Skip to content

Commit

Permalink
documentation updates
Browse files Browse the repository at this point in the history
  • Loading branch information
@fqjony
fqjony committed Dec 16, 2024
1 parent ca11c63 commit 74f1612
Show file tree
Hide file tree
Showing 6 changed files with 265 additions and 107 deletions.
3 changes: 3 additions & 0 deletions DOCUMENTATION.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,9 @@ You can extend UDX Worker to create custom images tailored to your applications
```shell
FROM usabilitydynamics/udx-worker:latest
# Copy the worker
COPY src/worker.yml /home/${USER}/.cd/configs/worker.yml
# Add your dependencies or scripts
COPY my-app /usr/src/app
```
Expand Down
8 changes: 4 additions & 4 deletions README.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -49,11 +49,11 @@ For more details on available commands
make
```

## Detailed Documentation
## Detailed Modules Documentation

- [Secure Environment](src/configs/readme.md)
- [Auth Modules](lib/auth/readme.md)
- [Configuration and Environment Management](lib/secrets/readme.md)
- [Secure Environment Configuration](src/configs/readme.md)
- [Authentication](lib/auth/readme.md)
- [Secrets Management](lib/secrets/readme.md)

## Contributing

Expand Down
51 changes: 14 additions & 37 deletions lib/auth/readme.md
View file
Original file line number Diff line number Diff line change
@@ -1,50 +1,27 @@
# Authentication Modules
# Authentication

This directory contains scripts for setting up authentication modules for various cloud providers. These modules allow the UDX Worker to securely authenticate and perform tasks on behalf of the user.
This directory contains scripts for setting up authentication modules for various cloud providers. These modules allow the worker container to securely authenticate and perform tasks on behalf of the user.

## Prerequisites

- Azure CLI: [Installation Guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
- AWS CLI: [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
- GCP SDK: [Installation Guide](https://cloud.google.com/sdk/docs/install)

## Setup

### Azure Service Principal

#### Create

To create an Azure Service Principal, run the following command:
## Overview

```shell
az ad sp create-for-rbac --name "udx-worker-sp" --role contributor --scopes /subscriptions/YOUR_SUBSCRIPTION_ID
```
Authentication is a critical component for securely managing interactions with various cloud services. The provided authentication modules support cloud providers like `Azure`, `AWS`, `GCP`, and `Bitwarden`. By utilizing these modules, the worker container can securely access and perform tasks with the necessary permissions.

Note the appId, password, and tenant.
These authentication modules not only enable the worker container to authenticate with different cloud providers but also allow it to fetch task-specific or application-specific secrets. This ensures that sensitive information is securely retrieved and used only when necessary.

#### Use
Ensuring proper authentication helps maintain the integrity and security of automated operations in a DevSecOps environment. By adhering to best practices, such as using least privilege and regularly auditing access logs, you can further enhance the security of your workflows.

Update your `worker.yml` configuration file to include the Azure Service Principal credentials:

```yaml
actors:
- type: azure
creds: "${AZURE_CREDS}"
```
### AWS IAM Role (TBD)
Instructions for setting up AWS IAM Role will be provided here.
### GCP Service Account (TBD)
## Prerequisites

Instructions for setting up GCP Service Account will be provided here.
- **Azure CLI**: [Installation Guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
- **AWS CLI**: [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
- **GCP SDK**: [Installation Guide](https://cloud.google.com/sdk/docs/install)
- **Bitwarden CLI**: [Installation Guide](https://bitwarden.com/help/cli/)

### Bitwarden Service Account (TBD)
## How to Use

Instructions for setting up GCP Service Account will be provided here.
Please check [Secure Environment Configuration](src/configs/readme.md) for config details.

## Best Practices

- **Use least privilege**: Assign the minimum required permissions to service accounts and roles.
- **Audit access regularly**: Periodically review access logs and permissions to ensure compliance with security policies.
- **Audit access regularly**: Periodically review access logs and permissions to ensure compliance with security policies.
48 changes: 15 additions & 33 deletions lib/secrets/readme.md
View file
Original file line number Diff line number Diff line change
@@ -1,49 +1,31 @@
# Secrets Management Modules
# Secrets Management

This directory contains scripts for setting up and managing secrets for various cloud providers. These modules enable the UDX Worker to securely fetch and use secrets during its operations.
## Overview

## Prerequisites

- Azure CLI: [Installation Guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
- AWS CLI: [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
- GCP SDK: [Installation Guide](https://cloud.google.com/sdk/docs/install)

## Setup

### Azure Key Vault
Secrets management is a vital component for securely handling sensitive information required by applications and tasks within a containerized environment. The provided secrets management scripts support cloud providers like `Azure`, `AWS`, `GCP`, and `Bitwarden`. These scripts enable the worker container to securely retrieve secrets from different providers and make them available for application logic and task execution.

#### Configure
The scripts ensure that secrets are fetched dynamically at runtime, reducing the risk of exposure and ensuring that applications always have access to the latest sensitive information. By integrating with secure storage solutions and following encryption best practices, these scripts help maintain the confidentiality and integrity of the data used by automated tasks.

Ensure you have set up an Azure Key Vault and added your secrets. You can add secrets using the Azure CLI:
### Importance in DevSecOps

