Merge pull request #1605 from mattiasthalen/feature/add-support-for-azure-keyvault

Add Azure Key Vault support as secrets backend

Author: albertobruin

.gitignore

@@ -162,3 +162,5 @@ test-glossary.yml
 .venv
 logs/queries
 *.py[cod]
+
+.devcontainer

cmd/run.go

@@ -587,7 +587,7 @@ func Run(isDebug *bool) *cli.Command {
 			&cli.StringFlag{
 				Name:    "secrets-backend",
 				Sources: cli.EnvVars("BRUIN_SECRETS_BACKEND"),
-				Usage:   "the source of secrets if different from .bruin.yml. Possible values: 'vault', 'doppler', 'aws'",
+				Usage:   "the source of secrets if different from .bruin.yml. Possible values: 'vault', 'doppler', 'aws', 'azure'",
 			},
 			&cli.BoolFlag{
 				Name:  "no-validation",
@@ -969,6 +969,11 @@ func Run(isDebug *bool) *cli.Command {
 				if err != nil {
 					errs = append(errs, errors.Wrap(err, "failed to initialize AWS Secrets Manager client"))
 				}
+			case "azure":
+				connectionManager, err = secrets.NewAzureKeyVaultClientFromEnv(logger)
+				if err != nil {
+					errs = append(errs, errors.Wrap(err, "failed to initialize Azure Key Vault client"))
+				}
 			default:
 				connectionManager, errs = connection.NewManagerFromConfigWithContext(ctx, cm)
 			}

go.mod

@@ -14,6 +14,9 @@ require (
 	cloud.google.com/go/logging v1.13.0
 	cloud.google.com/go/longrunning v0.6.7
 	cloud.google.com/go/storage v1.56.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0
 	github.com/BurntSushi/toml v1.5.0
 	github.com/ClickHouse/clickhouse-go/v2 v2.37.1
 	github.com/DATA-DOG/go-sqlmock v1.5.2
@@ -98,6 +101,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.9.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 // indirect
 	github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 // indirect
 	github.com/ClickHouse/ch-go v0.66.0 // indirect

go.sum

@@ -94,8 +94,10 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.8.0/go.mod h1:DWAciXemNf++PQJLeXUB4HHH5OpsAh12HZnu2wXE1jA=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1 h1:MyVTgWR8qd/Jw1Le0NZebGBUCLbtak3bJ3z1OlqZBpw=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0 h1:D3occbWoio4EBLkbkevetNMAVX197GkzbUMtqjGWn80=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0 h1:WLUIpeyv04H0RCcQHaA4TNoyrQ39Ox7V+re+iaqzTe0=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.3.0/go.mod h1:hd8hTTIY3VmUVPRHNH7GVCHO3SHgXkJKZHReby/bnUQ=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0 h1:eXnN9kaS8TiDwXjoie3hMRLuwdUBUMW9KRgOqB3mCaw=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.0/go.mod h1:XIpam8wumeZ5rVMuhdDQLMfIPDf1WO3IzrCRO3e3e3o=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1 h1:lhZdRq7TIx0GJQvSyX2Si406vrYsov2FXGp/RnSEtcs=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.6.1/go.mod h1:8cl44BDmi+effbARHMQjgOKA2AYvcohNm7KEt42mSV8=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=

pkg/secrets/aws_secretsmanager_test.go

@@ -11,6 +11,8 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+const testGenericSecretJSON = `{"details": {"value": "somevalue"}, "type": "generic"}`
+
 func TestNewAWSSecretsManagerClient(t *testing.T) {
 	t.Parallel()
 	log := &mockLogger{}
@@ -76,7 +78,7 @@ func TestAWSSecretsManagerClient_GetConnection_ReturnsConnection(t *testing.T) {
 
 func TestAWSSecretsManagerClient_GetConnection_ReturnsGenericConnection(t *testing.T) {
 	t.Parallel()
-	secretString := `{"details": {"value": "somevalue"}, "type": "generic"}`
+	secretString := testGenericSecretJSON
 	c := &AWSSecretsManagerClient{
 		client: &mockAWSSecretsManagerClient{
 			response: &secretsmanager.GetSecretValueOutput{
@@ -126,7 +128,7 @@ func TestAWSSecretsManagerClient_GetConnection_ReturnsFromCache(t *testing.T) {
 
 func TestAWSSecretsManagerClient_GetConnectionDetails_ReturnsDetails(t *testing.T) {
 	t.Parallel()
-	secretString := `{"details": {"value": "somevalue"}, "type": "generic"}`
+	secretString := testGenericSecretJSON
 	c := &AWSSecretsManagerClient{
 		client: &mockAWSSecretsManagerClient{
 			response: &secretsmanager.GetSecretValueOutput{

