Awx: Support external secret backends

https://aws.amazon.com/kms/
https://azure.microsoft.com/en-us/services/key-vault/
https://cloud.google.com/kms/

AWS SSM Parameter store
Managed
Free (vs KMS)
Can store encrypted strings (uses KMS behind scenes)
https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-paramstore-about.html

We'll focus on:

• Hashi Vault
• CyberArk
• Azure KV

The key part of this implementation is:

• Adding credential types for the credential management systems that we'll support
• Adding a layer on top of the existing credentials that
  * Allows you to assign a credential management system's credential
  * Populate the settings necessary to look up the necessary credential values in that system
• Creating a plugin component to the external credential access to allow other backends to be added.

There are some nuanced details on how these secrets will be used. Hashi vault for example has a particular mechanism for how ssh keys are used/signed that will necessitate making some changes to the way we use ssh keys overall.

Question: If a user does not have access to the credential management system credential, but they have been granted access to a credential that makes use of it, will they be able to retrieve the secret?

For example,

1. An org admin creates a credential for access to HashiCorp Vault
2. The admin creates a credential that uses the Vault access credential
3. The admin shares it with a regular user

Will the user be able to create job templates with the shared credential?
If the user has been granted admin on the credential without access to the SM credential, will they be able to modify it?

My initial take on this:

~The _actual_ permission to a credential, as experienced by a user, should be the lower of the two credentials should the one they intend to use be linked to a SM credential.~ (update: this is over-conservative - see @matburt 's response below)

There is probably an edge case / usability issue that I'm missing here, so I'd very much like to continue this discussion. It is good for us to be asking these questions early.

This behaves the same way as credentials do right now... you can be delegated usage of a credential without owning it in any way. Thus, if an admin has delegated a Machine credential which utilizes a CM credential to a user but the user doesn't have access to use the CM credential they'd still be able to use the one they've been delegated.

We use this same pattern with user who are delegated to run Job Templates, even if they don't have any other access to the Inventory and/or Project associated with the Job Template.

additional request: Cybermove

We are very interested in AWS KMS, so when the interface is ready, we can contribute with code and/or testing.

looking forward to thycotic secret server integration

resolved by https://github.com/ansible/awx/pull/3098

so, no thycotic secret server support in the initial version I take it?

@kinwolfqc nope, not currently:

https://github.com/ansible/awx/issues/2238#issuecomment-452395837

We'll focus on:
Hashi Vault
CyberArk
Azure KV

That said, we implemented this as a plugin-based system, so it's pretty simple to add support via a pull request if it's something you're interested in:

https://github.com/ansible/awx/blob/devel/docs/credential_plugins.md

@ryanpetrello I'm more dabbler than dev, but I'll give it a look.