host

package
v0.1.0 Latest

This package is not in the latest version of its module.
Published: Jan 9, 2025 License: MPL-2.0 Imports: 24 Imported by: 0

README

Getting Started

Refer to Attributes and Secrets for more detail on configuration options for host catalogs and sets.

To create a host catalog (using default scope created by boundary dev):

boundary host-catalogs create plugin \
 -scope-id p_1234567890 \
 -name "Example Plugin-Based Host Catalog" \
 -description "Description for plugin-based host catalog" \
 -plugin-name gcp \
 -attr client_email=CLIENT_EMAIL \
 -attr project_id=PROJECT_ID \
 -attr zone=ZONE \
 -secret private_key_id='PRIVATE_KEY_ID' \
 -secret private_key='PRIVATE_KEY'

To create a host set, filtering on a status value of RUNNING and a label:

boundary host-sets create plugin \
 -host-catalog-id HOST_CATALOG_ID \
 -name "Example Plugin-Based Host Set" \
 -description "Description for plugin-based host set" \
 -attr filters=status=RUNNING \
 -attr filters=labels.env:prod

Required IAM Permissions

At a minimum, the following IAM permissions must be attached to the service account configured for this provider:

List Instances

To list instances, the credential requires these permissions:

[
    "compute.instances.list"
]

Rotate Service Account Keys

When GCP service account keys are provided with credential rotation enabled, GCP service account keys will be rotated when requests are made to the plugin. These permissions are required to rotate the service account key:

[
    "iam.serviceAccountKeys.create",
    "iam.serviceAccountKeys.delete"
]

Service Account Impersonation

To authenticate by service account impersonation, the base service account needs to have these roles:

[
    "iam.serviceAccountTokenCreator"
]

Attributes and Secrets

Host Catalog

The following attributes are valid on a GCP host catalog resource:

  • zone (string, required): The zone to configure the host catalog for. All host sets in this catalog will be configured for this zone.
  • project_id (string, required): The project ID associated with the service account. All host sets in this catalog will be configured for this project.
  • disable_credential_rotation (bool): If true, credential rotation will not be performed. See the Credentials readme for more information.
  • client_email (string): The email address associated with the service account, used to uniquely identify it. It is required for authentication and authorization.
  • target_service_account_id (string): The unique identifier for the service account that will be impersonated. This is only required when authenticating with service account impersonation.

The following secrets are required on a GCP host catalog resource:

  • private_key_id (string): The private key ID for the service account to use with this host catalog.
  • private_key (string): The private key for the service account to use with this host catalog.

See the Credentials readme for more information.

Host Set

The following attributes are valid on a GCP host set resource:

  • filters (array of strings): Host set filters are used to narrow down the list of hosts returned by the plugin. The filter string is expected to be in the format "key operator value". The operator is expected to be one of =, !=, >, <, <=, >=, :, eq, ne, as per the GCP API documentation (instances.list reference).

Documentation

Index

Constants

const (
	// ConstListInstancesFilter refers to a Google Cloud SDK filter to search for instances
	ConstListInstancesFilter = "filters"
)

Variables

This section is empty.

Functions

This section is empty.

Types

type CatalogAttributes

type CatalogAttributes struct {
	*cred.CredentialAttributes
}

CatalogAttributes defines a set of attributes for the host catalog

type HostPlugin

type HostPlugin struct {
	pb.UnimplementedHostPluginServiceServer
	// contains filtered or unexported fields
}

HostPlugin implements the HostPluginServiceServer interface for the GCP host service plugin.

func (*HostPlugin) ListHosts

func (p *HostPlugin) ListHosts(ctx context.Context, req *pb.ListHostsRequest) (*pb.ListHostsResponse, error)

ListHosts returns the list of instances based on instance filter.

func (*HostPlugin) NormalizeCatalogData

NormalizeCatalogData is called to normalize the catalog data.

func (*HostPlugin) NormalizeSetData

NormalizeSetData currently ensures that "filters" is an array value, even though it's accepted as a string value for CLI UX reasons.
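The following is an added example, not the plugin's own code. It shows the string-or-list handling that NormalizeSetData is described as providing, followed by a check of each filter against the README's "key operator value" format and operator list. The names Filter, NormalizeFilters and ParseFilter are assumptions, as is the requirement that eq and ne be surrounded by spaces.

```go
package main

import (
	"fmt"
	"strings"
)

type Filter struct{ Key, Op, Value string } // one parsed filter (assumed name)

// Operators from the README; longer symbols first so "<=" wins over "<".
var ops = []string{" eq ", " ne ", "!=", "<=", ">=", "=", ">", "<", ":"}

// NormalizeFilters returns "filters" as a slice, given one string or a list.
func NormalizeFilters(raw any) ([]string, error) {
	switch v := raw.(type) {
	case string:
		return []string{v}, nil
	case []any:
		out := make([]string, len(v))
		for i, e := range v {
			var ok bool
			if out[i], ok = e.(string); !ok {
				return nil, fmt.Errorf("filters: element of type %T, want string", e)
			}
		}
		return out, nil
	}
	return nil, fmt.Errorf("filters: unsupported type %T", raw)
}

// ParseFilter splits a filter at its first operator and rejects empty parts.
func ParseFilter(s string) (Filter, error) {
	for i := range s {
		for _, op := range ops {
			if strings.HasPrefix(s[i:], op) {
				k, v := strings.TrimSpace(s[:i]), strings.TrimSpace(s[i+len(op):])
				if k == "" || v == "" {
					return Filter{}, fmt.Errorf("filter %q: empty key or value", s)
				}
				return Filter{k, strings.TrimSpace(op), v}, nil
			}
		}
	}
	return Filter{}, fmt.Errorf("filter %q: no supported operator", s)
}

func main() {
	fmt.Println(NormalizeFilters("status=RUNNING"))
	fmt.Println(ParseFilter("labels.env:prod"))
}
```

Running the two filters from the host set command above through ParseFilter before creating the set confirms they match the documented format.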

func (*HostPlugin) OnCreateCatalog

OnCreateCatalog is called when a dynamic host catalog is created.

func (*HostPlugin) OnCreateSet

OnCreateSet is called when a dynamic host set is created.

func (*HostPlugin) OnDeleteCatalog

OnDeleteCatalog is called when a dynamic host catalog is deleted.

func (*HostPlugin) OnDeleteSet

OnDeleteSet is called when a dynamic host set is deleted.

func (*HostPlugin) OnUpdateCatalog

OnUpdateCatalog is called when a dynamic host catalog is updated.

func (*HostPlugin) OnUpdateSet

OnUpdateSet is called when a dynamic host set is updated.

type InstancesAPI

type InstancesAPI interface {
	List(ctx context.Context, req *computepb.ListInstancesRequest, opts ...gax.CallOption) *compute.InstanceIterator
}

type SetAttributes

type SetAttributes struct {
	Filters []string `mapstructure:"filters"`
}

SetAttributes defines attributes for the host set
