Potential Policy workflow for Synchronizer leader election

[jvanderhoof]

Desired Outcome

Please describe the desired outcome for this PR. Said another way, what was
the original request that resulted in these code changes? Feel free to copy
this information from the connected issue.

Implemented Changes

Describe how the desired outcome above has been achieved with this PR. In
particular, consider:

• What's changed? Why were these changes made?
• How should the reviewer approach this PR, especially if manual tests are required?
• Are there relevant screenshots you can add to the PR description?

Connected Issue/Story

Resolves #[relevant GitHub issue(s), e.g. 76]

CyberArk internal issue link: insert issue ID

Definition of Done

At least 1 todo must be completed in the sections below for the PR to be
merged.

Changelog

• The CHANGELOG has been updated, or
• This PR does not include user-facing changes and doesn't require a
  CHANGELOG update

Test coverage

• This PR includes new unit and integration tests to go with the code
  changes, or
• The changes in this PR do not require tests

Documentation

• Docs (e.g. READMEs) were updated in this PR
• A follow-up issue to update official docs has been filed here: insert issue ID
• This PR does not require updating any documentation

Behavior

• This PR changes product behavior and has been reviewed by a PO, or
• These changes are part of a larger initiative that will be reviewed later, or
• No behavior was changed with this PR

Security

• Security architect has reviewed the changes in this PR,
• These changes are part of a larger initiative with a separate security review, or
• There are no security aspects to these changes

[GrzegorzK-CA]

How can I do that?
I see a few use cases here

1. First installation

• Synchronizer installer creates this policy
• Synchronizer installer creates another policy for safes, lobs etc altogether with Synchronizer host
• Synchronizer installer needs to update this policy - with host how?

2. Installation of second instance of Synchronizer

• Synchronizer installer updates another policy for safes, lobs etc altogether with new Synchronizer host
• Synchronizer installer needs to update this policy - with host how?

3. A few Synchronizer installers already exists - manual update needed

• This policy is created manually
• How to add already existing hosts here

4. Synchronizer uninstall

• How to remove host from this group

[jvanderhoof]

@GrzegorzK-CA, I put together a working example in the Conjur Intro project: https://github.com/conjurdemos/conjur-intro/blob/vault-synchronizer/bin/dap#L428.

The only thing missing here is setting the JSON document with safe names and last updated dates. Bash does not like the double quotes of JSON. Because the JSON is passed through so many functions, I was not able to get it escaped correctly. I updated the variable via the UI to make sure it worked as expected. You should have no problem doing this with the .NET SDK.

[GrzegorzK-CA]

What happens in the very first flow:

• no leader
• trying to delete vault-synchronizer-leader if that doesn't exist?

Should I check if that variable is set altogether with expiration date or can I just try to delete it and then try to create it.

[jvanderhoof]

Delete on a resource that's not present results in a no-op, so it should be fine to always attempt the delete before trying to claim "leader" status.

[GrzegorzK-CA]

"secrets"?
I thought it would be something like "conjur/vault-synchronizer/...."
but I guess this might be my lack of knowledge here

how about creating/updating variables for LOBs - will that also be under "secrets"?

[jvanderhoof]

In this case secrets is the resource type. conjur%2Fvault-synchronizer%2Fleader-expiration is the url escaped variable ID.

[GrzegorzK-CA]

I guess this "vault-lines-of-business" policy should be created without body, and Synchronizer should create variables for each LOBs during synchonization intervals.
It would be great to have examples for that as well

[jvanderhoof]

Great catch. I updated this in the Conjur Intro example above.