providers * added secrets for prod and uat * minor fix * added symb link for sops.sh terrasops.sh terraform.sh * pre-commit fixs
pagopa · Jun 11, 2024 · bafc3c9 · bafc3c9
1 parent 94457f0
commit bafc3c9
Show file tree

Hide file tree

Showing 32 changed files with 762 additions and 1 deletion.
diff --git a/scripts/sops.sh b/scripts/sops.sh
@@ -0,0 +1,137 @@
+#!/bin/bash
+
+# set -x  # Uncomment this line to enable debug mode
+
+#
+# how to use `sh sops.sh`
+# ℹ️ This script allows you to create a sops file with the relative azure key,
+# it also allows you to edit the secrets and add them with the script.
+# ℹ️ This script also uses an inventory file under the "./secret/<env>/secret.ini"
+# directory to load environment variables.
+#
+
+action=$1
+env=$2
+shift 2
+# shellcheck disable=SC2034
+other=( "$@" )
+
+if [ -z "$action" ]; then
+  helpmessage=$(cat <<EOF
+  ℹ️ Please follow this example on how to use the script
+
+./sops.sh d <env> -> decrypt json file in specified environment
+    example: ./sops.sh d itn-dev
+    example: ./sops.sh decrypt itn-dev
+
+./sops.sh s <env> -> search in enc file in specified environment
+    example: ./sops.sh s itn-dev
+    example: ./sops.sh search itn-dev
+
+./sops.sh n <env> -> create new file enc json template in specified environment
+    example: ./sops.sh n itn-dev
+    example: ./sops.sh new itn-dev
+
+./sops.sh a <env> -> add new secret record to enc json in specified environment
+    example: ./sops.sh a itn-dev
+    example: ./sops.sh add itn-dev
+
+./sops.sh e <env> -> edit enc json record in specified environment
+    example: ./sops.sh e itn-dev
+    example: ./sops.sh edit itn-dev
+
+./sops.sh f <env>  -> enc a json file in a specified environment
+    example: ./sops.sh f itn-dev
+
+EOF
+)
+  echo "$helpmessage"
+  exit 0
+fi
+
+if [ -z "$env" ]; then
+  echo "env should be something like: itn-dev, itn-uat or itn-prod."
+  exit 0
+fi
+
+echo "🔨 Mandatory variables are correct"
+file_crypted=""
+kv_name=""
+kv_sops_key_name=""
+
+# shellcheck disable=SC1090
+source "./secret/$env/secret.ini"
+
+echo "🔨 All variables loaded"
+
+# Check if kv_name and file_crypted variables are not empty
+if [ -z "${kv_name}" ]; then
+  echo "❌ Error: kv_name variable is not defined correctly."
+  exit 1
+fi
+
+if [ -z "$file_crypted" ]; then
+  echo "❌ Error: file_crypted variable is not defined correctly."
+  exit 1
+fi
+
+encrypted_file_path="./secret/$env/$file_crypted"
+
+# Check if the key exists in the Key Vault
+# shellcheck disable=SC2154
+kv_key_url=$(az keyvault key show --vault-name "$kv_name" --name "$kv_sops_key_name" --query "key.kid" -o tsv)
+if [ -z "$kv_key_url" ]; then
+  echo "❌ The key does not exist."
+  exit 1
+fi
+echo "[INFO] Key URL: $kv_key_url"
+
+echo "🔨 Key URL loaded correctly"
+
+if echo "d decrypt a add s search n new e edit f" | grep -w "$action" > /dev/null; then
+  case $action in
+    "d"|"decrypt")
+      sops --decrypt --azure-kv "$kv_key_url" "$encrypted_file_path"
+      if [ $? -eq 1 ]; then
+        echo "❌ File $encrypted_file_path NOT encrypted"
+        exit 0
+      fi
+      ;;
+    "s"|"search")
+      read -r -p 'key: ' key
+      sops --decrypt --azure-kv "$kv_key_url" "$encrypted_file_path" | grep -i "$key"
+      ;;
+    "a"|"add")
+      read -r -p 'key: ' key
+      read -r -p 'value: ' value
+      sops -i --set '["'"$key"'"] "'"$value"'"' --azure-kv "$kv_key_url" "$encrypted_file_path"
+      echo "✅ Added key"
+      ;;
+    "n"|"new")
+      if [ -f "$encrypted_file_path" ]; then
+        echo "⚠️ file $encrypted_file_path already exists"
+        exit 0
+      fi
+      echo "{}" > "$encrypted_file_path"
+      sops --encrypt -i --azure-kv "$kv_key_url" "$encrypted_file_path"
+      echo "✅ created new file for sops"
+      ;;
+    "e"|"edit")
+      if [ ! -f "$encrypted_file_path" ]; then
+        echo "⚠️ file $encrypted_file_path not found"
+        exit 1
+      fi
+
+      sops --azure-kv "$kv_key_url" "$encrypted_file_path"
+      echo "✅ edit file completed"
+
+      ;;
+    "f")
+      read -r -p 'file: ' file
+      sops --encrypt --azure-kv "$kv_key_url" "./secret/$env/$file" > "$encrypted_file_path"
+      ;;
+  esac
+else
+  echo "⚠️ Action not allowed."
+  exit 1
+fi
diff --git a/scripts/terrasops.sh b/scripts/terrasops.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# set -x  # Uncomment this line to enable debug mode
+
+#
+# ℹ️ This script is used by terraform, to decrypt all secrets on sops and export them to json.
+#    This way it can loop through them and use them to insert them inside the KV
+# ⚠️ Do not add additional echos to the script in case of golden path,
+#    as the script only needs to return a json
+#
+
+eval "$(jq -r '@sh "export terrasops_env=\(.env)"')"
+
+# shellcheck disable=SC1090
+source "./secret/$terrasops_env/secret.ini"
+encrypted_file_path="./secret/$terrasops_env/$file_crypted"
+
+if [ -f "$encrypted_file_path" ]; then
+  # Load the values of azure_kv.vault_url and azure_kv.name from the JSON file
+  azure_kv_vault_url=$(jq -r '.sops.azure_kv[0].vault_url' "$encrypted_file_path")
+  azure_kv_name=$(jq -r '.sops.azure_kv[0].name' "$encrypted_file_path")
+
+  if [ -z "$azure_kv_vault_url" ] || [ -z "$azure_kv_name" ]; then
+    echo "❌ Error: Unable to load the values of azure_kv.vault_url and azure_kv.name from the JSON file" >&2
+    exit 1
+  fi
+  sops -d --azure-kv "azure_kv_vault_url" "$encrypted_file_path" | jq -c
+else
+  echo "{}" | jq -c
+fi
diff --git a/src/aks-leonardo/80_vm_debug.tf b/src/aks-leonardo/80_vm_debug.tf
@@ -0,0 +1,26 @@
+
+
+resource "azurerm_linux_virtual_machine" "vm_debug" {
+  name                = "${local.product_location}-aks-vm-debug"
+  resource_group_name = azurerm_resource_group.rg_aks.name
+  location            = azurerm_resource_group.rg_aks.location
+  size                = "Standard_B2ms"
+  admin_username      = "adminuser"
+  admin_password      = "P@ssw0rd1234!"
+  disable_password_authentication = false
+  network_interface_ids = [
+    azurerm_network_interface.example.id,
+  ]
+
+  os_disk {
+    caching              = "ReadWrite"
+    storage_account_type = "Standard_LRS"
+  }
+
+  source_image_reference {
+    publisher = "Canonical"
+    offer     = "0001-com-ubuntu-server-focal"
+    sku       = "22.04-LTS"
+    version   = "latest"
+  }
+}
diff --git a/src/aks-leonardo/99_locals.tf b/src/aks-leonardo/99_locals.tf
@@ -1,7 +1,7 @@
 locals {
   product          = "${var.prefix}-${var.env_short}"
-  project          = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
   product_location = "${var.prefix}-${var.env_short}-${var.location_short}"
+  project          = "${var.prefix}-${var.env_short}-${var.location_short}-${var.domain}"
 
