
Comments (11)

maxlaverse commented on May 27, 2024

@larivierec I see :/ I don't know how the Bitwarden CLI is built, but for tf-runner it seems to be rather simple.

What about doing it the other way around then, with something in this direction?

# Build the runner on Ubuntu (glibc) so the Bitwarden CLI, which ships as a
# glibc-linked binary, can run next to tf-runner and terraform.
FROM ubuntu
LABEL org.opencontainers.image.source="https://github.com/weaveworks/tf-controller"

# Pin the CLI version in one place so it can be bumped deliberately.
ARG BW_VERSION=2023.1.0

RUN apt-get update -y \
  && apt-get install -y --no-install-recommends \
    ca-certificates \
    git \
    gnupg \
    libssl-dev \
    openssh-client \
    tini \
    unzip \
    wget \
  && rm -rf /var/lib/apt/lists/*

# Fetch the Bitwarden CLI release archive. Before trusting it in a runner that
# handles secrets, compare it against the SHA-256 published with the release.
RUN wget -q "https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip" \
  && unzip "bw-linux-${BW_VERSION}.zip" \
  && chmod +x bw \
  && mv bw /usr/local/bin \
  && rm "bw-linux-${BW_VERSION}.zip"

# Take the tf-runner and terraform binaries from the upstream image. The
# main-* tag moves; pin a digest instead for a reproducible build.
COPY --from=ghcr.io/weaveworks/tf-runner:main-19027da5 /usr/local/bin/tf-runner /usr/local/bin/tf-runner
COPY --from=ghcr.io/weaveworks/tf-runner:main-19027da5 /usr/local/bin/terraform /usr/local/bin/terraform

# Resolve names via /etc/hosts first, then DNS.
RUN echo 'hosts: files dns' > /etc/nsswitch.conf
# Same unprivileged uid/gid as the upstream image so mounted volumes keep working.
RUN addgroup --gid 65532 --system runner \
  && adduser --uid 65532 --system --ingroup runner runner \
  && chmod +x /usr/local/bin/terraform

USER 65532:65532
# gnupg needs a writable home directory; /tmp is writable for the runner user.
ENV GNUPGHOME=/tmp
ENTRYPOINT [ "/bin/tini", "--", "tf-runner" ]

I haven't tried the image in a complete setup, but I can at least execute tf-runner, terraform and bw without any crash.

from terraform-provider-bitwarden.
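The `wget … && unzip` step above trusts whatever GitHub hands back. As an added example (not code from the thread, the provider or tf-controller), here is a small POSIX sh helper that verifies the downloaded archive against a SHA-256 pinned in the Dockerfile and fails closed, deleting the archive and installing nothing, when the digest does not match. The function names, the `BW_SHA256` build argument shown in the usage comment and the sample bytes used for testing are assumptions; the digest itself has to be taken from the Bitwarden release assets once and pinned by hand, since fetching it from the same URL at build time only detects truncated downloads, not a replaced release.

```shell
#!/bin/sh
# Added example: verify a downloaded Bitwarden CLI archive against a pinned
# SHA-256 before unpacking it. Hypothetical helper, not part of
# terraform-provider-bitwarden or the tf-runner image.
set -eu

# Print the hex SHA-256 of a file; works with coreutils sha256sum or BSD shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Return 0 when the file matches the pinned digest, 1 otherwise.
# Digests are compared lower-case so a copy-pasted upper-case value still matches.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Verify the archive, then unpack only the `bw` binary into $3
# (default /usr/local/bin). On mismatch the archive is removed and
# nothing is installed, so a later RUN step cannot pick it up by accident.
install_bw_verified() {
  archive=$1
  expected=$2
  dest=${3:-/usr/local/bin}
  if ! verify_sha256 "$archive" "$expected"; then
    echo "sha256 mismatch for $archive; refusing to install" >&2
    rm -f "$archive"
    return 1
  fi
  unzip -o -q "$archive" bw -d "$dest"
  chmod 0755 "$dest/bw"
}

# Dockerfile usage (BW_SHA256 is a hypothetical build argument holding the
# digest you pinned from the release assets):
#   ARG BW_VERSION=2023.1.0
#   ARG BW_SHA256
#   RUN wget -q "https://github.com/bitwarden/clients/releases/download/cli-v${BW_VERSION}/bw-linux-${BW_VERSION}.zip" \
#     && install_bw_verified "bw-linux-${BW_VERSION}.zip" "$BW_SHA256"
```

Passing the digest as a build argument keeps it out of the image layers while still making the build fail if the archive changes underneath you.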

maxlaverse commented on May 27, 2024

Hi @maxirus !
No serious plans to be honest.

I spent some time working on a partial Go implementation of the Bitwarden CLI because I needed it for testing:
https://github.com/maxlaverse/terraform-provider-bitwarden/tree/main/internal/bitwarden/webapi

There are quite a few cryptographic parameters and initialization processes required, and they most likely have to be done right in order to keep people's Vaults safe. I wouldn't have enough time to spend to bring such an implementation to a state where I would feel confident people can safely use it.


wscourge commented on May 27, 2024

The lack of this feature means that it won't work with Terraform Cloud as a backend, right? It'll result in:

Error: exec: "bw": executable file not found in $PATH

Just making sure I understand that correctly.


maxlaverse commented on May 27, 2024

Good question @wscourge !
I think I read that Terraform Cloud allows you to host the runners when you have a business license, which likely opens the possibility to customize their environments and add the Bitwarden CLI.

I wouldn't know how to run it on Terraform Cloud's free plan right now. I had a quick look in the developer documentation, searching for something that would hint at how to handle external tools, and found nothing. Looking into the Terraform projects I have, it seems all their providers are a single binary using Go SDKs to access external services.


maxlaverse commented on May 27, 2024

Have you tried a combination of null_resource and provisioner "local-exec" {} @wscourge ?


wscourge commented on May 27, 2024

I haven't, I just opted out of TF Cloud for various reasons. I guess it could work though, definitely worth trying by anyone who ends up here.


larivierec commented on May 27, 2024

I do agree that the dependency should be removed, as it removes the ability to use this in GitOps tools like tf-runner/tf-controller.

I recently tried integrating this and stumbled onto the issue.
I think the issue here is without the CLI, the RestAPI is not exposed and therefore, we can't interact with our Vaults.


Do you think instead adding support for self-hosting the bitwarden-cli elsewhere and using that URL without credentials could be an alternative? (if yes, I could possibly look at this)

Is it possible to create a second provider that wouldn't require downloading of bw-cli?

provider "bitwarden" {
  internal_api          = "https://bitwarden-cli.bitwarden.svc.cluster.local.:8087"
}

alongside the standard ones that are already available in this project?

Another way could be to create a Docker container with the GitOps tool and the bitwarden-cli; I still haven't figured it out though.


maxlaverse commented on May 27, 2024

Hi @larivierec,

Do you think instead adding support for self-hosting the bitwarden-cli elsewhere and using that URL without credentials could be an alternative?

It's appealing in a way, because the REST API is a documented interface, and the tests run so fast when you don't have to spawn a process and load the Vault all the time. Having this bw serve API available in a cluster or even locally makes me anxious. It suddenly becomes so easy to leak the Vault, and for now I'd prefer to avoid that. The implementation itself is not too complicated.

Is it possible to create a second provider that wouldn't require downloading of bw-cli?

Potentially there could also be a toggle to enable downloading the binary but I have to see what are the best practices here.

Another way could be to create a Docker container with the GitOps tool and the bitwarden-cli; I still haven't figured it out though.

That would be my recommended approach at this point. I don't see why we couldn't get this to work, but I don't know how much effort it is. I haven't tried it myself, but something like this might work?

1. Build a custom Docker image for the tf-runner with the Bitwarden CLI inside:

# The upstream tf-runner image runs as an unprivileged user; switch to root
# for the install steps and back afterwards.
FROM ghcr.io/weaveworks/tf-runner:main-19027da5
USER root
# The upstream image is Alpine-based (see below), so unzip is not present by default.
RUN apk add --no-cache unzip wget
RUN wget https://github.com/bitwarden/clients/releases/download/cli-v2023.1.0/bw-linux-2023.1.0.zip \
  && unzip bw-linux-2023.1.0.zip \
  && chmod +x bw \
  && mv bw /usr/local/bin \
  && rm bw-linux-2023.1.0.zip
USER 65532:65532

2. Tell the tf-controller to use that image. If you're using Helm, that would be changing those values here: https://github.com/weaveworks/tf-controller/blob/main/charts/tf-controller/values.yaml#L111-L117

If the approach works, I can document it and parametrize all the versions. There is more documentation on how to run custom runner Pods here as well: https://weaveworks.github.io/tf-controller/use_tf_controller/to_provision_resources_with_customized_Runner_Pods/

Interestingly, tf-controller has this notion of packages, maybe something we can use to ship the CLI in those environments? https://weaveworks.github.io/tf-controller/use_tf_controller/with_the_ready_to_use_AWS_package/


larivierec commented on May 27, 2024

Yeah.

Point 1: it can be scary, but it's the responsibility of the one deploying to keep the vault safe. I do agree that it can be a major security risk, even internally: whoever has the URL can technically access the vault.

Point 2: ok ✅

Point 3:
I tried that; the issue is that tf-runner uses Alpine. I tried quite hard to get the bw CLI running on Alpine, but there are always dependency problems; the closest I got was a segmentation fault. This would also be my preferred option, creating a new Alpine image and adding all the proper dependencies from both, but Alpine and bw seem to be a no-go.

Also, this is my preferred solution 💯

https://github.com/larivierec/containers/blob/main/apps/tf-runner-bw/Dockerfile

If you have any ideas, let me know.

I also tried just to get the bw CLI to run in Alpine without tf-runner (below).

FROM alpine:3.18

WORKDIR /usr/local/bin
RUN apk add --no-cache curl unzip jq

# Discover the newest "CLI vX.Y.Z" release via the GitHub API and download it.
# Unauthenticated API calls are rate-limited, and resolving "latest" at build
# time makes the image non-reproducible; pinning a version is preferable.
# Note the expansion is ${VER}, not {$VER}, which would leave literal braces
# in the URL.
RUN VER=$(curl -sS -H "Accept: application/vnd.github+json" https://api.github.com/repos/bitwarden/clients/releases \
      | jq -r 'sort_by(.published_at) | reverse | .[].name | select(index("CLI"))' \
      | sed 's:.*CLI v::' | head -n 1) \
  && curl -LO "https://github.com/bitwarden/clients/releases/download/cli-v${VER}/bw-linux-${VER}.zip" \
  && unzip *.zip && chmod +x ./bw && rm *.zip

# ATTEMPT #1: glibc compatibility shims from the Alpine repositories
RUN apk add --no-cache libc6-compat \
  && apk add --no-cache gcompat=1.1.0-r1 \
  && apk add --no-cache libstdc++=12.2.1_git20220924-r10

# ATTEMPT #2: the sgerrand glibc packages (kept commented out, as tried)
# RUN export GLIBC_VERSION=2.35-r1 && export GLIBC_REPO=https://github.com/sgerrand/alpine-pkg-glibc && \
#   apk --update add libstdc++ curl ca-certificates && \
#   for pkg in glibc-${GLIBC_VERSION} glibc-bin-${GLIBC_VERSION}; \
#      do curl -sSL ${GLIBC_REPO}/releases/download/${GLIBC_VERSION}/${pkg}.apk -o /tmp/${pkg}.apk; done && \
#   apk add --allow-untrusted /tmp/*.apk && \
#   rm -v /tmp/*.apk

# entrypoint.sh is expected next to this Dockerfile in the build context.
COPY entrypoint.sh /

ENTRYPOINT ["/entrypoint.sh"]


larivierec commented on May 27, 2024

I didn't try it that way around; I assumed it couldn't be done. Probably an error on my part!

I'll try and see how it pans out :)


kristo-aun commented on May 27, 2024

For an idea: Spacelift's free tier allows you to specify a custom Docker runner image for the public worker pool - see here.

Dockerfile

