Refactor Vault resources (#210)

* Refactor Vault resources

Co-authored-by: Daniele Pompa <55095241+daniele20tab@users.noreply.github.com>

Author: filippo-20tab

bootstrap/collector.py

@@ -132,7 +132,7 @@ def collect(
     deployment_type = clean_deployment_type(deployment_type)
     # The "digitalocean-k8s" deployment type includes Postgres by default
     if digitalocean_enabled := ("digitalocean" in deployment_type):
-        digitalocean_token = validate_or_prompt_password(
+        digitalocean_token = validate_or_prompt_secret(
             "DigitalOcean token", digitalocean_token
         )
     (
@@ -236,9 +236,9 @@ def collect(
         sentry_org,
         sentry_url,
         sentry_auth_token,
-        backend_type,
+        backend_service_slug,
         backend_sentry_dsn,
-        frontend_type,
+        frontend_service_slug,
         frontend_sentry_dsn,
     )
     (
@@ -394,8 +394,8 @@ def validate_or_prompt_email(message, value=None, default=None, required=True):
     return validate_or_prompt_email(message, None, default, required)
 
 
-def validate_or_prompt_password(message, value=None, default=None, required=True):
-    """Validate the given password or prompt until a valid value is provided."""
+def validate_or_prompt_secret(message, value=None, default=None, required=True):
+    """Validate the given secret or prompt until a valid value is provided."""
     if value is None:
         value = click.prompt(message, default=default, hide_input=True)
     try:
@@ -404,7 +404,7 @@ def validate_or_prompt_password(message, value=None, default=None, required=True
     except validators.ValidationFailure:
         pass
     click.echo(error("Please type at least 8 chars!"))
-    return validate_or_prompt_password(message, None, default, required)
+    return validate_or_prompt_secret(message, None, default, required)
 
 
 def validate_or_prompt_path(message, value=None, default=None, required=True):
@@ -543,7 +543,7 @@ def clean_terraform_backend(
             terraform_cloud_hostname,
             default="app.terraform.io",
         )
-        terraform_cloud_token = validate_or_prompt_password(
+        terraform_cloud_token = validate_or_prompt_secret(
             "Terraform Cloud User token",
             terraform_cloud_token,
         )
@@ -583,16 +583,21 @@ def clean_terraform_backend(
 
 def clean_vault_data(vault_token, vault_url, quiet=False):
     """Return the Vault data, if applicable."""
-    if vault_token or (
-        vault_token is None
+    if vault_url or (
+        vault_url is None
         and click.confirm(
             "Do you want to use Vault for secrets management?",
         )
     ):
-        vault_token = validate_or_prompt_password("Vault token", vault_token)
+        vault_token = validate_or_prompt_secret(
+            "Vault token (leave blank to perform a browser-based OIDC authentication)",
+            vault_token,
+            default="",
+            required=False,
+        )
         quiet or click.confirm(
             warning(
-                "Make sure the Vault token has enough permissions to enable the "
+                "Make sure your Vault permissions allow to enable the "
                 "project secrets backends and manage the project secrets. Continue?"
             ),
             abort=True,
@@ -635,7 +640,7 @@ def clean_kubernetes_credentials(
     kubernetes_host = kubernetes_host or validate_or_prompt_url(
         "Kubernetes host", kubernetes_host
     )
-    kubernetes_token = kubernetes_token or validate_or_prompt_password(
+    kubernetes_token = kubernetes_token or validate_or_prompt_secret(
         "Kubernetes token", kubernetes_token
     )
     return kubernetes_cluster_ca_certificate, kubernetes_host, kubernetes_token
@@ -710,30 +715,49 @@ def clean_letsencrypt_certificate_email(letsencrypt_certificate_email):
     )
 
 
+def clean_sentry_org(sentry_org):
+    """Return the Sentry organization."""
+    return sentry_org if sentry_org is not None else click.prompt("Sentry organization")
+
+
+def clean_sentry_dsn(service_slug, sentry_dsn):
+    """Return the backend Sentry DSN."""
+    if service_slug:
+        return validate_or_prompt_url(
+            f"Sentry DSN of the {service_slug} service (leave blank if unused)",
+            sentry_dsn,
+            default="",
+            required=False,
+        )
+
+
 def clean_sentry_data(
     sentry_org,
     sentry_url,
     sentry_auth_token,
-    backend_type,
+    backend_service_slug,
     backend_sentry_dsn,
-    frontend_type,
+    frontend_service_slug,
     frontend_sentry_dsn,
 ):
     """Return the Sentry configuration data."""
-    if sentry_org or (
-        sentry_org is None
-        and click.confirm(warning("Do you want to use Sentry?"), default=False)
+    if any((backend_service_slug, frontend_service_slug)) and (
+        sentry_org
+        or (
+            sentry_org is None
+            and click.confirm(warning("Do you want to use Sentry?"), default=False)
+        )
     ):
         sentry_org = clean_sentry_org(sentry_org)
         sentry_url = validate_or_prompt_url(
             "Sentry URL", sentry_url, default="https://sentry.io/"
         )
-        sentry_auth_token = validate_or_prompt_password(
+        sentry_auth_token = validate_or_prompt_secret(
             "Sentry auth token", sentry_auth_token
         )
-        backend_sentry_dsn = clean_backend_sentry_dsn(backend_type, backend_sentry_dsn)
-        frontend_sentry_dsn = clean_frontend_sentry_dsn(
-            frontend_type, frontend_sentry_dsn
+        backend_sentry_dsn = clean_sentry_dsn(backend_service_slug, backend_sentry_dsn)
+        frontend_sentry_dsn = clean_sentry_dsn(
+            frontend_service_slug, frontend_sentry_dsn
         )
     else:
         sentry_org = None
@@ -750,37 +774,6 @@ def clean_sentry_data(
     )
 
