|
| 1 | +# Rotate FSxN File System Passwords |
| 2 | + |
| 3 | +## Introduction |
| 4 | +This sample provides a way to rotate a Secrets Manager secret that is used to manage FSxN file system. |
| 5 | +It is a Lambda function that is expected to be triggered by the Secrets Manager rotation feature. |
| 6 | +The Secrets Manager should invoke the function four times, each time with the `stage` field, in the `event` dictionary passed in, set to one of the following values: |
| 7 | + |
| 8 | +| Stage | Description | |
| 9 | +|------------|-------------| |
| 10 | +|createSecret|The function will create a new version of the secret with a "Version Staging ID" of "AWSPENDING". At this point the original secret is still be left as is, and will be the default secret returned if no versionStagingID is provided.| |
| 11 | +|setSecret |The function will update the password for the FSxN file system using the new version of the secret.| |
| 12 | +|testSecret |Currently no testing is performed. The Lambda function would have to be attached to the same VPC as the FSxN file system to test the password. Since that would potentially make it where you'd have to have a separate function for each FSxN deployment, and potentially have to setup AWS Endpoints for AWS services, a decision was made to not do that. If the Lambda function fails to set the password correctly, you can always use the AWS console, or API, to set it to whatever you need.| |
| 13 | +|finishSecret|The function will promote the new password to the "AWSCURRENT" Version Staging ID. This will set the Version Staging ID of the old password to "AWSPREVIOUS".| |
| 14 | + |
| 15 | +## Set Up |
| 16 | +There are a couple way to you can leverage this sample. Either by manually creating a Lambda function with the appropriate permissions and setting up the Secrets Manager rotation service to use it, or by using the Terraform module provided in the `terraform` directory. |
| 17 | +### Manual Method |
| 18 | + |
| 19 | +#### Step 1 - Create a role for the Lambda function |
| 20 | +The first step is to create a role for the Lambda function with the following permissions. It should have a trust |
| 21 | +relationship with the AWS Lambda service. |
| 22 | + |
| 23 | +| Permission | Minimal Scope | Notes |
| 24 | +|:------------------------|:----------------|:----------------| |
| 25 | +| secretsManager:GetSecretValue | \<secretARN> | \<secretARN> is the AWS ARN of the secret to rotate. | |
| 26 | +| secretsManager:PutSecretValue | \<secretARN> | \<secretARN> is the AWS ARN of the secret to rotate. | |
| 27 | +| secretsManager:UpdateSecretVersionStage | \<secretARN> | \<secretARN> is the AWS ARN of the secret to rotate. | |
| 28 | +| secretsManager:DescribeSecret | \<secretARN> | \<secretARN> is the AWS ARN of the secret to rotate. | |
| 29 | +| secretsmanager:GetRandomPassword | \* | The scope doesn't matter, since this function doesn't have anything to do with any AWS resources. | |
| 30 | +| fsx:UpdateFileSystem | \<fileSystemARN> | \<fileSytemARN> is the AWS ARN of the FSxN file system to manage. | |
| 31 | +| logs:CreateLogGroup | arn:aws:logs:\<region>:\<accountID>:\* | This allows the Lambda function to create a log group in CloudWatch. This is optional, but allows you to get diagnostic information from the Lambda function. | |
| 32 | +| logs:CreateLogStream | arn:aws:logs:\<region>:\<accountID>:log-group:/aws/lambda/\<Lambda_function_name>:\* | This allows the Lambda function to create a log streams in CloudWatch. This is optional, but allows you to get diagnostic information from the function.| |
| 33 | +| logs:PutLogEvents | arn:aws:logs:\<region>:\<accountID>:log-group:/aws/lambda/\<Lambda_function_name>:\* | This allows the Lambda function to write log events to a log stream in CloudWatch. This is optional, but allows you to get diagnostic information from the function.| |
| 34 | + |
| 35 | +#### Step 2 - Create the Lambda Function |
| 36 | +##### Step 2.1 |
| 37 | +Create a Lambda function with the following parameters: |
| 38 | +- Authored from scratch. |
| 39 | +- Uses the Python runtime. |
| 40 | +- Set the permissions to the role created above. |
| 41 | + |
| 42 | +##### Step 2.2 - Insert code |
| 43 | +After you create the function, you will be able to insert the code included with this |
| 44 | +sample into the code box and click "Deployed" to save it. |
| 45 | + |
| 46 | +##### Step 2.3 - Change permisisons |
| 47 | +Change to the `Configuration` tab and select `Permissions` and add a `Resource-based policy` statement that will allow the |
| 48 | +secretsmanager AWS service to invoke the Lambda function. Do that do the following: |
| 49 | + |
| 50 | +- Click on Add Permission |
| 51 | +- Then select "AWS Service" |
| 52 | +- Put "Allow SecretsManager" in the StatementID (although, it doesn't really matter what you put there) |
