Skip to content

hashicorp-dev-advocates/waypoint-plugin-access-control

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits

.github/workflows

.github/workflows

 
 

builder

builder

 
 

platform

platform

 
 

release

release

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

Dockerfile.odr

Dockerfile.odr

 
 

LICENSE

LICENSE

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

clone.sh

clone.sh

 
 

go.mod

go.mod

 
 

go.mod.bak

go.mod.bak

 
 

go.sum

go.sum

 
 

go.sum.bak

go.sum.bak

 
 

main.go

main.go

 
 

print_arch

print_arch

 
 

Repository files navigation

Waypoint Plugin Vault policy

This plugin for HashiCorp Waypoint creates policies for HashiCorp Vault so security teams can configure Vault roles to assist developer with incident response. The idea behind this plugin is that developers can specify which underlying pieces of infrastructure they would need access to in the event of an incident or outage. Security teams can then take these policies and create Vault roles according to their organisation's security posture.

The plugin has two main constructs:

  1. Triggers - This specifies what should trigger access to the underlying infrastructure. This could be event driven for specific environments, manual for other environments and automatic for any scenarios that your organisation sees fit. It also specifies which teams should be granted access to the underlying infrastructure for the event driven options.
  2. Access - This specifies what pieces of underlying infrastructure that developers will need access to in an incident scenario.

Example usage

project = "hello-world"

app "access" {
  deploy {
    use "access-control" {
      # Which event should trigger the access configurator?
      trigger {
        config {
          platform = "pager-duty"
          event    = "hello-world-down" # Event to listen out
          teams = [
            "hello-world-devs", # The person that deployed app
            "hello-world-ops",
          ]

        }
        environment = "production"
        approval = "alert"
      
      }

      trigger {
        config {}
        approval = "manual" # Manual, automatic or alert
        environment = "dev"
      
      }
  
      #What access should be granted

      access {
        database = "bye-world-db"
        role     = "bye-world-db-read"
      }

      access {
        database = "hello-world-db"
        role     = "hello-world-db-read"
      }

      access {
        cloud = "aws"
        role = "aws-cloud-read"
      }

    }
  }

  build {
    use "noop" {}
  }
}

The above example will create and write the following policies to Vault:

# bye-world-db-read.hcl

path "bye-world-db/creds/bye-world-db-read" {
   capabilities = [
      "read"
   ]
}
# hello-world-db-read.hcl

path "hello-world-db/creds/hello-world-db-read" {
   capabilities = [
      "read"
   ]
}
# aws-cloud-read.hcl

path "aws-cloud/creds/aws-cloud-read" {
   capabilities = [
      "read"
   ]
}

Waypoint runner dependencies

This plugin will need to be able to authenticate with Vault to write these policies so it will need the Vault address and an access token with the below policy attached:

# waypoint-runner.hcl

path "/sys/policy/*" {
   capabilities = [
      "write"
   ]
}

Once you have created a Vault token with the above policy, you will need to pass the following environment variables to the Waypoint runner:

  • VAULT_ADDR
  • VAULT_TOKEN
  • VAULT_NAMESPACE (optional)

The Waypoint runner can also be configured using our Terraform Provider for Waypoint.

About

No description, website, or topics provided.

Resources

Readme

License

MPL-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases 2

v0.1.0 initial release Latest
Jun 17, 2022
+ 1 release

Packages

No packages published

Languages