Merge pull request #159 from NetApp/add_secret_rotate

Changed the rotate function to set the secret value to a structure.

Author: kcantrel

EKS/FSxN-as-PVC-for-EKS/README.md

@@ -83,7 +83,7 @@ Variables that can be changed include:
 - aws_region - The AWS region where you want to deploy the resources.
 - aws_secrets_region - The region where the fsx password secret will be created.
 - fsx_name - The name you want applied to the FSx for NetApp ONTAP File System. Must not already exist.
-- fsx_password_secret_name - A base name of the AWS SecretsManager secret that will hold the FSxN password.
+- secret_name_prefix - The base name of the AWS SecretsManager secrets that will be created that will hold the FSxN adminstrator, and SVM, passwords.
 A random string will be appended to this name to ensure uniqueness.
 - fsx_storage_capacity - The storage capacity of the FSx for NetApp ONTAP File System.
 Read the "description" of the variable to see the valid range.
@@ -109,32 +109,23 @@ the following is an example of last part of the output of a successful deploymen
 ```bash
 Outputs:
 
-eks-cluster-name = "fsx-eks-DB0H69vL"
-eks-jump-server = "Instance ID: i-0e99a61431a39d327, Public IP: 54.244.16.198"
-fsx-id = "fs-0887a493cXXXXXXXX"
-fsx-management-ip = "198.19.255.174"
-fsx-password-secret-arn = "arn:aws:secretsmanager:us-west-2:759995400000:secret:fsx-eks-secret-3b8bde97-Fst5rj"
-fsx-password-secret-name = "fsx-eks-secret-3b8bde97"
+Outputs:
+
+eks-cluster-name = "eksfs-eks-lutuycvJ"
+eks-jump-server = "Instance ID: i-00de97f46e3c9a617, Public IP: 54.213.93.236"
+fsx-id = "fs-04f1b48f8da639a7f"
+fsx-management-ip = "198.19.255.245"
+fsx-password-secret-arn = "arn:aws:secretsmanager:us-west-2:759995470648:secret:keith-eksfs-fsxn-55fd4eb7-4Oy2ab"
+fsx-password-secret-name = "eksfs-fsxn-55fd4eb7"
 fsx-svm-name = "ekssvm"
 region = "us-west-2"
-vpc-id = "vpc-03ed6b1867d76e1a9"
+svm-password-secret-arn = "arn:aws:secretsmanager:us-west-2:759995470648:secret:keith-eksfs-svm-6ad11609-nApoUp"
+svm-password-secret-name = "eksfs-svm-6ad11609"
+vpc-id = "vpc-0791cc0566462082b"
 ```
 :bulb: **Tip:** You will use the values in the commands below, so probably a good idea to copy the output somewhere
 so you can easily reference it later.
 
-> [!IMPORTANT]
-> Note that an FSxN File System was created, with a vserver (a.k.a. SVM). The default username
-> for the FSxN File System is 'fsxadmin'. And the default username for the vserver is 'vsadmin'. The
-> password for both of these users is the same and is what is stored in the AWS SecretsManager secret
-> shown above. Since Terraform was used to create the secret, the password is stored in
-> plain text in its "state" database and therefore it is **HIGHLY** recommended that you change
-> the password to something else by first changing the passwords via the AWS Management Console and
-> then updating the password in the AWS SecretsManager secret. You can update the 'username' key in
-> the secret if you want, but it must be a vserver admin user, not a system level user. This secret
-> is used by Astra Trident and it will always login via the vserver management LIF and therefore it
-> must be a vserver admin user. If you want to create a separate secret for the 'fsxadmin' user,
-> feel free to do so.
-
 ### SSH to the jump server to complete the setup
 Use the following command to 'ssh' to the jump server:
 ```bash
@@ -164,7 +155,7 @@ Note that if you are using an SSO to authenticate with AWS, then the actual user
 you need to add is slightly different than what is output from the above command.
 The following command will take the output from the above command and format it correctly:
 
-:warning: **Warning:** Only run this command if you are using an SSO to authenticate with aws.
+:warning: **Caution:** Only run this command if you are using an SSO to authenticate with aws.
 ```bash
 user_ARN=$(aws sts get-caller-identity | jq -r '.Arn' | awk -F: '{split($6, parts, "/"); printf "arn:aws:iam::%s:role/aws-reserved/sso.amazonaws.com/%s\n", $5, parts[2]}')
 echo $user_ARN
@@ -246,7 +237,7 @@ other files you'll need to complete the setup.
 After making the following substitutions in the commands below:
 - \<fsx-id> with the FSxN ID.
 - \<fsx-svm-name> with the name of the SVM that was created.
-- \<secret-arn> with the ARN of the AWS SecretsManager secret that holds the FSxN password.
+- \<secret-arn> with the ARN of the AWS SecretsManager secret that holds the SVM password (not the FSxN password).
 