```shell
az keyvault secret set --vault-name "your-vault-name" --name "your-secret-name" --value "your-secret-value"
```
In a DevSecOps environment, proper secrets management is crucial for maintaining the security and integrity of automated workflows. By adhering to best practices, such as using least privilege, regularly auditing access, and monitoring for leaks, organizations can significantly reduce the risk of sensitive information exposure.

#### Use

Update your worker.yml configuration file to include the Azure Key Vault secrets:

```yaml
secrets:
NEW_RELIC_API_KEY: "azure/kv-udx-worker/new-relic-api-key"
HEALTHCHECK_IO_API_KEY: "azure/kv-udx-worker/healthcheck-io-api-key"
```
### AWS IAM Role (TBD)
## Prerequisites

Instructions for setting up AWS IAM Role will be provided here.
- Azure CLI: [Installation Guide](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli)
- AWS CLI: [Installation Guide](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
- GCP SDK: [Installation Guide](https://cloud.google.com/sdk/docs/install)

### GCP Service Account (TBD)
## How to Use

Instructions for setting up GCP Service Account will be provided here.
Please check [Secure Environment Configuration](src/configs/readme.md) for config details.

### Bitwarden Service Account (TBD)
## Secrets Configurations

Instructions for setting up GCP Service Account will be provided here.
You can find details of secrets configurations for each supported service provider here - [Secrets Configurations](lib/secrets/secrets_configurations.md)

## Best Practices

- **Encrypt secrets**: Ensure secrets are encrypted at rest and in transit.
- **Secure storage**: Use secure storage solutions like AWS Secrets Manager, Azure Key Vault, or Google Secret Manager for storing sensitive information.
- **Monitor for leaks**: Use monitoring tools to detect if secrets are accidentally exposed.
- **Monitor for leaks**: Use monitoring tools to detect if secrets are accidentally exposed.
147 changes: 147 additions & 0 deletions lib/secrets/secrets_configurations.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,147 @@
# Secrets Configurations

## Azure Key Vault

### Prerequisites
- Access to an Azure subscription and an Azure Key Vault.
- Azure CLI installed for setup and authentication.

### Setup
1. **Create Key Vault**:
- In the Azure portal, navigate to Key Vaults and select Create.
- Set up the resource group, key vault name, and region.
- Choose Review + Create and then Create.

### Add Secrets
1. Go to Secrets within your Key Vault.
2. Select Generate/Import to add a new secret.
3. Name your secret descriptively and set the secret value.

### Grant Access
1. Go to Access policies in your Key Vault.
2. Add an access policy to grant permissions for Get and List for secrets.
3. Select the Azure AD Application that represents your UDX Worker or create a new one.
4. Save the changes.

### Set Credentials For Environment Authorization
Set Azure credentials in your `.env` file (or set GitHub Action secret), referencing a service principal with access to the Key Vault.

