poise-citadel 1.1.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- data/.gitignore +11 -0
- data/.kitchen.yml +22 -0
- data/.travis.yml +33 -0
- data/CHANGELOG.md +14 -0
- data/Gemfile +32 -0
- data/LICENSE +201 -0
- data/README.md +179 -0
- data/Rakefile +17 -0
- data/chef/attributes/default.rb +24 -0
- data/lib/citadel.rb +80 -0
- data/lib/citadel/chef_dsl.rb +29 -0
- data/lib/citadel/cheftie.rb +37 -0
- data/lib/citadel/error.rb +33 -0
- data/lib/citadel/s3.rb +84 -0
- data/lib/citadel/safe_node.rb +41 -0
- data/lib/citadel/version.rb +21 -0
- data/poise-citadel.gemspec +41 -0
- data/test/cookbooks/citadel_test/attributes/default.rb +17 -0
- data/test/cookbooks/citadel_test/metadata.rb +20 -0
- data/test/cookbooks/citadel_test/recipes/default.rb +19 -0
- data/test/gemfiles/chef-12.0.gemfile +19 -0
- data/test/gemfiles/chef-12.1.gemfile +19 -0
- data/test/gemfiles/chef-12.10.gemfile +19 -0
- data/test/gemfiles/chef-12.2.gemfile +19 -0
- data/test/gemfiles/chef-12.3.gemfile +19 -0
- data/test/gemfiles/chef-12.4.gemfile +21 -0
- data/test/gemfiles/chef-12.5.gemfile +19 -0
- data/test/gemfiles/chef-12.6.gemfile +19 -0
- data/test/gemfiles/chef-12.7.gemfile +19 -0
- data/test/gemfiles/chef-12.8.gemfile +19 -0
- data/test/gemfiles/chef-12.9.gemfile +19 -0
- data/test/gemfiles/chef-12.gemfile +19 -0
- data/test/gemfiles/master.gemfile +22 -0
- data/test/integration/attr/serverspec/default_spec.rb +23 -0
- data/test/integration/iam/serverspec/default_spec.rb +23 -0
- data/test/spec/citadel_spec.rb +70 -0
- data/test/spec/s3_spec.rb +70 -0
- data/test/spec/spec_helper.rb +19 -0
- metadata +149 -0
checksums.yaml
ADDED
@@ -0,0 +1,7 @@
|
|
1
|
+
---
|
2
|
+
SHA1:
|
3
|
+
metadata.gz: ac4db946a9758cb875d6a5c848cfb1eca584b2ad
|
4
|
+
data.tar.gz: 7d4743151abeac769b03a99b2554aea6401b28e7
|
5
|
+
SHA512:
|
6
|
+
metadata.gz: 630446d34747b6e1bf82ae814f938140760741c0fac1ec13070e6bcae8d013ac2503b5d9ee79a7b8a99f9963d2d5cee62054178e874845ec788d6d67de703c5c
|
7
|
+
data.tar.gz: 7351d0bd6f53362f5322ba9aa8d6ad73efb7eb46851ce1fb335734debec9dd3297159ed0731377292299ad6ffbc52ffcd905758cdf3581ffde933b961f3cfb8e
|
data/.gitignore
ADDED
data/.kitchen.yml
ADDED
@@ -0,0 +1,22 @@
|
|
1
|
+
---
|
2
|
+
