Initial commit

2025-11-30 08:19:59 +08:00
commit 7872cd6ad6
11 changed files with 427 additions and 0 deletions
--- a/skills/secrets-manager-integrator/assets/README.md
+++ b/skills/secrets-manager-integrator/assets/README.md
@@ -0,0 +1,7 @@
+# Assets
+
+Bundled resources for secrets-manager-integrator skill
+
+- [ ] vault_config_template.hcl: A template for Vault configuration files.
+- [ ] aws_iam_policy_template.json: A template for AWS IAM policies for secrets management.
+- [ ] example_secrets.yaml: Example secrets file for demonstration purposes.
--- a/skills/secrets-manager-integrator/assets/aws_iam_policy_template.json
+++ b/skills/secrets-manager-integrator/assets/aws_iam_policy_template.json
@@ -0,0 +1,75 @@
+{
+  "_comment": "AWS IAM Policy Template for Secrets Manager Integrator Plugin",
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "_comment": "Allow access to specific secrets in AWS Secrets Manager. Replace <region>, <account-id>, and <secret-name> with your actual values.",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:GetSecretValue",
+        "secretsmanager:DescribeSecret"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:<region>:<account-id>:secret/<secret-name>-*",
+        "arn:aws:secretsmanager:<region>:<account-id>:secret/<secret-name>"
+      ]
+    },
+    {
+      "_comment": "Allow decryption of secrets encrypted with a specific KMS key. Replace <region>, <account-id>, and <kms-key-alias> with your actual values.",
+      "Effect": "Allow",
+      "Action": [
+        "kms:Decrypt"
+      ],
+      "Resource": [
+        "arn:aws:kms:<region>:<account-id>:key/<kms-key-alias>"
+      ],
+      "Condition": {
+        "StringEquals": {
+          "kms:ViaService": "secretsmanager.<region>.amazonaws.com"
+        }
+      }
+    },
+    {
+      "_comment": "Allow listing of secrets within a specified region. Use with caution as it grants broad access. Consider removing or restricting this for production environments.",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:ListSecrets"
+      ],
+      "Resource": [
+        "*"
+      ]
+    },
+    {
+      "_comment": "Optional: Allow creating secrets.  Remove if not needed. Requires `secretsmanager:CreateSecret` permission.",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:CreateSecret"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:<region>:<account-id>:secret/*"
+      ]
+    },
+    {
+      "_comment": "Optional: Allow deleting secrets. Remove if not needed. Requires `secretsmanager:DeleteSecret` permission.",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:DeleteSecret",
+        "secretsmanager:RestoreSecret"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:<region>:<account-id>:secret/*"
+      ]
+    },
+    {
+      "_comment": "Optional: Allow updating secrets. Remove if not needed. Requires `secretsmanager:UpdateSecret` permission.",
+      "Effect": "Allow",
+      "Action": [
+        "secretsmanager:UpdateSecret",
+        "secretsmanager:PutSecretValue"
+      ],
+      "Resource": [
+        "arn:aws:secretsmanager:<region>:<account-id>:secret/*"
+      ]
+    }
+  ]
+}
--- a/skills/secrets-manager-integrator/assets/example_secrets.yaml
+++ b/skills/secrets-manager-integrator/assets/example_secrets.yaml
@@ -0,0 +1,96 @@
+# Example secrets configuration file for the secrets-manager-integrator plugin.
+# This file demonstrates how to configure connections to different secrets managers.
+
+# Global configuration settings
+global:
+  # Default secrets manager to use if not specified in a specific operation.
+  # Valid options: vault, aws_secrets_manager, azure_key_vault, google_secret_manager, file
+  default_manager: vault
+
+  # Enable debug logging (true/false)
+  debug: false
+
+# Configuration for connecting to HashiCorp Vault
+vault:
+  # Enable or disable Vault integration (true/false)
+  enabled: true
+
+  # Vault server address (e.g., https://vault.example.com:8200)
+  address: "https://REPLACE_ME_VAULT_ADDRESS:8200"
+
+  # Authentication method to use.  Valid options: token, app_role, kubernetes
+  auth_method: token
+
+  # Token-based authentication configuration
+  token:
+    # Vault token to use for authentication
+    token: "YOUR_VAULT_TOKEN_HERE"
+
+  # AppRole-based authentication configuration (if auth_method is app_role)
+  app_role:
+    role_id: "YOUR_VAULT_ROLE_ID_HERE"
+    secret_id: "YOUR_VAULT_SECRET_ID_HERE"
+
+  # Kubernetes-based authentication configuration (if auth_method is kubernetes)
+  kubernetes:
+    role: "YOUR_VAULT_K8S_ROLE_HERE"
+    service_account_path: "/var/run/secrets/kubernetes.io/serviceaccount/token"
