fix: add helper for AWS (#17)

* fix: add helper for AWS

* fix: pr ci

* feat: add hashivault  AWS IAM Auth
minor CI tweak

* fix: hashivault tests and implementation

* fix: add more tests to hashivault

* fix: add docs to document additional hashicorp features

+semver: feat

Author: dnitsch

.github/workflows/build.yml

@@ -5,7 +5,7 @@ on:
     branches: [ master, main ]
 
 jobs:
-  set-deps-dotnet-poop-here:
+  set-version:
     runs-on: ubuntu-latest
     container:
       image: mcr.microsoft.com/dotnet/sdk:6.0 
@@ -31,10 +31,10 @@ jobs:
     runs-on: ubuntu-latest
     container:
       image: golang:1.19-bullseye
-    needs: set-deps-dotnet-poop-here
+    needs: set-version
     env:
-      SEMVER: ${{ needs.set-deps-dotnet-poop-here.outputs.semVer }}
-      GIT_TAG: ${{ needs.set-deps-dotnet-poop-here.outputs.semVer }}
+      SEMVER: ${{ needs.set-version.outputs.semVer }}
+      GIT_TAG: ${{ needs.set-version.outputs.semVer }}
       GOVCS: false
     steps:
       - uses: actions/checkout@v3
@@ -65,6 +65,6 @@ jobs:
           # Additional arguments for the sonarcloud scanner
           args:             
             # mandatory
-            -Dsonar.projectVersion=${{ needs.set-deps-dotnet-poop-here.outputs.semVer }}
+            -Dsonar.projectVersion=${{ needs.set-version.outputs.semVer }}
             -Dsonar.go.coverage.reportPaths=/github/workspace/.coverage/out
             -Dsonar.go.tests.reportPaths=/github/workspace/.coverage/report-junit.xml

.github/workflows/pr.yml

@@ -5,7 +5,7 @@ on:
     branches: [ master, main ]
 
 jobs:
-  set-deps-dotnet-poop-here:
+  set-version:
     runs-on: ubuntu-latest
     container:
       image: mcr.microsoft.com/dotnet/sdk:6.0 
@@ -22,25 +22,22 @@ jobs:
       - name: Set SemVer Version
         uses: gittools/actions/gitversion/[email protected]
         id: gitversion
-
-      - name: echo VERSIONS
-        run: | 
-          echo "REVISION  -> $GITHUB_SHA"
-          echo "VERSION -> $GITVERSION_SEMVER"
   pr:
     runs-on: ubuntu-latest
     container:
       image: golang:1.19-bullseye
-    needs: set-deps-dotnet-poop-here
+    needs: set-version
     env:
       REVISION: $GITHUB_SHA
-      SEMVER: ${{ needs.set-deps-dotnet-poop-here.outputs.semVer }}
+      SEMVER: ${{ needs.set-version.outputs.semVer }}
     steps:
       - uses: actions/checkout@v3
       - name: install deps
         run: |
-          apt update && apt install jq -y
-          make REVISION=$GITHUB_SHA install
+          apt-get update && apt-get install -y jq git
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git config user.email ${{ github.actor }}[email protected]
+          git config user.name ${{ github.actor }}
       - name: make test 
         run: |
           make REVISION=$GITHUB_SHA test
@@ -57,6 +54,6 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
         with:
           args:             
-            -Dsonar.projectVersion=${{ needs.set-deps-dotnet-poop-here.outputs.semVer }}
+            -Dsonar.projectVersion=${{ needs.set-version.outputs.semVer }}
             -Dsonar.go.coverage.reportPaths=/github/workspace/.coverage/out
-            -Dsonar.go.tests.reportPaths=/github/workspace/.coverage/report-junit.xml
+            -Dsonar.go.tests.reportPaths=/github/workspace/.coverage/report-junit.xml

.github/workflows/release.yml

@@ -7,7 +7,7 @@ on:
       - completed
 
 jobs:
-  set-deps-dotnet-poop-here:
+  set-version:
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     container:
@@ -36,9 +36,9 @@ jobs:
       image: golang:1.19-bullseye
       env:
         FOO: Bar
-    needs: set-deps-dotnet-poop-here
+    needs: set-version
     env:
-      SEMVER: ${{ needs.set-deps-dotnet-poop-here.outputs.semVer }}
+      SEMVER: ${{ needs.set-version.outputs.semVer }}
     steps:
       - uses: actions/checkout@v3
         with:

README.md

@@ -10,17 +10,32 @@
 Package used for retrieving application settings from various sources.
 
