Upgrades dependencies, adds environment bootstrap

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,20 +1,15 @@
 # Overview
 A high level description of the contribution, including:
 Who the change affects or is for (stakeholders)?
-What is the change? 
+What is the change?
 Why is the change needed?
 How does this change affect the user experience (if at all)?
 
-# Design of Change
-How was this change implemented?
-
 # Related Issues/Pull Requests
-[ ] [Issue #1234](https://github.com/hashicorp/vault/issues/1234)
-[ ] [PR #1234](https://github.com/hashicorp/vault/pr/1234)
+- [ ] [Issue #1234](https://github.com/hashicorp/vault/issues/1234)
+- [ ] [PR #1234](https://github.com/hashicorp/vault/pr/1234)
 
 # Contributor Checklist
-[ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
-[My Docs PR Link](link)
-[Example](https://github.com/hashicorp/vault/commit/2715f5cec982aabc7b7a6ae878c547f6f475bba6)
-[ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
-[ ] Backwards compatible
+- [ ] Add relevant docs to upstream Vault repository, or sufficient reasoning why docs won’t be added yet
+- [ ] Add output for any tests not ran in CI to the PR description (eg, acceptance tests)
+- [ ] Backwards compatible

.github/dependabot.yaml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "monthly"
+    reviewers:
+      - "hashicorp/vault-ecosystem"

.gitignore

@@ -24,3 +24,12 @@
 .DS_Store
 .idea
 .vscode
+
+local_environment_setup.sh
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*

.go-version

@@ -1 +1 @@
-1.17.12
+1.19.2

.release/ci.hcl

@@ -9,7 +9,7 @@ project "vault-plugin-auth-azure" {
     organization = "hashicorp"
     repository = "vault-plugin-auth-azure"
     release_branches = [
-        "main"
+        "main",
         "release/vault-1.8.x",
         "release/vault-1.9.x",
         "release/vault-1.10.x",

CHANGELOG.md

@@ -0,0 +1,17 @@
+## Unreleased
+
+FEATURES:
+
+* Adds support for Virtual Machine Scale Set Flex Authentication [GH-63](https://github.com/hashicorp/vault-plugin-auth-azure/pull/63)
+
+IMPROVEMENTS:
+
+* Updates dependencies [[GH-65](https://github.com/hashicorp/vault-plugin-auth-azure/pull/65)]
+  * `github.com/Azure/azure-sdk-for-go v67.0.0+incompatible`
+  * `github.com/Azure/go-autorest/autorest v0.11.28`
+  * `github.com/hashicorp/go-hclog v1.3.1`
+  * `github.com/hashicorp/vault/api v1.8.2`
+  * `github.com/hashicorp/vault/api v1.8.2`
+  * `github.com/hashicorp/vault/sdk v0.6.1`
+  * `golang.org/x/oauth2 v0.1.0`
+* Upgrades to Go 1.19 [[GH-65](https://github.com/hashicorp/vault-plugin-auth-azure/pull/65)]

Makefile

@@ -1,54 +1,54 @@
-TOOL?=vault-plugin-auth-azure
-TEST?=$$(go list ./...)
-EXTERNAL_TOOLS=
-BUILD_TAGS?=${TOOL}
-GOFMT_FILES?=$$(find . -name '*.go' | grep -v vendor)
-
-# bin generates the releaseable binaries for this plugin
-bin: generate
+REPO_DIR := $(shell basename $(CURDIR))
+PLUGIN_NAME := $(shell command ls cmd/)
+PLUGIN_DIR ?= $$GOPATH/vault-plugins
+PLUGIN_PATH ?= local-auth-azure
+
+# bin generates the releasable binaries for this plugin
+.PHONY: bin
+bin:
 	@CGO_ENABLED=0 BUILD_TAGS='$(BUILD_TAGS)' sh -c "'$(CURDIR)/scripts/build.sh'"
 
+.PHONY: default
 default: dev
 
-# dev creates binaries for testing Vault locally. These are put
-# into ./bin/ as well as $GOPATH/bin, except for quickdev which
-# is only put into /bin/
-quickdev: generate
-	@CGO_ENABLED=0 go build -i -tags='$(BUILD_TAGS)' -o bin/${TOOL}
-dev: generate
+.PHONY: dev
+dev:
 	@CGO_ENABLED=0 BUILD_TAGS='$(BUILD_TAGS)' VAULT_DEV_BUILD=1 sh -c "'$(CURDIR)/scripts/build.sh'"
 