+
+  # Path prefix for secrets (e.g., secret/)
+  secret_path_prefix: "secret/"
+
+# Configuration for connecting to AWS Secrets Manager
+aws_secrets_manager:
+  # Enable or disable AWS Secrets Manager integration (true/false)
+  enabled: false
+
+  # AWS region (e.g., us-east-1)
+  region: "YOUR_AWS_REGION_HERE"
+
+  # AWS Access Key ID (optional, if not using IAM role)
+  aws_access_key_id: "REPLACE_ME_AWS_ACCESS_KEY_ID"
+
+  # AWS Secret Access Key (optional, if not using IAM role)
+  aws_secret_access_key: "REPLACE_ME_AWS_SECRET_ACCESS_KEY"
+
+  # ARN of the IAM role to assume (optional, for enhanced security)
+  role_arn: "YOUR_AWS_ROLE_ARN_HERE"
+
+  # Prefix for secrets (e.g., /my-app/)
+  secret_prefix: "/my-app/"
+
+# Configuration for Azure Key Vault
+azure_key_vault:
+  # Enable or disable Azure Key Vault integration (true/false)
+  enabled: false
+
+  # Azure Key Vault URL (e.g., https://my-key-vault.vault.azure.net/)
+  vault_url: "https://YOUR_KEY_VAULT_NAME.vault.azure.net/"
+
+  # Azure Tenant ID
+  tenant_id: "YOUR_AZURE_TENANT_ID_HERE"
+
+  # Azure Client ID (Application ID)
+  client_id: "YOUR_AZURE_CLIENT_ID_HERE"
+
+  # Azure Client Secret (Application Secret)
+  client_secret: "YOUR_AZURE_CLIENT_SECRET_HERE"
+
+# Configuration for Google Cloud Secret Manager
+google_secret_manager:
+  # Enable or disable Google Cloud Secret Manager integration (true/false)
+  enabled: false
+
+  # Google Cloud Project ID
+  project_id: "YOUR_GOOGLE_PROJECT_ID_HERE"
+
+  # Path to the Google Cloud service account key file (JSON)
+  credentials_path: "/path/to/your/google/credentials.json"
+
+# Configuration for File-based secrets (for testing/development only!)
+file:
+  # Enable or disable File integration (true/false)
+  enabled: false
+
+  # Path to the secrets file (YAML or JSON)
+  path: "/path/to/your/secrets.yaml"
--- a/skills/secrets-manager-integrator/assets/vault_config_template.hcl
+++ b/skills/secrets-manager-integrator/assets/vault_config_template.hcl
@@ -0,0 +1,64 @@
+# Vault Configuration File Template
+
+# This file provides a basic template for configuring Vault.
+# Modify the values below to suit your specific environment.
+# Refer to the Vault documentation for detailed explanations of each parameter:
+# https://www.vaultproject.io/docs/configuration
+
+storage "raft" {
+  path    = "/opt/vault/data" # Adjust this path to your desired storage location.
+  node_id = "vault-node-1"  # Unique identifier for this Vault node.
+
+  # Raft configuration options (optional, but recommended for production):
+  #  - retry_join: Attempts to join the cluster on startup if initial join fails.
+  #  - snapshot_threshold: Number of logs before a snapshot is taken.
+  #  - snapshot_interval: Interval between snapshots.
+  #  - leader_transfer_interval: Interval after which a leader will attempt to transfer leadership.
+  #
+  # Example:
+  # retry_join {
+  #   leader_api_addr = "http://vault-node-2:8200" # Address of another Vault node in the cluster.
+  # }
+  # snapshot_threshold   = 8192
+  # snapshot_interval    = "2m"
+  # leader_transfer_interval = "5s"
+}
+
+
+listener "tcp" {
+  address     = "0.0.0.0:8200" # Change to your desired listening address.
+  tls_disable = true        # Disable TLS for development/testing purposes ONLY.
+                             # ENABLE TLS FOR PRODUCTION. See TLS configuration below.
+  # tls_cert_file = "/opt/vault/tls/vault.crt" # Path to the TLS certificate.
+  # tls_key_file  = "/opt/vault/tls/vault.key" # Path to the TLS key.
+}
+
+# Optional: Configure TLS for secure communication.
+# listener "tcp" {
+#   address     = "0.0.0.0:8200" # Change to your desired listening address.
+#   tls_cert_file = "/opt/vault/tls/vault.crt" # Path to the TLS certificate.
+#   tls_key_file  = "/opt/vault/tls/vault.key" # Path to the TLS key.
+# }
+
+
+telemetry {
+  # Enable metrics gathering (optional).  Consider enabling for production environments.
+  #  - StatsD:  A popular open-source metrics aggregator.
+  #  - Prometheus:  A popular open-source monitoring solution.
+  #
+  # Example (StatsD):
+  # statsd_address = "127.0.0.1:9125"
+  # Example (Prometheus):
+  # prometheus_retention_time = "1h"
+  disable_hostname = true # Prevent hostname from being included in metrics.
+}
+
+
+ui = true # Enable the Vault UI.  Disable if you are managing Vault programmatically only.
+
+# Example of an audit log.  Enable for production environments.
+# audit "file" {
+#   path = "/opt/vault/audit.log" # Adjust this path to your desired audit log location.
+#   file_hmac_algorithm = "sha256"
+#   hmac_accessor = true
+# }