hashicorp · NicolasFloquet · May 18, 2021 · sylviamoss · May 18, 2021 · nywilken
@@ -0,0 +1,135 @@
+//go:generate packer-sdc struct-markdown
+//go:generate packer-sdc mapstructure-to-hcl2 -type DatasourceOutput,Config
+package keyvaultsecret
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"net/url"
+
+	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/hashicorp/hcl/v2/hcldec"
+	"github.com/hashicorp/packer-plugin-azure/builder/azure/common/client"
+	"github.com/hashicorp/packer-plugin-sdk/hcl2helper"
+	"github.com/hashicorp/packer-plugin-sdk/template/config"
+	"github.com/zclconf/go-cty/cty"
+
+	packersdk "github.com/hashicorp/packer-plugin-sdk/packer"
+)
+
+type Config struct {
+	// Specifies the name of the Key Vault Secret.
+	Name string `mapstructure:"name" required:"true"`
+
+	// Specifies the ID of the Key Vault instance where the Secret resides.
+	KeyvaultId string `mapstructure:"keyvault_id" required:"true"`
+
+	// Authentication via OAUTH
+	ClientConfig client.Config `mapstructure:",squash"`
+}
+
+type Datasource struct {
+	config Config
+}
+
+type DatasourceOutput struct {
+	// The Key Vault Secret ID.
+	Id string `mapstructure:"id"`
+	// The value of the Key Vault Secret.
+	Value string `mapstructure:"value"`
+	// The content type for the Key Vault Secret.
+	ContentType string `mapstructure:"content_type"`
+	// Any tags assigned to this resource.
+	Tags map[string]*string `mapstructure:"tags"`
+}
+
+func (d *Datasource) ConfigSpec() hcldec.ObjectSpec {
+	return d.config.FlatMapstructure().HCL2Spec()
+}
+
+func (d *Datasource) Configure(raws ...interface{}) error {
+	err := config.Decode(&d.config, nil, raws...)
+	if err != nil {
+		return err
+	}
+
+	var errs *packersdk.MultiError
+	if d.config.Name == "" {
+		errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("a 'name' must be provided"))
+	}
+	if d.config.KeyvaultId == "" {
+		errs = packersdk.MultiErrorAppend(errs, fmt.Errorf("a 'keyvault_id' must be provided"))
+	}
+
+	err = d.config.ClientConfig.SetDefaultValues()
+	if err != nil {
+		errs = packersdk.MultiErrorAppend(errs, err)
+	}
+
+	d.config.ClientConfig.Validate(errs)
+	if errs != nil && len(errs.Errors) > 0 {
+		return errs
+	}
+
+	return nil
+}
+
+func (d *Datasource) OutputSpec() hcldec.ObjectSpec {
+	return (&DatasourceOutput{}).FlatMapstructure().HCL2Spec()
+}
+
+// We need to stub packersdk ui "say" function. UI is not available from this package, I guess this is the best we can do for now
+func logSay(s string) {
+	log.Println("[DEBUG] packer-datasource-azure-keyvaultsecret:", s)
+}
+
+func getVaultUrl(keyvaultURL *url.URL, vaultName string) string {
+	return fmt.Sprintf("%s://%s.%s/", keyvaultURL.Scheme, vaultName, keyvaultURL.Host)
+}
+
+func (d *Datasource) Execute() (cty.Value, error) {
+	err := d.config.ClientConfig.FillParameters()
+	if err != nil {
+		return cty.NullVal(cty.EmptyObject), err
+	}
+
+	keyVaultURL, err := url.Parse(d.config.ClientConfig.CloudEnvironment().KeyVaultEndpoint)
+	if err != nil {
+		return cty.NullVal(cty.EmptyObject), err
+	}
+
+	/* Get token from client configuration */
+	_, servicePrincipalTokenVault, err := d.config.ClientConfig.GetServicePrincipalTokens(logSay)
+	if err != nil {
+		return cty.NullVal(cty.EmptyObject), err
+	}
+
+	/* Configure keyvault client */
+	basicClient := keyvault.New()
+	basicClient.Authorizer = autorest.NewBearerAuthorizer(servicePrincipalTokenVault)
+
+	/* Get secret value */
+	secret, err := basicClient.GetSecret(context.TODO(), getVaultUrl(keyVaultURL, d.config.KeyvaultId), d.config.Name, "")
+	if err != nil {
+		return cty.NullVal(cty.EmptyObject), err
+	}
+
+	/* Build output object */
+	var output DatasourceOutput
+	if secret.Value != nil {
+		output.Value = *secret.Value
+	}
+	if secret.ID != nil {
+		output.Id = *secret.ID
+	}
+	if secret.ContentType != nil {
+		output.ContentType = *secret.ContentType
+	}
+	if secret.Tags != nil {
+		output.Tags = secret.Tags
+	}
+
+	return hcl2helper.HCL2ValueFromConfig(output, d.OutputSpec()), nil
+}
@@ -0,0 +1,124 @@
+package keyvaultsecret
+
+import (
+	"context"
+	_ "embed"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"regexp"
+	"testing"
+
+	"github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
+	"github.com/Azure/azure-sdk-for-go/services/keyvault/v7.1/keyvault"