   # AKS
   aks_rg_name      = "${local.project}-aks-rg"

diff --git a/src/core-itn-secrets/.terraform.lock.hcl b/src/core-itn-secrets/.terraform.lock.hcl
diff --git a/src/core-itn-secrets/02_key_secret.tf b/src/core-itn-secrets/02_key_secret.tf
@@ -0,0 +1,47 @@
+data "external" "terrasops" {
+  program = [
+    "bash", "terrasops.sh"
+  ]
+  query = {
+    env = "${var.location_short}-${var.env}"
+  }
+}
+
+locals {
+  all_enc_secrets_value = can(data.external.terrasops.result) ? flatten([
+    for k, v in data.external.terrasops.result : {
+      value = v
+      key   = k
+    }
+  ]) : []
+
+  config_secret_data = jsondecode(file(var.input_file))
+  all_config_secrets_value = flatten([
+    for kc, vc in local.config_secret_data : {
+      value = vc
+      key   = kc
+    }
+  ])
+
+  all_secrets_value = concat(local.all_config_secrets_value, local.all_enc_secrets_value)
+}
+
+## SOPS secrets
+
+## Upload all encrypted secrets
+resource "azurerm_key_vault_secret" "secret" {
+  for_each = { for i, v in local.all_secrets_value : local.all_secrets_value[i].key => i }
+
+  key_vault_id = data.azurerm_key_vault.kv.id
+  name         = local.all_secrets_value[each.value].key
+  value        = local.all_secrets_value[each.value].value
+
+  depends_on = [
+    data.azurerm_key_vault.kv,
+    azurerm_key_vault_key.generate_key_sops,
+    data.external.terrasops,
+  ]
+}
+
+
+# ⚠️ The secrets from resources are set in printit-app to avoid circular dependency
diff --git a/src/core-itn-secrets/0_init_key_sops.tf b/src/core-itn-secrets/0_init_key_sops.tf
@@ -0,0 +1,17 @@
+data "azurerm_key_vault" "kv" {
+  name                = local.key_vault_name
+  resource_group_name = local.key_vault_rg_name
+}
+
+resource "azurerm_key_vault_key" "generate_key_sops" {
+  name         = "${local.product}-${var.domain}-sops-key"
+  key_vault_id = data.azurerm_key_vault.kv.id
+  key_type     = "RSA"
+  key_size     = 2048
+
+  key_opts = [
+    "decrypt",
+    "encrypt",
+  ]
+
+}