Secretless Terraform

Transcript

1. Secretless Terraform mostly

2. @ksatirli on Twitter and GitHub Developer Advocate at HashiCorp

3. @devops_rob on Twitter and GitHub Developer Advocate at HashiCorp

4. Agenda Adding Secrets to Vault Creating passwords with the Random

   Provider Consuming Secrets with Terraform Reading passwords with the Vault Provider Questions and Answers Ask us anything (related to Terraform and Vault)

5. ⁄ Adding Secrets to HashiCorp Vault, using Terraform

6. Enabling a Secrets Engine vault:8200/ui/vault/settings/mount-secret-backend/

7. Enabling a Secrets Engine vault:8200/ui/vault/settings/mount-secret-backend/

8. Enabling a Secrets Engine vault:8200/ui/vault/secrets/secret/list

9. Environment TERMINAL > export VAULT_ADDR="https://vault:8200"

10. Environment TERMINAL > vault status Key Value --- ----- Seal

    Type shamir Initialized true Sealed false Total Shares 1 Threshold 1 Version 1.5.3 Cluster Name vault

11. Environment TERMINAL > vault login Token (will be hidden): Success!

    You are now authenticated.

12. Vault Provider CODE EDITOR provider "vault" { # Vault configuration

    is set via environment variables }

13. Generating Random Data CODE EDITOR resource "random_password" "pass" { length

    = 16 special = false } locals { pass = jsonencode({ "pass" : random_password.pass.result }) }

14. Writing Data to Vault CODE EDITOR resource "vault_generic_secret" "aws_db_instance" {

    path = "secret/aws_db_instance" data_json = local.pass }

15. Writing Data to Vault TERMINAL > terraform plan -out="provisioner.tfplan" Terraform

    will perform the following actions: # vault_generic_secret.aws_db_instance will be created + resource "vault_generic_secret" "aws_db_instance" { + data = (sensitive value) + data_json = (sensitive value) + disable_read = false + id = (known after apply) + path = "secret/aws_db_instance" } Plan: 1 to add, 0 to change, 0 to destroy.

16. Writing Data to Vault TERMINAL > terraform apply "provisioner.tfplan" vault_generic_secret.aws_db_instance:

    Creating... vault_generic_secret.aws_db_instance: Creation complete after 0s Apply complete! Resources: 1 added, 0 changed, 0 destroyed. The state of your infrastructure has been saved to the path below. This state is required to modify and destroy your infrastructure, so keep it safe. To inspect the complete state use the `terraform show` command. State path: terraform.tfstate

17. Writing Data to Vault TERMINAL Apply complete! Resources: 1 added,

    0 changed, 0 destroyed. The state of your infrastructure has been saved to the path below. This state is required to modify and destroy your infrastructure, so keep it safe. To inspect the complete state use the `terraform show` command. State path: terraform.tfstate Outputs: instance_password = tx964n7QA2cD3xmi

18. Verifying Data in Vault vault:8200/ui/vault/secrets/secret/list

19. Verifying Data in Vault vault:8200/ui/vault/secrets/secret/show/aws_db_instance

20. ⁄ Consuming Secrets with HashiCorp Terraform

21. Reading Data from Vault CODE EDITOR data "aws_vpc" "secretless_terraform" {

    } resource "aws_security_group" "secretless_terraform" { } resource "aws_security_group_rule" "allow_from_self" { }

22. Reading Data from Vault CODE EDITOR data "vault_generic_secret" "aws_db_instance" {

    path = "secret/aws_db_instance" version = 1 } resource "aws_db_instance" "secretless_terraform" { password = data.vault_generic_secret.pass.data["password"] }

23. Reading Data from Vault TERMINAL Terraform will perform the following

    actions: # aws_db_instance.secretless_terraform will be created + resource "aws_db_instance" "secretless_terraform" { + password = (sensitive value) } # aws_security_group.secretless_terraform will be created + resource "aws_security_group" "secretless_terraform" {} # aws_security_group_rule.allow_mysql_from_self will be created + resource "aws_security_group_rule" "allow_mysql_from_self" {} Plan: 3 to add, 0 to change, 0 to destroy.

24. Reading Data from Vault TERMINAL > terraform apply "consumer.tfplan" aws_security_group.secretless_terraform:

    Creating... aws_security_group.secretless_terraform: Creation complete aws_security_group_rule.allow_mysql_from_self: Creating... aws_security_group_rule.allow_mysql_from_self: Creation complete aws_db_instance.secretless_terraform: Creating... aws_db_instance.secretless_terraform: Creation complete Apply complete! Resources: 3 added, 0 changed, 0 destroyed. Outputs:

25. Reading Data from Vault TERMINAL Outputs: connection_string = \ mysql

    --host="instance.eu-west-2.rds.amazonaws.com" \ --port="3306" \ --user="devops" \ --password="tx964n7QA2cD3xmi"

26. Connecting to RDS TERMINAL mysql --host="instance.eu-west-2.rds.amazonaws.com" --port="3306" --user="devops" --password="tx964n7QA2cD3xmi" mysql:

    [Warning] Using a password on the command line interface can be insecure. Welcome to the MySQL monitor. Server version: 5.5.5-10.4.8-MariaDB Source distribution

27. Connecting to RDS TERMINAL mysql> SHOW DATABASES; +----------------------+ | Database

    | +----------------------+ | information_schema | | innodb | | mysql | | performance_schema | | secretless_terraform | | test | +----------------------+ 6 rows in set (0.10 sec)

28. Materials ▪ slides: speakerdeck.com/ksatirli/secretless-terraform ▪ code: github.com/ksatirli/secretless-terraform ▪ functions: hashi.co/tf-functions

    ▪ tutorials: hashi.co/tf-vault-tutorial ▪ forums: hashi.co/vault-forums

29. An online HashiCorp community experience October 12-15, 2020 US West

    daytime hours (PT)

30. Thank You [email protected] and [email protected]