Initial import of fetching a secret

.gitignore

@@ -0,0 +1,19 @@
+**/.terraform/**
+**tfstate*
+**/*.pem
+**/account.json
+**/credentials
+.DS_Store
+.kitchen
+.terraform
+.terraform.tfstate.d
+# Gemfile has occasionally pinned versions of gems that shouldn't be included (e.g. Could not find aws-sdk-core-2.11.92 in any of the sources)
+Gemfile.lock
+*.zip
+# JetBrains - PyCharm, IntelliJ, etc.
+.idea/
+__pycache__/
+*.iml
+*.json
+# Python
+*.pyc

.kitchen.yml

@@ -0,0 +1,23 @@
+driver:
+  name: terraform
+
+provisioner:
+  name: terraform
+
+platforms:
+  - name: gcp
+
+verifier:
+  name: terraform
+  systems:
+  - name: fetch-secret
+    backend: local
+
+suites:
+  - name: "fetch-secret"
+    driver:
+      root_module_directory: test/fixtures/fetch-secret
+      variables:
+        project_name: <%= ENV['PROJECT_NAME'] %>
+        credentials_file_path: <%= ENV['GOOGLE_APPLICATION_CREDENTIALS'] %>
+        random_suffix: <%= ENV['RANDOM_SUFFIX'] %>

Dockerfile

@@ -0,0 +1,60 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM ubuntu:bionic
+
+RUN apt-get update -y && \
+    apt-get install -y software-properties-common && \
+    apt-add-repository -y ppa:rael-gc/rvm && \
+    apt-get update -y && \
+    apt-get install rvm -y && \
+    /bin/bash -l -c "rvm install 2.4.2 && \
+    echo 'gem: --no-ri --no-rdoc' > ~/.gemrc && \
+    gem install bundler --no-ri --no-rdoc"
+
+RUN apt-get install -y unzip wget ssh git && \
+    wget https://releases.hashicorp.com/terraform/0.11.11/terraform_0.11.11_linux_amd64.zip && \
+    unzip terraform_0.11.11_linux_amd64.zip && \
+    mv terraform /usr/local/bin/
+
+RUN export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)" && \
+    echo "deb http://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | tee -a /etc/apt/sources.list.d/google-cloud-sdk.list && \
+    curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - && \
+    apt-get update -y && apt-get install google-cloud-sdk -y
+
+COPY Gemfile ./
+RUN /bin/bash -l -c "bundle install"
+
+ENV WORKDIR /root/static_build
+WORKDIR $WORKDIR
+COPY . .
+
+RUN /bin/bash -l -c "bundle install"
+
+ARG GOOGLE_APPLICATION_CREDENTIALS
+ENV CREDENTIALS_FILE credentials.json
+COPY $GOOGLE_APPLICATION_CREDENTIALS $WORKDIR/$CREDENTIALS_FILE
+ENV GOOGLE_APPLICATION_CREDENTIALS=$WORKDIR/$CREDENTIALS_FILE
+ARG RANDOM_SUFFIX
+ENV RANDOM_SUFFIX=$RANDOM_SUFFIX
+
+RUN echo "alias tf_list=\"/bin/bash -l -c 'bundle exec kitchen list'\"" >> /root/.bashrc && \
+    echo "alias tf_destroy=\"/bin/bash -l -c 'bundle exec kitchen destroy ; bundle exec kitchen list'\"" >> /root/.bashrc && \
+    echo "alias tf_test=\"/bin/bash -l -c 'bundle exec kitchen create && bundle exec kitchen converge && bundle exec kitchen verify ; bundle exec kitchen list'\"" >> /root/.bashrc && \
+    echo "alias tf_test_and_destroy=\"/bin/bash -l -c 'bundle exec kitchen create && bundle exec kitchen test --destroy always'\"" >> /root/.bashrc
+
+ARG PROJECT_NAME
+ENV PROJECT_NAME=$PROJECT_NAME
+RUN /bin/bash -l -c 'bundle exec kitchen create && bundle exec kitchen converge ; bundle exec kitchen converge && bundle exec kitchen verify && bundle exec kitchen destroy'
+#RUN /bin/bash -l

Gemfile

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+ruby '2.4.2'
+
+source 'https://rubygems.org/' do
+  gem 'inspec', '~> 3.1.0'
+  gem 'kitchen-terraform', '~> 4.1'
+  gem "kitchen-google", "~> 2.0"
+end

LICENSE

@@ -1,3 +1,4 @@
+
                                  Apache License
                            Version 2.0, January 2004
                         http://www.apache.org/licenses/
@@ -198,4 +199,4 @@
    distributed under the License is distributed on an "AS IS" BASIS,
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
-   limitations under the License.
+   limitations under the License.

