wso2 identity server: automate the deploy of policies, claims, and other configs - wso2

I have hundreds of different Identity Server configurations (policies, claims, service providers, etc.),
and I need to repeat the same configuration in several environments: dev, test, prod.
Doing it by hand through export/import in the web console is a nightmare.
What is the best practice for automated configuration deployment to WSO2 IS?
I'm thinking about the following options:
create a script that calls the admin services to import the Identity Server configs
create a custom deployer (like the Synapse and data-service deployers, etc.) and call the admin services or do in-memory API calls
find where and how it's stored in the database and write a SQL script to fill the database
Maybe something already exists for config deployment and I just can't find it?

You can create your own scripts or custom methods to manage the deployments, but you have to maintain those scripts yourself.
In that case, you can use deployment automation tools such as Puppet, Chef, etc.
You can use the WSO2 Puppet modules to deploy your configuration in different environments.

Just in case somebody needs a file-based deployer:
I created a Groovy script deployer that can be used for different purposes.
service-provider deployer
policy deployer

Related

Google Cloud Auth

I'm trying to set up an automated build. In the app I connect to a Google API, and in Cloud Run I access secrets, both using different service accounts. It's just a test app, so nothing major, but I keep getting hung up with Cloud Build using the service account that I use to access the API to run the app. Does anybody know of a way to dictate which service account is used to run the app while still using the key to access the API? My thinking is it has to be done in the build process with something in my cloudbuild.yaml, or maybe it can't be done?
The Cloud Build process is carried out by a special service account that handles everything. You can delegate the auth to other accounts, but there really isn't any need. Running the container in Cloud Run and choosing a service account to access secrets is easy (from Cloud Run choose Edit and Deploy => Security tab), and that service account has no bearing on how you access other APIs with the creds.json you add at runtime.

Use terraform with Azure or AWS and with custom UI definition

I am looking for a way to create a custom UI definition, which I will use with Terraform to create resources; the Terraform arguments/parameters will be provided from the UI. Basically the requirement is like:
Create a customized UI and pass parameters from there, e.g. the name for a Web App Service
Deploy a Web App using Terraform, which requires a name argument that will come from the UI input
I'm wondering if that is possible with Azure or AWS.
Yes, it's possible with Azure and AWS, or any other cloud provider. Obviously you have to develop a fully custom web application for that, with a backend running and managing your TF. There is no ready-made tool for that.

Do we really need to bind an Oracle service in PCF? Can't we just use the credentials shown in the service?

I have a question: what is the difference if I just use an Oracle/MySQL service provided by PCF without binding it? What difference will it make? I can access the DB using the credentials anyway.
There are two differences that come to mind:
When you create a service through the Cloud Foundry marketplace, that will create backing resources for the service but in most cases it does not create credentials. The act of binding a service to your app, in most cases with most service brokers, will actually create service credentials for you. When you unbind, again with most brokers, the service credentials are destroyed. This makes it easy to regenerate your service credentials, just unbind/rebind the service and restart your app. The net result is that if you don't bind, there are no credentials.
Most people do not want to include credentials with the actual application (see https://12factor.net/ for details why). They want to be able to provide configuration external to the app. On Cloud Foundry this commonly amounts to binding a service.
Having said that, how do you want to provide the credentials to your application?
Service bindings are there to try and make life as a developer easier but you don't have to use them. If you want to pass in the configuration some other way, like via environment variables, a config file, or using a config service (Spring Cloud Config Server or Vault) those are fine options too.
If you do not want to bind a service to your app, the only thing you'll need to do is to create a service key instead. A service key is like a binding, but not associated with an application. It will also generate a set of unique credentials. You can then take the credentials from your service key and feed them to your app in the way that works best for you.
Ex:
cf create-service-key service-instance key-name
cf service-key service-instance key-name
The first command creates the service key, the second will display its credentials.
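As an added illustration of the service-key route described in the answer above (this is example code, not part of the original post or of the cf CLI), the script below takes the text that `cf service-key service-instance key-name` prints, extracts the credentials JSON, flattens it into environment variables for `cf set-env`, and produces a redacted copy that is safe to show in a pipeline log. The sample output is constructed; the header wording, hostnames, username and password are made up and the only assumption about the real CLI is that it prints a human-readable header followed by a JSON object.

```python
"""Turn `cf service-key` output into app configuration (added example)."""
import json
import re
import shlex

# Constructed sample of what `cf service-key service-instance key-name` prints.
# Not captured from a real broker; values are illustrative only.
SAMPLE_SERVICE_KEY_OUTPUT = """\
Getting key key-name for service instance service-instance as admin...

{
 "hostname": "db.internal.example",
 "port": 1521,
 "name": "ORCL",
 "username": "u_7f3a",
 "password": "p4ss-example",
 "jdbcUrl": "jdbc:oracle:thin:u_7f3a/p4ss-example@db.internal.example:1521/ORCL"
}
"""

# Keys whose values must never reach a build log (compared case-insensitively).
SECRET_KEYS = {"password", "jdbcurl", "uri", "secret", "token"}


def parse_service_key_output(text: str) -> dict:
    """Extract the JSON credentials object from `cf service-key` output.

    Everything before the first '{' is the human-readable header, so it is
    dropped instead of matching the header's exact wording.
    """
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in cf service-key output")
    return json.loads(text[start:])


def to_env(creds: dict, prefix: str = "DB") -> dict:
    """Flatten credentials into UPPER_SNAKE environment variables.

    Nested objects become PREFIX_OUTER_INNER; every value is stringified so
    the result can go straight to `cf set-env` or a .env file.
    """
    env = {}

    def walk(obj, path):
        if isinstance(obj, dict):
            for key, value in obj.items():
                walk(value, path + [key])
        else:
            name = "_".join([prefix] + path)
            env[re.sub(r"[^A-Za-z0-9]+", "_", name).upper()] = str(obj)

    walk(creds, [])
    return env


def redact(creds: dict) -> dict:
    """Copy of the credentials with secret-bearing values masked."""
    out = {}
    for key, value in creds.items():
        if isinstance(value, dict):
            out[key] = redact(value)
        elif key.lower() in SECRET_KEYS:
            out[key] = "***"
        else:
            out[key] = value
    return out


def set_env_commands(app: str, env: dict) -> list:
    """`cf set-env` invocations that deliver the flattened credentials."""
    return [
        f"cf set-env {shlex.quote(app)} {name} {shlex.quote(value)}"
        for name, value in sorted(env.items())
    ]


if __name__ == "__main__":
    creds = parse_service_key_output(SAMPLE_SERVICE_KEY_OUTPUT)
    print(json.dumps(redact(creds), indent=1))
    for command in set_env_commands("my-app", to_env(creds)):
        print(command)
```

Anything pushed with `cf set-env` is visible to every user who can run `cf env` on the app, which is the same exposure a binding has through VCAP_SERVICES; the gain of the service key is that the credentials can be rotated by deleting and recreating the key without touching the binding. Only print the `redact` view in CI output.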

How to share configurations of WSO2-IS among servers?

I have multiple WSO2 IS servers set up as my dev, staging and prod environments.
I would like to have a function with which I can export all the configuration from one server (say dev) to another server (say staging) to make both servers identical, i.e. both servers would have the same database configurations, the same tenants, the same service providers, the same identity providers and so on.
From the documentation, I know that I can create service providers and identity providers using XML files, so in turn I can share the XML files to sync SPs and IdPs between servers.
But is there a standard way to achieve that? Like, from the management console or so?
It even seems possible that syncing the [IS-HOME]/repository directory would ensure that the servers are identical, but are there any caveats to this approach?
There is no standard way to sync the service provider configurations among different environments as of now. This issue has been reported to track the feature requirement; it's a work in progress at the moment and you can expect it in a future release.
One possible solution you can use to achieve your target is retrieving the service provider from the admin service and creating the same service provider in the other environment.
You can use the file-based service provider configurations to achieve this target. But with that approach, you will not be able to see the service providers added from the configuration files in the management console. The next limitation you will face is that you can only add SAML-based inbound authentication configurations through the config files (not, for example, OAuth 2.0 / OIDC inbound authentication configurations).
To answer your last question, you can't sync the [IS-HOME]/repository folder to achieve this. The reason you were able to observe this behavior seems to be that you are using the built-in H2 database, which lives in the [IS-HOME]/repository/database folder. With your file sync, you have actually synced the databases.

Fetching configuration parameters for an existing config service

I'm looking to delete an app and all the bound services associated with it, and then create the app again, recreate all the services and bind them back.
What is the ideal method to retrieve all the services bound to the app?
What is the best way to fetch the configuration parameters of the existing config services?
Ref:
Create App: http://cli.cloudfoundry.org/en-US/cf/push.html
Delete App: http://cli.cloudfoundry.org/en-US/cf/delete.html
Create Service: http://cli.cloudfoundry.org/en-US/cf/create-service.html
Delete Service: http://cli.cloudfoundry.org/en-US/cf/delete-service.html
If you deployed your application using a manifest file, then all the information you need will be in there.
It's possible, though, that services were bound to or unbound from the application via the API, the CLI or a UI. You can retrieve a list of the services bound to an application by running cf env APP_NAME.
Services bound to the application can be found under the VCAP_SERVICES object. You can then parse that object for all services, delete them and recreate them all.
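The parsing step the answer above leaves to the reader, as an added example that is not part of the original post or of the cf CLI: the script takes the text printed by `cf env APP_NAME`, isolates the VCAP_SERVICES object from the "System-Provided:" section, lists each binding, and emits the `cf create-service` / `cf create-user-provided-service` and `cf bind-service` commands needed to rebuild them after the app and services are deleted. The sample `cf env` output, the app name `my-app`, the service labels `p.mysql` and `user-provided`, the plan `db-small` and the credential values are all constructed for the example.

```python
"""Recover bound services from `cf env` output and plan their recreation
(added example)."""
import json
import shlex

# Constructed sample of `cf env my-app` output, trimmed to the parts that
# matter. Names, labels, plans and credential values are made up.
SAMPLE_CF_ENV_OUTPUT = """\
Getting env variables for app my-app in org demo / space dev as admin...

System-Provided:
{
 "VCAP_SERVICES": {
  "p.mysql": [
   {
    "binding_name": null,
    "credentials": {"hostname": "mysql.internal", "password": "brokered-secret"},
    "instance_name": "orders-db",
    "label": "p.mysql",
    "name": "orders-db",
    "plan": "db-small",
    "tags": ["mysql"]
   }
  ],
  "user-provided": [
   {
    "binding_name": null,
    "credentials": {"url": "https://legacy.example/api", "token": "t0k3n"},
    "instance_name": "legacy-api",
    "label": "user-provided",
    "name": "legacy-api",
    "tags": []
   }
  ]
 }
}

User-Provided:
SPRING_PROFILES_ACTIVE: cloud

No running env variables have been set
"""


def extract_vcap_services(cf_env_text: str) -> dict:
    """Pull the VCAP_SERVICES object out of `cf env` text.

    raw_decode stops at the end of the first JSON object, so the trailing
    User-Provided / running / staging sections never reach the JSON parser.
    """
    marker = "System-Provided:"
    idx = cf_env_text.find(marker)
    if idx < 0:
        raise ValueError("no System-Provided section in cf env output")
    start = cf_env_text.find("{", idx)
    obj, _ = json.JSONDecoder().raw_decode(cf_env_text[start:])
    return obj.get("VCAP_SERVICES", {})


def bound_services(vcap_services: dict) -> list:
    """One record per binding: instance name, marketplace label, plan, creds."""
    found = []
    for label, bindings in vcap_services.items():
        for binding in bindings:
            found.append({
                "instance_name": binding.get("instance_name") or binding.get("name"),
                "label": label,
                "plan": binding.get("plan"),
                "credentials": binding.get("credentials", {}),
            })
    return found


def recreate_plan(app: str, services: list) -> list:
    """cf commands that rebuild the services and bindings after deletion.

    Brokered services get fresh credentials when rebound, so only label and
    plan are needed. A user-provided service carries its credentials inside
    VCAP_SERVICES; if that instance is deleted too, the JSON captured here
    is the only copy, so it is passed back with -p.
    """
    commands = []
    for service in services:
        name = shlex.quote(service["instance_name"])
        if service["label"] == "user-provided":
            creds = shlex.quote(json.dumps(service["credentials"]))
            commands.append(f"cf create-user-provided-service {name} -p {creds}")
        else:
            commands.append(
                f"cf create-service {service['label']} {service['plan']} {name}")
        commands.append(f"cf bind-service {shlex.quote(app)} {name}")
    return commands


if __name__ == "__main__":
    services = bound_services(extract_vcap_services(SAMPLE_CF_ENV_OUTPUT))
    for command in recreate_plan("my-app", services):
        print(command)
```

Run the plan only after the services have been deleted with `cf delete-service`; the brokered entry in the generated commands carries no secret, while the user-provided entry embeds the captured credentials JSON and should be treated like any other secret-bearing script.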