From 61bbe17e1ee48f87a556eca88ebcdf883e455e27 Mon Sep 17 00:00:00 2001
From: Domenico Testa
Date: Wed, 5 Oct 2022 23:22:10 +0200
Subject: [PATCH] Initial revision
---
 .gitignore | 2 ++
 Makefile | 18 ++++++++++++++++++
 README.md | 26 ++++++++++++++++++++++++++
 docker-compose.yml | 14 ++++++++++++++
 scripts/download_plugin.sh | 11 +++++++++++
 scripts/read_role_cred.sh | 9 +++++++++
 scripts/revoke_all_leases.sh | 4 ++++
 scripts/write_grafana_config.sh | 21 +++++++++++++++++++++
 8 files changed, 105 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 Makefile
 create mode 100644 README.md
 create mode 100644 docker-compose.yml
 create mode 100755 scripts/download_plugin.sh
 create mode 100755 scripts/read_role_cred.sh
 create mode 100755 scripts/revoke_all_leases.sh
 create mode 100755 scripts/write_grafana_config.sh
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ed50b94
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+plugins
+*.env
\ No newline at end of file
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..5a21b6a
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,18 @@
+.PHONY: up
+up: plugins/vault-plugin-secrets-grafanacloud
+ docker-compose up
+
+plugins/vault-plugin-secrets-grafanacloud:
+ scripts/download_plugin.sh
+
+.PHONY: init
+init: plugins/vault-plugin-secrets-grafanacloud
+ scripts/write_grafana_config.sh
+
+.PHONY: revoke-all
+revoke-all: plugins/vault-plugin-secrets-grafanacloud
+ scripts/revoke_all_leases.sh
+
+.PHONY: clean
+clean:
+ rm plugins/vault-plugin-secrets-grafanacloud
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..9e8150f
--- /dev/null
+++ b/README.md
@@ -0,0 +1,26 @@
+# Using the Form3 Grafana cloud Vault secrets backend
+
+This project demonstrate the usage of the custom plugin, to issue short lived API tokens
+that applications can use to access the [Grafana Cloud API](https://grafana.com/docs/grafana-cloud/reference/cloud-api/).
+
+The `vault` server is launched in `dev` mode, so it starts unsealed and automatically
+registers the [`vault-plugin-secrets-grafanacloud`](https://github.com/form3tech-oss/vault-plugin-secrets-grafanacloud) plugin.
+
+## Demo script
+
+Run the `make` command with no arguments to launch vault and initialize the
+plugin.
+
+In another terminal, run the `make init` to create an example `Viewer` role.
+
+To fetch a new short lived token, launch: `scripts/read_sole_cred.sh`.
+
+To revoke all the credentials issued during the demo, run the `make revoke-all` command.
+
+## Use case: pushing metrics to a Grafana Cloud prometheus instance
+
+TODO
+
+## Use case: pushing traces to a Grafana Cloud Tempo instance
+
+TODO
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..ba8cf20
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,14 @@
+version: "3.8"
+services:
+ vault-server:
+ image: vault:latest
+ ports:
+ - "8200:8200"
+ environment:
+ VAULT_DEV_LISTEN_ADDRESS: "0.0.0.0:8200"
+ VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"
+ cap_add:
+ - IPC_LOCK
+ volumes:
+ - ./plugins:/vault/plugins
+ command: vault server -dev -dev-plugin-dir=/vault/plugins
diff --git a/scripts/download_plugin.sh b/scripts/download_plugin.sh
new file mode 100755
index 0000000..157ec49
--- /dev/null
+++ b/scripts/download_plugin.sh
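Review bot: `VAULT_DEV_ROOT_TOKEN_ID: "vault-plaintext-root-token"` together with `ports: - "8200:8200"` publishes a dev-mode Vault with a fixed, well-known root token on every interface of the host, so anything that can reach the host on port 8200 has root on the Vault that will store the Grafana admin token written by write_grafana_config.sh. Since the README drives the demo from the same machine, binding the published port to loopback, `- "127.0.0.1:8200:8200"`, removes the network exposure without touching the scripts. `image: vault:latest` is also unpinned, so the behaviour under the README can change between runs; a fixed version tag would keep the demo reproducible.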
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -ue
+
+SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
+
+RELEASE_URL=$(curl -s https://api.github.com/repos/form3tech-oss/vault-plugin-secrets-grafanacloud/releases/latest | \
+ jq --raw-output '.assets[] | select(.content_type=="application/octet-stream") | .browser_download_url')
+
+PLUGIN=$SCRIPT_DIR/../plugins/vault-plugin-secrets-grafanacloud
+curl -L -o $PLUGIN $RELEASE_URL
+chmod +x $PLUGIN
diff --git a/scripts/read_role_cred.sh b/scripts/read_role_cred.sh
new file mode 100755
index 0000000..fe493cd
--- /dev/null
+++ b/scripts/read_role_cred.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -ue
+
+vault write grafanacloud/roles/examplerole \
+ gc_role="Viewer" \
+ ttl="60s" \
+ max_ttl="600s"
+
+vault read grafanacloud/creds/examplerole
diff --git a/scripts/revoke_all_leases.sh b/scripts/revoke_all_leases.sh
new file mode 100755
index 0000000..a8f320f
--- /dev/null
+++ b/scripts/revoke_all_leases.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -ue
+
+vault lease revoke -prefix grafanacloud/creds
diff --git a/scripts/write_grafana_config.sh b/scripts/write_grafana_config.sh
new file mode 100755
index 0000000..9d032c5
--- /dev/null
+++ b/scripts/write_grafana_config.sh
@@ -0,0 +1,21 @@
+#!/bin/bash
+set -e
+
+if [[ -z "$GRAFANA_ORG" ]]; then
+ echo "Must provide GRAFANA_ORG in environment" 1>&2
+ exit 1
+fi
+
+if [[ -z "$GRAFANA_ADMIN_TOKEN" ]]; then
+ echo "Must provide GRAFANA_ADMIN_TOKEN in environment" 1>&2
+ exit 1
+fi
+
+vault secrets enable -path=grafanacloud vault-plugin-secrets-grafanacloud
+
+vault write grafanacloud/config \
+ organisation=$GRAFANA_ORG \
+ key=$GRAFANA_ADMIN_TOKEN \
+ ttl=300 \
+ max_ttl=3600 \
+ url=https://grafana.com/api/
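Review bot: The binary fetched by `curl -L -o $PLUGIN $RELEASE_URL` is handed to Vault and executed as a plugin with no integrity check, and the preceding `curl -s` on the GitHub API has no `-f`, so a rate-limited or error response yields an empty or unexpected `RELEASE_URL` instead of a failure. Pinning a release tag rather than `releases/latest` and comparing the download against that release's sha256 would make the plugin supply chain verifiable; the fence uses a labelled placeholder `EXPECTED_SHA256` because no checksum appears in the patch. `$PLUGIN` and `$RELEASE_URL` are also unquoted, and if more than one asset carries the `application/octet-stream` content type jq prints several URLs, all of which the unquoted expansion passes to curl. The rewrite below quotes the expansions, fails on HTTP errors and rejects an empty or multi-line URL.
```shell
# … unchanged: shebang, set -ue, SCRIPT_DIR …
RELEASE_URL=$(curl -fsSL https://api.github.com/repos/form3tech-oss/vault-plugin-secrets-grafanacloud/releases/latest | \
  jq --raw-output '.assets[] | select(.content_type=="application/octet-stream") | .browser_download_url')
[[ -n "$RELEASE_URL" && "$RELEASE_URL" != *$'\n'* ]] || { echo "expected exactly one release asset" >&2; exit 1; }

PLUGIN="$SCRIPT_DIR/../plugins/vault-plugin-secrets-grafanacloud"
curl -fsSL -o "$PLUGIN" "$RELEASE_URL"
# EXPECTED_SHA256 is a placeholder: take the value from the pinned release before relying on this check
printf '%s  %s\n' "${EXPECTED_SHA256:?placeholder, set from the pinned release}" "$PLUGIN" | sha256sum -c -
chmod +x "$PLUGIN"
```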
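Review bot: The script has no header comment saying that every run first (re)writes the `examplerole` role with a 60s TTL and then issues a fresh credential, so a reader cannot tell whether the `vault write grafanacloud/roles/examplerole` call is one-off setup or part of each demo step; a comment such as `# (Re)create the demo Viewer role, then issue a short-lived credential for it` above that line would settle it. The README refers to this script as `scripts/read_sole_cred.sh`, which does not match the path `scripts/read_role_cred.sh` created here. The issued token is printed to stdout by `vault read`, which is fine for a demo but worth noting in the same comment.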
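Review bot: `key=$GRAFANA_ADMIN_TOKEN` on the `vault write grafanacloud/config` line passes the Grafana admin token as a process argument, where it is readable through `ps` on the host and echoed by any `set -x` trace; `vault write` accepts `key=-` to take the value from stdin, so `printf '%s' "$GRAFANA_ADMIN_TOKEN" | vault write grafanacloud/config organisation="$GRAFANA_ORG" key=- ttl=300 max_ttl=3600 url=https://grafana.com/api/` keeps it off the command line. Both expansions are unquoted, so a value containing whitespace splits into extra arguments. This script uses `set -e` while the sibling scripts use `set -ue`; testing `"${GRAFANA_ORG:-}"` and `"${GRAFANA_ADMIN_TOKEN:-}"` in the `-z` checks would let it use `set -ue` as well. Nothing in the patch sets `VAULT_ADDR` or `VAULT_TOKEN` for the `vault` CLI calls here, in read_role_cred.sh and in revoke_all_leases.sh; presumably the user is expected to export them to match the compose file, and the README should say so.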