feat: add policy subcommand to render a vault policy without an approle backend (#38)

fix: add concept of policy definition without approle to support policy creation
fix: update allowed operations to include sudo
---------

Signed-off-by: Ben Stickel <[email protected]>

Author: fin09pcap

terraformer/cmd/harp-terraformer/internal/cmd/policy.go

@@ -0,0 +1,79 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied.  See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package cmd
+
+import (
+	"io"
+
+	"github.com/spf13/cobra"
+	"go.uber.org/zap"
+
+	"github.com/elastic/harp-plugins/terraformer/pkg/terraformer"
+	"github.com/elastic/harp/pkg/sdk/cmdutil"
+	"github.com/elastic/harp/pkg/sdk/log"
+)
+
+var (
+	terraformerPolicyInputSpec   string
+	terraformerPolicyOutputPath  string
+	terraformerPolicyEnvironment string
+)
+
+// -----------------------------------------------------------------------------
+
+var terraformerPolicyCmd = func() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "policy",
+		Short: "Policy generator for Harp CSO Vault",
+		Run:   runTerraformerPolicy,
+	}
+
+	// Parameters
+	cmd.Flags().StringVar(&terraformerPolicyInputSpec, "spec", "-", "AppRole specification path ('-' for stdin or filename)")
+	cmd.Flags().StringVar(&terraformerPolicyOutputPath, "out", "-", "Output file ('-' for stdout or a filename)")
+	cmd.Flags().StringVar(&terraformerPolicyEnvironment, "env", "production", "Target environment")
+
+	return cmd
+}
+
+func runTerraformerPolicy(cmd *cobra.Command, _ []string) {
+	ctx, cancel := cmdutil.Context(cmd.Context(), "harp-terraformer-policy", conf.Debug.Enable, conf.Instrumentation.Logs.Level)
+	defer cancel()
+
+	var (
+		reader io.Reader
+		err    error
+	)
+
+	// Create input reader
+	reader, err = cmdutil.Reader(terraformerPolicyInputSpec)
+	if err != nil {
+		log.For(ctx).Fatal("unable to open input specification", zap.Error(err), zap.String("path", terraformerPolicyInputSpec))
+	}
+
+	// Create output writer
+	writer, err := cmdutil.Writer(terraformerPolicyOutputPath)
+	if err != nil {
+		log.For(ctx).Fatal("unable to create output writer", zap.Error(err), zap.String("path", terraformerPolicyOutputPath))
+	}
+
+	// Run terraformer
+	if err := terraformer.Run(ctx, reader, terraformerPolicyEnvironment, true, terraformer.PolicyTemplate, writer); err != nil {
+		log.For(ctx).Fatal("unable to process specification", zap.Error(err), zap.String("path", terraformerPolicyInputSpec))
+	}
+}

terraformer/cmd/harp-terraformer/internal/cmd/root.go

@@ -57,6 +57,7 @@ var mainCmd = func() *cobra.Command {
 
 	// Add subcommands
 	cmd.AddCommand(terraformerAgentCmd())
+	cmd.AddCommand(terraformerPolicyCmd())
 	cmd.AddCommand(terraformerServiceCmd())
 
 	// Return command

terraformer/pkg/terraformer/compiler.go

@@ -209,6 +209,7 @@ var allowedCapabilities = types.StringArray{
 	"read",
 	"update",
 	"delete",
+	"sudo",
 }
 
 // filterCapabilities removes useless capabilities

terraformer/pkg/terraformer/templates.go

@@ -19,7 +19,7 @@ package terraformer
 
 import terraformerv1 "github.com/elastic/harp-plugins/terraformer/api/gen/go/harp/terraformer/v1"
 
-// ServiceTemplate is the TF 0.12 Service template.
+// ServiceTemplate is the TF >=0.12 Service template.
 const ServiceTemplate = `# Generated with Harp Terraformer, Don't modify.
 # https://github.com/elastic/harp-plugins/tree/main/cmd/harp-terraformer
 # ---
@@ -74,7 +74,7 @@ resource "vault_approle_auth_backend_role" "{{.ObjectName}}" {
 }
 `
 
-// AgentTemplate is the TF 0.12 Agent template.
+// AgentTemplate is the TF >=0.12 Agent template.
 const AgentTemplate = `# Generated with Harp Terraformer, Don't modify.
 # https://github.com/elastic/harp-plugins/tree/main/cmd/harp-terraformer
 # ---
@@ -127,6 +127,47 @@ resource "vault_approle_auth_backend_role" "agent-{{.ObjectName}}" {
 }
 `
 
+// PolicyTemplate is the TF >=0.12 Agent template.
+const PolicyTemplate = `# Generated with Harp Terraformer, Don't modify.
+# https://github.com/elastic/harp-plugins/tree/main/cmd/harp-terraformer
+# ---
+# SpecificationHash: "{{.SpecHash}}"
+# Owner: "{{.Meta.Owner}}"
+# Date: "{{.Date}}"
+# Description: "{{.Meta.Description}}"
+# Issues:{{range .Meta.Issues}}
+# - {{.}}{{ end }}
+# ---
+#
+# ------------------------------------------------------------------------------
+
+# Create the policy
+data "vault_policy_document" "policy-{{.ObjectName}}" {
+{{- range $ns, $secrets := .Namespaces }}
+  # {{ $ns }} secrets{{ range $k, $item := $secrets }}
+  rule {
+	description  = "{{$item.Description}}"
+	path         = "{{$item.Path}}"
+    capabilities = [{{range $i, $v := $item.Capabilities}}{{if $i}} ,{{end}}{{printf "%q" $v}}{{end}}]
+  }
+  {{end -}}
+{{end}}{{if .CustomRules }}
+  # Custom secret paths{{ range $k, $item := .CustomRules }}
+  rule {
+	description  = "{{$item.Description}}"
+	path         = "{{$item.Path}}"
+    capabilities = [{{range $i, $v := $item.Capabilities}}{{if $i}} ,{{end}}{{printf "%q" $v}}{{end}}]
+  }
+  {{end}}{{end -}}
+}
+
+# Register the policy
+resource "vault_policy" "policy-{{.ObjectName}}" {
+  name   = "policy-{{.ObjectName}}"
+  policy = data.vault_policy_document.policy-{{.ObjectName}}.hcl
+}
+`
+
 // -----------------------------------------------------------------------------
 
 type tmplModel struct {