 Run them to configure Trident to use the FSxN file system that was
 created earlier using the `terraform --apply` command:
@@ -281,7 +272,7 @@ kubectl get tridentbackendconfig -n trident --output=json | jq '.items[] | .stat
 ```
 Once you have resolved any issues, you can remove the failed backend by running:
 
-:warning: **Warning:** Only run this command if the backend is in a failed state and you are ready to get rid of it.
+:warning: **Caution:** Only run this command if the backend is in a failed state and you are ready to get rid of it.
 ```bash
 kubectl delete -n trident -f temp/backend-tbc-ontap-nas.yaml
 ```

Management-Utilities/fsxn-rotate-secret/README.md

@@ -71,6 +71,10 @@ Note that the Lambda function can only manage one password, so either set the va
 
 :warning: **Warning:** If both the `fsx_id` and `svm_id` tags are set, the `svm_id` tag will be used and the fsx_id will be silently ignored.
 
+Also note that the secret value will be a JSON object with the following fields:
+- `username` - The username will either be set to 'fsxadmin' or 'vsadmin' depending on whether the `fsx_id` or `svm_id` tag is set.
+- `password` - The password associated with the username.
+
 ##### Step 3.2 - Enable rotation feature
 Click on the Rotation tab and then click on the "Edit rotation" button. That should bring up a 
 pop-up window. Click on the "Automatic rotation" slider to enable the feature and then configure
@@ -185,6 +189,10 @@ The following are the outputs for the module:
 | role_arn | The ARN of the IAM role created. |
 | role_name | The name of the IAM role created. |
 
+Note that the secret value will be a JSON object with the following fields:
+- `username` - The username will either be set to 'fsxadmin' or 'vsadmin' depending on whether the `fsx_id` or `svm_id` tag is set.
+- `password` - The password associated with the username.
+
 ## Author Information
 
 This repository is maintained by the contributors listed on [GitHub](https://github.com/NetApp/FSx-ONTAP-samples-scripts/graphs/contributors).

Management-Utilities/fsxn-rotate-secret/fsxn_rotate_secret.py

@@ -10,6 +10,7 @@
 import boto3
 import logging
 import os
+import json
 
 charactersToExcludeInPassword = '/"\'\\'
 
@@ -46,8 +47,27 @@ def create_secret(secretsClient, arn, token):
         # Generate a random password.
         passwd = secretsClient.get_random_password(ExcludeCharacters=charactersToExcludeInPassword, PasswordLength=8, IncludeSpace=False)
         #
+        # Get the FSx file system ID, SVM ID and region from the secret's tags so we can figure out if this password
+        # is for the FSx file system or the SVM.
+        secretMetadata = secretsClient.describe_secret(SecretId=arn)
+        tags = secretMetadata['Tags']
+        fsxId = getTagValue(tags, 'fsx_id')
+        fsxRegion = getTagValue(tags, 'region')
+        svmId = getTagValue(tags, 'svm_id')
+        logging.info(f"fsxId={fsxId}, svmId={svmId}, fsxRegion={fsxRegion}")
+
+        if (fsxId is None and svmId is None) or fsxRegion is None:
+            message=f"Error, tags 'fsxId' or 'svmId' and the 'region' have to be set on the secret's ({arn}) resource."
+            logger.error(message)
+            raise Exception(message)   # Signal to the Secrets Manager that the rotation failed.
+
+        if svmId is None or svmId == "":
+            username="fsxadmin"
+        else:
+            username="vsadmin"
+        #
         # Put the secret.
-        secretsClient.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString=passwd['RandomPassword'], VersionStages=['AWSPENDING'])
+        secretsClient.put_secret_value(SecretId=arn, ClientRequestToken=token, SecretString='{"username": "' + username + '", "password": "' + passwd["RandomPassword"] + '"}', VersionStages=['AWSPENDING'])
         logger.info(f"create_secret: Successfully put secret for ARN {arn} with ClientRequestToken {token} and VersionStage = 'AWSPENDING'.")
 
 ################################################################################
@@ -66,7 +86,7 @@ def set_secret(secretsClient, arn, token):
         # Pass the exception on so the Secret Manager will know that the rotate failed.
         raise e
 
-    password = secretValueResponse['SecretString']
+    password = json.loads(secretValueResponse['SecretString'])['password']
     #
     # Get the FSx file system ID, SVM ID and region from the secret's tags.
     secretMetadata = secretsClient.describe_secret(SecretId=arn)

Terraform/deploy-fsx-ontap/module/README.md

@@ -34,12 +34,16 @@ Calling this terraform module will result the following:
     - **Ingress** allow ssh port 22
     - **Ingress** allow https port 443
     - **Egress** allow all traffic
+
+* Two new AWS secrets. One that contains the fsxadmin password and another that contains the SVM admin password.