#<% IO.read('test/ec2/env').split.map{|s| s.split(/=/)}.each{|(k, v)| ENV[k] = v} if ::File.exist?('test/ec2/env') %>
|
3
|
+
#<% require 'poise_boiler' %>
|
4
|
+
<%= PoiseBoiler.kitchen(platforms: %w{ubuntu-14.04}, driver: 'ec2') %>
|
5
|
+
|
6
|
+
transport:
|
7
|
+
name: sftp
|
8
|
+
ssh_key: test/ec2/citadel-kitchen.key
|
9
|
+
|
10
|
+
suites:
|
11
|
+
- name: iam
|
12
|
+
run_list:
|
13
|
+
- recipe[citadel_test]
|
14
|
+
driver:
|
15
|
+
iam_profile_name: citadel-role
|
16
|
+
- name: attr
|
17
|
+
run_list:
|
18
|
+
- recipe[citadel_test]
|
19
|
+
attributes:
|
20
|
+
citadel:
|
21
|
+
access_key_id: <%= ENV['CITADEL_ACCESS_KEY_ID'] %>
|
22
|
+
secret_access_key: <%= ENV['CITADEL_SECRET_ACCESS_KEY'] %>
|
data/.travis.yml
ADDED
@@ -0,0 +1,33 @@
|
|
1
|
+
sudo: false
|
2
|
+
cache: bundler
|
3
|
+
language: ruby
|
4
|
+
rvm:
|
5
|
+
- '2.2'
|
6
|
+
env:
|
7
|
+
global:
|
8
|
+
- AWS_SECURITY_GROUP_ID=sg-accb7ad7
|
9
|
+
- AWS_SUBNET_ID=subnet-ca674af7
|
10
|
+
- AWS_SSH_KEY_ID=citadel-kitchen
|
11
|
+
- secure: G68O+EByjjbIZZmMVV2xQvYlAFqW8LHBj/j82E5mspvVxwhpqn5JdEUpPjR9GeD5Cjt2V13l0353hI9/KyZKwx2iuBR3lQQkyAZIb147bUpYT/yQuXLSYEmt7HxyPOrWCZ2aP0253WPGamKX+bK/OUh1PAbOq5EbTh+2qYvWXAE=
|
12
|
+
- secure: xXfMmQd6zQ7GUDH2+uGHukNW6ZvJQKIiDVi1rlqTF2IHCcgFzkKGR4Pb9JwEA2c8S0z/KSZ6+3F9o66735Oe53Yvoat18WfdFNrp7q8nPk68hZY2IVA6La7/g3SUhHXvija6d8ywRMwIH3ms6r3aVk2/vQnFxojRzbgxMf54XQg=
|
13
|
+
- secure: rwKhSzXKW1WAmofn+Z3Z9PfSQVU5/O84qjQjfVw0H3Cq7+vky4/ES+lnQqiMigY0E8MtxUHCidThPGMKE9rJzeLr/ARrJ+9D5xd927Pm5P+nnWsIdh8m38db914henn7AXDZzjbP+l+sbut5EdO2Hixl/qWgzoojSic276MSy9Q=
|
14
|
+
- secure: T0/zwIemVsXxxqhmIPqdp62TOH+ydZ1F/Fjvz2rEfal976UAfqAOZXnE3OHXOWYC2K/JIJmB+uaFh2Cv8M+lrYa/R3KjB5SYAVwdC6R55kYTRHz7m9XO0XToSoWRi7hjssbPaVsd/v2S3lO78sdn+Ormw6Ksr2IAl8pgxVzE/YI=
|
15
|
+
- secure: lvJZ2kkD32TPQg8loH5Jd5hGUzfBoL8WqfYdMyghYxe8+j+9915nz6xIiudQTEsxfh/KDvhbsR4xSqRvISsx8etTmzZ2M9HlNFFW0rHIQLrbvPNynlrOGZ88Tj2V1b7KgRXdXthLMi/fWwAmJMUsllUYE7i5QLLx2Ylf8iz1FEM=
|
16
|
+
before_install: gem install bundler
|
17
|
+
bundler_args: "--binstubs=$PWD/bin --jobs 3 --retry 3"
|
18
|
+
script:
|
19
|
+
- "openssl rsa -in test/ec2/citadel-kitchen.pem -passin env:KITCHEN_KEY_PASS -out test/ec2/citadel-kitchen.key"
|
20
|
+
- "./bin/rake travis"
|
21
|
+
gemfile:
|
22
|
+
- test/gemfiles/chef-12.gemfile
|
23
|
+
- test/gemfiles/chef-12.1.gemfile
|
24
|
+
- test/gemfiles/chef-12.2.gemfile
|
25
|
+
- test/gemfiles/chef-12.3.gemfile
|
26
|
+
- test/gemfiles/chef-12.4.gemfile
|
27
|
+
- test/gemfiles/chef-12.5.gemfile
|
28
|
+
- test/gemfiles/chef-12.6.gemfile
|
29
|
+
- test/gemfiles/chef-12.7.gemfile
|
30
|
+
- test/gemfiles/chef-12.8.gemfile
|
31
|
+
- test/gemfiles/chef-12.9.gemfile
|
32
|
+
- test/gemfiles/chef-12.10.gemfile
|
33
|
+
- test/gemfiles/master.gemfile
|
data/CHANGELOG.md
ADDED
data/Gemfile
ADDED
@@ -0,0 +1,32 @@
|
|
1
|
+
#
|
2
|
+
# Copyright 2016, Noah Kantrowitz
|
3
|
+
#
|
4
|
+
# Licensed under the Apache License, Version 2.0 (the "License");
|
5
|
+
# you may not use this file except in compliance with the License.
|
6
|
+
# You may obtain a copy of the License at
|
7
|
+
#
|
8
|
+
# http://www.apache.org/licenses/LICENSE-2.0
|
9
|
+
#
|
10
|
+
# Unless required by applicable law or agreed to in writing, software
|
11
|
+
# distributed under the License is distributed on an "AS IS" BASIS,
|
12
|
+
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
13
|
+
# See the License for the specific language governing permissions and
|
14
|
+
# limitations under the License.
|
15
|
+
#
|
16
|
+
|
17
|
+
source 'https://rubygems.org/'
|
18
|
+
|
19
|
+
gemspec path: File.expand_path('..', __FILE__)
|
20
|
+
|
21
|
+
def dev_gem(name, path: File.join('..', name), github: nil)
|
22
|
+
path = File.expand_path(File.join('..', path), __FILE__)
|
23
|
+
if File.exist?(path)
|
24
|
+
gem name, path: path
|
25
|
+
elsif github
|
26
|
+
gem name, github: github
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
dev_gem 'halite'
|
31
|
+
dev_gem 'poise-boiler', github: 'poise/poise-boiler'
|
32
|
+
dev_gem 'poise-profiler'
|
data/LICENSE
ADDED
@@ -0,0 +1,201 @@
|
|
1
|
+
Apache License
|
2
|
+
Version 2.0, January 2004
|
3
|
+
http://www.apache.org/licenses/
|
4
|
+
|
5
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
6
|
+
|
7
|
+
1. Definitions.
|
8
|
+
|
9
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
10
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
11
|
+
|
12
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
13
|
+
the copyright owner that is granting the License.
|
14
|
+
|
15
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
16
|
+
other entities that control, are controlled by, or are under common
|
17
|
+
control with that entity. For the purposes of this definition,
|
18
|
+
"control" means (i) the power, direct or indirect, to cause the
|
19
|
+
direction or management of such entity, whether by contract or
|
20
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
21
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
22
|
+
|
23
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
24
|
+
exercising permissions granted by this License.
|
25
|
+
|
26
|
+
"Source" form shall mean the preferred form for making modifications,
|
27
|
+
including but not limited to software source code, documentation
|
28
|
+
source, and configuration files.
|
29
|
+
|
30
|
+
"Object" form shall mean any form resulting from mechanical
|
31
|
+
transformation or translation of a Source form, including but
|
32
|
+
not limited to compiled object code, generated documentation,
|
33
|
+
and conversions to other media types.
|
34
|
+
|
35
|
+
"Work" shall mean the work of authorship, whether in Source or
|
36
|
+
Object form, made available under the License, as indicated by a
|
37
|
+
copyright notice that is included in or attached to the work
|
38
|
+
(an example is provided in the Appendix below).
|
39
|
+
|
40
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
41
|
+
form, that is based on (or derived from) the Work and for which the
|
42
|
+
editorial revisions, annotations, elaborations, or other modifications
|
43
|
+
represent, as a whole, an original work of authorship. For the purposes
|
44
|
+
of this License, Derivative Works shall not include works that remain
|
45
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
46
|
+
the Work and Derivative Works thereof.