pkg/secrets/azure_keyvault.go

@@ -0,0 +1,288 @@
+package secrets
+
+import (
+	"context"
+	"encoding/json"
+	"net/url"
+	"os"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
+	"github.com/bruin-data/bruin/pkg/config"
+	"github.com/bruin-data/bruin/pkg/connection"
+	"github.com/bruin-data/bruin/pkg/logger"
+	"github.com/pkg/errors"
+)
+
+// azureKeyVaultSecretsClient defines the interface for Azure Key Vault operations.
+type azureKeyVaultSecretsClient interface {
+	GetSecret(ctx context.Context, name string, version string, options *azsecrets.GetSecretOptions) (azsecrets.GetSecretResponse, error)
+}
+
+// AzureKeyVaultClient manages secrets from Azure Key Vault.
+type AzureKeyVaultClient struct {
+	client                  azureKeyVaultSecretsClient
+	logger                  logger.Logger
+	cacheMu                 sync.RWMutex
+	cacheConnections        map[string]any
+	cacheConnectionsDetails map[string]any
+}
+
+// NewAzureKeyVaultClientFromEnv creates a new Azure Key Vault client from environment variables.
+func NewAzureKeyVaultClientFromEnv(logger logger.Logger) (*AzureKeyVaultClient, error) {
+	vaultURL := os.Getenv("BRUIN_AZURE_KEYVAULT_URL")
+	if vaultURL == "" {
+		return nil, errors.New("BRUIN_AZURE_KEYVAULT_URL env variable not set")
+	}
+
+	authMethod := os.Getenv("BRUIN_AZURE_AUTH_METHOD")
+	if authMethod == "" {
+		authMethod = "default"
+	}
+
+	switch authMethod {
+	case "client_credentials":
+		tenantID := os.Getenv("BRUIN_AZURE_TENANT_ID")
+		if tenantID == "" {
+			return nil, errors.New("BRUIN_AZURE_TENANT_ID env variable not set for client_credentials auth")
+		}
+		clientID := os.Getenv("BRUIN_AZURE_CLIENT_ID")
+		if clientID == "" {
+			return nil, errors.New("BRUIN_AZURE_CLIENT_ID env variable not set for client_credentials auth")
+		}
+		clientSecret := os.Getenv("BRUIN_AZURE_CLIENT_SECRET")
+		if clientSecret == "" {
+			return nil, errors.New("BRUIN_AZURE_CLIENT_SECRET env variable not set for client_credentials auth")
+		}
+		return NewAzureKeyVaultClient(logger, vaultURL, tenantID, clientID, clientSecret)
+
+	case "managed_identity":
+		clientID := os.Getenv("BRUIN_AZURE_CLIENT_ID") // Optional for user-assigned identity
+		return NewAzureKeyVaultClientWithManagedIdentity(logger, vaultURL, clientID)
+
+	case "cli":
+		return NewAzureKeyVaultClientWithCLI(logger, vaultURL)
+
+	case "default":
+		return NewAzureKeyVaultClientWithDefaultCredential(logger, vaultURL)
+
+	default:
+		return nil, errors.Errorf("unsupported Azure auth method: %s", authMethod)
+	}
+}
+
+// NewAzureKeyVaultClient creates a new Azure Key Vault client with client credentials.
+func NewAzureKeyVaultClient(logger logger.Logger, vaultURL, tenantID, clientID, clientSecret string) (*AzureKeyVaultClient, error) {
+	if err := validateVaultURL(vaultURL); err != nil {
+		return nil, err
+	}
+	if tenantID == "" {
+		return nil, errors.New("tenant ID required for client credentials authentication")
+	}
+	if clientID == "" {
+		return nil, errors.New("client ID required for client credentials authentication")
+	}
+	if clientSecret == "" {
+		return nil, errors.New("client secret required for client credentials authentication")
+	}
+
+	cred, err := azidentity.NewClientSecretCredential(tenantID, clientID, clientSecret, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create Azure client secret credential")
+	}
+
+	return newAzureKeyVaultClientWithCredential(logger, vaultURL, cred)
+}
+
+// NewAzureKeyVaultClientWithManagedIdentity creates client using managed identity.
+func NewAzureKeyVaultClientWithManagedIdentity(logger logger.Logger, vaultURL, clientID string) (*AzureKeyVaultClient, error) {
+	if err := validateVaultURL(vaultURL); err != nil {
+		return nil, err
+	}
+
+	var opts *azidentity.ManagedIdentityCredentialOptions
+	if clientID != "" {
+		opts = &azidentity.ManagedIdentityCredentialOptions{
+			ID: azidentity.ClientID(clientID),
+		}
+	}
+
+	cred, err := azidentity.NewManagedIdentityCredential(opts)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create Azure managed identity credential")
+	}
+
+	return newAzureKeyVaultClientWithCredential(logger, vaultURL, cred)
+}
+
+// NewAzureKeyVaultClientWithCLI creates client using Azure CLI credentials.
+func NewAzureKeyVaultClientWithCLI(logger logger.Logger, vaultURL string) (*AzureKeyVaultClient, error) {
+	if err := validateVaultURL(vaultURL); err != nil {
+		return nil, err
+	}
+
+	cred, err := azidentity.NewAzureCLICredential(nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create Azure CLI credential")
+	}
+
+	return newAzureKeyVaultClientWithCredential(logger, vaultURL, cred)
+}
+
+// NewAzureKeyVaultClientWithDefaultCredential creates client using DefaultAzureCredential.
+func NewAzureKeyVaultClientWithDefaultCredential(logger logger.Logger, vaultURL string) (*AzureKeyVaultClient, error) {
+	if err := validateVaultURL(vaultURL); err != nil {
+		return nil, err
+	}
+
+	cred, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create Azure default credential")
+	}
+
+	return newAzureKeyVaultClientWithCredential(logger, vaultURL, cred)
+}
+
+func validateVaultURL(vaultURL string) error {
+	if vaultURL == "" {
+		return errors.New("empty Azure Key Vault URL provided")
+	}
+	parsed, err := url.Parse(vaultURL)
+	if err != nil || parsed.Scheme != "https" || !strings.HasSuffix(parsed.Host, ".vault.azure.net") {
+		return errors.New("invalid Azure Key Vault URL: must be https://<name>.vault.azure.net")
+	}
+	return nil
+}
+
+func newAzureKeyVaultClientWithCredential(logger logger.Logger, vaultURL string, cred azcore.TokenCredential) (*AzureKeyVaultClient, error) {
+	client, err := azsecrets.NewClient(vaultURL, cred, nil)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to create Azure Key Vault secrets client")
+	}
+
+	return &AzureKeyVaultClient{
+		client:                  client,
+		logger:                  logger,
+		cacheConnections:        make(map[string]any),
+		cacheConnectionsDetails: make(map[string]any),
+	}, nil
+}
+
+// GetConnection retrieves a connection by name from Azure Key Vault.
+func (c *AzureKeyVaultClient) GetConnection(name string) any {
+	c.cacheMu.RLock()
+	if conn, ok := c.cacheConnections[name]; ok {
+		c.cacheMu.RUnlock()
+		return conn
+	}
+	c.cacheMu.RUnlock()
+
+	manager, err := c.getAzureKeyVaultManager(name)
+	if err != nil {
+		c.logger.Errorf("%v", err)
+		return nil
+	}
+
+	conn := manager.GetConnection(name)
+
+	c.cacheMu.Lock()
+	c.cacheConnections[name] = conn
+	c.cacheMu.Unlock()
+
+	return conn
+}
+
+// GetConnectionDetails retrieves connection details by name from Azure Key Vault.
+func (c *AzureKeyVaultClient) GetConnectionDetails(name string) any {
+	c.cacheMu.RLock()
+	if deets, ok := c.cacheConnectionsDetails[name]; ok {
+		c.cacheMu.RUnlock()
+		return deets
+	}
+	c.cacheMu.RUnlock()
+
+	manager, err := c.getAzureKeyVaultManager(name)
+	if err != nil {
+		c.logger.Errorf("%v", err)
+		return nil
+	}
+
+	deets := manager.GetConnectionDetails(name)
+
+	c.cacheMu.Lock()
+	c.cacheConnectionsDetails[name] = deets
+	c.cacheMu.Unlock()
+
+	return deets
+}
+
+func (c *AzureKeyVaultClient) getAzureKeyVaultManager(name string) (config.ConnectionAndDetailsGetter, error) {
+	ctx, cancelFunc := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancelFunc()
+
+	// Empty string for version gets the latest version
+	result, err := c.client.GetSecret(ctx, name, "", nil)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to read secret '%s' from Azure Key Vault", name)
+	}
+
+	if result.Value == nil {
+		return nil, errors.Errorf("secret '%s' has no value", name)
+	}
+
+	var secretData map[string]any
+	if err := json.Unmarshal([]byte(*result.Value), &secretData); err != nil {
+		return nil, errors.Wrap(err, "failed to parse secret as JSON")
+	}
+
+	detailsRaw, okDetails := secretData["details"]
+	secretType, okType := secretData["type"].(string)
+
+	details, detailsIsMap := detailsRaw.(map[string]any)
+	if !okDetails || !detailsIsMap || !okType || secretType == "" {
+		return nil, errors.Errorf("secret '%s' must contain both 'type' (non-empty string) and 'details' (object)", name)
+	}
+
+	details["name"] = name
+
+	connectionsMap := map[string][]map[string]any{
+		secretType: {
+			details,
+		},
+	}
+
+	serialized, err := json.Marshal(connectionsMap)
+	if err != nil {
+		return nil, errors.Wrapf(err, "failed to process secret '%s'", name)
+	}
+
+	var connections config.Connections
+
+	if err := json.Unmarshal(serialized, &connections); err != nil {
+		return nil, errors.Wrapf(err, "failed to parse secret '%s' configuration", name)
+	}
+
+	environment := config.Environment{
+		Connections: &connections,
+	}
+
+	cfg := config.Config{
+		Environments: map[string]config.Environment{
+			"default": environment,
+		},
+		SelectedEnvironmentName: "default",
+		SelectedEnvironment:     &environment,
+		DefaultEnvironmentName:  "default",
+	}
+
+	manager, errs := connection.NewManagerFromConfig(&cfg)
+	if len(errs) > 0 {
+		return nil, errors.Wrapf(errs[0], "failed to configure connection '%s'", name)
+	}
+
+	return manager, nil
+}