diff --git a/.evergreen/auth_aws/setup_secrets.py b/.evergreen/auth_aws/setup_secrets.py
index fd9d5364..254ad895 100644
--- a/.evergreen/auth_aws/setup_secrets.py
+++ b/.evergreen/auth_aws/setup_secrets.py
@@ -6,19 +6,34 @@ import json
 import os
 import sys
+import uuid
 import boto3
 import botocore.exceptions
+AWS_ROLE_ARN = "arn:aws:iam::857654397073:role/drivers-test-secrets-role"
 def get_secrets(vaults, region, profile):
 """Get the driver secret values."""
 # Handle local credentials.
 profile = profile or os.environ.get("AWS_PROFILE")
+ kwargs = dict(region_name=region)
 if "AWS_ACCESS_KEY_ID" not in os.environ and not profile:
- raise ValueError("Please provide a profile (typically using AWS_PROFILE)")
- session = boto3.Session(profile_name=profile)
- client = session.client(service_name='secretsmanager', region_name=region)
+ session = boto3.Session(profile_name=profile)
+ client = session.client(service_name='sts', **kwargs)
+ try:
+ # This will only fail locally.
+ resp = client.assume_role(RoleArn=AWS_ROLE_ARN, RoleSessionName=str(uuid.uuid4()))
+ except Exception as e:
+ print(e)
+ raise ValueError("Please provide a profile (typically using AWS_PROFILE)")
+
+ creds = resp['Credentials']
+ kwargs.update(aws_access_key_id=creds['AccessKeyId'],
+ aws_secret_access_key=creds['SecretAccessKey'],
+ aws_session_token=creds['SessionToken'])
+
+ client = session.client(service_name='secretsmanager', **kwargs)
 secrets = []
 try:
diff --git a/.evergreen/auth_aws/setup_secrets.sh b/.evergreen/auth_aws/setup_secrets.sh
index 601ef1e4..db362182 100644
--- a/.evergreen/auth_aws/setup_secrets.sh
+++ b/.evergreen/auth_aws/setup_secrets.sh
@@ -7,6 +7,6 @@ HERE=$(dirname $0)
 pushd $HERE
 . ./activate-authawsvenv.sh
 popd
-echo "Getting secrets: $@"
-python $HERE/setup_secrets.py $@
+echo "Getting secrets:" "$@"
+python $HERE/setup_secrets.py "$@"
 echo "Got secrets"
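Review bot: In the new `if` branch, `except Exception as e` followed by `raise ValueError("Please provide a profile ...")` reports every assume_role failure — AccessDenied on the hard-coded AWS_ROLE_ARN, throttling, a network error — as a missing profile and discards the cause; narrow it to `except (botocore.exceptions.NoCredentialsError, botocore.exceptions.ClientError) as e:` and chain it with `raise ValueError("Please provide a profile (typically using AWS_PROFILE)") from e` so the STS error stays in the traceback. Indentation is not recoverable from this rendering, but if `session = boto3.Session(profile_name=profile)` now lives only inside the `if`, the final `client = session.client(service_name='secretsmanager', **kwargs)` raises NameError whenever AWS_ACCESS_KEY_ID or a profile is set — exactly the path the removed lines used to serve — so that assignment should stay above the `if`. A comment such as `# Temporary STS credentials from the assumed role, not the ambient ones, are what reach Secrets Manager.` on the kwargs.update call would make the credential flow explicit. get_secrets continues past the end of the hunk.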
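Review bot: The quoting fix on `python $HERE/setup_secrets.py "$@"` leaves `$HERE` itself unquoted, and `HERE=$(dirname $0)` in the hunk header likewise passes `$0` unquoted, so a checkout path containing spaces still word-splits. `python "$HERE"/setup_secrets.py "$@"` finishes the job on the new side.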
diff --git a/.evergreen/csfle/azurekms/create-and-setup-vm.sh b/.evergreen/csfle/azurekms/create-and-setup-vm.sh
index 1572dda6..b03b73a8 100755
--- a/.evergreen/csfle/azurekms/create-and-setup-vm.sh
+++ b/.evergreen/csfle/azurekms/create-and-setup-vm.sh
@@ -3,27 +3,34 @@ set -o errexit
 set -o pipefail
 set -o nounset
-if [ -z "${AZUREKMS_VMNAME_PREFIX:-}" ] || \
- [ -z "${AZUREKMS_CLIENTID:-}" ] || \
- [ -z "${AZUREKMS_TENANTID:-}" ] || \
- [ -z "${AZUREKMS_SECRET:-}" ] || \
- [ -z "${AZUREKMS_DRIVERS_TOOLS:-}" ] || \
- [ -z "${AZUREKMS_RESOURCEGROUP:-}" ] || \
- [ -z "${AZUREKMS_PUBLICKEYPATH:-}" ] || \
- [ -z "${AZUREKMS_PRIVATEKEYPATH:-}" ] || \
- [ -z "${AZUREKMS_SCOPE:-}" ]; then
- echo "Please set the following required environment variables"
- echo " AZUREKMS_VMNAME_PREFIX to an identifier string no spaces (e.g. CDRIVER)"
- echo " AZUREKMS_CLIENTID"
- echo " AZUREKMS_TENANTID"
- echo " AZUREKMS_SECRET"
- echo " AZUREKMS_DRIVERS_TOOLS"
- echo " AZUREKMS_PUBLICKEYPATH"
- echo " AZUREKMS_PRIVATEKEYPATH"
- echo " AZUREKMS_SCOPE"
- exit 1
+AZUREKMS_DRIVERS_TOOLS=${AZUREKMS_DRIVERS_TOOLS:-$DRIVERS_TOOLS}
+
+if [ -n "${AZUREKMS_PUBLICKEY:-}" ]; then
+ echo "${AZUREKMS_PUBLICKEY}" > /tmp/testazurekms_publickey
+ printf -- "${AZUREKMS_PRIVATEKEY}" > /tmp/testazurekms_privatekey
+ # Set 600 permissions on private key file. Otherwise ssh / scp may error with permissions "are too open".
+ chmod 600 /tmp/testazurekms_privatekey
+ export AZUREKMS_PUBLICKEYPATH="/tmp/testazurekms_publickey"
+ export AZUREKMS_PRIVATEKEYPATH="/tmp/testazurekms_privatekey"
 fi
+VARLIST=(
+AZUREKMS_VMNAME_PREFIX
+AZUREKMS_CLIENTID
+AZUREKMS_TENANTID
+AZUREKMS_SECRET
+AZUREKMS_RESOURCEGROUP
+AZUREKMS_PUBLICKEYPATH
+AZUREKMS_PRIVATEKEYPATH
+AZUREKMS_SCOPE
+)
+
+# Ensure that all variables required to run the test are set, otherwise throw
+# an error.
+for VARNAME in ${VARLIST[*]}; do
+[[ -z "${!VARNAME}" ]] && echo "ERROR: $VARNAME not set" && exit 1;
+done
+
 # Set defaults.
 export AZUREKMS_IMAGE=${AZUREKMS_IMAGE:-"Debian:debian-11:11:0.20221020.1174"}
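Review bot: `printf -- "${AZUREKMS_PRIVATEKEY}"` passes the private key as printf's format string, so any `%` or backslash sequence in the key material is interpreted and the file written to /tmp/testazurekms_privatekey no longer matches the secret; use `printf -- '%s' "${AZUREKMS_PRIVATEKEY}"`. The key file is also created under the default umask and only tightened afterwards by `chmod 600`, so writing it as `(umask 077; printf -- '%s' "${AZUREKMS_PRIVATEKEY}" > /tmp/testazurekms_privatekey)` removes the window in which another local user can read it. In the validation loop, `${!VARNAME}` under `set -o nounset` aborts with bash's own unbound-variable error before the `ERROR: $VARNAME not set` message is printed; `[[ -z "${!VARNAME:-}" ]]` keeps the intended message. The same nounset abort applies to `$DRIVERS_TOOLS` in the new default assignment when neither variable is set.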
@@ -45,7 +52,12 @@ fi
 # Create VM.
 . "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/create-vm.sh
 export AZUREKMS_VMNAME="$AZUREKMS_VMNAME"
-echo "AZUREKMS_VMNAME: $AZUREKMS_VMNAME" > testazurekms-expansions.yml
+# Store items needed for teardown.
+cat < testazurekms-expansions.yml
+AZUREKMS_VMNAME: $AZUREKMS_VMNAME
+AZUREKMS_RESOURCEGROUP: $AZUREKMS_RESOURCEGROUP
+AZUREKMS_SCOPE: $AZUREKMS_SCOPE
+EOT
 # Assign role.
 "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/assign-role.sh
 # Install dependencies.
@@ -59,4 +71,4 @@ AZUREKMS_SRC="$AZUREKMS_DRIVERS_TOOLS/.evergreen/csfle/azurekms/remote-scripts/s
 AZUREKMS_DST="./" \
 "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/copy-file.sh
 AZUREKMS_CMD="./start-mongodb.sh" \
- "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
\ No newline at end of file
+ "$AZUREKMS_DRIVERS_TOOLS"/.evergreen/csfle/azurekms/run-command.sh
diff --git a/.evergreen/csfle/azurekms/delete-vm.sh b/.evergreen/csfle/azurekms/delete-vm.sh
index e87e07ff..433bedad 100755
--- a/.evergreen/csfle/azurekms/delete-vm.sh
+++ b/.evergreen/csfle/azurekms/delete-vm.sh
@@ -12,6 +12,18 @@ if [ -z "${AZUREKMS_RESOURCEGROUP:-}" ] || \
 exit 1
 fi
+if [ -n "${AZUREKMS_SCOPE:-}" ]; then
+ echo "Deleting the role from the Virtual Machine $AZUREKMS_VMNAME ... begin"
+ PRINCIPAL_ID=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query identity.principalId -o tsv)
+ az role assignment delete \
+ --assignee "$PRINCIPAL_ID" \
+ --role "Key Vault Crypto User" \
+ --scope "$AZUREKMS_SCOPE" \
+ -y \
+ >/dev/null
+ echo "Deleting the role from the Virtual Machine $AZUREKMS_VMNAME ... end"
+fi
+
 echo "Deleting Virtual Machine $AZUREKMS_VMNAME ... begin"
 az vm delete \
 --resource-group "$AZUREKMS_RESOURCEGROUP" \
diff --git a/.evergreen/make-docs.sh b/.evergreen/make-docs.sh
index 2bff9aa0..efd1de8f 100755
--- a/.evergreen/make-docs.sh
+++ b/.evergreen/make-docs.sh
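Review bot: In delete-vm.sh the new role-assignment cleanup runs before `az vm delete`, and `PRINCIPAL_ID=$(az vm show ...)` followed by an unguarded `az role assignment delete` means any failure there — the VM has no managed identity, the assignment was already removed, or the `az` call errors — stops the script (if it runs under `set -o errexit` like its sibling create-and-setup-vm.sh) and leaves the VM running. A VM without an identity also yields an empty `PRINCIPAL_ID`, and `--assignee ""` is at best an error and at worst a broader match than the one intended. Teardown should treat the role removal as best-effort and skip it on an empty principal so the VM deletion below always runs; the enclosing script continues outside the hunk.
```shell
if [ -n "${AZUREKMS_SCOPE:-}" ]; then
    echo "Deleting the role from the Virtual Machine $AZUREKMS_VMNAME ... begin"
    # Best-effort: a failure here must not abort the script before the VM itself is deleted.
    PRINCIPAL_ID=$(az vm show --show-details --resource-group "$AZUREKMS_RESOURCEGROUP" --name "$AZUREKMS_VMNAME" --query identity.principalId -o tsv) || PRINCIPAL_ID=""
    if [ -z "$PRINCIPAL_ID" ]; then
        echo "WARNING: no principal id found for $AZUREKMS_VMNAME; skipping role assignment delete"
    else
        az role assignment delete \
            --assignee "$PRINCIPAL_ID" \
            --role "Key Vault Crypto User" \
            --scope "$AZUREKMS_SCOPE" \
            -y \
            >/dev/null || echo "WARNING: failed to delete role assignment for $PRINCIPAL_ID"
    fi
    echo "Deleting the role from the Virtual Machine $AZUREKMS_VMNAME ... end"
fi
# … unchanged: az vm delete …
```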
@@ -5,7 +5,7 @@ set -o errexit # Exit the script with error if any of the commands fail
 mkdir -p doc/html || true
-cat < doc/html/index.html > doc/html/intro.html
+cat < doc/html/index.html doc/html/intro.html