Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SMTP brokerpak and supporting #5

Merged
merged 66 commits into from
Sep 10, 2024
Merged

Add SMTP brokerpak and supporting #5

merged 66 commits into from
Sep 10, 2024

Conversation

jameshochadel
Copy link
Contributor

Changes proposed in this pull request:

  • I've been developing on a topic branch to avoid a PR workflow while in early stages of development, but I'm going to start PRing changes for each issue I resolve now.
  • Adds the SMTP brokerpak, including provision and bind code, manifest and service definition yaml files, and a Go client for testing service instances.
  • Adds local development tools for working with the CSB and brokerpaks locally.

Things to check

  • For any logging statements, is there any chance that they could be logging sensitive data?
  • Are log statements using a logging library with a logging level set? Setting a logging level means that log statements "below" that level will not be written to the output. For example, if the logging level is set to INFO and debugging statements are written with log.debug or similar, then they won't be written to the otput, which can prevent unintentional leaks of sensitive data.

Security considerations

Follows standard practices to avoid credential disclosure.

@jameshochadel
oci-build step only supports settings args, not envs
19e0c96
@jameshochadel
Stop failing when zscaler.crt is not present by copying entire repo
15f7a19
@jameshochadel
Switch to OpenTofu, which upstream CSB now uses instead of Terraform
afa819d
@jameshochadel
Copy datagov-smtp-brokerpak verbatim
bedf1f8 
Also update the Dockerfile to build it.

Source: https://github.com/GSA-TTS/datagov-brokerpak-smtp
@jameshochadel
Ignore compiled brokerpaks
ec020d6
@jameshochadel
Debug failing COPY step
b762c3d
@jameshochadel
Brokerpak is using name from yaml, not directory
d8e0ccd
@jameshochadel
Regenerate cg-smtp using 'csb pak init' for new plan GUIDs
b153c75
@jameshochadel
Drop 'empty' buildpack
548a2dc
@jameshochadel
Fix using deprecated version constraint in provider block
f9c2fea
@jameshochadel
Allow granular DMARC reporting and update policy to p=reject
bcc6aa3
@jameshochadel
Make output usage more obvious by splitting username and access key ID
0695396 
They're the same underlying value, but looking at the outputs alone, you wouldn't know that.
@jameshochadel
Update manifest to match new outputs
32ada9e
@jameshochadel
Switch to providers from the HashiCorp registry, per CSB docs
21b1477 
https://github.com/cloudfoundry/cloud-service-broker/blob/main/docs/brokerpak-dissection.md
@jameshochadel
Drop debugging lines
49a6590
@jameshochadel
Try GitHub release URLs from OpenTofu
2833bc5
@jameshochadel
Make changes based on OpenTofu migration guide
87b18fe 
https://github.com/cloudfoundry/cloud-service-broker/blob/main/docs/opentofu_migration_guide.md#specifying-providers
@jameshochadel
CSB is not yet compatible with OpenTofu providers
a1b2d4e 
Download the Terraform provider from GitHub to follow Hashi registry ToS
@jameshochadel
Match example provider configuration exactly
74ee00d
@jameshochadel
Specify registry source in bind
82298ea
@jameshochadel
Try with replacements section
5c55d02 
https://github.com/cloudfoundry/csb-brokerpak-aws/blob/799ab69e6439da1bcef542c9fafa9393af2dd7a5/manifest.yml#L11C1-L12C77
@jameshochadel
Match up AWS provider versions
15a8366
@jameshochadel
Test with terraform_upgrade_path set
d9a89d4
@jameshochadel
Add required default field
12153b6
@jameshochadel
Test with upstream terraform provider
cc5d57b
@jameshochadel
Migration guide recommends specifying url_template
10a41c9 
And Dockerfiles are unused
@jameshochadel
Test brokerpak unzip with file later than versions.tf
5b6c9f0
@jameshochadel
Try again
877de0b
@jameshochadel
Add missing reference to versions.tf
372903d 
<oh my god>
@jameshochadel
Add required 'sensitive' attributes to bind output
b93b38b
@jameshochadel
Revert IAM changes to troubleshoot
6032299
@jameshochadel
Switch to sesv2 module to support tagging SES identity
c64a1ba 
- Remove txt_verification_record which is redundant with DKIM records
- Mirror tags from https://github.com/cloud-gov/go-broker-tags/blob/main/tags.go#L10
@jameshochadel
Could not find space_name in context; try without
c2954f2
@jameshochadel
Revert "Could not find space_name in context; try without"
a4aa64a 
This reverts commit c2954f2.
@jameshochadel
Try with map indexing syntax
278c1c0
@jameshochadel
Temporarily remove unusable tags
28e4b77 
See: cloud-gov/product#3107 (comment)
@jameshochadel
Remove likely-unusable IP condition
19ff5fd
@jameshochadel
IAM user needs permission on the Configuration Set to send mail
5c3d466
@jameshochadel
Add empty placeholder tags
7448d37
@jameshochadel
Tag all resources created by brokerpak with provider default_tags
2de6a1c
@jameshochadel
Add Makefile to support local development
98b7df2 
Related to cloud-gov/product#3118
@jameshochadel
Return FIPS endpoint in binding credentials
900667c 
Resolves cloud-gov/product#3120
@jameshochadel
Prevent destruction of resources whose ARNs would change
c204e10 
Goal is to minimize disruption of updates.

Resolves: cloud-gov/product#3123
@jameshochadel
Add Go client for local or CF testing of SMTP interface
a3aec67
@jameshochadel
Improve descriptions and documentation in smtp plan
3f3d246
@jameshochadel
Improve documentation and variable naming
37f356b
@jameshochadel
Bump OpenTofu version to latest
df7c373
@jameshochadel
Extract tags from context in Terraform instead of service definition
722729a 
Uses workaround to HIL parser limitation here: cloudfoundry/cloud-service-broker#1086 (comment)
@jameshochadel
Add final tags, meeting parity with go tagging library
012a2e5 
Resolves cloud-gov/product#3107
@jameshochadel
Remove unused import
ac1c88f
@jameshochadel
Add scripts for creating and deleting resources locally
b714f7f 
Resolves cloud-gov/product#3118
@jameshochadel jameshochadel requested a review from a team as a code owner September 10, 2024 14:49
markdboyd
markdboyd reviewed Sep 10, 2024
View reviewed changes
brokerpaks/cg-smtp/terraform/bind/outputs.tf Outdated
value = aws_iam_access_key.access_key.id
}

# TODO should we only expose the SMTP interface?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What would this mean?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The binding provides a set of SMTP credentials and an AWS access key to the IAM user, which allows customers to use the AWS SES APIs instead of the SMTP interface. I'll take this TODO out, though; it's a desirable behavior so they can use the AWS SDK if they want, and the security impact is the same since the user has privileges limited to their identity only.

markdboyd
markdboyd reviewed Sep 10, 2024
View reviewed changes
brokerpaks/cg-smtp/terraform/bind/provider.tf Outdated
tags = {
"broker" = "Cloud Service Broker"
"client" = "Cloud Foundry"
"environment" = "local" # todo, parameterize at CSB level
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I assume we'll follow up on this later

Copy link
Contributor Author

@jameshochadel jameshochadel Sep 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yep, that's probably in my next issue, which is tackling Terraform for deploying the broker itself.

@jameshochadel jameshochadel merged commit fde3dd9 into main Sep 10, 2024
@jameshochadel jameshochadel deleted the brokerpak-topic branch September 10, 2024 20:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markdboyd markdboyd markdboyd approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jameshochadel @markdboyd