Merge pull request #233 from ovotech/add-circleci-contexts

Add circleci context location

Author: Chris Every

README.md

@@ -7,7 +7,8 @@ ages, and rotating said keys once they pass a specific age threshold.
 The tool can update keys held in the following locations:
 
 * Atlas (mongoDB)
-* CircleCI
+* CircleCI env vars
+* CircleCI contexts
 * GCS
 * Git
 * GoCd
@@ -88,12 +89,14 @@ ultimately be updated with the new keys that are generated.
 
 Currently, the following locations are supported:
 
-* EnvVars in CircleCI
+* Atlas (mongoDB)
+* CircleCI env vars
+* CircleCI contexts
+* GCS
+* Git (files encrypted with [mantle](https://github.com/ovotech/mantle) which
+integrates with KMS))
 * GoCd
-* GCS 
-* Secrets in GKE
-* Files (encrypted via [mantle](https://github.com/ovotech/mantle) which
-integrates with KMS) in Git
+* K8S (GKE only)
 * SSM (AWS Parameter Store)
 
 ## Rotation Process

examples/locations/circleci-contexts/README.md

@@ -0,0 +1,67 @@
+# CircleCI Contexts Example
+
+## Pre-requisites
+
+In order to rotate a key that's stored in CircleCI contexts, you'll need:
+
+1. A GitHub machine user (**not a human user**)
+with write access to the GitHub repository that the CircleCI project is linked
+to. Note: the GitHub user must be part of a team that has access to the context,
+see the CircleCI [docs](https://circleci.com/docs/2.0/contexts/) for more info.
+2. A CircleCI API key for the GitHub user, which can be generated by logging in
+to [circleci.com](circleci.com) as the user, then creating a
+[personal API token](https://circleci.com/account/api).
+3. A CircleCI context, which you can create by visiting
+https://app.circleci.com/settings/organization/github/<org>/contexts. Once
+created, grab the uuid from the url, you'll need it for your config later.
+4. An env var set on the context in CircleCI.
+5. Auth to actually perform the rotation operation with whichever cloud provider
+you're using. This will require a service-account or user (with the
+cloud-provider you're rotating with) that has the required set of permissions.
+Then, auth will need to be given to `cloud-key-rotator` (usually in the form of
+a .json file or env vars).
+
+## Configuration
+
+```json
+  "AccountKeyLocations": [
+    {
+      "ServiceAccountName": "my_aws_machine_user",
+      "CircleCIContext": [
+        {
+          "ContextID": "my-uuid-context-id"
+        }
+      ]
+    }
+  ],
+  "Credentials": {
+    "CircleCIAPIToken": "my_circle_ci_api_token"
+  }
+```
+
+When rotating AWS keys, there are some optional fields,
+`keyIDEnvVar` and `keyEnvVar`, that represent the env var names in CircleCI,
+defaulting to values `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
+respectively.
+
+So, if you store your Key ID and Key values in env vars in CircleCI that're
+named differently, you could set something like this instead:
+
+```json
+    "CircleCIContext": [{
+      "ContextID": "my-uuid-context-id",
+      "KeyIDEnvVar": "AWS_KEY_ID",
+      "KeyEnvVar": "AWS_KEY"
+    }]
+```
+
+When rotating GCP keys, to override the default CircleCI env var name 
+(`GCLOUD_SERVICE_KEY`), you only need to override the `KeyEnvVar` value
+(as only a single value, the key, is needed for GCP)
+
+```json
+    "CircleCI": [{
+      "ContextID": "my-uuid-context-id",
+      "KeyEnvVar": "GCP_KEY"
+    }]
+```

examples/locations/circleci/README.md

@@ -4,11 +4,12 @@
 
 In order to rotate a key that's stored in CircleCI env vars, you'll need:
 
-1. A GitHub user (preferably a dedicated machine-user, rather than a human user)
+1. A GitHub machine user (**not a human user**)
 with write access to the GitHub repository that the CircleCI project is linked to.
 2. A CircleCI API key for the GitHub user, which can be generated by logging in
 to [circleci.com](circleci.com) as the user, then creating a [personal API token](https://circleci.com/account/api).
-3. Auth to actually perform the rotation operation with whichever cloud provider
+3. An env var set on the project in CircleCI.
+4. Auth to actually perform the rotation operation with whichever cloud provider
 you're using. This will require a service-account or user (with the cloud-provider you're rotating with) that has the required set of permissions. Then, auth will
 need to be given to `cloud-key-rotator` (usually in the form of a .json file or
 env vars).

