NodeJS Tool that updates vault policies, groups and appRoles

bcgov-nr/vault-sync-app

Vault Sync Tool

The Vault Sync Tool (VST) generates and syncs Vault policies, groups and appRoles.

See: Confluence Documentation

Building the Docker image

podman build . -t vsync

Environment Variables

The tool can use the following environment variables in place of command arguments. The default for each is shown in brackets; the defaults are intended for testing against a local Vault instance.

  • VAULT_ADDR - The address of the vault server ('http://127.0.0.1:8200')
  • VAULT_TOKEN - The token to use when connecting to vault (myroot)

To set the environment variables, source the target environment's setenv-*.sh file. For example, to set the address and token for the dev environment, run the following command:

source setenv-dev.sh

You will need vault and jq installed to run the above.

Supported npm commands

  • npm start - deploy configuration to the provided Vault instance
  • npm run lint - lint source code
  • npm run test - run unit tests
  • npm run e2e - run end-to-end tests

Configuration

See: Confluence Documentation

Local testing

The following starts Vault in a container with podman. The Vault Sync Tool's default address and token will work with it.

podman run --rm -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' --name=dev-vault -p 8200:8200 vault

You will need to add an OIDC authentication method to do local testing of group syncs. The commands below enable it, along with an AppRole authentication method at vs_apps_approle and a KV version 2 secrets engine at apps.

source setenv-local.sh
vault auth enable oidc
vault auth enable -path=vs_apps_approle approle
vault secrets enable -path=apps -version=2 kv
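The defaults above (http://127.0.0.1:8200 and the dev root token myroot) are safe only against the local container. The helper below is an added example, not part of vault-sync-app: it resolves the address and token the way the README describes (explicit flag, then VAULT_ADDR/VAULT_TOKEN, then the default; the flag-over-env precedence is an assumption), and refuses to hand the dev token to a non-loopback Vault, which usually means a setenv-*.sh was never sourced. The health probe uses Vault's /v1/sys/health endpoint and needs curl.

```shell
#!/bin/sh
# Added pre-flight helper for the Vault Sync Tool (not part of vault-sync-app).
# Assumed precedence: --vault-addr/--vault-token flag, then VAULT_ADDR/VAULT_TOKEN,
# then the local-dev defaults from the README.
DEFAULT_VAULT_ADDR='http://127.0.0.1:8200'
DEFAULT_VAULT_TOKEN='myroot'

# resolve_vault_addr FLAG -> effective address (flag, then env, then default)
resolve_vault_addr() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
  printf '%s\n' "${VAULT_ADDR:-$DEFAULT_VAULT_ADDR}"
}

# resolve_vault_token FLAG -> effective token (flag, then env, then default)
resolve_vault_token() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; return 0; fi
  printf '%s\n' "${VAULT_TOKEN:-$DEFAULT_VAULT_TOKEN}"
}

# is_loopback_addr URL -> 0 when the host part is 127.0.0.1 or localhost
is_loopback_addr() {
  host=${1#*://}      # drop scheme
  host=${host%%/*}    # drop path
  host=${host%%:*}    # drop port
  case "$host" in
    127.0.0.1|localhost) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight FLAG_ADDR FLAG_TOKEN -> prints the address to use, or returns 1
# when the dev default token would be sent to a non-loopback Vault.
preflight() {
  addr=$(resolve_vault_addr "$1")
  token=$(resolve_vault_token "$2")
  if [ "$token" = "$DEFAULT_VAULT_TOKEN" ] && ! is_loopback_addr "$addr"; then
    echo "preflight: dev token 'myroot' against non-local Vault $addr; source setenv-*.sh first" >&2
    return 1
  fi
  printf '%s\n' "$addr"
}

# vault_health_code ADDR -> HTTP status of GET /v1/sys/health
# (200 active and unsealed, 429 standby, 501 not initialised, 503 sealed).
vault_health_code() {
  curl -s -o /dev/null -w '%{http_code}' "${1%/}/v1/sys/health"
}
```

Call `preflight "$VSTOOL_ADDR_FLAG" "$VSTOOL_TOKEN_FLAG"` before `npm start` or a `vstool *-sync` command; a non-zero exit means the run would have used the local-dev credentials against a remote instance.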

Usage

$ npm install -g vstool
$ vstool COMMAND
running command...
$ vstool (--version)
vstool/1.0.0 darwin-arm64 node-v22.1.0
$ vstool --help [COMMAND]
USAGE
  $ vstool COMMAND
...

The script ./bin/dev runs the code from the source tree without installing it.

$ ./bin/dev COMMAND
running command...
$ ./bin/dev (-v|--version|version)
...

Commands

vstool approle-sync

Syncs approles in Vault

USAGE
  $ vstool approle-sync [-h] [--broker-api-url <value>] [--broker-token <value>] [--vault-token <value>]
    [--vault-addr <value>]

FLAGS
  -h, --help                    Show CLI help.
      --broker-api-url=<value>  [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
      --broker-token=<value>    The broker JWT
      --vault-addr=<value>      [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>     [default: myroot] The vault token

DESCRIPTION
  Syncs approles in Vault

vstool find

Find Vault creds

USAGE
  $ vstool find [-h] [--vault-token <value>] [--vault-addr <value>]

FLAGS
  -h, --help                 Show CLI help.
      --vault-addr=<value>   [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>  [default: myroot] The vault token

DESCRIPTION
  Find Vault creds

vstool group-sync

Syncs external groups in Vault to connect roles with Vault policies

USAGE
  $ vstool group-sync [-h] [--broker-api-url <value>] [--broker-token <value>] [--vault-token <value>]
    [--vault-addr <value>]

FLAGS
  -h, --help                    Show CLI help.
      --broker-api-url=<value>  [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
      --broker-token=<value>    The broker JWT
      --vault-addr=<value>      [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>     [default: myroot] The vault token

DESCRIPTION
  Syncs external groups in Vault to connect roles with Vault policies

vstool health

Display Vault health

USAGE
  $ vstool health [-h] [--vault-token <value>] [--vault-addr <value>]

FLAGS
  -h, --help                 Show CLI help.
      --vault-addr=<value>   [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>  [default: myroot] The vault token

DESCRIPTION
  Display Vault health

vstool help [COMMAND]

Display help for vstool.

USAGE
  $ vstool help [COMMAND...] [-n]

ARGUMENTS
  COMMAND...  Command to show help for.

FLAGS
  -n, --nested-commands  Include all nested commands in the output.

DESCRIPTION
  Display help for vstool.

See code: @oclif/plugin-help

vstool init

Initialize a Vault instance and save root token and unseal keys.

USAGE
  $ vstool init [-h] [--secret-shares <value>] [--secret-threshold <value>] [--vault-token <value>]
    [--vault-addr <value>]

FLAGS
  -h, --help                      Show CLI help.
      --secret-shares=<value>     [default: 1] The number of shares to split the master key into
      --secret-threshold=<value>  [default: 1] The number of shares required to reconstruct the master key
      --vault-addr=<value>        [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>       [default: myroot] The vault token

DESCRIPTION
  Initialize a Vault instance and save root token and unseal keys.

vstool monitor

Monitor for changes to sync to vault

USAGE
  $ vstool monitor [-h] [--broker-api-url <value>] [--broker-token <value>] [--vault-token <value>]
    [--vault-addr <value>] [--root <value>...]

FLAGS
  -h, --help                    Show CLI help.
      --broker-api-url=<value>  [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
      --broker-token=<value>    The broker JWT
      --root=<value>...         [default: ] The root to restrict the policy sync to. Some roots can be further
                                restricted, such as --root=apps --root=cool-app-war
      --vault-addr=<value>      [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>     [default: myroot] The vault token

DESCRIPTION
  Monitor for changes to sync to vault

vstool plugins

List installed plugins.

USAGE
  $ vstool plugins [--json] [--core]

FLAGS
  --core  Show core plugins.

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  List installed plugins.

EXAMPLES
  $ vstool plugins

See code: @oclif/plugin-plugins

vstool plugins:add PLUGIN

Installs a plugin into vstool.

USAGE
  $ vstool plugins:add PLUGIN... [--json] [-f] [-h] [-s | -v]

ARGUMENTS
  PLUGIN...  Plugin to install.

FLAGS
  -f, --force    Force npm to fetch remote resources even if a local copy exists on disk.
  -h, --help     Show CLI help.
  -s, --silent   Silences npm output.
  -v, --verbose  Show verbose npm output.

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Installs a plugin into vstool.

  Uses npm to install plugins.

  Installation of a user-installed plugin will override a core plugin.

  Use the VSTOOL_NPM_LOG_LEVEL environment variable to set the npm loglevel.
  Use the VSTOOL_NPM_REGISTRY environment variable to set the npm registry.

ALIASES
  $ vstool plugins:add

EXAMPLES
  Install a plugin from npm registry.

    $ vstool plugins:add myplugin

  Install a plugin from a github url.

    $ vstool plugins:add https://github.com/someuser/someplugin

  Install a plugin from a github slug.

    $ vstool plugins:add someuser/someplugin

vstool plugins:inspect PLUGIN...

Displays installation properties of a plugin.

USAGE
  $ vstool plugins:inspect PLUGIN...

ARGUMENTS
  PLUGIN...  [default: .] Plugin to inspect.

FLAGS
  -h, --help     Show CLI help.
  -v, --verbose

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Displays installation properties of a plugin.

EXAMPLES
  $ vstool plugins:inspect myplugin

See code: @oclif/plugin-plugins

vstool plugins:install PLUGIN

Installs a plugin into vstool.

USAGE
  $ vstool plugins:install PLUGIN... [--json] [-f] [-h] [-s | -v]

ARGUMENTS
  PLUGIN...  Plugin to install.

FLAGS
  -f, --force    Force npm to fetch remote resources even if a local copy exists on disk.
  -h, --help     Show CLI help.
  -s, --silent   Silences npm output.
  -v, --verbose  Show verbose npm output.

GLOBAL FLAGS
  --json  Format output as json.

DESCRIPTION
  Installs a plugin into vstool.

  Uses npm to install plugins.

  Installation of a user-installed plugin will override a core plugin.

  Use the VSTOOL_NPM_LOG_LEVEL environment variable to set the npm loglevel.
  Use the VSTOOL_NPM_REGISTRY environment variable to set the npm registry.

ALIASES
  $ vstool plugins:add

EXAMPLES
  Install a plugin from npm registry.

    $ vstool plugins:install myplugin

  Install a plugin from a github url.

    $ vstool plugins:install https://github.com/someuser/someplugin

  Install a plugin from a github slug.

    $ vstool plugins:install someuser/someplugin

See code: @oclif/plugin-plugins

vstool plugins:link PATH

Links a plugin into the CLI for development.

USAGE
  $ vstool plugins:link PATH [-h] [--install] [-v]

ARGUMENTS
  PATH  [default: .] path to plugin

FLAGS
  -h, --help          Show CLI help.
  -v, --verbose
      --[no-]install  Install dependencies after linking the plugin.

DESCRIPTION
  Links a plugin into the CLI for development.
  Installation of a linked plugin will override a user-installed or core plugin.

  e.g. If you have a user-installed or core plugin that has a 'hello' command, installing a linked plugin with a 'hello'
  command will override the user-installed or core plugin implementation. This is useful for development work.


EXAMPLES
  $ vstool plugins:link myplugin

See code: @oclif/plugin-plugins

vstool plugins:remove [PLUGIN]

Removes a plugin from the CLI.

USAGE
  $ vstool plugins:remove [PLUGIN...] [-h] [-v]

ARGUMENTS
  PLUGIN...  plugin to uninstall

FLAGS
  -h, --help     Show CLI help.
  -v, --verbose

DESCRIPTION
  Removes a plugin from the CLI.

ALIASES
  $ vstool plugins:unlink
  $ vstool plugins:remove

EXAMPLES
  $ vstool plugins:remove myplugin

vstool plugins:reset

Remove all user-installed and linked plugins.

USAGE
  $ vstool plugins:reset [--hard] [--reinstall]

FLAGS
  --hard       Delete node_modules and package manager related files in addition to uninstalling plugins.
  --reinstall  Reinstall all plugins after uninstalling.

See code: @oclif/plugin-plugins

vstool plugins:uninstall [PLUGIN]

Removes a plugin from the CLI.

USAGE
  $ vstool plugins:uninstall [PLUGIN...] [-h] [-v]

ARGUMENTS
  PLUGIN...  plugin to uninstall

FLAGS
  -h, --help     Show CLI help.
  -v, --verbose

DESCRIPTION
  Removes a plugin from the CLI.

ALIASES
  $ vstool plugins:unlink
  $ vstool plugins:remove

EXAMPLES
  $ vstool plugins:uninstall myplugin

See code: @oclif/plugin-plugins

vstool plugins:unlink [PLUGIN]

Removes a plugin from the CLI.

USAGE
  $ vstool plugins:unlink [PLUGIN...] [-h] [-v]

ARGUMENTS
  PLUGIN...  plugin to uninstall

FLAGS
  -h, --help     Show CLI help.
  -v, --verbose

DESCRIPTION
  Removes a plugin from the CLI.

ALIASES
  $ vstool plugins:unlink
  $ vstool plugins:remove

EXAMPLES
  $ vstool plugins:unlink myplugin

vstool plugins:update

Update installed plugins.

USAGE
  $ vstool plugins:update [-h] [-v]

FLAGS
  -h, --help     Show CLI help.
  -v, --verbose

DESCRIPTION
  Update installed plugins.

See code: @oclif/plugin-plugins

vstool policy-sync

Syncs policies to Vault

USAGE
  $ vstool policy-sync [-h] [--broker-api-url <value>] [--broker-token <value>] [--vault-token <value>]
    [--vault-addr <value>] [--root <value>...]

FLAGS
  -h, --help                    Show CLI help.
      --broker-api-url=<value>  [default: https://nr-broker.apps.silver.devops.gov.bc.ca/] The broker api base url
      --broker-token=<value>    The broker JWT
      --root=<value>...         [default: ] The root to restrict the policy sync to. Some roots can be further
                                restricted, such as --root=apps --root=cool-app-war
      --vault-addr=<value>      [default: http://127.0.0.1:8200] The vault address
      --vault-token=<value>     [default: myroot] The vault token

DESCRIPTION
  Syncs policies to Vault