 Currently supported variable and secrets implementations:
+<!-- 
+"AWSSECRETS"
+	// AWS Parameter Store prefix
+	ParamStorePrefix ImplementationPrefix = "AWSPARAMSTR"
+	// Azure Key Vault Secrets prefix
+	AzKeyVaultSecretsPrefix ImplementationPrefix = "AZKVSECRET"
+	// Hashicorp Vault prefix
+	HashicorpVaultPrefix ImplementationPrefix = "VAULT"
+	// GcpSecrets
+	GcpSecretsPrefix ImplementationPrefix = "GCPSECRETS" -->
 
 - [AWS SecretsManager](https://aws.amazon.com/secrets-manager/)
+	- Implementation Indicator: `AWSSECRETS`
 - [AWS ParameterStore](https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html)
+	- Implementation Indicator: `AWSPARAMSTR`
 - [AzureKeyvault Secrets](https://azure.microsoft.com/en-gb/products/key-vault/)
+	- Implementation Indicator: `AZKVSECRET`
 	- see [Special consideration for AZKVSECRET](#special-consideration-for-azkvsecret) around how to structure the token in this case.
 - [GCP Secrets](https://cloud.google.com/secret-manager)
+	- Implementation Indicator: `GCPSECRETS`
 - [Hashicorp Vault](https://developer.hashicorp.com/vault/docs/secrets/kv)
-	- using the V2 endpoint
+	- Implementation Indicator: `VAULT`
+	- using the KvV2 engine endpoint
 	- see [special consideration hashivault](#special-consideration-for-hashicorpvault)
 
-The main driver is to use component level configuration objects, if stored in a `"namespaced"` manner e.g. in AWS ParamStore as `/nonprod/component-service-a/configVar`, however this is not a requirement and the param name can be whatever. Though whilst using some sort of a organised manner it will be more straight forward to allow other services to consume certain secrets/params based on resource/access policies. 
+The main driver is to use component level configuration objects, if stored in a `"namespaced"` manner e.g. in AWS ParamStore as `/nonprod/component-service-a/configVar`, however this is not a requirement and the param name can be whatever. Though whilst using some sort of a organised manner it will be more straight forward to allow other services to consume certain secrets/params based on resource/access policies.
 
 > Beware size limitation with certain config/vault implementations. In which case it's best to split certain items up e.g. TLS certs `/nonprod/component-service-a/pub-cert`, `/nonprod/component-service-a/private-cert`, `/nonprod/component-service-a/chain1-cert`, etc... 
 
@@ -46,13 +61,17 @@ ConfigManager comes packaged as a CLI for all major platforms, to see [download/
 
 For more detailed usage you can run -h with each subcommand and additional info can be found [here](./docs/commands.md)
 
-## Config Tokens
+## __Config Tokens__
 
 The token is made up of 3 parts:
 
-- `AWSSECRETS` the strategy identifier to choose at runtime
+### Implementation indicator
 
-- `#` separator - used for separating the implementation indicator and the look up value.
+e.g. `AWSSECRETS` the strategy identifier to choose at runtime
+
+### __Token Separator__
+
+e.g. `#` - used for separating the implementation indicator and the look up value.
 
 > The default is currently `#` - it will change to `://` to allow for a more natural reading of the "token". you can achieve this behaviour now by either specifying the `-s` to the CLI or ConfigManager public methods, like below.
 
