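# Every target in this file names a command, not a file it produces. All of
# them are declared phony so that a file or directory that happens to share a
# target's name (docs, release, watch, ...) cannot make that target silently
# report "up to date" and skip its recipe.
.PHONY: help build release install test check fmt lint clean run run-scan \
    run-auto all watch dev-deps docs run-example demo init-config \
    install-vault vault-docker vault-docker-stop vault-dev vault-setup \
    vault-create-test-secrets vault-flag-test-secrets vault-full-setup \
    dev-with-vault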
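# Default target: `help` is the first rule in the file, so a bare `make` prints
# this list. The list covers every user-facing target defined below, including
# run-scan, run-auto, watch, dev-deps and docs.
# The Vault targets are for local development only: they use the fixed root
# token "root" and plain HTTP on 127.0.0.1:8200.
help:
	@echo "Available targets:"
	@echo ""
	@echo "Build & Test:"
	@echo " make build - Build the project in debug mode"
	@echo " make release - Build the project in release mode"
	@echo " make install - Install the binary locally"
	@echo " make test - Run all tests"
	@echo " make check - Run cargo check"
	@echo " make fmt - Format code with rustfmt"
	@echo " make lint - Run clippy linter"
	@echo " make clean - Clean build artifacts"
	@echo " make all - Format, lint, test, and build"
	@echo " make watch - Re-run check, test and run on changes (needs cargo-watch)"
	@echo " make dev-deps - Install development dependencies"
	@echo " make docs - Generate and open documentation"
	@echo ""
	@echo "Running:"
	@echo " make run - Run the application"
	@echo " make run-scan - Run the scan subcommand"
	@echo " make run-auto - Run the auto subcommand"
	@echo " make init-config - Initialize a sample config file"
	@echo " make run-example - Run with example config (needs Vault)"
	@echo " make demo - Quick demo with Vault env vars"
	@echo ""
	@echo "Vault Development:"
	@echo " make vault-docker - Start Vault in Docker (token: root)"
	@echo " make vault-docker-stop - Stop Vault Docker container"
	@echo " make vault-create-test-secrets - Create test secrets in Vault"
	@echo " make vault-flag-test-secrets - Flag test secrets for rotation"
	@echo " make vault-full-setup - Complete Vault setup with test data"
	@echo " make dev-with-vault - Run scan with temporary Vault"
	@echo " make install-vault - Install Vault CLI"
	@echo " make vault-dev - Start Vault dev server (CLI)"
	@echo " make vault-setup - Show Vault environment setup commands"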
# Debug build: plain `cargo build`, no extra flags.
build:
	cargo build

# Optimized build: same command with cargo's --release flag.
release:
	cargo build --release
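# Install the binary from this checkout into cargo's bin directory.
# --locked makes cargo use the dependency versions recorded in Cargo.lock;
# without it `cargo install` ignores the lockfile and resolves the newest
# compatible versions, so the installed binary could contain dependency code
# that was never built or tested here.
# NOTE(review): assumes Cargo.lock is committed and up to date; confirm.
install:
	cargo install --locked --path .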
# Execute the whole test suite via cargo.
test:
	cargo test

# Type-check the crate without producing a binary.
check:
	cargo check

# Rewrite sources in place with rustfmt.
fmt:
	cargo fmt

# Lint with clippy; -D warnings turns every warning into a hard error.
lint:
	cargo clippy -- -D warnings

# Delete cargo's build output.
clean:
	cargo clean

# Build if needed, then launch the application with no arguments.
run:
	cargo run
# Development shortcuts: launch the application with a fixed subcommand.
# Everything after `--` is passed to the program rather than to cargo.

# Subcommand: scan
run-scan:
	cargo run -- scan

# Subcommand: auto
run-auto:
	cargo run -- auto
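# Complete workflow: format, lint, test, and build, strictly in that order.
# The steps run as sequential sub-makes rather than as prerequisites because
# prerequisites of a single target may be started concurrently under `make -j`,
# which would let `cargo fmt` rewrite sources while clippy or the tests are
# still reading them. A failing step stops the chain.
all:
	$(MAKE) fmt
	$(MAKE) lint
	$(MAKE) test
	$(MAKE) build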
# Development watch loop. Depends on the external cargo-watch subcommand, so
# the recipe first checks that it is on PATH and exits with status 1 and an
# install hint when it is not.
watch:
	@if ! command -v cargo-watch >/dev/null 2>&1; then \
		echo "cargo-watch not installed. Run: cargo install cargo-watch"; \
		exit 1; \
	fi
	cargo watch -x check -x test -x run
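# Install development dependencies: the cargo-watch subcommand plus the
# rustfmt and clippy toolchain components.
# --locked builds cargo-watch against the lockfile it was published with
# instead of resolving the newest dependency versions at install time, which
# keeps a developer tool from picking up unreviewed transitive updates.
dev-deps:
	cargo install --locked cargo-watch
	rustup component add rustfmt clippy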
# Build API documentation for this crate only (--no-deps skips dependencies)
# and open the result in a browser (--open).
docs:
	cargo doc --no-deps --open
# Run the scan subcommand against examples/config.toml.
# Prints a reminder first, because the run needs a reachable Vault server.
run-example:
	@printf '%s\n' "Note: This requires Vault to be running. Use 'make vault-docker' in another terminal first."
	cargo run -- --config examples/config.toml scan
# Quick demo: run the scan subcommand with VAULT_ADDR and VAULT_TOKEN set
# inline for this one command. The values are the local dev server's address
# and its fixed root token "root"; they are not meant for any real Vault.
demo:
	@printf '%s\n' "Running demo (ensure Vault is running with 'make vault-docker')..."
	VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='root' cargo run -- scan
# Create a starter config file by running the application's init subcommand.
init-config:
	cargo run -- init
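# Install the Vault CLI from HashiCorp's apt repository when `vault` is not
# already on PATH. Debian/Ubuntu only: needs wget, gpg, lsb_release, sudo, apt.
#
# The install branch runs under `set -e`, and the signing key is downloaded and
# de-armored into a private temp directory before it is copied into
# /usr/share/keyrings. A failed or truncated download therefore stops the
# recipe, instead of a pipeline hiding the error, writing an empty keyring and
# carrying on to the package install.
# NOTE(review): the key is trusted on first download over HTTPS; compare its
# fingerprint with the one HashiCorp publishes before relying on it.
install-vault:
	@if command -v vault >/dev/null 2>&1; then \
		echo "Vault CLI already installed: $$(vault version)"; \
	else \
		set -e; \
		echo "Installing Vault CLI..."; \
		key_dir="$$(mktemp -d)"; \
		trap 'rm -rf "$$key_dir"' EXIT; \
		wget -O "$$key_dir/hashicorp.asc" https://apt.releases.hashicorp.com/gpg; \
		gpg --dearmor < "$$key_dir/hashicorp.asc" > "$$key_dir/hashicorp.gpg"; \
		sudo install -m 0644 "$$key_dir/hashicorp.gpg" /usr/share/keyrings/hashicorp-archive-keyring.gpg; \
		codename="$$(lsb_release -cs)"; \
		echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $$codename main" | sudo tee /etc/apt/sources.list.d/hashicorp.list; \
		sudo apt-get update; \
		sudo apt-get install -y vault; \
		echo "Vault CLI installed: $$(vault version)"; \
	fi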
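# Development: start a local Vault dev server in Docker, in the foreground.
#
# The server runs with the fixed root token "root", so the published port is
# bound to the host's loopback interface only. A bare `-p 8200:8200` publishes
# on every host interface and would let anyone on the same network use that
# token. VAULT_DEV_LISTEN_ADDRESS stays 0.0.0.0 because it is the listen
# address inside the container, which Docker's port forwarding has to reach.
# NOTE(review): hashicorp/vault:latest is a floating tag; pin a version tag or
# digest if the dev environment should be reproducible.
vault-docker:
	@if ! command -v docker >/dev/null 2>&1; then \
		echo "Docker not installed. Please install Docker first."; \
		exit 1; \
	fi
	@echo "Starting Vault in Docker..."
	@echo "Root token: root"
	@echo "Vault address: http://127.0.0.1:8200"
	docker run --rm --name vault-dev \
		-p 127.0.0.1:8200:8200 \
		-e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
		-e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
		hashicorp/vault:latest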
# Stop the vault-dev container. A failed `docker stop` (its error output is
# discarded) is reported as "not running" and does not fail the target.
vault-docker-stop:
	@if ! docker stop vault-dev 2>/dev/null; then \
		echo "Vault container not running"; \
	fi
# Development: run a Vault dev-mode server straight from the Vault CLI, with
# the fixed root token "root". Depends on install-vault, which installs the
# CLI first when it is missing.
vault-dev: install-vault
	vault server -dev -dev-root-token-id=root
# Development: print the two `export` lines that point a shell at the local
# dev server. Nothing is exported by make itself; the user copies the lines
# into the terminal that should talk to Vault.
vault-setup:
	@printf '%s\n' \
		"Run these commands in your terminal:" \
		"export VAULT_ADDR='http://127.0.0.1:8200'" \
		"export VAULT_TOKEN='root'"
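# Create test secrets in Vault (requires Vault to be running).
#
# Each secret is written through the CLI inside the vault-dev container first;
# if that fails, the host's own `vault` CLI is tried against the same server.
# Both paths use http://127.0.0.1:8200: the dev server speaks plain HTTP, so
# the host fallback must not use an https:// address. The container call is
# given VAULT_ADDR and VAULT_TOKEN explicitly instead of depending on whatever
# the container's environment happens to provide.
# The recipe stops at the first secret that cannot be written by either path.
# The values are placeholder-looking fixtures for the local dev server; the
# ghp_-prefixed string may still trip secret scanners.
vault-create-test-secrets:
	@echo "Creating test secrets in Vault..."
	@put() { \
		docker exec -e VAULT_ADDR='http://127.0.0.1:8200' -e VAULT_TOKEN='root' vault-dev vault kv put "$$@" || \
		VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='root' vault kv put "$$@"; \
	}; \
	put secret/database/postgres password=old_postgres_pass username=dbuser && \
	put secret/api/github token=ghp_old_token_12345 && \
	put secret/app/secret_key key=old_secret_key_value
	@echo "Test secrets created!"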
# Mark two of the test secrets for rotation by running the application's
# `flag` subcommand once per path, against the local dev server with its fixed
# root token. secret/app/secret_key is not flagged here.
vault-flag-test-secrets:
	@printf '%s\n' "Flagging test secrets for rotation..."
	VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='root' cargo run -- flag secret/database/postgres
	VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='root' cargo run -- flag secret/api/github
	@printf '%s\n' "Test secrets flagged!"
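# Complete setup: start Vault in the background, create the test secrets, and
# flag them for rotation.
#
# The container is started only when no container named vault-dev exists.
# A real `docker run` failure (daemon down, image pull error, port in use) is
# shown and stops the target instead of being reported as "Vault already
# running". The published port is bound to 127.0.0.1 because the dev server
# uses the fixed root token "root" and must not be reachable from other hosts.
# NOTE(review): the fixed 3-second wait is a guess at start-up time, not a
# readiness check; a slow host can still race the first write.
vault-full-setup:
	@echo "Starting Vault in background..."
	@if docker container inspect vault-dev >/dev/null 2>&1; then \
		echo "Vault already running"; \
	else \
		docker run -d --rm --name vault-dev \
			-p 127.0.0.1:8200:8200 \
			-e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
			-e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
			hashicorp/vault:latest >/dev/null; \
	fi
	@echo "Waiting for Vault to be ready..."
	@sleep 3
	@$(MAKE) vault-create-test-secrets
	@$(MAKE) vault-flag-test-secrets
	@echo ""
	@echo "✓ Vault is ready with test secrets!"
	@echo " Run: make demo"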
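# Development: run the scan subcommand against a throwaway Vault container
# (start Vault, run the command, stop Vault).
#
# The scan and the container shutdown share one shell so the container is
# always stopped, and the scan's exit status is then returned to make. A
# trailing `|| true` would guarantee the cleanup too, but it would also report
# a failed scan as success.
# The published port is bound to 127.0.0.1 because the dev server uses the
# fixed root token "root" and must not be reachable from other hosts.
dev-with-vault:
	@echo "Starting Vault in background..."
	@docker run -d --rm --name vault-dev-tmp \
		-p 127.0.0.1:8200:8200 \
		-e 'VAULT_DEV_ROOT_TOKEN_ID=root' \
		-e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
		hashicorp/vault:latest >/dev/null
	@echo "Waiting for Vault to be ready..."
	@sleep 3
	@echo "Running command with Vault..."
	@status=0; \
	VAULT_ADDR='http://127.0.0.1:8200' VAULT_TOKEN='root' cargo run -- scan || status=$$?; \
	echo "Stopping Vault..."; \
	docker stop vault-dev-tmp >/dev/null; \
	exit $$status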