|
47
|
+
|
48
|
+
"Contribution" shall mean any work of authorship, including
|
49
|
+
the original version of the Work and any modifications or additions
|
50
|
+
to that Work or Derivative Works thereof, that is intentionally
|
51
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
52
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
53
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
54
|
+
means any form of electronic, verbal, or written communication sent
|
55
|
+
to the Licensor or its representatives, including but not limited to
|
56
|
+
communication on electronic mailing lists, source code control systems,
|
57
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
58
|
+
Licensor for the purpose of discussing and improving the Work, but
|
59
|
+
excluding communication that is conspicuously marked or otherwise
|
60
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
61
|
+
|
62
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
63
|
+
on behalf of whom a Contribution has been received by Licensor and
|
64
|
+
subsequently incorporated within the Work.
|
65
|
+
|
66
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
67
|
+
this License, each Contributor hereby grants to You a perpetual,
|
68
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
69
|
+
copyright license to reproduce, prepare Derivative Works of,
|
70
|
+
publicly display, publicly perform, sublicense, and distribute the
|
71
|
+
Work and such Derivative Works in Source or Object form.
|
72
|
+
|
73
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
74
|
+
this License, each Contributor hereby grants to You a perpetual,
|
75
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
76
|
+
(except as stated in this section) patent license to make, have made,
|
77
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
78
|
+
where such license applies only to those patent claims licensable
|
79
|
+
by such Contributor that are necessarily infringed by their
|
80
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
81
|
+
with the Work to which such Contribution(s) was submitted. If You
|
82
|
+
institute patent litigation against any entity (including a
|
83
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
84
|
+
or a Contribution incorporated within the Work constitutes direct
|
85
|
+
or contributory patent infringement, then any patent licenses
|
86
|
+
granted to You under this License for that Work shall terminate
|
87
|
+
as of the date such litigation is filed.
|
88
|
+
|
89
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
90
|
+
Work or Derivative Works thereof in any medium, with or without
|
91
|
+
modifications, and in Source or Object form, provided that You
|
92
|
+
meet the following conditions:
|
93
|
+
|
94
|
+
(a) You must give any other recipients of the Work or
|
95
|
+
Derivative Works a copy of this License; and
|
96
|
+
|
97
|
+
(b) You must cause any modified files to carry prominent notices
|
98
|
+
stating that You changed the files; and
|
99
|
+
|
100
|
+
(c) You must retain, in the Source form of any Derivative Works
|
101
|
+
that You distribute, all copyright, patent, trademark, and
|
102
|
+
attribution notices from the Source form of the Work,
|
103
|
+
excluding those notices that do not pertain to any part of
|
104
|
+
the Derivative Works; and
|
105
|
+
|
106
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
107
|
+
distribution, then any Derivative Works that You distribute must
|
108
|
+
include a readable copy of the attribution notices contained
|
109
|
+
within such NOTICE file, excluding those notices that do not
|
110
|
+
pertain to any part of the Derivative Works, in at least one
|
111
|
+
of the following places: within a NOTICE text file distributed
|
112
|
+
as part of the Derivative Works; within the Source form or
|
113
|
+
documentation, if provided along with the Derivative Works; or,
|
114
|
+
within a display generated by the Derivative Works, if and
|
115
|
+
wherever such third-party notices normally appear. The contents
|
116
|
+
of the NOTICE file are for informational purposes only and
|
117
|
+
do not modify the License. You may add Your own attribution
|
118
|
+
notices within Derivative Works that You distribute, alongside
|
119
|
+
or as an addendum to the NOTICE text from the Work, provided
|
120
|
+
that such additional attribution notices cannot be construed
|
121
|
+
as modifying the License.
|
122
|
+
|
123
|
+
You may add Your own copyright statement to Your modifications and
|
124
|
+
may provide additional or different license terms and conditions
|
125
|
+
for use, reproduction, or distribution of Your modifications, or
|
126
|
+
for any such Derivative Works as a whole, provided Your use,
|
127
|
+
reproduction, and distribution of the Work otherwise complies with
|
128
|
+
the conditions stated in this License.
