XL Rules: Custom Integrations With XL Deploy Rules Framework

I was working with a customer recently to prove some concepts one of which involved sourcing a password from Cyberark Password Vault. To do this I used rules and performed an action  in the planning stage.

First I added a new property to all containers called CyberarkId using a type modification within the synthetic.xml file  (..../ext/synthetic.xml)

<type-modification type="udm.BaseContainer">
    <property name="cyberarkId" category="Cyber Ark" required="false"/>
</type-modification>

Then I added a rule to invoke our script (..../ext/xl-rules.xml)

    <rule name="CyberArkPasswordRegistration" scope="plan">
        <planning-script-path>cyberark/cyberark-password-rule.py</planning-script-path>
    </rule>

And created a python script that loops through the deltas, looks for containers with an assigned cyberark variable and uses that to look up a password. In our demo case we are simply parsing a key=value text file, but this could easily be a REST call or some other wrapped API call to cyberark.  We might need to add some additional information to connect to cyberark or to retrieve our credentials by specifying more information, but that's just gravy.

def emptyOrNone(s):
    return s is None or len(s.strip()) == 0
def extract_cyberark_aware_containers(deltas):
    containers = {}
    # Get our deployed containers
    for delta in deltas.deltas:
        delta_op = str(delta.operation)
        deployed = delta.previous if delta_op == "DESTROY" else delta.deployed
        container = deployed.container
        if container.hasProperty("cyberarkId") and not emptyOrNone(container.cyberarkId):
            # Ensure we only add our container once
            if container.name in containers.keys():
                continue
            containers[container.name] = container
    return [containers[ke] for ke in containers.keys()]
def update_passwords_from_cyberark(containers, context):
    f = open('/tmp/password.txt')
    id_pwds = f.readlines()
    f.close()
    for container in containers:
        cyber_ark_id = container.cyberarkId
        #call cyber ark
        # In our example password.txt is a simple key=value file.
        for id_pwd in id_pwds:
            id, pwd = id_pwd.split('=')
            if cyber_ark_id == id:
                container.setProperty("password", pwd)
update_passwords_from_cyberark(extract_cyberark_aware_containers(deltas), context)

This is cool and definitely serves to demonstrate the simple flexibility of XL Deploy, but with respect to this particular use case I would add the following cautionary note: It might be fine for demonstrating the concept, but the idea of having every deployment to every container interact with a centralized tool (that may have been designed and optimized for occasional human access) adds quite an overhead to the deployment.  I suspect as this is scaled out to hundreds of servers we would have to think of another approach (perhaps a bulk update of infrastructure CIs periodically for example using the our Command Line Interface). That said, it is however a good start, and with approximately 6 lines of configuration ( 2 if you like xml on a single line ) and a small python script we have made a powerful but manageable change to our deployment. I think the biggest win for me is to have something tangible that shows us extending the product in a straight forward way and of course meeting one of the requirements of our growing user base.  Also in my context its a very quick way to get to talk about the problem of managing information such as credentials.  The issues of making deployments dependent on another single point of failure for example.

How have you extended XL Deploy and how did you find it?

Expect to see more examples of our rules framework in the coming weeks and months. XL Rules!