```txt
AZURE_CREDS='{"clientId": "your-client-id", "clientSecret": "your-client-secret", "tenantId": "your-tenant-id"}'
```

### Reference in `worker.yml`

```yml
secrets:
MY_SECRET: "azure/your-vault-name/your-secret-name"
```
- **Vault Reference**: Use "azure/{Vault Name}/{Secret Name}" in the secrets section of `worker.yml`.
- **Secret Reference**: Use the secret's name as defined in Azure Key Vault.

## Google Cloud Secret Manager

### Prerequisites
- Access to a Google Cloud project with Secret Manager API enabled.
- Google Cloud SDK installed for setup and authentication.

### Setup
1. **Enable Secret Manager API**:
- In the Google Cloud Console, go to APIs & Services > Dashboard.
- Select Enable APIs and Services and search for Secret Manager API.
- Enable the API for your project.

### Create Secrets
1. In the Google Cloud Console, go to Secret Manager.
2. Select Create Secret.
3. Provide a descriptive name for the secret and enter the secret value.
4. Click Create Secret to save.

### Grant Access
1. Go to IAM & Admin > IAM in the Google Cloud Console.
2. Add a role to the service account that will be used by UDX Worker to access the secrets.
3. Assign the Secret Manager Secret Accessor role to this service account for access to specific secrets.

### Set Credentials For Environment Authorization
Set Google Cloud credentials in your `.env` file (or set GitHub Action secret), referencing a service account with access to Secret Manager.

```txt
GCP_CREDS='{"type": "service_account", "project_id": "your-project-id", "private_key_id": "your-private-key-id", "private_key": "your-private-key", "client_email": "your-client-email", "client_id": "your-client-id", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "your-cert-url"}'
```

### Reference in `worker.yml`

```yml
secrets:
MY_SECRET: "gcp/your-project-id/your-secret-name"
```

- **Project Reference**: Use "gcp/{Project ID}/{Secret Name}" in the secrets section of `worker.yml`.
- **Secret Reference**: Use the secret's name as defined in Google Cloud Secret Manager.

## AWS Secrets Manager

### Prerequisites
- Access to an AWS account with Secrets Manager enabled.
- AWS CLI installed for setup and configuration.

### Setup
1. **Create Secrets**:
- Go to AWS Secrets Manager in the AWS Management Console.
- Choose Store a new secret and select the secret type (e.g., credentials or plaintext).
- Enter the secret value and give it a descriptive name.
- Complete the setup and store the secret.

### Grant Access
1. Go to IAM in the AWS Management Console and create (or select) a service role that UDX Worker will use.
2. Attach the SecretsManagerReadWrite permission or a custom policy that grants read access to specific secrets.

### Set Credentials For Environment Authorization
Set AWS credentials in your `.env` file (or set GitHub Action secret), referencing an IAM user or role with the necessary permissions to access Secrets Manager.

```txt
AWS_CREDS='{"aws_access_key_id": "your-access-key-id", "aws_secret_access_key": "your-secret-access-key", "region": "your-region"}'
```

### Reference in `worker.yml`

```yml
secrets:
MY_SECRET: "aws/secrets-manager/your-secret-name"
```

- **Path Reference**: Use "aws/secrets-manager/{Secret Name}" in the secrets section of `worker.yml`.
- **Secret Name**: Use the name of the secret as it appears in AWS Secrets Manager.

## Bitwarden

### Prerequisites
- Access to a Bitwarden organization and Bitwarden CLI.

### Enable Secret Manager (Optional for Advanced Features)
1. Go to Settings > Secret Manager in your Bitwarden organization admin portal (requires an enterprise plan).

### Add Secrets
1. Create a Collection in Collections.
2. Add secrets as Secure Notes in this collection, using descriptive names for easy identification.

### Grant Access
1. Ensure the correct users or groups have read access to the collection.

### Set Credentials For Environment Authorization
Add Bitwarden credentials in your `.env` file (or set GitHub Action secret).

```txt
BITWARDEN_CREDS='{"clientId": "your-client-id", "clientSecret": "your-client-secret"}'
```

### Reference in `worker.yml`

```yml
secrets:
MY_SECRET: "bitwarden/your-collection-name/your-secret-name"
```

- **Collection**: Use the Collection Name (or ID if there’s ambiguity).
- **Secret Reference**: Use the format "bitwarden/{Collection Name}/{Secret Name}".
Loading

0 comments on commit 74f1612

Please sign in to comment.