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/hashicorp/packer-plugin-sdk/acctest"
+)
+
+//go:embed test-fixtures/template.pkr.hcl
+var testDatasourceBasic string
+
+func TestAccAzureKeyvaultSecret(t *testing.T) {
+	testEnv := "dev"
+	secret := &KeyvaultSecret{
+		Name:        "packer-datasource-keyvault-test-secret",
+		Value:       "this_is_the_packer_test_secret_value",
+		ContentType: "text/html",
+		Tags:        map[string]*string{"environment": &testEnv},
+	}
+
+	testCase := &acctest.PluginTestCase{
+		Name: "azure_keyvault_secret_datasource_basic_test",
+		Setup: func() error {
+			return secret.Create()
+		},
+		Teardown: func() error {
+			return secret.Delete()
+		},
+		Template: testDatasourceBasic,
+		Check: func(buildCommand *exec.Cmd, logfile string) error {
+			if buildCommand.ProcessState != nil {
+				if buildCommand.ProcessState.ExitCode() != 0 {
+					return fmt.Errorf("Bad exit code. Logfile: %s", logfile)
+				}
+			}
+
+			logs, err := os.Open(logfile)
+			if err != nil {
+				return fmt.Errorf("Unable find %s", logfile)
+			}
+			defer logs.Close()
+
+			logsBytes, err := ioutil.ReadAll(logs)
+			if err != nil {
+				return fmt.Errorf("Unable to read %s", logfile)
+			}
+			logsString := string(logsBytes)
+
+			valueLog := fmt.Sprintf("null.basic-example: secret value: %s", secret.Value)
+			contentTypeLog := fmt.Sprintf("null.basic-example: secret content_type: %s", secret.ContentType)
+			environmentLog := fmt.Sprintf("null.basic-example: secret environment: %s", *secret.Tags["environment"])
+
+			if matched, _ := regexp.MatchString(valueLog+".*", logsString); !matched {
+				t.Fatalf("logs doesn't contain expected secret value %q", logsString)
+			}
+			if matched, _ := regexp.MatchString(contentTypeLog+".*", logsString); !matched {
+				t.Fatalf("logs doesn't contain expected secret ContentType %q", logsString)
+			}
+			if matched, _ := regexp.MatchString(environmentLog+".*", logsString); !matched {
+				t.Fatalf("logs doesn't contain expected secret tag %q", logsString)
+			}
+
+			return nil
+		},
+	}
+	acctest.TestPlugin(t, testCase)
+}
+
+type KeyvaultSecret struct {
+	Name        string
+	Value       string
+	Id          string
+	ContentType string
+	Tags        map[string]*string
+
+	client keyvault.BaseClient
+}
+
+func getAuthorizer() (autorest.Authorizer, error) {
+	os.Setenv("AZURE_AD_RESOURCE", "https://vault.azure.net")
+	os.Setenv("AZURE_TENANT_ID", os.Getenv("PKR_VAR_tenant_id"))
 // * ARM_CLIENT_ID 
 // * ARM_CLIENT_ID 
+	os.Setenv("AZURE_CLIENT_ID", os.Getenv("PKR_VAR_client_id"))
+	os.Setenv("AZURE_CLIENT_SECRET", os.Getenv("PKR_VAR_client_secret"))
+
+	credAuthorizer, err := auth.NewAuthorizerFromEnvironment()
+	return credAuthorizer, err
+}
+
+func (as *KeyvaultSecret) Create() error {
+	as.client = keyvault.New()
+	authorizer, err := getAuthorizer()
+	if err != nil {
+		return err
+	}
+
+	var parameters keyvault.SecretSetParameters
+	parameters.ContentType = &as.ContentType
+	parameters.Value = &as.Value
+	parameters.Tags = as.Tags
+
+	as.client.Authorizer = authorizer
+
+	_, err = as.client.SetSecret(context.TODO(), "https://"+os.Getenv("PKR_VAR_keyvault_id")+".vault.azure.net", as.Name, parameters)
+	if err != nil {
+		return err
+	}
+	return err
+}
+
+func (as *KeyvaultSecret) Delete() error {
+	var err error
+	_, err = as.client.DeleteSecret(context.TODO(), "https://"+os.Getenv("PKR_VAR_keyvault_id")+".vault.azure.net", as.Name)
+	return err
+}
@@ -0,0 +1,37 @@
+package keyvaultsecret
+
+import (
+	"testing"
+)
+
+func TestDatasourceConfigure_EmptySecretName(t *testing.T) {
+	datasource := Datasource{
+		config: Config{},
+	}
+	if err := datasource.Configure(nil); err == nil {
+		t.Fatalf("Should error if secret name is not specified")
+	}
+}
+
+func TestDatasourceConfigure_KeyvaultID(t *testing.T) {
+	datasource := Datasource{
+		config: Config{
+			Name: "my-secret",
+		},
+	}
+	if err := datasource.Configure(nil); err == nil {
+		t.Fatalf("Should error if keyvault id is not specified")
+	}
+}
+
+func TestDatasourceConfigure_OkConfig(t *testing.T) {
+	datasource := Datasource{
+		config: Config{
+			Name:       "my-secret",
+			KeyvaultId: "my-keyvault",
+		},
+	}
+	if err := datasource.Configure(nil); err != nil {
+		t.Fatalf("Should not issue error if configuration is okay")
+	}
+}