@@ -72,11 +91,12 @@ Alternatively you can use the helper methods for Yaml or Json tagged structs - s
 
 If contents of the `AWSSECRETS#/appxyz/service1-password` are a string then `service1-password` will be the key and converted to UPPERCASE e.g. `SERVICE1_PASSWORD=som3V4lue`
 
-### KeySeparator
+### __Key Separator__
 
 Specifying a key seperator on token items that can be parsed as a K/V map will result in only retrieving the specific key from the map. 
 
 e.g. if contents of the `AWSSECRETS#/appxyz/service1-db-config` are parseable into the below object
+
 ```json
 {
   "host": "db.internal",
@@ -113,7 +133,6 @@ db:
 
 If your config parameter matches the config interface, you can also leave the entire token to point to the `db` key
 
-
 ```yaml
 app:
   name: xyz
@@ -132,6 +151,20 @@ db: {
 }
 ```
 
+### Additional Token Config
+
+Suffixed `[]` with `role:` or `version:` specified inside the brackets and comma separated
+
+order is not important, but the `role:` keyword must be followed by the role string
+
+e.g. `VAULT://baz/bar/123|d88[role:arn:aws:iam::1111111:role/i-orchestration,version:1082313]`
+
+Currently only supporting version and role but may be extended in the future.
+
+- role is used with `VAULT` `aws_iam` auth type. Specifying it on a token level as opposed to globally will ensure that multiple roles can be used provided that the caller has the ability to assume them.
+
+- version can be used within all implementations that support versioned config items e.g. `VAULT`, `GCPSECRETS` , `AWSSECRETS`, `AZKVSECRET`. If omitted it will default to the `LATEST`.
+
 ### Special consideration for AZKVSECRET
 
 For Azure KeyVault the first part of the token needs to be the name of the vault.
@@ -147,12 +180,15 @@ For Azure KeyVault the first part of the token needs to be the name of the vault
 ### Special consideration for HashicorpVault
 
 For HashicorpVault the first part of the token needs to be the name of the mountpath. In Dev Vaults this is `"secret"`,
- e.g.:
+ e.g.: `VAULT://secret___demo/configmanager|test`
 
-`VAULT://secret___demo/configmanager|test`
+or if the secrets are at another location: `VAULT://another/mount/path__config/app1/db`
 
 The hardcoded separator cannot be modified and you must separate your `mountPath` with `___` (3x `_`) followed by the key to the secret.
 
+#### AWS IAM auth to vault
+
+when using Vault in AWS - you can set the value of the `VAULT_TOKEN=aws_iam` this will trigger the AWS Auth login as opposed to using the local token.
 
 The Hashicorp Vault functions in the same exact way as the other implementations. It will retrieve the JSON object and can be looked up within it by using a key separator.
 

go.mod

@@ -24,6 +24,7 @@ require (
 	github.com/AzureAD/microsoft-authentication-library-for-go v0.7.0 // indirect
 	github.com/armon/go-metrics v0.3.9 // indirect
 	github.com/armon/go-radix v1.0.0 // indirect
+	github.com/aws/aws-sdk-go v1.30.27 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.0 // indirect
 	github.com/cenkalti/backoff/v3 v3.0.0 // indirect
 	github.com/fatih/color v1.7.0 // indirect
@@ -42,6 +43,7 @@ require (
 	github.com/hashicorp/go-plugin v1.4.5 // indirect
 	github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
+	github.com/hashicorp/go-secure-stdlib/awsutil v0.1.6 // indirect
 	github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
@@ -61,6 +63,7 @@ require (
 	github.com/oklog/run v1.0.0 // indirect
 	github.com/pierrec/lz4 v2.5.2+incompatible // indirect
 	github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.uber.org/atomic v1.9.0 // indirect
@@ -93,6 +96,7 @@ require (
 	github.com/axw/gocov v1.1.0
 	github.com/googleapis/gax-go/v2 v2.7.0
 	github.com/hashicorp/vault/api v1.8.2
+	github.com/hashicorp/vault/api/auth/aws v0.3.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/jstemmer/go-junit-report v1.0.0