Cloud Foundry Service Broker to manage instances of various AWS services.
- RDS
- AWS Elasticache for Redis
- AWS Elasticsearch
There are important environment variables that should be overriden inside the manifest.yml
file
Note: All environment variables prefixed with
DB_
refer to attributes for the database the broker itself will use for internal uses.
DB_URL
: The hostname / IP address of the database.DB_PORT
: The port number to access the database.DB_NAME
: The database name.DB_USER
: Username to access the database.DB_PASS
: Password to access the database.DB_TYPE
: The type of database. Currently supported types:postgres
andsqlite3
.DB_SSLMODE
: The type of SSL Mode to use when connecting to the database. Supported modes:disabled
,require
andverify-ca
.AWS_ACCESS_KEY_ID
: The id credential (treat like a password) with access to make requests to the Amazon RDS .AWS_SECRET_ACCESS_KEY
: The secret key (treat like a password) credential to access Amazon RDS.AWS_DEFAULT_REGION
: Region you wish to provision services in.AUTH_USER
: The username used by cf to authenticate to the brokerAUTH_PASS
: The password used by cf to authenticate to the brokerENC_KEY
: This is an string that must be 16, 24, or 32 bytes long. It is an AES key that is used to encrypt the password.CF_API_URL
: URL for CloudFoundry API in this environmentCF_API_CLIENT_ID
: UAA client ID that will be used for requests to the CloudFoundry APICF_API_CLIENT_SECRET
: UAA client secret that will be used for requests to the CloudFoundry APIENVIRONMENT
: the current environment name (e.g. "development")
Note the AWS Environment Variables should be generated by following the instructions here
Make sure the account has write access to RDS and EC2 (particularly for VPC and Subnet).
Example of permissions that suffice:
AmazonRDSFullAccess
andAmazonEC2FullAccess
You may need to adjust VPC routing, security groups, public accessibility (DNS names, etc) as well, depending on your needs.
In order to run the app, you will need to create a UAA client application.
To create the client, log in to the jumpbox for the target environment and run:
uaac client add aws_broker \
--authorized_grant_types client_credentials \
--authorities cloud_controller.global_auditor \
-s <my_client_secret>
There are some feature flags that you can turn on as well:
ENABLE_FUNCTIONS
: If this environment variable exists, it will enable users to create mysql databases likecf create-service _servicename_ production my-mysql-service -c '{"enable_functions": true}'
, which will set thelog_bin_trust_function_creators=1
parameter for their db, enabling the creation of functions in their databases.PUBLICLY_ACCESSIBLE
: If this environment variable exists, it will enable users to create databases withPubliclyAccessible: true
by doing something likecf create-service _servicename_ production my-mysql-service -c '{"publicly_accessible": true}'
. This is probably not something you want to set unless you really know what you are doing.
Catalog.yml contains a list of service(s) offered with plans. It contains no secrets. Prior to pushing, complete the catalog.yml for your environment. It is architected where the service name (e.g. rds) is the mapping between it and the service details.
secrets.yml contains the all of the secrets for the different resources.
Make sure you have a valid secrets.yml
and catalog.yml
:
cp catalog-test.yml catalog.yml
cp secrets-test.yml secrets.yml
Once you have these in place, run go test ./...
to run the tests.
-
Copy
.env-sample
to.env
-
Add a value for
POSTGRES_USER
to the.env
file -
Add a value for
POSTGRES_PASSWORD
to the.env
file -
Start the PostgreSQL docker container:
cd docker && docker compose up -d && cd -
-
OPTIONAL: For
.env
file integration with the VSCode Go test runner, create.vscode/settings.json
with:{ "go.testEnvFile": "/path/to/aws-broker/.env" }
-
Run the tests using
godotenv
:go install github.com/joho/godotenv/cmd/godotenv@latest godotenv -f ./.env go test ./...
cf push
cf create-service-broker BROKER_NAME AUTH_USER AUTH_PASS https://BROKER-URL
cf enable-service-access SERVICE_NAME
In this case BROKER_NAME would be aws
and it would contain many service names (one for rds
, one for s3
). Then SERVICE_NAME would be rds
for example.
To use the service you need to create a service instance and bind it:
cf create-service SERVICE_NAME micro-psql MYDB
cf bind-service APP MYDB
When you do that you will have all the credentials in the
VCAP_SERVICES
environment variable with the JSON key rds
.
Also, you will have a DATABASE_URL
environment variable that will
be the connection string to the DB.
This section is primarily for auditors who need to understand how the broker, and related components, handle credentials so that they aren't stored or transmitted in the clear. All calls between entities are made over HTTPS, unless otherwise specified.
The broker is deployed by Concourse CI onto CloudFoundry, using a manifest that is built by the cloud.gov secrets management system to specify the environment variables. When the app is deployed, Concourse registers the broker, specifying the AUTH_USER and AUTH_PASS.
The CF Cloud Controller stores the configuration for the app, including these environment variables, in an encrypted database table on the CCDB, as described in Cloud Foundry security concepts. The aws-broker
app does not write these to static storage since Cloud Foundry makes them available as environment variables.
When an authenticated, authorized CloudFoundry user runs cf create-service aws-rds _plan_name_ _service_name_
, the CloudFoundry platform uses the OSBAPI (open-service broker API) (https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md) to call the registered broker with a PUT
request, /v2/service_instances/:instance_id
where instance_id is a GUID. The request uses BASIC AUTH, e,g.:
curl -X PUT https://username:password@aws-broker..../v2/service_instances/:instance_id
The broker expects the AUTH_PASS
and AUTH_USER
as specified in the environment, which the Platform has provided (see above)
The response indicates if the provisioning request has been accepted.
The broker application calls the AWS API with the AWS Access Key and Secret Key, which were provided as environment variables at instantiation.
When the provisioning is complete, the broker takes the following actions:
- For RDS and Redis, it creates a username/password in the AWS service, and stores the credentials in the broker database
- For AWS Elasticsearch, it creates an IAM user with privileges to the new instance, then stores the credentials in the broker database
The broker uses a dedicated AWS RDS PostgreSQL database. The RDS instance data are encrypted at rest using AWS storage encryption. The communication between the broker and the database is over postgres StartTLS with TLS 1.2 enabled.
The broker is instantiated with encryption key, ENC_KEY
, and all credentials are written to the database encrypted with that key and a random salt, as in the setPassword
function of each _service_instance.go file, e.g.: https://github.com/cloud-gov/aws-broker/blob/20f70bb/services/redis/redisinstance.go#L50
The CloudFoundry applications have access to the credentials only if the user binds
an app to a service instance, as specified at https://github.com/openservicebrokerapi/servicebroker/blob/master/spec.md#binding of the OSBAPI standard. The credentials are fetched from the service broker and are stored in the environment of the application container, and not written the static storage. If the application instance is re-instantiated, the platform fetches the credentials for the application container from the broker.
This project is in the worldwide public domain. As stated in CONTRIBUTING:
This project is in the public domain within the United States, and copyright and related rights in the work worldwide are waived through the CC0 1.0 Universal public domain dedication.
All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest.