From 8876e8661aca2feb4b0eecf73658db46bcf0df99 Mon Sep 17 00:00:00 2001 From: Tone Def Date: Fri, 17 Jun 2022 23:29:47 -0700 Subject: [PATCH 1/5] Added Apache 2.0 license --- LICENSE | 13 +++++++++++++ terraform/variables.tf | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 LICENSE diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..23ff6e0 --- /dev/null +++ b/LICENSE @@ -0,0 +1,13 @@ + Copyright 2022 Anthony Owens + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index cd08575..b842cf7 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -12,7 +12,7 @@ variable "location" { variable "keyvault_only" { type = bool - default = true + default = false description = "Create only the Azure Key Vault resources and not any VMs" } From dd39fa2eb1591e4cfa8a6832d8deee0f4a3348b8 Mon Sep 17 00:00:00 2001 From: Tone Def Date: Fri, 17 Jun 2022 23:59:49 -0700 Subject: [PATCH 2/5] Updating readme with quicklinks and verbiage --- README.md | 45 ++++++++++++++++++++++++++++++++++++--------- 1 file changed, 36 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 5bff467..793274d 100644 --- a/README.md +++ b/README.md 
@@ -3,7 +3,7 @@ # Terracreds -A credential helper for Terraform Automation and Collaboration Software, or to store any other secrets, securely in the operating system's credential vault or through a third party vault provider. No longer keep secrets in a plain text configuration file! +A credential helper for Terraform Cloud or Enterprise Software, or to store any other secrets, securely in the operating system's credential vault or through a third party vault provider. No longer keep secrets in a plain text configuration file! We all know storing secrets in plain text can pose major security threats, and Terraform doesn't come pre-packaged with a credential helper, so we decided to create one and to share it with the greater Terraform/DevOps community to help enable stronger security practices. 
@@ -18,13 +18,40 @@ We all know storing secrets in plain text can pose major security threats, and T - [x] Google Secret Manager - [x] HashiCorp Vault -#### Currently Supported Terraform Automation and Collaboration Software: +#### Currently Supported Terraform Cloud or Enterprise Software: - [x] env0 - [x] Scalr - [x] Spacelift - [x] Terraform Cloud - [x] Terraform Enterprise +## Quick Links +- InstallConfigure + - [Windows](https://github.com/tonedefdev/terracreds#windows-install-via-chocolatey) + - [macOS](https://github.com/tonedefdev/terracreds#macos-install) + - [Linux](https://github.com/tonedefdev/terracreds#linux-install) + - [From Source](https://github.com/tonedefdev/terracreds#install-from-source) + - [Upgrading](https://github.com/tonedefdev/terracreds#upgrading) + - [Initial Configuration](https://github.com/tonedefdev/terracreds#initial-configuration) +- Usage + - [Storing](https://github.com/tonedefdev/terracreds#storing-credentials) + - [Verifying](https://github.com/tonedefdev/terracreds#storing-credentials) + - [Updating](https://github.com/tonedefdev/terracreds#updating-credentials) + - [Forgetting](https://github.com/tonedefdev/terracreds#forgetting-credentials) + - [Listing](https://github.com/tonedefdev/terracreds#list-credentials) +- Vault Providers + - [General Setup](https://github.com/tonedefdev/terracreds#setting-up-a-vault-provider) + - [AWS Secrets Manager](https://github.com/tonedefdev/terracreds#aws-secrets-manager) + - [Azure Key Vault](https://github.com/tonedefdev/terracreds#azure-key-vault) + - [Google Secret Manager](https://github.com/tonedefdev/terracreds#google-secret-manager) + - [HashiCorp Vault](https://github.com/tonedefdev/terracreds#hashicorp-vault) +- Miscellaneous + - [Protection](https://github.com/tonedefdev/terracreds#protection) + - [Logging](https://github.com/tonedefdev/terracreds#logging) +- Troubleshooting + - [Known Issues](https://github.com/tonedefdev/terracreds#known-issues) + - 
[Linux](https://github.com/tonedefdev/terracreds#linux) + ## Windows Install via Chocolatey The fastest way to install `terracreds` on Windows is via our Chocolatey package: ```powershell 
@@ -125,16 +152,16 @@ credentials_helper "terracreds" { } ``` -Once you have moved all of your tokens from this file to the `Windows Credential Manager` or `KeyChain` via `terracreds` you can remove the tokens from the file. If you don't remove the tokens, and you add the `credentials_helper` block to this file, Terraform will still use the tokens instead of `terracreds` to retreive the tokens, so be sure to remove your tokens from this file once you have used the `create` or `terraform login` command to create the credentials in `terracreds` so you can actually leverage the credential helper. +Once you have moved all of your tokens from this file to your preferred vault provider via `terracreds` you can remove the tokens from the file. If you don't remove them, but you add the `credentials_helper` block to this file, Terraform will still use the token from this file instead of from the vault configured with `terracreds`. ## Storing Credentials -For Terraform to properly use the credentials stored in your credential manager they need to be stored a specific way. The name of the credential object must be the domain name of the Terraform Automation and Collaboration server. For instance `app.terraform.io` which is the default name `terraform login` will leverage. +For Terraform to properly use the credentials stored in your credential manager they need to be stored a specific way. The name of the credential object must be the domain name of the Terraform Cloud or Enterprise server. For instance `app.terraform.io` which is the default name `terraform login` will leverage. -The value for the password will correspond to the API token associated for that specific Terraform Automation and Collaboration server. +The value for the password will correspond to the API token associated for that specific Terraform Cloud or Enterprise server. -The entire process is kicked off directly from the Terraform CLI. Run `terraform login` to start the login process with Terraform Cloud. 
If you're using Terraform Enterprise or another Terraform Automation and Collaboration Software solution you'll need to pass the hostname of the server as an additional argument `terraform login my.tacos.com`. +The entire process is kicked off directly from the Terraform CLI. Run `terraform login` to start the login process with Terraform Cloud. If you're using Terraform Enterprise you'll need to pass the hostname of the server as an additional argument `terraform login my.tfe.com`. -You'll be sent to your Terraform Automation and Collaboration Software instance where you'll be requested to sign-in with your account, and then sent to create an API token. Create the API token with any name you'd like for this example we'll use `terracreds`. +You'll be sent to your Terraform Cloud or Enterprise Software instance where you'll be requested to sign-in with your account, and then sent to create an API token. Create the API token with any name you'd like for this example we'll use `terracreds`. Once completed, copy the generated token, paste it into your terminal, and then hit enter. Terraform will then leverage `terracreds` to store the credentials in the operating system's credential manager. If all went well you should receive the following success message: @@ -148,7 +175,7 @@ In the background `terraform` calls `terracreds` as its credential helper, `terr terraform-credentials-terracreds store app.terraform.io ``` -If you prefer, you can also perform creating credentials manually by running: +If you prefer, you can also create credentials manually by running: ```bash terracreds create -n app.terraform.io -v ``` 
@@ -233,7 +260,7 @@ The above example would maintain the dash `[-]` in the outuput of the formatted Additionally, you can use `--as-json` to return the secret names and values as a JSON string. This is printed to standard output so you can make use of shell pipes and other commands to ingest the data. ## Setting Up a Vault Provider -> You can reference example configs in our [repo](https://github.com/tonedefdev/terracreds/blob/main/config.yaml) plus we have example [terraform](https://github.com/tonedefdev/terracreds/tree/main/terraform) code you can reference in order to setup your `AWS` or `Azure` VMs to use `terracreds` for a CI/CD piepline agent or a development workstation. +> We have example [terraform](https://github.com/tonedefdev/terracreds/tree/main/terraform) code you can reference in order to setup your `AWS` or `Azure` VMs to use `terracreds` for a CI/CD piepline agent or a development workstation. > New in version `2.1.0` From 4a8037b07f294d55c1ebfe1034b69e8b785bab1b Mon Sep 17 00:00:00 2001 From: Tone Def Date: Sat, 18 Jun 2022 00:00:59 -0700 Subject: [PATCH 3/5] Fixing typo in list error message --- main.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.go b/main.go index b21ec11..571046a 100644 --- a/main.go +++ b/main.go @@ -646,7 +646,7 @@ func main() { }, Action: func(c *cli.Context) error { if len(os.Args) == 2 { - fmt.Fprintf(color.Output, "%s: No list command was specified. Use 'terracreds create -h' to print help info\n", color.RedString("ERROR")) + fmt.Fprintf(color.Output, "%s: No list command was specified. Use 'terracreds list -h' to print help info\n", color.RedString("ERROR")) return nil } From a4d2a72a48daaaff8b6eb31344a2fd5e254d4cd4 Mon Sep 17 00:00:00 2001 From: Tone Def Date: Sat, 18 Jun 2022 00:03:49 -0700 Subject: [PATCH 4/5] Fixed typo in readme --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 793274d..3239802 100644 --- a/README.md 
+++ b/README.md @@ -26,7 +26,7 @@ We all know storing secrets in plain text can pose major security threats, and T - [x] Terraform Enterprise ## Quick Links -- InstallConfigure +- Install & Configure - [Windows](https://github.com/tonedefdev/terracreds#windows-install-via-chocolatey) - [macOS](https://github.com/tonedefdev/terracreds#macos-install) - [Linux](https://github.com/tonedefdev/terracreds#linux-install) From 93c7fb8ad662aa57eb597263fc551e296ebb3ce6 Mon Sep 17 00:00:00 2001 From: Tone Def Date: Sat, 18 Jun 2022 00:08:03 -0700 Subject: [PATCH 5/5] More readme fixes... --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3239802..2b62d45 100644 --- a/README.md +++ b/README.md @@ -3,7 +3,7 @@ # Terracreds -A credential helper for Terraform Cloud or Enterprise Software, or to store any other secrets, securely in the operating system's credential vault or through a third party vault provider. No longer keep secrets in a plain text configuration file! +A credential helper for Terraform Automation and Collaboration Software, or to store any other secrets, securely in the operating system's credential vault or through a third party vault provider. No longer keep secrets in a plain text configuration file! We all know storing secrets in plain text can pose major security threats, and Terraform doesn't come pre-packaged with a credential helper, so we decided to create one and to share it with the greater Terraform/DevOps community to help enable stronger security practices. @@ -18,7 +18,7 @@ We all know storing secrets in plain text can pose major security threats, and T - [x] Google Secret Manager - [x] HashiCorp Vault -#### Currently Supported Terraform Cloud or Enterprise Software: +#### Currently Supported Terraform Automation and Collaboration Software: - [x] env0 - [x] Scalr - [x] Spacelift
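
Review bot: In PATCH 1/5, the `terraform/variables.tf` hunk flips `keyvault_only` from `default = true` to `default = false` inside a commit whose subject is "Added Apache 2.0 license", so a behaviour change is hidden behind a licensing message. With the new default, an apply that does not set the variable is no longer limited to what the description calls "only the Azure Key Vault resources and not any VMs". Move this line to its own commit with a subject that states the new default, or drop it if it was left over from local testing.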
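
Review bot: In PATCH 1/5, the new `LICENSE` file contains only the 13-line copyright and boilerplate notice and ends with `\ No newline at end of file`. The notice sends readers to http://www.apache.org/licenses/LICENSE-2.0 for the terms, but the terms themselves are not in the repository. Consider placing the full Apache 2.0 text in `LICENSE`, keeping the copyright line in a notice or in file headers, and ending the file with a newline.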
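
Review bot: In PATCH 2/5, the Quick Links hunk (`@@ -18,13 +18,40 @@`) points both `Storing` and `Verifying` at `#storing-credentials`, so the Verifying entry has no target of its own. Link it to the section that covers verification or drop the entry. The first bullet is added as `- InstallConfigure` and only corrected in PATCH 4/5; squashing that fix into this commit would keep the series clean. The entries are also absolute `https://github.com/tonedefdev/terracreds#...` URLs, so a reader of a fork or an older tag is taken to a different copy of the README; relative `#anchor` links would stay in the file being read.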
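
Review bot: In PATCH 2/5, the `@@ -125,16 +152,16 @@` hunk weakens the cleanup step: the rewritten paragraph says you "can remove the tokens from the file" and drops the old closing instruction to "be sure to remove your tokens from this file". The same paragraph states that Terraform keeps using the token from the file while it is present, so a leftover token both stays on disk in plain text and bypasses the vault without any warning. Word the removal as a required step. The example hostname `my.tfe.com` is also a registrable domain; a reserved name such as `tfe.example.com` avoids pointing readers at a real host.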
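
Review bot: In PATCH 2/5, the `@@ -233,7 +260,7 @@` hunk rewrites the blockquote but carries the typo `piepline` into the added line, and "in order to setup" should read "set up". The rewrite also removes the link to the example `config.yaml` without saying where the example configs went; if the file was removed, say so in the commit message, otherwise keep the link, since this section is where readers look for a starting vault configuration. The context line above the heading still contains `outuput`, which could be fixed in the same pass.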
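
Review bot: In PATCH 3/5, the `main.go` hunk corrects the help hint, but the branch still prints `ERROR` and then executes `return nil`, so no error is propagated from this path when `list` is called without a subcommand. Scripts and pipeline steps that check the exit status cannot detect the failure; return a non-nil error from the `Action` instead. The `len(os.Args) == 2` test also depends on the raw argument count, so any extra argument ahead of `list` skips the check; testing the parsed arguments on `c` would be more robust.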
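
Review bot: In PATCH 5/5, the two hunks restore "Terraform Automation and Collaboration Software" only in the intro sentence and the supported-software heading, while the Storing Credentials text changed in PATCH 2/5 still says "Terraform Cloud or Enterprise server". After the series the README uses two names for the same thing, and the supported list includes env0, Scalr and Spacelift, which the "Cloud or Enterprise" wording does not cover. Pick one term and apply it to every occurrence, ideally by squashing 2/5 and 5/5 so the history does not show a rename followed by a partial revert.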