|
129
|
+
|
130
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
131
|
+
any Contribution intentionally submitted for inclusion in the Work
|
132
|
+
by You to the Licensor shall be under the terms and conditions of
|
133
|
+
this License, without any additional terms or conditions.
|
134
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
135
|
+
the terms of any separate license agreement you may have executed
|
136
|
+
with Licensor regarding such Contributions.
|
137
|
+
|
138
|
+
6. Trademarks. This License does not grant permission to use the trade
|
139
|
+
names, trademarks, service marks, or product names of the Licensor,
|
140
|
+
except as required for reasonable and customary use in describing the
|
141
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
142
|
+
|
143
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
144
|
+
agreed to in writing, Licensor provides the Work (and each
|
145
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
146
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
147
|
+
implied, including, without limitation, any warranties or conditions
|
148
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
149
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
150
|
+
appropriateness of using or redistributing the Work and assume any
|
151
|
+
risks associated with Your exercise of permissions under this License.
|
152
|
+
|
153
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
154
|
+
whether in tort (including negligence), contract, or otherwise,
|
155
|
+
unless required by applicable law (such as deliberate and grossly
|
156
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
157
|
+
liable to You for damages, including any direct, indirect, special,
|
158
|
+
incidental, or consequential damages of any character arising as a
|
159
|
+
result of this License or out of the use or inability to use the
|
160
|
+
Work (including but not limited to damages for loss of goodwill,
|
161
|
+
work stoppage, computer failure or malfunction, or any and all
|
162
|
+
other commercial damages or losses), even if such Contributor
|
163
|
+
has been advised of the possibility of such damages.
|
164
|
+
|
165
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
166
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
167
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
168
|
+
or other liability obligations and/or rights consistent with this
|
169
|
+
License. However, in accepting such obligations, You may act only
|
170
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
171
|
+
of any other Contributor, and only if You agree to indemnify,
|
172
|
+
defend, and hold each Contributor harmless for any liability
|
173
|
+
incurred by, or claims asserted against, such Contributor by reason
|
174
|
+
of your accepting any such warranty or additional liability.
|
175
|
+
|
176
|
+
END OF TERMS AND CONDITIONS
|
177
|
+
|
178
|
+
APPENDIX: How to apply the Apache License to your work.
|
179
|
+
|
180
|
+
To apply the Apache License to your work, attach the following
|
181
|
+
boilerplate notice, with the fields enclosed by brackets "[]"
|
182
|
+
replaced with your own identifying information. (Don't include
|
183
|
+
the brackets!) The text should be enclosed in the appropriate
|
184
|
+
comment syntax for the file format. We also recommend that a
|
185
|
+
file or class name and description of purpose be included on the
|
186
|
+
same "printed page" as the copyright notice for easier
|
187
|
+
identification within third-party archives.
|
188
|
+
|
189
|
+
Copyright [yyyy] [name of copyright owner]
|
190
|
+
|
191
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
192
|
+
you may not use this file except in compliance with the License.
|
193
|
+
You may obtain a copy of the License at
|
194
|
+
|
195
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
196
|
+
|
197
|
+
Unless required by applicable law or agreed to in writing, software
|
198
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
199
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
200
|
+
See the License for the specific language governing permissions and
|
201
|
+
limitations under the License.
|
data/README.md
ADDED
@@ -0,0 +1,179 @@
|
|
1
|
+
# Citadel Cookbook
|
2
|
+
|
3
|
+
[![Build Status](https://img.shields.io/travis/poise/citadel.svg)](https://travis-ci.org/poise/citadel)
|
4
|
+
[![Gem Version](https://img.shields.io/gem/v/poise-citadel.svg)](https://rubygems.org/gems/poise-citadel)
|
5
|
+
[![Cookbook Version](https://img.shields.io/cookbook/v/citadel.svg)](https://supermarket.chef.io/cookbooks/citadel)
|
6
|
+
[![Coverage](https://img.shields.io/codecov/c/github/poise/citadel.svg)](https://codecov.io/github/poise/citadel)
|
7
|
+
[![Gemnasium](https://img.shields.io/gemnasium/poise/citadel.svg)](https://gemnasium.com/poise/citadel)
|
8
|
+
[![License](https://img.shields.io/badge/license-Apache_2-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
|
9
|
+
|
10
|
+
Using a combination of IAM roles, S3 buckets, and EC2 it is possible to use AWS
|
11
|
+
as a trusted-third-party for distributing secret or otherwise sensitive data.
