[feature] Read KMS Signer public keys in openssh authorized keys form…

…at (#32)

.travis.yml

@@ -1,7 +1,7 @@
 dist: trusty
 language: go
 go:
-  - "1.13.1"
+  - '1.14'
 install:
   - make setup
 jobs:

Makefile

@@ -1,4 +1,3 @@
-export GOFLAGS=-mod=vendor
 export GO111MODULE=on
 
 setup: ## setup development dependencies
@@ -35,7 +34,6 @@ test-ci: packr
 
 deps:
 	go mod tidy
-	go mod vendor
 .PHONY: deps
 
 packr: clean
@@ -54,4 +52,4 @@ release: ## run a release
 	./bin.bff bump
 	git push
 	goreleaser release --rm-dist
-.PHONY: release
+.PHONY: release

go.mod

@@ -1,12 +1,12 @@
 module github.com/chanzuckerberg/terraform-provider-bless
 
-go 1.12
+go 1.14
 
 require (
-	github.com/aws/aws-sdk-go v1.23.10
+	github.com/aws/aws-sdk-go v1.30.23
 	github.com/gobuffalo/packr v1.30.1
-	github.com/hashicorp/terraform-plugin-sdk v1.0.0
-	github.com/pkg/errors v0.8.1
-	github.com/stretchr/testify v1.4.0
-	golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586
+	github.com/hashicorp/terraform-plugin-sdk v1.12.0
+	github.com/pkg/errors v0.9.1
+	github.com/stretchr/testify v1.5.1
+	golang.org/x/crypto v0.0.0-20200429183012-4b2356b1ed79
 )

pkg/provider/data_kms_public_key.go

@@ -0,0 +1,73 @@
+package provider
+
+import (
+	"crypto/x509"
+	"fmt"
+
+	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/chanzuckerberg/terraform-provider-bless/pkg/aws"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/ssh"
+)
+
+const ()
+
+func KMSPublicKey() *schema.Resource {
+	kmsPublicKey := newDataKMSPublicKey()
+
+	return &schema.Resource{
+		Read: kmsPublicKey.Read,
+
+		Schema: map[string]*schema.Schema{
+			schemaKmsKeyID: {
+				Type:        schema.TypeString,
+				Required:    true,
+				Description: "The kms key we should get the public key",
+			},
+
+			// computed
+			schemaPublicKey: {
+				Type:        schema.TypeString,
+				Computed:    true,
+				Description: "This is the CA public key in openssh format",
+			},
+		},
+	}
+}
+
+func newDataKMSPublicKey() *dataKMSPublicKey {
+	return &dataKMSPublicKey{}
+}
+
+type dataKMSPublicKey struct{}
+
+func (l *dataKMSPublicKey) Read(d *schema.ResourceData, meta interface{}) error {
+	awsClient, ok := meta.(*aws.Client)
+	if !ok {
+		return errors.New("meta is not of type *aws.Client")
+	}
+	kmsKeyID := d.Get(schemaKmsKeyID).(string)
+
+	svc := awsClient.KMS.Svc
+
+	fmt.Printf("nil svc: %#v", svc == nil)
+
+	output, err := svc.GetPublicKey(
+		&kms.GetPublicKeyInput{KeyId: &kmsKeyID},
+	)
+	if err != nil {
+		return errors.Wrap(err, "error getting kms public key")
+	}
+	pub, err := x509.ParsePKIXPublicKey(output.PublicKey)
+	if err != nil {
+		return errors.Wrap(err, "could not parse kms public key")
+	}
+	sshPub, err := ssh.NewPublicKey(pub)
+	if err != nil {
+		return errors.Wrap(err, "could not ssh parse kms public key")
+	}
+	d.SetId(*output.KeyId)                                           //nolint
+	d.Set(schemaPublicKey, string(ssh.MarshalAuthorizedKey(sshPub))) //nolint
+	return nil
+}

pkg/provider/data_kms_public_key_test.go

@@ -0,0 +1,64 @@
+package provider_test
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"regexp"
+	"testing"
+
+	"github.com/aws/aws-sdk-go/aws"
+	"github.com/aws/aws-sdk-go/service/kms"
+	tf "github.com/hashicorp/terraform-plugin-sdk/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/terraform"
+	"github.com/stretchr/testify/mock"
+	"github.com/stretchr/testify/require"
+)
+
+func TestKMSPublicKey(t *testing.T) {
+	r := require.New(t)
+	providers, kmsMock := getTestProviders()
+
+	priv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
+	r.NoError(err)
+
+	derBytes, err := x509.MarshalPKIXPublicKey(priv.Public())
+	r.NoError(err)
+	output := &kms.GetPublicKeyOutput{
+		PublicKey: derBytes,
+		KeyId:     aws.String("key id"),
+	}
+
+	kmsMock.On("GetPublicKey", mock.Anything).Return(output, nil)
+
+	tf.Test(t, tf.TestCase{
+		Providers: providers,
+		Steps: []tf.TestStep{
+			tf.TestStep{
+				Config: `
+				provider "bless" {
+					region = "us-east-1"
+				}
+
+				data "bless_kms_public_key" "bless" {
+					kms_key_id = "testo"
+				}
+
+				output "public_key" {
+					value = "${data.bless_kms_public_key.bless.public_key}"
+				}
+			`,
+				Check: func(s *terraform.State) error {
+					publicSSHUntyped := s.RootModule().Outputs["public_key"].Value
+					publicSSH, ok := publicSSHUntyped.(string)
+					r.True(ok)
+					r.Regexp(
+						regexp.MustCompile("^ecdsa-sha2-nistp384 "),
+						string(publicSSH))
+					return nil
+				},
+			},
+		},
+	})
+}

pkg/provider/data_lambda.go

@@ -240,6 +240,9 @@ func (l *resourceLambda) archive(d *schema.ResourceData, meta interface{}) error
 		files = append(files, path)
 		return nil
 	})
+	if err != nil {
+		return errors.Wrap(err, "could not walk zip")
+	}
 
