
WIP - Add HSM support to Key Vault #1717

Open

wants to merge 1 commit into base: dev

Conversation

p3ck
Collaborator

@p3ck p3ck commented Sep 17, 2024

SUMMARY

Add support for HSM in KeyVault module(s)

ISSUE TYPE
  • Feature Pull Request
  • New Module Pull Request
COMPONENT NAME

plugins/modules/azure_rm_keyvault.py
plugins/modules/azure_rm_keyvault_info.py
plugins/modules/azure_rm_keyvaultsecuritydomain.py

ADDITIONAL INFORMATION

The vendored_sdks is copied directly from azure-cli. It doesn't seem to be packaged in the azure-python-sdk, which is where I think it should go.

@p3ck p3ck added new_feature New feature requirments hold The problem holds for a particular reason labels Sep 17, 2024
@p3ck p3ck force-pushed the keyvault-hsm branch 4 times, most recently from f681b39 to 160e128 Compare September 20, 2024 14:50
@p3ck p3ck requested a review from Fred-sun September 20, 2024 15:15
@p3ck
Collaborator Author

p3ck commented Sep 20, 2024

@Fred-sun or @xuzhang3 Can one of you run the integration tests? I've tested as much as my account allows me but I don't have permission to download the security domain file in my org.

az keyvault security-domain download --id https://hsm34330be106.managedhsm.azure.net --security-domain-file "sd_file_name" --sd-quorum 2 --sd-wrapping-keys ./files/cert_0.cer ./files/cert_1.cer ./files/cert_2.cer 
(AccessDenied) Not authorized to perform Security Domain backup. (Activity ID: 8d56a47c-7756-11ef-a729-6045bd7b4c47)

I've also had limited success running this in the pipeline; I either get "5 HSMs are already deployed" or a gateway timeout.

ansible-test integration azure_rm_keyvault --allow-destructive

Thanks.

@xuzhang3
Collaborator

p3ck

Sure, I will run these tests.

@xuzhang3
Collaborator

@p3ck can you help migrate the vendor-sdk to azure-keyvault-administration for KV HSM management?

https://learn.microsoft.com/en-us/python/api/overview/azure/keyvault-administration-readme?view=azure-python

@p3ck
Collaborator Author

p3ck commented Sep 23, 2024 via email

@p3ck
Collaborator Author

p3ck commented Sep 27, 2024

I have been able to test some of this locally.

TASK [azure_rm_keyvault : Lookup service principal object id] ******************
ok: [testhost]

TASK [azure_rm_keyvault : Create instance of HSM -- check mode] ****************
changed: [testhost]

TASK [azure_rm_keyvault : Assert the resource instance is well created] ********
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_keyvault : Create instance of HSM] ******************************
changed: [testhost]

TASK [azure_rm_keyvault : Assert the resource instance is well created] ********
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_keyvault : Create instance of HSM again] ************************
ok: [testhost]

TASK [azure_rm_keyvault : Assert the state has not changed] ********************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_keyvault : Update existing HSM (add tags)] **********************
changed: [testhost]

TASK [azure_rm_keyvault : Assert the state has changed] ************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_keyvault : Get hsm facts] ***************************************
ok: [testhost]

TASK [azure_rm_keyvault : Assert the facts are properly set] *******************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_keyvault : Download the security domain file] *******************
ok: [testhost]

TASK [azure_rm_keyvault : Save the security domain file] ***********************
ok: [testhost] => {
    "output[\"security_domain\"]": {
        "EncData": {
            "data": [
                {
                    "compact_jwe": "eyJhbGci
....
                }
            ],
            "key_algorithm": "shamir_share",
            "required": 2
        },
        "version": 2
    }
}

TASK [azure_rm_keyvault : Create a hsm key] ************************************
fatal: [testhost]: FAILED! => {"changed": false, "msg": "Find the key vault secret got exception, exception as (AccessDenied) Not authorized to access Microsoft.KeyVault/managedHsm/keys/read/action on '/keys' (Activity ID: 86f8b88c-7cdc-11ef-b688-6045bdb636b6)\nCode: AccessDenied\nMessage: Not authorized to access Microsoft.KeyVault/managedHsm/keys/read/action on '/keys' (Activity ID: 86f8b88c-7cdc-11ef-b688-6045bdb636b6)"}

TASK [azure_rm_keyvault : Delete the hsm key] **********************************
fatal: [testhost]: FAILED! => {"changed": false, "msg": "Find the key vault secret got exception, exception as (AccessDenied) Not authorized to access Microsoft.KeyVault/managedHsm/keys/read/action on '/keys' (Activity ID: 8940f78a-7cdc-11ef-a902-6045bd7b46a8)\nCode: AccessDenied\nMessage: Not authorized to access Microsoft.KeyVault/managedHsm/keys/read/action on '/keys' (Activity ID: 8940f78a-7cdc-11ef-a902-6045bd7b46a8)"}

As you can see, I was able to download the security domain, which involves uploading the public certs and specifying the minimum number for quorum.

I am unable to test the key generation since I don't have permission to do that. I don't think my account has the correct permissions from my org since I tried the following as well:

az keyvault role assignment create --hsm-name hsm34330be702 --role "Managed HSM Crypto User" --assignee-object-id ca413070-9a06-4e0a-8bb8-c167d29fa09e  --scope /keys
(AccessDenied) Not authorized to access Microsoft.KeyVault/managedHsm/roleDefinitions/read/action on /keys (Activity ID: 54356da2-7b7c-11ef-8b0b-6045bdb636b6)
Code: AccessDenied
Message: Not authorized to access Microsoft.KeyVault/managedHsm/roleDefinitions/read/action on /keys (Activity ID: 54356da2-7b7c-11ef-8b0b-6045bdb636b6)

I've also opened an issue in the azure-cli package asking if the vendored_sdks files can be broken out into a separate package.

Azure/azure-cli#29998
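The security-domain document returned by the download task above has a small, checkable shape: a version, an EncData block whose data array holds one compact JWE per encrypted share, the key_algorithm (shamir_share) and the quorum in required. What follows is an added example, not code from this PR or from the azure collection: a validator that can be run over the downloaded file before it is archived, checking that every share is a syntactically complete 5-segment compact JWE with a parseable protected header, that the quorum can actually be met by the shares present, and that the share count matches the number of certificates supplied at download. The JWE segments in the sample are synthetic placeholders; the one-share-per-wrapping-certificate relationship and the alg/enc header fields are assumptions made for the example, not taken from the PR.

```python
import base64
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    """Unpadded base64url, as used for the segments of a compact JWE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Reverse of _b64url; restores the padding that compact serialization strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _placeholder_compact_jwe(index: int) -> str:
    """Constructed 5-segment compact JWE (header.key.iv.ciphertext.tag).

    Only the protected header is meaningful JSON; the other four segments are
    placeholder bytes, not real wrapped share material (assumption for the demo)."""
    header = {"alg": "RSA-OAEP-256", "enc": "A256CBC-HS512", "kid": f"share-{index}"}
    segments = [_b64url(json.dumps(header).encode("utf-8"))]
    segments += [_b64url(f"segment{n}-share{index}".encode("utf-8")) for n in range(1, 5)]
    return ".".join(segments)


# Constructed sample with the same shape as the Ansible output in this thread:
# three shares (one per wrapping certificate uploaded) and a quorum of two.
SAMPLE_SECURITY_DOMAIN = {
    "EncData": {
        "data": [{"compact_jwe": _placeholder_compact_jwe(i)} for i in range(3)],
        "key_algorithm": "shamir_share",
        "required": 2,
    },
    "version": 2,
}


def _check_compact_jwe(jwe: object) -> Optional[str]:
    """Return a problem description for one share, or None if it looks well-formed."""
    if not isinstance(jwe, str):
        return "compact_jwe missing or not a string"
    segments = jwe.split(".")
    if len(segments) != 5:
        return f"expected 5 dot-separated segments, got {len(segments)} (truncated?)"
    try:
        header = json.loads(_b64url_decode(segments[0]))
    except ValueError:  # covers binascii.Error and JSONDecodeError
        return "protected header is not base64url-encoded JSON"
    for field in ("alg", "enc"):
        if not isinstance(header, dict) or field not in header:
            return f"protected header lacks '{field}'"
    return None


def check_security_domain(doc: dict, wrapping_key_count: int) -> list:
    """Sanity-check a downloaded security-domain document before archiving it.

    wrapping_key_count is the number of certificates passed at download time;
    the check assumes the service emits one encrypted share per certificate."""
    findings = []
    if doc.get("version") != 2:
        findings.append(f"unexpected version {doc.get('version')!r} (expected 2)")
    enc = doc.get("EncData")
    if not isinstance(enc, dict):
        return findings + ["EncData missing or not an object"]
    if enc.get("key_algorithm") != "shamir_share":
        findings.append(f"unexpected key_algorithm {enc.get('key_algorithm')!r}")
    shares = enc.get("data")
    if not isinstance(shares, list) or not shares:
        return findings + ["EncData.data missing or empty"]
    required = enc.get("required")
    if not isinstance(required, int) or required < 1:
        findings.append(f"required must be a positive integer, got {required!r}")
    else:
        if required > len(shares):
            findings.append(f"quorum {required} exceeds {len(shares)} shares; restore would be impossible")
        if required == 1:
            findings.append("quorum of 1: any single share holder can restore the domain")
    if len(shares) != wrapping_key_count:
        findings.append(f"{len(shares)} shares but {wrapping_key_count} wrapping certificates were supplied")
    for i, share in enumerate(shares):
        problem = _check_compact_jwe(share.get("compact_jwe") if isinstance(share, dict) else None)
        if problem:
            findings.append(f"share {i}: {problem}")
    return findings


if __name__ == "__main__":
    for finding in check_security_domain(SAMPLE_SECURITY_DOMAIN, 3) or ["no findings"]:
        print(finding)
```

The quorum checks are the ones worth keeping an eye on: a required value larger than the number of shares makes the domain unrecoverable, and a value of 1 means a single certificate holder can restore it alone, which defeats the point of splitting it. The JWE check only confirms structure; it does not, and cannot, verify that the wrapped share material is correct without the private keys.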

#
# azure_rm_hsmsecret tests
#
- name: Create a hsm secret
Collaborator


Key Vault HSM does not support secret management; this test case can be removed.

@p3ck
Collaborator Author

p3ck commented Nov 22, 2024

Waiting for Azure/azure-sdk-for-python#37929 to finalize so we can use the SDK.