Makefile

@@ -0,0 +1,100 @@
+# Copyright 2018 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Make will use bash instead of sh
+SHELL := /usr/bin/env bash
+
+all: check_shell check_python check_terraform check_docker check_base_files test_check_headers check_headers check_trailing_whitespace generate_docs ## Run all linters and update documentation
+
+# The .PHONY directive tells make that this isn't a real target and so
+# the presence of a file named 'check_shell' won't cause this target to stop
+# working
+.PHONY: check_shell
+check_shell: ## Lint shell scripts
+	@source test/make.sh && check_shell
+
+.PHONY: check_python
+check_python: ## Lint Python source files
+	@source test/make.sh && check_python
+
+.PHONY: check_golang
+check_golang: ## Lint Go source files
+	@source test/make.sh && golang
+
+.PHONY: check_terraform
+check_terraform: ## Lint Terraform source files
+	@source test/make.sh && check_terraform
+
+.PHONY: check_docker
+check_docker: ## Lint Dockerfiles
+	@source test/make.sh && docker
+
+.PHONY: check_base_files
+check_base_files:
+	@source test/make.sh && basefiles
+
+.PHONY: check_shebangs
+check_shebangs: ## Check that scripts have correct shebangs
+	@source test/make.sh && check_bash
+
+.PHONY: check_trailing_whitespace
+check_trailing_whitespace:
+	@source test/make.sh && check_trailing_whitespace
+
+.PHONY: test_check_headers
+test_check_headers:
+	@echo "Testing the validity of the header check"
+	@python test/test_verify_boilerplate.py
+
+.PHONY: check_headers
+check_headers: ## Check that source files have appropriate boilerplate
+	@echo "Checking file headers"
+	@python test/verify_boilerplate.py
+
+.PHONY: generate_docs
+generate_docs: ## Update README documentation for Terraform variables and outputs
+	@source test/make.sh && generate_docs
+
+# Versioning
+.PHONY: version
+version:
+	@source helpers/version-repo.sh
+
+
+.PHONY: test_integration check-env
+.ONESHELL:
+test_integration: check-env  ## Run a full integration test cycle
+	@echo "Copying service-account-credentials.json to test dirs"
+	cp service-account-credentials.json gcs-object/.
+	cp service-account-credentials.json secret-infrastructure/.
+	@echo Creating random string
+	@echo "Running gcs-object integration test"
+	cd gcs-object
+	docker build . -f Dockerfile -t ubuntu-test-kitchen-terraform --build-arg RANDOM_SUFFIX=$(shell openssl rand -hex 5) --build-arg PROJECT_NAME=${PROJECT_NAME} --build-arg GOOGLE_APPLICATION_CREDENTIALS=service-account-credentials.json
+	cd ..
+	@echo "Running secret-infrastructure integration test"
+	cd secret-infrastructure
+	docker build . -f Dockerfile -t ubuntu-test-kitchen-terraform --build-arg RANDOM_SUFFIX=$(shell openssl rand -hex 5) --build-arg PROJECT_NAME=${PROJECT_NAME} --build-arg GOOGLE_APPLICATION_CREDENTIALS=service-account-credentials.json
+	cd ..
+
+	@echo "Running overall test-kitchen in docker"
+	docker build . -f Dockerfile -t ubuntu-test-kitchen-terraform --build-arg RANDOM_SUFFIX=$(shell openssl rand -hex 5) --build-arg PROJECT_NAME=${PROJECT_NAME} --build-arg GOOGLE_APPLICATION_CREDENTIALS=service-account-credentials.json
+
+help: ## Prints help for targets with comments
+	@grep -E '^[a-zA-Z._-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
+
+check-env:
+ifndef PROJECT_NAME
+	$(error PROJECT_NAME is undefined)
+endif