-testcompile: generate
-	@for pkg in $(TEST) ; do \
-		go test -v -c -tags='$(BUILD_TAGS)' $$pkg -parallel=4 ; \
-	done
-
-# test runs all tests
-test: generate
-	@if [ "$(TEST)" = "./..." ]; then \
-		echo "ERROR: Set TEST to a specific package"; \
-		exit 1; \
+.PHONY: bootstrap
+bootstrap:
+	@echo "Downloading tools ..."
+	@go generate -tags tools tools/tools.go
+	@if [ "$(PLUGIN_NAME)" != "$(REPO_DIR)" ]; then \
+		echo "Renaming cmd/$(PLUGIN_NAME) to cmd/$(REPO_DIR) ..."; \
+		mv cmd/$(PLUGIN_NAME) to cmd/$(REPO_DIR); \
+		echo "Renaming Go module to github.com/hashicorp/$(REPO_DIR) ..."; \
+        go mod edit -module github.com/hashicorp/$(REPO_DIR); \
 	fi
-	VAULT_ACC=1 go test -tags='$(BUILD_TAGS)' $(TEST) -v $(TESTARGS) -timeout 10m
 
-# generate runs `go generate` to build the dynamically generated
-# source files.
-generate:
-	@go generate $(go list ./...)
+.PHONY: test
+test: fmtcheck
+	CGO_ENABLED=0 go test ./... $(TESTARGS) -timeout=20m
 
-# bootstrap the build by downloading additional tools
-bootstrap:
-	@for tool in $(EXTERNAL_TOOLS) ; do \
-		echo "Installing/Updating $$tool" ; \
-		go install $$tool@latest; \
-	done
+.PHONY: fmtcheck
+fmtcheck:
+	@sh -c "'$(CURDIR)/scripts/gofmtcheck.sh'"
 
+.PHONY: fmt
 fmt:
-	gofmt -w $(GOFMT_FILES)
-
-# deps updates all dependencies for this project.
-deps:
-	@echo "==> Updating deps for ${TOOL}"
-	@dep ensure -update
-
-.PHONY: bin default generate test bootstrap fmt deps
+	gofumpt -l -w .
+
+.PHONY: setup-env
+setup-env:
+	cd bootstrap/terraform && terraform init && terraform apply -auto-approve
+
+.PHONY: teardown-env
+teardown-env:
+	cd bootstrap/terraform && terraform init && terraform destroy -auto-approve
+
+.PHONY: configure
+configure: dev
+	@./bootstrap/configure.sh \
+	$(PLUGIN_DIR) \
+	$(PLUGIN_NAME) \
+	$(PLUGIN_PATH)

README.md

@@ -1,24 +1,25 @@
-# Vault Plugin: Azure Auth Backend [![Build Status](https://travis-ci.org/hashicorp/vault-plugin-auth-azure.svg?branch=master)](https://travis-ci.org/hashicorp/vault-plugin-auth-azure)
-
+# Vault Plugin: Azure Auth Backend
 
 This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault).
 This plugin allows for Azure Managed Service Identities to authenticate with Vault.
 
 **Please note**: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, _please responsibly disclose_ by contacting us at [security@hashicorp.com](mailto:security@hashicorp.com).
 
 ## Quick Links
-    - Vault Website: https://www.vaultproject.io
-    - Azure Auth Docs: https://www.vaultproject.io/docs/auth/azure.html
-    - Main Project Github: https://www.github.com/hashicorp/vault
 
+- [Vault Website](https://www.vaultproject.io)
+- [Vault Project Github](https://www.github.com/hashicorp/vault)
+- [Azure Auth Docs](https://www.vaultproject.io/docs/auth/azure.html)
+- [Azure Auth API Docs](https://www.vaultproject.io/api-docs/auth/azure.html)
 
 ## Getting Started
 
 This is a [Vault plugin](https://www.vaultproject.io/docs/internals/plugins.html)
 and is meant to work with Vault. This guide assumes you have already installed Vault
 and have a basic understanding of how Vault works.
 
-Otherwise, first read this guide on how to [get started with Vault](https://www.vaultproject.io/intro/getting-started/install.html).
+Otherwise, first read this guide on how to [get started with
+Vault](https://www.vaultproject.io/intro/getting-started/install.html).
 
 To learn specifically about how plugins work, see documentation on [Vault plugins](https://www.vaultproject.io/docs/internals/plugins.html).
 
@@ -46,12 +47,11 @@ To see all the supported paths, see the [Azure auth backend docs](https://www.va
 If you wish to work on this plugin, you'll first need
 [Go](https://www.golang.org) installed on your machine.
 
-For local dev first make sure Go is properly installed, including
-setting up a [GOPATH](https://golang.org/doc/code.html#GOPATH).
-Next, clone this repository into
-`$GOPATH/src/github.com/hashicorp/vault-plugin-auth-azure`.
-You can then download any required build tools by bootstrapping your
-environment:
+### Build Plugin
+
+If you're developing for the first time, run `make bootstrap` to install the
+necessary tools. Bootstrap will also update repository name references if that
+has not been performed ever before.
 
 ```sh
 $ make bootstrap
@@ -62,59 +62,130 @@ This will put the plugin binary in the `bin` and `$GOPATH/bin` folders. `dev`
 mode will only generate the binary for your platform and is faster:
 