 
-def clean_sentry_org(sentry_org):
-    """Return the Sentry organization."""
-    return sentry_org if sentry_org is not None else click.prompt("Sentry organization")
-
-
-def clean_backend_sentry_dsn(backend_type, backend_sentry_dsn):
-    """Return the backend Sentry DSN."""
-    if backend_type:
-        return (
-            backend_sentry_dsn
-            if backend_sentry_dsn is not None
-            else click.prompt(
-                "Backend Sentry DSN (leave blank if unused)",
-                default="",
-            )
-        )
-
-
-def clean_frontend_sentry_dsn(frontend_type, frontend_sentry_dsn):
-    """Return the frontend Sentry DSN."""
-    if frontend_type:
-        return (
-            frontend_sentry_dsn
-            if frontend_sentry_dsn is not None
-            else click.prompt(
-                "Frontend Sentry DSN (leave blank if unused)",
-                default="",
-            )
-        )
-
-
 def clean_digitalocean_options(
     digitalocean_domain_create,
     digitalocean_dns_records_create,
@@ -899,7 +892,7 @@ def clean_pact_broker_data(pact_broker_url, pact_broker_username, pact_broker_pa
         pact_broker_username = pact_broker_username or click.prompt(
             "Pact broker username",
         )
-        pact_broker_password = validate_or_prompt_password(
+        pact_broker_password = validate_or_prompt_secret(
             "Pact broker password", pact_broker_password
         )
     else:
@@ -1008,7 +1001,7 @@ def clean_s3_media_storage_data(
 ):
     """Return S3 media storage data."""
     if media_storage == MEDIA_STORAGE_DIGITALOCEAN_S3:
-        digitalocean_token = validate_or_prompt_password(
+        digitalocean_token = validate_or_prompt_secret(
             "DigitalOcean token", digitalocean_token
         )
         s3_region = s3_region or click.prompt(
@@ -1027,8 +1020,8 @@ def clean_s3_media_storage_data(
         s3_bucket_name = s3_bucket_name or click.prompt(
             "AWS S3 bucket name",
         )
-    s3_access_id = validate_or_prompt_password("S3 Access Key ID", s3_access_id)
-    s3_secret_key = validate_or_prompt_password("S3 Secret Access Key", s3_secret_key)
+    s3_access_id = validate_or_prompt_secret("S3 Access Key ID", s3_access_id)
+    s3_secret_key = validate_or_prompt_secret("S3 Secret Access Key", s3_secret_key)
     return (
         digitalocean_token,
         s3_region,

bootstrap/constants.py

@@ -1,35 +1,72 @@
 """Web project initialization CLI constants."""
 
 from pathlib import Path
+from typing import Dict
 
 DUMPS_DIR = Path(__file__).parent.parent / ".dumps"
 
 # Stacks
 
+# BEWARE: stack names must be suitable for inclusion in Vault paths
+
+DEV_STACK_NAME = "development"
+
 DEV_STACK_SLUG = "dev"
 
+STAGE_STACK_NAME = "staging"
+
 STAGE_STACK_SLUG = "stage"
 
+MAIN_STACK_NAME = "main"
+
 MAIN_STACK_SLUG = "main"
 
+STACKS_CHOICES = {
+    "1": [{"name": MAIN_STACK_NAME, "slug": MAIN_STACK_SLUG}],
+    "2": [
+        {"name": DEV_STACK_NAME, "slug": DEV_STACK_SLUG},
+        {"name": MAIN_STACK_NAME, "slug": MAIN_STACK_SLUG},
+    ],
+    "3": [
+        {"name": DEV_STACK_NAME, "slug": DEV_STACK_SLUG},
+        {"name": STAGE_STACK_NAME, "slug": STAGE_STACK_SLUG},
+        {"name": MAIN_STACK_NAME, "slug": MAIN_STACK_SLUG},
+    ],
+}
+
 # Environments
 
+# BEWARE: environment names must be suitable for inclusion in Vault paths
+
 DEV_ENV_NAME = "development"
 
 DEV_ENV_SLUG = "dev"
 
+DEV_ENV_STACK_CHOICES: Dict[str, str] = {
+    "1": MAIN_STACK_SLUG,
+}
+
 STAGE_ENV_NAME = "staging"
 
 STAGE_ENV_SLUG = "stage"
 
+STAGE_ENV_STACK_CHOICES: Dict[str, str] = {
+    "1": MAIN_STACK_SLUG,
+    "2": DEV_STACK_SLUG,
+}
+
 PROD_ENV_NAME = "production"
 
 PROD_ENV_SLUG = "prod"
 
+PROD_ENV_STACK_CHOICES: Dict[str, str] = {}
+
 # Env vars
 
 GITLAB_TOKEN_ENV_VAR = "GITLAB_PRIVATE_TOKEN"
 
+VAULT_TOKEN_ENV_VAR = "VAULT_TOKEN"
+
 # Subrepos
 
 BACKEND_TEMPLATE_URLS = {