+
 * Create a new FSx for Netapp ONTAP file-system in your AWS account named "_terraform-fsxn_". The file-system will be created with the following configuration parameters:
     * 1024Gb of storage capacity
     * Multi AZ deployment type
     * 128Mbps of throughput capacity 
 
 * Create a Storage Virtual Maching (SVM) in this new file-system named "_first_svm_"
+
 * Create a new FlexVol volume in this SVM named "_vol1_" with the following configuration parameters:
     * Size of 1024Mb
     * Storage efficiencies mechanism enabled
@@ -283,14 +287,16 @@ terraform apply
 
 | Name | Description |
 |------|-------------|
+| filesystem_id | The ID of the FSxN Filesystem |
+| filesystem_management_ip | The management IP of the FSxN Filesystem. |
 | fsxn_secret_arn | The ARN of the secret |
 | fsxn_secret_name | The Name of the secret |
-| my_filesystem_id | The ID of the FSxN Filesystem |
-| my_fsx_ontap_security_group_id | The ID of the FSxN Security Group |
-| my_svm_id | The ID of the FSxN Storage Virtual Machine |
-| my_vol_id | The ID of the ONTAP volume in the File System |
+| security_group_id | The ID of the FSxN Security Group |
+| svm_id | The ID of the FSxN Storage Virtual Machine |
+| svm_management_ip | The management IP of the Storage Virtual Machine. |
 | svm_secret_arn | The Name of the secret |
 | svm_secret_name | The Name of the secret |
+| vol_id | The ID of the ONTAP volume in the File System |
 
 ## Author Information
 

Terraform/deploy-fsx-ontap/module/output.tf

@@ -1,19 +1,19 @@
-output "my_fsx_ontap_security_group_id" {
+output "security_group_id" {
   description = "The ID of the FSxN Security Group"
   value       = var.create_sg ? [element(aws_security_group.fsx_sg[*].id, 0)] : []
 }
 
-output "my_filesystem_id" {
+output "filesystem_id" {
   description = "The ID of the FSxN Filesystem"
   value       = aws_fsx_ontap_file_system.terraform-fsxn.id
 }
 
-output "my_svm_id" {
+output "svm_id" {
   description = "The ID of the FSxN Storage Virtual Machine"
   value       = aws_fsx_ontap_storage_virtual_machine.mysvm.id
 }
 
-output "my_vol_id" {
+output "vol_id" {
   description = "The ID of the ONTAP volume in the File System"
   value       = aws_fsx_ontap_volume.myvol.id
 }
@@ -37,3 +37,13 @@ output "svm_secret_name" {
   description = "The Name of the secret"
   value       = module.svm_rotate_secret.secret_name
 }
+
+output "filesystem_management_ip" {
+  description = "The management IP of the FSxN Filesystem."
+  value       =  format(join("", aws_fsx_ontap_file_system.terraform-fsxn.endpoints[0].management[0].ip_addresses))
+}
+
+output "svm_management_ip" {
+  description = "The management IP of the Storage Virtual Machine."
+  value       =  format(join("", aws_fsx_ontap_storage_virtual_machine.mysvm.endpoints[0].management[0].ip_addresses))
+}

Terraform/deploy-fsx-ontap/standalone-module/README.md

@@ -37,21 +37,22 @@ Running this terraform sample will result the following:
     - **Ingress** allow ssh port 22
     - **Ingress** allow https port 443
     - **Egress** allow all traffic
+
+* Two new AWS secrets. One that contains the fsxadmin password and another that contains the SVM admin password.
+
 * Create a new FSx for Netapp ONTAP file-system in your AWS account named "_terraform-fsxn_". The file-system will be created with the following configuration parameters:
     * 1024Gb of storage capacity
     * Multi AZ deployment type
     * 128Mbps of throughput capacity 
 
 * Create a Storage Virtual Maching (SVM) in this new file-system named "_first_svm_"
+
 * Create a new FlexVol volume in this SVM named "_vol1_" with the following configuration parameters:
     * Size of 1024Mb
     * Storage efficiencies mechanism enabled
     * Auto tiering policy with 31 cooling days
     * post-delete backup disabled 
 
-> [!NOTE]
-> Even though this Terraform code is set up to use AWS SecretsManager to retrieve the FSxN password, it will store the password in its `state database`. Therefore, it is assumed you have properly secured that database so that unauthorized personal can't access the password.
-
 ## Prerequisites
 
 1. [Terraform prerequisites](#terraform)
@@ -122,12 +123,28 @@ terraform init
 
 A succesfull initialization should display the following output:
 ```shell
-
 Initializing the backend...
+Initializing modules...
+Downloading git::https://github.com/Netapp/FSx-ONTAP-samples-scripts.git for fsxn_rotate_secret...
+- fsxn_rotate_secret in .terraform/modules/fsxn_rotate_secret/Management-Utilities/fsxn-rotate-secret/terraform
+Downloading git::https://github.com/Netapp/FSx-ONTAP-samples-scripts.git for svm_rotate_secret...
+- svm_rotate_secret in .terraform/modules/svm_rotate_secret/Management-Utilities/fsxn-rotate-secret/terraform
 