| 53 | +- The principal should already be set to `secretsmanager.amazonaws.com` |
| 54 | +- Set action to `lambda:InvokeFunction` |
| 55 | + |
| 56 | +##### Step 2.4 - Enable Secrets Manager Rotation |
| 57 | +To enable rotation of the secret, you will need to go to the Secrets Manager console and |
| 58 | +select the secret you want to rotate. Click on the "Edit rotation" button and select the |
| 59 | +Lambda function you created above. You can also set the rotation schedule to whatever you |
| 60 | +want. The default is 30 days. |
| 61 | + |
| 62 | +### Terraform Method |
| 63 | +The Terraform module provided in the `terraform` directory can be used to create the Secrets Manager |
| 64 | +secret setup to use a rotation policy that uses the Lambda function. It will create the following resources: |
| 65 | +- Lambda function used to rotate the secret. |
| 66 | +- IAM role that allows the Lambda function to rotate the secret. |
| 67 | +- A Secrets Manager secret with a rotation schedule of 30 days. |
| 68 | + |
| 69 | +#### Prerequisites |
| 70 | + |
| 71 | +1. [Terraform prerequisites](#terraform) |
| 72 | +2. [AWS prerequisites](#aws-account-setup) |
| 73 | + |
| 74 | +##### Terraform |
| 75 | + |
| 76 | +| Name | Version | |
| 77 | +|------|---------| |
| 78 | +| terraform | >= 1.6.6 | |
| 79 | +| aws provider | >= 5.25 | |
| 80 | + |
| 81 | +##### AWS Account Setup |
| 82 | + |
| 83 | +- You must have an AWS Account with necessary permissions to create and manage resources. |
| 84 | +- Configure your AWS Credentials on the server running this Terraform module. This can be derived from |
| 85 | +several sources, which are applied in the following order: |
| 86 | + 1. Parameters in the provider configuration |
| 87 | + 2. Environment variables |
| 88 | + 3. Shared credentials files |
| 89 | + 4. Shared configuration files |
| 90 | + 5. Container credentials |
| 91 | + 6. Instance profile credentials and Region |
| 92 | + |
| 93 | + This order matches the precedence used by the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html#cli-configure-quickstart-precedence) and the [AWS SDKs](https://aws.amazon.com/tools/). |
| 94 | + |
| 95 | +> [!NOTE] |
| 96 | +> In this sample, the AWS Credentials were configured through [AWS CLI](https://aws.amazon.com/cli/), which adds them to a shared configuration file (option 4 above). Therefore, this documentation only provides guidance on setting-up the AWS credentials with shared configuration file using AWS CLI. |
| 97 | +
|
| 98 | +#### Usage |
| 99 | + |
| 100 | +This directory contains a shared Terraform module that can be referenced remotely. **No need to clone the repository in order to use it!** |
| 101 | +To reference this module, create a new terraform folder in your local environment, add a main.tf file and modify it according to the instructions below. |
| 102 | + |
| 103 | +##### AWS provider block |
| 104 | + |
| 105 | +Add the AWS provider block to your local root `main.tf` file with the required configuration. For more information check [the docs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) |
| 106 | + |
| 107 | +Example: |
| 108 | +```hcl |
| 109 | +terraform { |
| 110 | + required_providers { |
| 111 | + aws = { |
| 112 | + source = "hashicorp/aws" |
| 113 | + version = ">=5.25" |
| 114 | + } |
| 115 | + } |
| 116 | +} |
| 117 | +
|
| 118 | +provider "aws" { |
| 119 | + region = "us-west-2" |
| 120 | +} |
| 121 | +``` |
| 122 | +##### Reference this module |
| 123 | + |
| 124 | +Add the following module block to your local `main.tf` file. |
| 125 | +Make sure to replace all values within `< >` with your own variables. |
| 126 | + |
| 127 | +```hcl |
| 128 | +module "fsxn_rotate_secret" { |
| 129 | + source = "github.com/NetApp/FSx-ONTAP-samples-scripts/Management-Utilities/fsxn-rotate-secret/terraform" |
| 130 | +
|
| 131 | + region = <region> |
| 132 | + awsAccountId = <aws_account_id> |
| 133 | + fsxId = <fsx_id> |
| 134 | + secretNamePrefix = "fsx_admin_secret" |
| 135 | +} |
| 136 | +``` |
| 137 | +That's all there is to it! |
| 138 | + |
| 139 | +## Author Information |
| 140 | + |
| 141 | +This repository is maintained by the contributors listed on [GitHub](https://github.com/NetApp/FSx-ONTAP-samples-scripts/graphs/contributors). |
| 142 | + |
| 143 | +## License |
| 144 | + |
| 145 | +Licensed under the Apache License, Version 2.0 (the "License"). |
| 146 | + |
| 147 | +You may obtain a copy of the License at [apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0). |
| 148 | + |
| 149 | +Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an _"AS IS"_ basis, without WARRANTIES or conditions of any kind, either express or implied. |
| 150 | + |
| 151 | +See the License for the specific language governing permissions and limitations under the License. |
| 152 | + |
| 153 | +© 2024 NetApp, Inc. All Rights Reserved. |
0 commit comments