|
12
|
+
|
13
|
+
## Overview
|
14
|
+
|
15
|
+
IAM roles allow specifying snippets of IAM policies in a way that can be used
|
16
|
+
from an EC2 virtual machine. Combined with a private S3 bucket, this can be
|
17
|
+
used to authorize specific hosts to specific files.
|
18
|
+
|
19
|
+
IAM Roles can be created [in the AWS Console](https://console.aws.amazon.com/iam/home#roles).
|
20
|
+
While the policies applied to a role can be changed later, the name cannot so
|
21
|
+
be careful when choosing them.
|
22
|
+
|
23
|
+
## Requirements
|
24
|
+
|
25
|
+
This cookbook requires Chef 12 or newer. It also requires the EC2 ohai plugin
|
26
|
+
to be active. If you are using a VPC, this may require setting the hint file
|
27
|
+
depending on your version of Ohai/Chef:
|
28
|
+
|
29
|
+
```bash
|
30
|
+
$ mkdir -p /etc/chef/ohai/hints
|
31
|
+
$ touch /etc/chef/ohai/hints/ec2.json
|
32
|
+
```
|
33
|
+
|
34
|
+
If you use knife-ec2 to start the instance, the hint file is already set for you.
|
35
|
+
|
36
|
+
## IAM Policy
|
37
|
+
|
38
|
+
By default, your role will not be able to access any files in your private S3
|
39
|
+
bucket. You can create IAM policies that whitelist specific keys for each role:
|
40
|
+
|
41
|
+
```json
|
42
|
+
{
|
43
|
+
"Version": "2008-10-17",
|
44
|
+
"Id": "<policy name>",
|
45
|
+
"Statement": [
|
46
|
+
{
|
47
|
+
"Sid": "<statement name>",
|
48
|
+
"Effect": "Allow",
|
49
|
+
"Principal": {
|
50
|
+
"AWS": "arn:aws:iam::<AWS account number>:role/<role name>"
|
51
|
+
},
|
52
|
+
"Action": "s3:GetObject",
|
53
|
+
"Resource": "arn:aws:s3:::<bucket name>/<key pattern>"
|
54
|
+
}
|
55
|
+
]
|
56
|
+
}
|
57
|
+
```
|
58
|
+
|
59
|
+
The key pattern can include `*` and `?` metacharacters, so for example
|
60
|
+
`arn:aws:s3:::myapp.citadel/deploy_keys/*` to allow access to all files in the
|
61
|
+
`deploy_keys` folder.
|
62
|
+
|
63
|
+
This policy can be attached to either the IAM role or the S3 bucket with equal
|
64
|
+
effect.
|
65
|
+
|
66
|
+
## Limitations
|
67
|
+
|
68
|
+
Each EC2 VM can only be assigned a single IAM role. This can complicate situations
|
69
|
+
where some secrets need to be shared by overlapping subsets of your servers. A
|
70
|
+
possible improvement to this would be to make a script to create all needed
|
71
|
+
composite IAM roles, possibly driven by Chef roles or other metadata.
|
72
|
+
|
73
|
+
## Attributes
|
74
|
+
|
75
|
+
* `node['citadel']['bucket']` – The default S3 bucket to use.
|
76
|
+
|
77
|
+
## Recipe Usage
|
78
|
+
|
79
|
+
You can access secret data via the `citadel` method.
|
80
|
+
|
81
|
+
```ruby
|
82
|
+
file '/etc/secret' do
|
83
|
+
owner 'root'
|
84
|
+
group 'root'
|
85
|
+
mode '600'
|
86
|
+
content citadel['keys/secret.pem']
|
87
|
+
end
|
88
|
+
```
|
89
|
+
|
90
|
+
By default the node attribute `node['citadel']['bucket']` is used to find the
|
91
|
+
S3 bucket to query, however you can override this:
|
92
|
+
|
93
|
+
```ruby
|
94
|
+
template '/etc/secret' do
|
95
|
+
owner 'root'
|
96
|
+
group 'root'
|
97
|
+
mode '600'
|
98
|
+
variables secret: citadel('mybucket')['id_rsa']
|
99
|
+
end
|
100
|
+
```
|
101
|
+
|
102
|
+
## Developing with Vagrant
|
103
|
+
|
104
|
+
While developing in a local VM, you can use the node attributes
|
105
|
+
`node['citadel']['access_key_id']` and `node['citadel']['secret_access_key']`
|
106
|
+
to provide credentials. The recommended way to do this is via environment variables
|
107
|
+
so that the Vagrantfile itself can still be kept in source control without
|
108
|
+
leaking credentials:
|
109
|
+
|
110
|
+
```ruby
|
111
|
+
config.vm.provision :chef_solo do |chef|
|
112
|
+
chef.json = {
|
113
|
+
citadel: {
|
114
|
+
access_key_id: ENV['ACCESS_KEY_ID'],
|
115
|
+
secret_access_key: ENV['SECRET_ACCESS_KEY'],
|
116
|
+
},
|
117
|
+
}
|
118
|
+
end
|
119
|
+
```
|
120
|
+
|
121
|
+
**WARNING:** Use of these attributes in production should be considered a likely
|
122
|
+
security risk as they will end up visible in the node data, or in the role/environment/cookbook
|
123
|
+
that sets them. This can be mitigated using Enterprise Chef ACLs, however such
|
124
|
+
configurations are generally error-prone due to the defaults being wide open.
|
125
|
+
|
126
|
+
### Testing with Test-Kitchen
|
127
|
+
|
128
|
+
Similarly you can use the same attributes with Test-Kitchen
|
129
|
+
|
130
|
+
```yaml
|
131
|
+
provisioner:
|
132
|
+
name: chef_solo
|
133
|
+
attributes:
|
134
|
+
citadel:
|
135
|
+
access_key_id: <%= ENV['AWS_ACCESS_KEY_ID'] %>
|
136
|
+
secret_access_key: <%= ENV['AWS_SECRET_ACCESS_KEY'] %>
|
137
|
+
```
|
138
|
+
|
139
|
+
## Recommended S3 Layout
|
140
|
+
|
141
|
+
Within your S3 bucket I recommend you create one folder for each group of
|
142
|
+
secrets, and in your IAM policies have one statement per group. Each group of
|
143
|
+
secrets is a set of data with identical security requirements. Many groups will
|
144
|
+
start out only containing a single file, however having the flexibility to
|
145
|
+
change this in the future allows for things like key rotation without rewriting
|
146
|
+
all of your IAM policies.
|
147
|
+
|
148
|
+
An example of an IAM policy resource would be:
|
149
|
+
|
150
|
+
```
|
151
|
+
"Resource": "arn:aws:s3:::mybucket/myfolder/*"
|
152
|
+
```
|
153
|
+
|
154
|
+
## Creating and Updating Secrets
|
155
|
+
|
156
|
+
You can use any S3 client you prefer to manage your secrets, however make sure
|
157
|
+
that new files are set to private (accessible only to the creating user) by
|
158
|
+
default.
|
159
|
+
|
160
|
+
## Sponsors
|
161
|
+
|
162
|
+
The Poise test server infrastructure is sponsored by [Rackspace](https://rackspace.com/).
|
163
|
+
|
164
|
+
## License
|
165
|
+
|
166
|
+
Copyright 2013-2016, Balanced, Inc.
|
167
|
+
Copyright 2016, Noah Kantrowitz
|
168
|
+
|
169
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
170
|
+
you may not use this file except in compliance with the License.
|
171
|
+
You may obtain a copy of the License at
|
172
|
+
|
173
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
174
|
+
|
175
|
+
Unless required by applicable law or agreed to in writing, software
|
176
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
177
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
178
|
+
See the License for the specific language governing permissions and
|
179
|
+
limitations under the License.
|