go.mod

@@ -3,31 +3,56 @@ module github.com/ovotech/cloud-key-rotator
 go 1.12
 
 require (
+	cloud.google.com/go v0.61.0 // indirect
+	cloud.google.com/go/bigquery v1.10.0 // indirect
+	cloud.google.com/go/pubsub v1.3.1 // indirect
 	cloud.google.com/go/storage v1.10.0
+	github.com/CircleCI-Public/circleci-cli v0.1.8764
 	github.com/Sectorbob/mlab-ns2 v0.0.0-20171030222938-d3aa0c295a8a
 	github.com/aws/aws-lambda-go v1.17.0
-	github.com/aws/aws-sdk-go v1.32.13
+	github.com/aws/aws-sdk-go v1.33.13
 	github.com/beamly/go-gocd v0.0.0-20190719193049-383d56afbf92
+	github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
+	github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354 // indirect
+	github.com/envoyproxy/go-control-plane v0.9.6 // indirect
+	github.com/envoyproxy/protoc-gen-validate v0.4.0 // indirect
+	github.com/google/go-cmp v0.5.1 // indirect
+	github.com/google/gofuzz v1.1.0 // indirect
 	github.com/googleapis/gnostic v0.0.0-20170729233727-0c5108395e2d // indirect
+	github.com/iancoleman/strcase v0.0.0-20191112232945-16388991a334 // indirect
+	github.com/ianlancetaylor/demangle v0.0.0-20200715173712-053cf528c12f // indirect
 	github.com/jszwedko/go-circleci v0.3.0
+	github.com/lyft/protoc-gen-star v0.4.15 // indirect
 	github.com/mongodb/go-client-mongodb-atlas v0.3.0
 	github.com/ovotech/cloud-key-client v0.0.0-20191119224032-d4d5f5354584
-	github.com/ovotech/mantle v0.0.0-20190313113039-b525d8003135
+	github.com/ovotech/mantle v0.0.0-20200728120419-bc55cf6d1d7a
+	github.com/pkg/sftp v1.11.0 // indirect
+	github.com/prometheus/client_model v0.2.0 // indirect
+	github.com/spf13/afero v1.3.2 // indirect
 	github.com/spf13/cobra v0.0.7
 	github.com/spf13/viper v1.7.0
+	github.com/stretchr/objx v0.3.0 // indirect
+	github.com/stretchr/testify v1.6.1 // indirect
+	github.com/yuin/goldmark v1.2.0 // indirect
 	go.uber.org/zap v1.15.0
-	golang.org/x/crypto v0.0.0-20191119213627-4f8c1d86b1ba
+	golang.org/x/crypto v0.0.0-20200709230013-948cd5f35899
+	golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 // indirect
 	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
-	google.golang.org/api v0.28.0
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	golang.org/x/sys v0.0.0-20200728102440-3e129f6d46b1 // indirect
+	golang.org/x/tools v0.0.0-20200727233628-55644ead90ce // indirect
+	google.golang.org/api v0.29.0
+	google.golang.org/genproto v0.0.0-20200728010541-3dc8dca74b7b // indirect
+	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/inf.v0 v0.9.0 // indirect
 	gopkg.in/ini.v1 v1.57.0
 	gopkg.in/src-d/go-git.v4 v4.13.1
 	gopkg.in/yaml.v2 v2.2.7 // indirect
+	gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 // indirect
 	k8s.io/api v0.0.0-20190313235455-40a48860b5ab
 	k8s.io/apimachinery v0.0.0-20190313205120-d7deff9243b1
 	k8s.io/client-go v11.0.0+incompatible
 	k8s.io/klog v0.0.0-20190306015804-8e90cee79f82 // indirect
 	k8s.io/utils v0.0.0-20190308190857-21c4ce38f2a7 // indirect
+	rsc.io/sampler v1.99.99 // indirect
 	sigs.k8s.io/yaml v1.1.0 // indirect
 )