Hands-on:- HashiCorp Vault with Terraform

In this project we install Vault on an EC2 instance, configure Terraform to read a secret from Vault, and authenticate Terraform to Vault with an AppRole (defined through the Vault web console) instead of the default credentials.

  • Install GPG: This is used for encrypting and signing data.

sudo apt update && sudo apt install gpg

  • Download the Signing Key: This is used to verify the authenticity of the downloaded packages.

wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg

  • Verify the Key’s Fingerprint: This is used to ensure that the correct key has been downloaded. Compare the fingerprint printed here with the one HashiCorp publishes for its package-signing key before trusting the repository.

gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint

  • Add the HashiCorp Repo: This is used to add the HashiCorp repository to your list of repositories.

echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update

  • Install Vault: This is used to install Vault.

sudo apt install vault

  • Start Vault: This is used to start the Vault server. The -dev flag runs an in-memory, already-unsealed server over plain HTTP with the root token printed to the console, which is suitable for this walkthrough only; listening on 0.0.0.0 makes it reachable from outside the instance, so restrict port 8200 in the EC2 security group.

vault server -dev -dev-listen-address="0.0.0.0:8200"

  • From the Vault side, enable a KV (key/value) secrets engine.
  • Create a demo secret named test-secret with the key Username and the value credentials.
  • Enable AppRole Authentication: This is used to enable the AppRole authentication method in Vault.

vault auth enable approle

  • Create a Policy: This is used to create a policy that grants certain permissions. The path secret/data/* is the KV version 2 API path of the secret mount, which is why the Terraform data source below uses mount "secret" and name "test-secret". The data source only reads, so a tighter policy would grant just the read capability.

vault policy write terraform - <<EOF
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
EOF

  • Create an AppRole: This is used to create an AppRole with the specified policy.

vault write auth/approle/role/terraform \
    secret_id_ttl=10m \
    token_num_uses=10 \
    token_ttl=20m \
    token_max_ttl=30m \
    secret_id_num_uses=40 \
    token_policies=terraform

  • Generate Role ID: This is used to retrieve the Role ID. The role created above is named terraform, so that name replaces the generic my-approle placeholder in the path.

vault read auth/approle/role/terraform/role-id

  • Generate Secret ID: This is used to generate a Secret ID for the same role. With the role settings above it expires after 10 minutes and can be used 40 times.

vault write -f auth/approle/role/terraform/secret-id

Now we apply this in a generic Terraform script that spins up an EC2 instance. Terraform reads the secret created under the KV (Key Value) secrets engine and applies it as a tag on the instance, which can be confirmed in the Tags tab of the EC2 console.

1. AWS Provider Configuration:

provider "aws" {
  region = "us-east-1"
}

This block configures the AWS provider for Terraform. The region parameter specifies that AWS resources will be created in the us-east-1 region.

2. Vault Provider Configuration:

provider "vault" {
  address = "<>:8200"
  skip_child_token = true

  auth_login {
    path = "auth/approle/login"

    parameters = {
      role_id = "<>"
      secret_id = "<>"
    }
  }
}

This block configures the Vault provider for Terraform. The address parameter specifies the address of the Vault server (fill in the Vault instance's address and port). The auth_login block authenticates to Vault using the AppRole authentication method with the role_id and secret_id generated above; skip_child_token = true makes the provider use the AppRole token directly instead of creating a child token from it.

3. Vault Secret Data Source:

data "vault_kv_secret_v2" "example" {
  mount = "secret" // change it according to your mount
  name  = "test-secret" // change it according to your secret
}

This block retrieves a secret from Vault. The mount parameter specifies the path where the KV secrets engine is mounted. The name parameter specifies the path of the secret to retrieve.

4. AWS Instance Resource:

resource "aws_instance" "my_instance" {
  ami           = "ami-053b0d53c279acc90"
  instance_type = "t2.micro"

  tags = {
    Name   = "test"
    // the map key must match the key stored in test-secret (Username above); a missing key is an invalid index error
    Secret = data.vault_kv_secret_v2.example.data["Username"]
  }
}

This block creates an AWS EC2 instance. The ami parameter specifies the Amazon Machine Image (AMI) to use for the instance. The instance_type parameter specifies the type of instance to launch. The tags block assigns metadata to the instance. Note that tag values are visible to anyone allowed to describe the instance and are also written to the Terraform state file, so placing a secret in a tag only demonstrates the data flow and is not a pattern for real credentials.

Implementation Steps :-

a> Execute terraform init :- This will authenticate Terraform to Vault.

b> Execute terraform apply :- This will apply the Terraform configuration and spin up the EC2 instance.
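Before running terraform apply, the AppRole, policy and secret key can be checked with the same two Vault HTTP calls the provider makes. The following is an added example, not code from the article; it assumes the environment variables VAULT_ADDR, ROLE_ID and SECRET_ID hold the values from the steps above, and embeds constructed sample responses for an offline dry run.

```python
import json
import os
import urllib.request

# Added example, not code from the article: performs the two HTTP calls the
# Terraform vault provider makes for the configuration above (AppRole login,
# then a KV v2 read) so the role, policy and secret key can be checked before
# terraform apply. VAULT_ADDR, ROLE_ID and SECRET_ID are assumed env var names.

def kv2_api_path(mount: str, name: str) -> str:
    """KV v2 read path; the 'data' segment is what the policy path secret/data/* covers."""
    return f"v1/{mount.strip('/')}/data/{name.strip('/')}"

def client_token(login_resp: dict) -> str:
    """Short-lived token returned by POST auth/approle/login."""
    return login_resp["auth"]["client_token"]

def kv2_field(secret_resp: dict, key: str) -> str:
    """KV v2 nests user data as data.data, one level deeper than KV v1."""
    fields = secret_resp["data"]["data"]
    if key not in fields:  # the mismatch that makes data["foo"] fail in Terraform
        raise KeyError(f"{key!r} not in secret; available keys: {sorted(fields)}")
    return fields[key]

def _call(addr, method, path, body=None, token=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr.rstrip('/')}/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def check_secret_key(addr, role_id, secret_id, mount="secret", name="test-secret", key="Username"):
    """Log in with the AppRole and confirm the key holds a non-empty value (never echoes it)."""
    login = _call(addr, "POST", "v1/auth/approle/login", {"role_id": role_id, "secret_id": secret_id})
    secret = _call(addr, "GET", kv2_api_path(mount, name), token=client_token(login))
    return len(kv2_field(secret, key)) > 0

# Constructed sample responses in the shape of the Vault HTTP API, for an offline dry run.
SAMPLE_LOGIN = {"auth": {"client_token": "hvs.EXAMPLE", "token_policies": ["default", "terraform"]}}
SAMPLE_SECRET = {"data": {"data": {"Username": "credentials"}, "metadata": {"version": 1}}}

if __name__ == "__main__":
    if "VAULT_ADDR" in os.environ:
        ok = check_secret_key(os.environ["VAULT_ADDR"], os.environ["ROLE_ID"], os.environ["SECRET_ID"])
        print("secret key present" if ok else "secret key empty")
    else:
        print(kv2_api_path("secret", "test-secret"), kv2_field(SAMPLE_SECRET, "Username"))
```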

Hierarchical :-

1> Secret Engines ---> Enable new engine ---> kv ---> Secrets ---> test-secret (name of the secret) ---> then add a key (any name, e.g. Username) with a value (e.g. password).