 Initializing provider plugins...
-- Reusing previous version of hashicorp/aws from the dependency lock file
-- Using previously-installed hashicorp/aws v5.25.0
+- Finding hashicorp/aws versions matching ">= 5.25.0"...
+- Finding latest version of hashicorp/random...
+- Finding latest version of hashicorp/archive...
+- Installing hashicorp/aws v5.59.0...
+- Installed hashicorp/aws v5.59.0 (signed by HashiCorp)
+- Installing hashicorp/random v3.6.2...
+- Installed hashicorp/random v3.6.2 (signed by HashiCorp)
+- Installing hashicorp/archive v2.4.2...
+- Installed hashicorp/archive v2.4.2 (signed by HashiCorp)
+
+Terraform has created a lock file .terraform.lock.hcl to record the provider
+selections it made above. Include this file in your version control repository
+so that Terraform can guarantee to make the same selections by default when
+you run "terraform init" in the future.
 
 Terraform has been successfully initialized!
 
@@ -210,6 +227,7 @@ terraform apply
 | my_fsx_ontap_security_group_id | The ID of the FSxN Security Group |
 | my_fsxn_secret_name | The name of the secret containing the ONTAP admin password |
 | my_svm_id | The ID of the FSxN Storage Virtual Machine |
+| my_svm_management_ip | The management IP of the Storage Virtual Machine. |
 | my_svm_secret_name | The name of the secret containing the SVM admin password |
 | my_vol_id | The ID of the ONTAP volume in the File System |
 

Terraform/deploy-fsx-ontap/standalone-module/output.tf

@@ -18,6 +18,11 @@ output "my_svm_id" {
   value       = aws_fsx_ontap_storage_virtual_machine.mysvm.id
 }
 
+output "my_svm_management_ip" {
+  description = "The management IP of the Storage Virtual Machine."
+  value       =  format(join("", aws_fsx_ontap_storage_virtual_machine.mysvm.endpoints[0].management[0].ip_addresses))
+}
+
 output "my_vol_id" {
   description = "The ID of the ONTAP volume in the File System"
   value       = aws_fsx_ontap_volume.myvol.id