 ```sh
-$ make
 $ make dev
 ```
 
 Put the plugin binary into a location of your choice. This directory
-will be specified as the [`plugin_directory`](https://www.vaultproject.io/docs/configuration/index.html#plugin_directory)
-in the Vault config used to start the server.
+will be specified as the [`plugin_directory`](https://www.vaultproject.io/docs/configuration#plugin_directory)
+in the Vault config used to start the server. It may also be specified
+via [`-dev-plugin-dir`](https://developer.hashicorp.com/vault/docs/commands/server#dev-plugin-dir)
+if running Vault in dev mode.
 
-```json
-...
+```hcl
+# config.hcl
 plugin_directory = "path/to/plugin/directory"
 ...
 ```
 
+### Register Plugin
+
 Start a Vault server with this config file:
+
 ```sh
-$ vault server -config=path/to/config.json ...
+$ vault server -dev -config=path/to/config.hcl ...
 ...
 ```
 
-Once the server is started, register the plugin in the Vault server's [plugin catalog](https://www.vaultproject.io/docs/internals/plugins.html#plugin-catalog):
+Or start a Vault server in dev mode:
 
 ```sh
-$ vault write sys/plugins/catalog/azure \
-        sha_256=<expected SHA256 Hex value of the plugin binary> \
-        command="vault-plugin-auth-azure"
-...
-Success! Data written to: sys/plugins/catalog/azure
+$ vault server -dev -dev-root-token-id=root -dev-plugin-dir="path/to/plugin/directory"
 ```
 
-Note you should generate a new sha256 checksum if you have made changes
-to the plugin. Example using openssl:
+Once the server is started, register the plugin in the Vault server's [plugin catalog](https://www.vaultproject.io/docs/plugins/plugin-architecture#plugin-catalog):
 
 ```sh
-openssl dgst -sha256 $GOPATH/vault-plugin-auth-azure
+$ SHA256=$(openssl dgst -sha256 bin/vault-plugin-auth-azure | cut -d ' ' -f2)
+$ vault plugin register \
+        -sha256=$SHA256 \
+        -command="vault-plugin-auth-azure" \
+        auth azure-plugin
 ...
-SHA256(.../go/bin/vault-plugin-auth-azure)= 896c13c0f5305daed381952a128322e02bc28a57d0c862a78cbc2ea66e8c6fa1
+Success! Data written to: sys/plugins/catalog/azure-plugin
 ```
 
-Enable the auth plugin backend using the Azure auth plugin:
+Finally, enable the auth method to use this plugin:
 
 ```sh
-$ vault auth enable -plugin-name='azure' plugin
+$ vault auth enable azure-plugin
 ...
 
-Successfully enabled 'plugin' at 'azure'!
+Successfully enabled 'plugin' at 'azure-plugin'!
+```
+
+### Azure Environment Setup
+
+A Terraform [configuration](bootstrap/terraform) is included in this repository that
+automates provisioning of Azure resources necessary to configure and authenticate
+using the auth method. By default, the resources are created in `westus2`. See 
+[variables.tf](bootstrap/terraform/variables.tf) for the available variables.
+
+Before applying the Terraform configuration, you'll need to:
+
+1. [Authenticate](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure)
+   the Terraform provider to Azure
+2. Provide an SSH public key for access to the Azure VM via the `TF_VAR_ssh_public_key_path`
+   variable (defaults to `~/.ssh/id_rsa.pub`)
+
+The Terraform configuration will create:
+
+* A service principal with necessary role assignments
+* A virtual network, subnet, and security group with only SSH access from your local 
+  machine's public IP address
+* A linux virtual machine instance
+
+To provision the Azure resources, run the following:
+
+```sh
+$ make setup-env   
+```
+
+The `local_environment_setup.sh` file will be created in the `bootstrap/terraform`
+directory as a result of running `make setup-env`. This file contains environment
+variables needed to configure the auth method. The values can also be accessed
+via `terraform output`.
+
+To access the virtual machine via SSH:
+
+```sh
+ssh adminuser@${VM_IP_ADDRESS}
+```
+
+Once you're finished with plugin development, you can run the following to
+destroy the Azure resources:
+
+```sh
+$ make teardown-env   
+```
+
+### Configure Plugin
+
+A [scripted configuration](bootstrap/configure.sh) of the plugin is provided in
+this repository. You can use the script or manually configure the auth method
+using documentation.
+
+To apply the scripted configuration, first source the environment variables generated by
+the Azure environment setup:
+
+```sh
+$ source ./bootstrap/terraform/local_environment_setup.sh
+```
+
+Next, run the `make configure` target to register, enable, and configure the plugin with
+your local Vault instance. You can specify the plugin name, plugin directory, and mount
+path. Default values from the Makefile will be used if arguments aren't provided.
+
+```sh
+$ PLUGIN_NAME=vault-plugin-auth-azure \
+  PLUGIN_DIR=$GOPATH/vault-plugins \
+  PLUGIN_PATH=local-auth-azure \
+  make configure
 ```
 
-#### Tests
+### Tests
 
 If you are developing this plugin and want to verify it is still
-functioning (and you haven't broken anything else), we recommend
-running the tests.
+functioning, we recommend running the tests.
 
 To run the tests, invoke `make test`: