Deploying a Hashicorp Vault Server on a AWS EC2 Instance with Terraform and Ansible.

Hey folks!!

In this article let's take a quick look at Hashicorp Vault, its purpose, and how to deploy it on AWS EC2 using DevOps tools (Ansible and Terraform).

What is Hashicorp Vault?

Hashicorp Vault is a secrets management solution.

A secret is anything that you want to tightly control access, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

Why do we need to manage secrets?

The main use case is to centralize secrets management. Teams want to avoid having secrets sprawled across the infrastructure, so they use Vault to keep their management in one location. Additionally, they want to be able to have an audit log, and enforce access control list (ACL) policies on a least-privilege basis.

We can rotate credentials or generate temporary credentials, such as database credentials or IAM. Once a specific task is complete, these credentials are revoked.

How does the Vault protect data?

Vault creates an encryption key that is used to encrypt any data stored in the vault on your storage backend. Vault has a master key that is used to encrypt and decrypt the encryption keys. The master key is kept only in the Vault node's memory; it is never written to persistent storage.

Storage-backend?

Vault itself does not store anything. It is a middleware and needs a storage backend. Hashicorp Vault supports many storage backends; the most common are:

  • Consul
  • PostgreSQL
  • MySQL
  • AWS S3
  • FileSystem
  • Etcd
  • DynamoDB

https://www.vaultproject.io/docs/configuration/storage for more details.

To keep things simple, in this article we will use the filesystem as the storage backend.

Getting your hands dirty!!

Before we start, there are some requirements to deploy the project:

Fortunately I already did the heavy lifting and made the content available on the Github repository:

https://github.com/matheusmaais/HashicorpVault

So..

$git clone https://github.com/matheusmaais/HashicorpVault

Put your AWS key pair (.pem file) into the HashicorpVault directory.

key_name = "PUT ONLY YOUR KEY NAME, WITHOUT .pem"

Change /PATH_TO_YOUR_KEY.pem to ./your_key_name.pem

This is the only adjustment necessary for the project to work:


Run:

$sh deploy.sh

We will now explain how the process works:

  • Terraform will use the ec2.tf file to provision a t2.micro instance and, using the output defined in the output.tf file, create a text file inside the ./ansible directory that contains our instance's IP.
  • The sg.tf file will create the Security Group with the ports needed to reach Vault externally.

After the server is online Ansible will take action:

  • Upgrade the server
  • Add the Hashicorp repository
  • Download and install the Vault binary
  • Move the binary into the PATH
  • Copy the vault.hcl config file (in this file we set the filesystem as the storage backend)
  • Add the environment variables permanently
  • Reboot the machine
  • Initialize and unseal Vault
  • Copy the unseal keys and the root token from the server to your local machine, into the ./ansible directory

All actions are performed by ./ansible/vault.yml file
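For reference, here is what a vault.hcl using the filesystem storage backend looks like. This is an added example, not the file shipped in the repository; the data path, certificate paths and api_addr are assumptions.

```hcl
# Added example vault.hcl (not the repository's file). Paths are assumed.

# Single-node filesystem backend: no HA, which matches "HA Enabled false"
# in the vault status output later in the article.
storage "file" {
  path = "/opt/vault/data"
}

# The article talks to Vault over https://<ip>:8200, so the listener
# needs a certificate and key; never ship tls_disable = true to a server
# reachable from outside the host.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault.d/vault.crt"
  tls_key_file  = "/etc/vault.d/vault.key"
}

# Address other clients should use to reach this node (assumed value).
api_addr = "https://123.123.123.123:8200"

# Enables the web UI that the article opens at https://ec2_IP:8200
ui = true
```

With a self-signed certificate the local CLI will need VAULT_CACERT pointed at the certificate (or the CA that issued it) to validate the connection.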

All calls to Terraform and Ansible are executed by the deploy.sh script.
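As an added illustration of the two Terraform pieces described above (this is example code, not the repository's own sg.tf/output.tf), the security group below opens only 8200 and 22, and only to an administrator network instead of the whole internet, and the local_file resource writes the instance IP for Ansible. The variable name, the aws_instance.vault reference, the CIDR and the output file name are assumptions.

```hcl
# Added example (not the repository's sg.tf/output.tf). Names are assumed.
variable "admin_cidr" {
  description = "Only this network may reach SSH and the Vault API"
  type        = string
  default     = "203.0.113.0/24" # TEST-NET-3 placeholder, replace with yours
}

resource "aws_security_group" "vault" {
  name        = "vault-sg"
  description = "Vault API/UI and SSH for Ansible, admin network only"

  ingress {
    description = "Vault API and UI"
    from_port   = 8200
    to_port     = 8200
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr] # not 0.0.0.0/0
  }

  ingress {
    description = "SSH used by Ansible"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Write the public IP where the Ansible playbook can pick it up.
# aws_instance.vault is the (assumed) name of the t2.micro from ec2.tf.
resource "local_file" "vault_ip" {
  content  = aws_instance.vault.public_ip
  filename = "${path.module}/ansible/ec2IP/ip.txt" # assumed file name
}
```

Tightening cidr_blocks is the one change that matters most here: the server will hold the unseal keys and root token in memory, so its API should not be reachable from arbitrary addresses.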

To destroy the entire infrastructure, simply run the command

$sh destroy.sh

How to access the Vault server and store some secrets?

We will use our own local machine to access the Vault server, for this:

  • Download Vault

If you're on Mac, run the brew install vault command; if you're on Linux, follow the tutorial linked below:

https://learn.hashicorp.com/tutorials/vault/getting-started-install

Once installed, let's set an environment variable, replacing 123.123.123.123 with your instance's IP address, e.g.:

export VAULT_ADDR="https://123.123.123.123:8200"

Copy the root token, located in ./ansible/ec2IP/key.txt

Run $vault login and paste your root token.

Run:

$vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.5.5
Cluster Name    vault-cluster-6f57a99a
Cluster ID      9ca54096-5789-a906-9762-d3580b212487
HA Enabled      false

Let's enable the KV (key/value) engine at the path vaultdemo:

$vault secrets enable -path=vaultdemo/ kv
$vault secrets list (lists the available paths)
$vault kv put vaultdemo/foo username=foo password=bar
$vault kv get vaultdemo/foo
====== Data ======
Key         Value
---         -----
password    bar
username    foo
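The commands above are all run with the root token. The least-privilege ACL policies mentioned earlier are how you avoid that for day-to-day use; the policy below is an added example (not part of the article) that grants read-only access to the vaultdemo/ KV engine just enabled. The policy and token names are assumptions.

```hcl
# Added example policy (not from the article): read-only access to the
# KV v1 engine mounted at vaultdemo/, plus the minimum a token needs to
# inspect and renew itself. Nothing else is reachable with this policy.

# KV v1 (the default for "vault secrets enable kv") exposes secrets
# directly under the mount, so vaultdemo/foo matches vaultdemo/*.
path "vaultdemo/*" {
  capabilities = ["read", "list"]
}

# Allow "vault token lookup" and "vault token renew" on the token itself
path "auth/token/lookup-self" {
  capabilities = ["read"]
}

path "auth/token/renew-self" {
  capabilities = ["update"]
}
```

Load it with vault policy write vaultdemo-ro vaultdemo-ro.hcl and mint a short-lived token with vault token create -policy=vaultdemo-ro -ttl=1h; a vault kv put with that token is denied, while vault kv get vaultdemo/foo still works.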

To access the Vault UI, open https://ec2_IP:8200 in your browser

OK, Vault is deployed and works fine!!

That was a brief introduction to the Hashicorp Vault, I hope you enjoyed it! See you !!



WRITTEN BY

Matheusmaais


Danilo Souza Silva

Senior DevOps Architect @ Amazon Web Services

4 years

Very good, Matheus

Ricardo Abreu

Adv App/Cloud Supp & Eng Specialist | Accenture Brasil | AWS | GCP

4 years

Great Job!!!!!!
