venafi-vault-wizard, (vvw)This repository is home to the venafi-vault-wizard which can be used to verify the setup of HashiCorp Vault with Venafi as a Service and TPP.
The tool centres around the use of a configuration file to declare what plugins should be installed to HashiCorp Vault, and how they should be configured. This file describes the desired state, and the tool uses it to make the required changes to achieve the desired state. This workflow is similar to that of HashiCorp Terraform.
The tool has two main subcommands: generate-config and apply.
The generate-config command triggers a step-by-step wizard that asks a series of questions in order to generate the configuration file.
The apply command, similarly to Terraform, then performs the plugin installation and configuration, as required by the configuration file.
Both subcommands have a required -f or --configFile flag.
For generate-config, this specifies where the generated configuration will be written to.
For apply, it specifies the configuration to read from, and to apply to the Vault server.
To quickly start exploring the use of the Venafi Vault Wizard, (VVW) a test environment with a VM running Vault can be easily set up using Vagrant. This will provide the VVW tool with a Vault server to install the vault-pki-backend-venafi and vault-pki-monitor-venafi plugins. After they have been installed, certificates can be requested directly from the Vault instance. Either a Venafi TPP instance must be available, or alternatively Venafi as a Service can be used.
First, build the Venafi Vault Wizard, (VVW) tool. The binary will be placed in ./bin at the root of the project.
$ make buildNavigate to the single-node test environment directory.
This directory contains a Vagrantfile and required scripts, as well as a sample vvw.hcl file to configure VVW appropriately.
There is a README.md there which explains the setup in more detail.
$ cd examples/single_node_cluster_vagrantProvision the test Vault server and set the required environment variables using the following commands.
$ vagrant up
$ export VAULT_TOKEN="TOKEN PRINTED FROM VAGRANT HERE"
$ export VAULT_ADDR="http://192.168.33.20:8200"When that has finished, run the VVW tool with the provided configuration file, populating the environment variables with the relevant information.
There are two VVW HCL configuration files: tpp-vvw.hcl for Venafi Trust Protection Platform (TPP) and vaas-vvw.hcl for Venafi as a Service (VaaS).
Choose the appropriate one depending on your requirements.
For TPP:
$ export TPP_URL="YOUR TPP INSTANCE URL HERE"
$ export TPP_USERNAME="YOUR TPP USERNAME HERE"
$ export TPP_PASSWORD="YOUR TPP PASSWORD HERE"
$ ../../bin/vvw apply -f tpp-vvw.hclor for the VaaS configuration:
$ export VENAFI_API_KEY="YOUR VaaS API KEY"
$ ../../bin/vvw apply -f vaas-vvw.hclOnce the VVW tool has successfully completed the installation, a certificate can be requested from either plugin through Vault.
$ vault write pki-monitor/issue/web_server common_name="test.example.com"
$ vault write pki-backend/issue/web_server common_name="test.example.com"or for the VaaS configuration
$ vault write pki-monitor/issue/web_server common_name="test.example.com"
$ vault write pki-backend/issue/web_server common_name="test.example.com"The unit tests can be run with:
$ make testThe VVW tests use a number of pre-generated mocks that can be found under the <repo root>/mocks directory.
These replace the implementation of interfaces used throughout the code, to allow the tests to focus on testing specific areas.
They also provide the advantage that most unit tests run without touching real resources so are much faster and don't cause unwanted side effects.
If any of the interfaces have changed, or new ones added, then the mocks can be regenerated with the following command:
$ make generate-mocksThe command will download the Mockery binary to the <repo root>/bin directory and
then proceed to generate mock implementations of interfaces found within the project.
See the testify/mock package for more details on how to use the mocking framework.