 	// Sort so stable adding of files to zip
 	sort.Strings(files)
@@ -275,7 +278,7 @@ func (l *resourceLambda) Read(d *schema.ResourceData, meta interface{}) error {
 	if err != nil {
 		return err
 	}
-	d.Set(SchemaOutputBase64Sha256, fileHash)
-	d.SetId(fileHash)
+	d.Set(SchemaOutputBase64Sha256, fileHash) //nolint
+	d.SetId(fileHash) //nolint
 	return err
 }

pkg/provider/provider.go

@@ -29,7 +29,8 @@ func Provider() *schema.Provider {
 			"bless_ecdsa_ca": ECDSACA(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{
-			"bless_lambda": Lambda(),
+			"bless_lambda":         Lambda(),
+			"bless_kms_public_key": KMSPublicKey(),
 		},
 		ConfigureFunc: configureProvider,
 	}

pkg/provider/provider_test.go

@@ -3,8 +3,8 @@ package provider_test
 import (
 	"testing"
 
-	"github.com/aws/aws-sdk-go/service/kms/kmsiface"
 	"github.com/aws/aws-sdk-go/service/kms"
+	"github.com/aws/aws-sdk-go/service/kms/kmsiface"
 	"github.com/chanzuckerberg/terraform-provider-bless/pkg/aws"
 	"github.com/chanzuckerberg/terraform-provider-bless/pkg/provider"
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
@@ -24,6 +24,12 @@ func (k *KMSMock) Encrypt(input *kms.EncryptInput) (*kms.EncryptOutput, error) {
 	return output, args.Error(1)
 }
 
+func (k *KMSMock) GetPublicKey(input *kms.GetPublicKeyInput) (*kms.GetPublicKeyOutput, error) {
+	args := k.Called(input)
+	output := args.Get(0).(*kms.GetPublicKeyOutput)
+	return output, args.Error(1)
+}
+
 func getTestProviders() (map[string]terraform.ResourceProvider, *KMSMock) {
 	ca := provider.Provider()
 	kmsMock := &KMSMock{}

pkg/provider/resource_ca.go

@@ -80,9 +80,9 @@ func (ca *resourceCA) Create(d *schema.ResourceData, meta interface{}) error {
 		return err
 	}
 
-	d.Set(schemaEncryptedPrivateKey, keyPair.B64EncryptedPrivateKey)
-	d.Set(schemaPublicKey, keyPair.PublicKey)
-	d.Set(schemaEncryptedPassword, encryptedPassword)
+	d.Set(schemaEncryptedPrivateKey, keyPair.B64EncryptedPrivateKey) // nolint
+	d.Set(schemaPublicKey, keyPair.PublicKey) // nolint
+	d.Set(schemaEncryptedPassword, encryptedPassword) // nolint
 	d.SetId(util.HashForState(keyPair.PublicKey))
 	return nil
 }

pkg/provider/resource_ca_test.go

@@ -18,7 +18,8 @@ func TestCreate(t *testing.T) {
 	providers, kmsMock := getTestProviders()
 
 	ciphertext := make([]byte, 10)
-	rand.Read(ciphertext)
+	_, err := rand.Read(ciphertext)
+	a.NoError(err)
 	output := &kms.EncryptOutput{
 		CiphertextBlob: ciphertext,
 	}

pkg/provider/resource_ecdsa_ca.go

@@ -72,9 +72,9 @@ func (ca *resourceECDSACA) Create(d *schema.ResourceData, meta interface{}) erro
 		return err
 	}
 
-	d.Set(schemaEncryptedPrivateKey, keyPair.B64EncryptedPrivateKey)
-	d.Set(schemaPublicKey, keyPair.PublicKey)
-	d.Set(schemaEncryptedPassword, encryptedPassword)
+	d.Set(schemaEncryptedPrivateKey, keyPair.B64EncryptedPrivateKey) // nolint
+	d.Set(schemaPublicKey, keyPair.PublicKey) // nolint
+	d.Set(schemaEncryptedPassword, encryptedPassword) // nolint
 	d.SetId(util.HashForState(keyPair.PublicKey))
 	return nil
 }

pkg/provider/resource_ecdsa_ca_test.go

@@ -18,7 +18,8 @@ func TestCreateECDSA(t *testing.T) {
 	providers, kmsMock := getTestProviders()
 
 	ciphertext := make([]byte, 10)
-	rand.Read(ciphertext)
+	_, err := rand.Read(ciphertext)
+	a.NoError(err)
 	output := &kms.EncryptOutput{
 		CiphertextBlob: ciphertext,
 	}