feat: add signing key rotation support (#497)
huayuenh authored Oct 21, 2024
1 parent 04b4401 commit 6842a85
Showing 14 changed files with 261 additions and 96 deletions.
18 changes: 13 additions & 5 deletions .secrets.baseline
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
"files": "go.sum|^.secrets.baseline$",
"lines": null
},
"generated_at": "2024-09-05T12:51:27Z",
"generated_at": "2024-10-21T11:18:39Z",
"plugins_used": [
{
"name": "AWSKeyDetector"
Expand Down Expand Up @@ -87,17 +87,25 @@
"verified_result": null
}
],
"provider.tf.example": [
"prereqs/scripts/gpg_keys.sh": [
{
"hashed_secret": "91199272d5d6a574a51722ca6f3d1148edb1a0e7",
"hashed_secret": "3b6797d1a3c2c009f750f1ec250b22c49ea9641c",
"is_secret": false,
"is_verified": false,
"line_number": 2,
"line_number": 9,
"type": "Secret Keyword",
"verified_result": null
},
{
"hashed_secret": "c2df5d3d760ff42f33fb38e2534d4c1b7ddde3ab",
"is_secret": false,
"is_verified": false,
"line_number": 28,
"type": "Secret Keyword",
"verified_result": null
}
],
"solutions/kubernetes/provider.tf.example": [
"provider.tf.example": [
{
"hashed_secret": "91199272d5d6a574a51722ca6f3d1148edb1a0e7",
"is_secret": false,
Expand Down
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -478,13 +478,12 @@ statement instead the previous block.
| <a name="input_create_ci_toolchain"></a> [create\_ci\_toolchain](#input\_create\_ci\_toolchain) | Flag which determines if the DevSecOps CI toolchain is created. If this toolchain is not created then values must be set for the following variables, evidence\_repo\_url, issues\_repo\_url and inventory\_repo\_url. | `bool` | `true` | no |
| <a name="input_create_code_engine_access_policy"></a> [create\_code\_engine\_access\_policy](#input\_create\_code\_engine\_access\_policy) | Add a Code Engine access policy to the generated IAM access key. See `create_ibmcloud_api_key`. | `bool` | `false` | no |
| <a name="input_create_cos_api_key"></a> [create\_cos\_api\_key](#input\_create\_cos\_api\_key) | Set to `true` to create and add a `cos-api-key` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_git_token"></a> [create\_git\_token](#input\_create\_git\_token) | Set to `true` to create and add the specified personal access token secret to the Secrets Provider. Use `repo_git_token_secret_value` for setting the value. | `bool` | `false` | no |
| <a name="input_create_ibmcloud_api_key"></a> [create\_ibmcloud\_api\_key](#input\_create\_ibmcloud\_api\_key) | Set to `true` to create and add an `ibmcloud-api-key` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_icr_namespace"></a> [create\_icr\_namespace](#input\_create\_icr\_namespace) | Set to `true` to have Terraform create the registry namespace. Setting to `false` will have the CI pipeline create the namespace if it does not already exist. Note: If a Terraform destroy is used, the ICR namespace along with all images will be removed. | `bool` | `false` | no |
| <a name="input_create_kubernetes_access_policy"></a> [create\_kubernetes\_access\_policy](#input\_create\_kubernetes\_access\_policy) | Add a Kubernetes access policy to the generated IAM access key. See `create_ibmcloud_api_key`. | `bool` | `false` | no |
| <a name="input_create_secret_group"></a> [create\_secret\_group](#input\_create\_secret\_group) | Set to `true` to create the specified Secrets Manager secret group. | `bool` | `false` | no |
| <a name="input_create_signing_certificate"></a> [create\_signing\_certificate](#input\_create\_signing\_certificate) | Set to `true` to create and add the `signing-certificate` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_signing_key"></a> [create\_signing\_key](#input\_create\_signing\_key) | Set to `true` to create and add a `signing_key`to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_create_signing_key"></a> [create\_signing\_key](#input\_create\_signing\_key) | Set to `true` to create and add a `signing-key` and the `signing-certificate` to the Secrets Provider. | `bool` | `false` | no |
| <a name="input_enable_key_protect"></a> [enable\_key\_protect](#input\_enable\_key\_protect) | Set to `true` to the enable Key Protect integrations. | `string` | `"false"` | no |
| <a name="input_enable_pipeline_notifications"></a> [enable\_pipeline\_notifications](#input\_enable\_pipeline\_notifications) | When enabled, pipeline run events will be sent to the Event Notifications and Slack integrations in the enclosing toolchain. | `string` | `""` | no |
| <a name="input_enable_secrets_manager"></a> [enable\_secrets\_manager](#input\_enable\_secrets\_manager) | Set to `true` to enable the Secrets Manager integrations. | `string` | `"true"` | no |
Expand Down Expand Up @@ -552,6 +551,7 @@ statement instead the previous block.
| <a name="input_repo_group"></a> [repo\_group](#input\_repo\_group) | Specify the Git user or group for your application. This must be set if the repository authentication type is `pat` (personal access token). | `string` | `""` | no |
| <a name="input_repo_secret_group"></a> [repo\_secret\_group](#input\_repo\_secret\_group) | Secret group in Secrets Manager that contains the secret for the repository. This variable will set the same secret group for all the repositories. Can be overriden on a per secret group basis. Only applies when using Secrets Manager. | `string` | `""` | no |
| <a name="input_repositories_prefix"></a> [repositories\_prefix](#input\_repositories\_prefix) | Prefix name for the cloned compliance repos. For the repositories\_prefix value only a-z, A-Z and 0-9 and the special characters `-_` are allowed. In addition the string must not end with a special character or have two consecutive special characters. | `string` | `"compliance"` | no |
| <a name="input_rotate_signing_key"></a> [rotate\_signing\_key](#input\_rotate\_signing\_key) | Set to `true` to rotate the signing key and signing certificate. It is important to make a back up for the current code signing certificate as pending CD deployments might require image validation against the previous signing key. | `bool` | `false` | no |
| <a name="input_rotation_period"></a> [rotation\_period](#input\_rotation\_period) | The number of days until the `ibmcloud-api-key` and the `cos-api-key` are auto rotated. | `number` | `90` | no |
| <a name="input_sample_default_application"></a> [sample\_default\_application](#input\_sample\_default\_application) | The name of the sample application repository. The repository source URL is automatically computed based on the toolchain region. The other currently supported name is `code-engine-compliance-app`. Alternatively an integration can be created that can link to or clone from an existing repository. See `app_repo_existing_url` and `app_repo_clone_from_url` to override the sample application default behavior. | `string` | `"hello-compliance-app"` | no |
| <a name="input_scc_attachment_id"></a> [scc\_attachment\_id](#input\_scc\_attachment\_id) | An attachment ID. An attachment is configured under a profile to define how a scan will be run. To find the attachment ID, in the browser, in the attachments list, click on the attachment link, and a panel appears with a button to copy the attachment ID. This parameter is only relevant when the `scc_use_profile_attachment` parameter is enabled. | `string` | `""` | no |
Expand Down
68 changes: 34 additions & 34 deletions ibm_catalog.json
Original file line number Diff line number Diff line change
Expand Up @@ -1070,7 +1070,14 @@
"key": "create_git_token",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to create and add the specified personal access token secret to the Secrets Provider.",
"description": "Set to `true` to create and add the specified personal access token secret to the Secrets Provider. Use `repo_git_token_secret_value` for setting the value.",
"required": false
},
{
"key": "repo_git_token_secret_value",
"type": "password",
"default_value": "",
"description": "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider.",
"required": false
},
{
Expand All @@ -1094,18 +1101,11 @@
"description": "Set to `true` to create the specified Secrets Manager secret group.",
"required": false
},
{
"key": "create_signing_certificate",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to create and add the `signing-certificate` to the Secrets Provider.",
"required": false
},
{
"key": "create_signing_key",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to create and add a `signing_key`to the Secrets Provider.",
"description": "Set to `true` to create and add a `signing-key` and the `signing-certificate` to the Secrets Provider.",
"required": false
},
{
Expand Down Expand Up @@ -1493,13 +1493,6 @@
"description": "Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`.",
"required": false
},
{
"key": "repo_git_token_secret_value",
"type": "password",
"default_value": "",
"description": "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider.",
"required": false
},
{
"key": "repo_group",
"type": "string",
Expand All @@ -1523,11 +1516,18 @@
},
{
"key": "rotation_period",
"type": "string",
"default_value": "90",
"type": "number",
"default_value": 90,
"description": "The number of days until the `ibmcloud-api-key` and the `cos-api-key` are auto rotated.",
"required": false
},
{
"key": "rotate_signing_key",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to rotate the signing key and signing certificate. It is important to make a back up for the current code signing certificate as pending CD deployments might require image validation against the previous signing key.",
"required": false
},
{
"key": "sample_default_application",
"type": "string",
Expand Down Expand Up @@ -2866,7 +2866,14 @@
"key": "create_git_token",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to create and add the specified personal access token secret to the Secrets Provider.",
"description": "Set to `true` to create and add the specified personal access token secret to the Secrets Provider. Use `repo_git_token_secret_value` for setting the value.",
"required": false
},
{
"key": "repo_git_token_secret_value",
"type": "password",
"default_value": "",
"description": "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider.",
"required": false
},
{
Expand All @@ -2890,18 +2897,11 @@
"description": "Set to `true` to create the specified Secrets Manager secret group.",
"required": false
},
{
"key": "create_signing_certificate",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to create and add the `signing-certificate` to the Secrets Provider.",
"required": false
},
{
"key": "create_signing_key",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to create and add a `signing_key`to the Secrets Provider.",
"description": "Set to `true` to create and add a `signing-key` and the `signing-certificate` to the Secrets Provider.",
"required": false
},
{
Expand Down Expand Up @@ -3289,13 +3289,6 @@
"description": "Name of the Git token secret in the secret provider. Specifying a secret name for the Git Token automatically sets the authentication type to `pat`.",
"required": false
},
{
"key": "repo_git_token_secret_value",
"type": "password",
"default_value": "",
"description": "The personal access token that will be added to the `repo_git_token_secret_name` secret in the secrets provider.",
"required": false
},
{
"key": "repo_group",
"type": "string",
Expand Down Expand Up @@ -3324,6 +3317,13 @@
"description": "The number of days until the `ibmcloud-api-key` and the `cos-api-key` are auto rotated.",
"required": false
},
{
"key": "rotate_signing_key",
"type": "boolean",
"default_value": false,
"description": "Set to `true` to rotate the signing key and signing certificate. It is important to make a back up for the current code signing certificate as pending CD deployments might require image validation against the previous signing key.",
"required": false
},
{
"key": "sample_default_application",
"type": "string",
Expand Down
5 changes: 2 additions & 3 deletions main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,7 @@ locals {
cd_repositories_prefix = (var.cd_repositories_prefix == "") ? var.repositories_prefix : var.cd_repositories_prefix
cc_repositories_prefix = (var.cc_repositories_prefix == "") ? var.repositories_prefix : var.cc_repositories_prefix

enable_prereqs = ((var.create_signing_certificate == true) || (var.create_secret_group == true) ||
(var.create_ibmcloud_api_key == true) || (var.create_cos_api_key == true) || (var.create_signing_key == true)) ? true : false
enable_prereqs = ((var.create_secret_group == true) || (var.create_ibmcloud_api_key == true) || (var.create_cos_api_key == true) || (var.create_signing_key == true)) ? true : false

registry_namespace_suffix = (var.add_container_name_suffix) ? format("%s-%s", var.registry_namespace, random_string.resource_suffix[0].result) : var.registry_namespace
registry_namespace = (var.prefix == "") ? local.registry_namespace_suffix : format("%s-%s", var.prefix, local.registry_namespace_suffix)
Expand Down Expand Up @@ -234,7 +233,6 @@ module "prereqs" {
create_cos_api_key = var.create_cos_api_key
create_git_token = var.create_git_token
create_signing_key = var.create_signing_key
create_signing_certificate = var.create_signing_certificate
service_name_pipeline = var.service_name_pipeline
service_name_cos = var.service_name_cos
sm_name = var.sm_name
Expand All @@ -249,6 +247,7 @@ module "prereqs" {
repo_git_token_secret_name = var.repo_git_token_secret_name
repo_git_token_secret_value = var.repo_git_token_secret_value
rotation_period = var.rotation_period
rotate_signing_key = var.rotate_signing_key
sm_secret_expiration_period = var.sm_secret_expiration_period
sm_exists = var.enable_secrets_manager
sm_endpoint_type = var.sm_endpoint_type
Expand Down
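Review bot: `rotate_signing_key` is passed through to the prereqs module but nothing here ties it to `create_signing_key`, and judging from the `data.external.signing_keys` count in this same commit the rotation path only runs when `create_signing_key` is true, so `rotate_signing_key = true` with `create_signing_key = false` is a silent no-op. Either add a `check`/precondition that fails when rotation is requested without key creation, or state the dependency in the variable description, e.g. `Only takes effect when create_signing_key is true.`. Both the `locals` block and the `module "prereqs"` call start outside the hunk.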
15 changes: 11 additions & 4 deletions prereqs/main.tf
Original file line number Diff line number Diff line change
Expand Up @@ -137,12 +137,19 @@ data "ibm_sm_secret_groups" "secret_groups" {

#################### SECRETS #######################
data "external" "signing_keys" {
count = ((var.create_signing_key == true) || (var.create_signing_certificate == true)) ? 1 : 0
count = (var.create_signing_key) ? 1 : 0
program = ["bash", "${path.module}/scripts/gpg_keys.sh"]

query = {
name = var.gpg_name
email = var.gpg_email
name = var.gpg_name
email = var.gpg_email
apikey = var.ibmcloud_api_key
instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
region = var.sm_location
secret_group_id = (var.create_secret_group == false) ? data.ibm_sm_secret_group.existing_sm_secret_group[0].secret_group_id : ibm_sm_secret_group.sm_secret_group[0].secret_group_id
signing_key_name = var.signing_key_secret_name
signing_cert_name = var.signing_certifcate_secret_name
rotate_signing_key = var.rotate_signing_key
}
}

Expand Down Expand Up @@ -178,7 +185,7 @@ resource "ibm_sm_arbitrary_secret" "secret_signing_key" {
}

resource "ibm_sm_arbitrary_secret" "secret_signing_certifcate" {
count = ((var.create_signing_certificate == true) && (var.sm_exists == true)) ? 1 : 0
count = ((var.create_signing_key == true) && (var.sm_exists == true)) ? 1 : 0
depends_on = [ibm_sm_secret_group.sm_secret_group, data.external.signing_keys]
region = var.sm_location
instance_id = (local.sm_instance_id != "") ? local.sm_instance_id : var.sm_instance_id
Expand Down
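Review bot: The new `apikey = var.ibmcloud_api_key` query entry hands the cloud API key to the external script, and `data.external` query values are written to the Terraform state in plaintext (a `sensitive` marking only redacts plan/CLI output), so the key now persists in state next to the secrets the script manages; confirm the variable is declared `sensitive = true` in the module and prefer passing it via the environment (e.g. `IBMCLOUD_API_KEY`) rather than the query map. Separately, a data source is re-evaluated on every plan and refresh, so with `rotate_signing_key = true` the script will presumably rotate again on each run rather than once; if gpg_keys.sh behaves that way, add `# rotate_signing_key is re-applied on every plan/refresh; reset it to false after the rotation apply` above the query and note it in the variable description, or drive rotation from a changing trigger string (rotation id or timestamp) instead of a boolean. The `secret_signing_certifcate` resource continues past the end of the hunk.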
