
HashiConf EU 2016: Building secure environments in clouds using HashiCorp tools


Talk given at HashiConf EU 2016 (Amsterdam). Associated video can be found here: https://www.youtube.com/watch?v=tbrQnrLExow

Nicki Watt

June 14, 2016

Transcript

  1. Building secure environments in clouds using HashiCorp tools
    Nicki Watt
    @techiewatt
    HashiConf EU - 12/06/2016

  2. About Me
    • Hands on Lead consultant at OpenCredo
    • Co-author Neo4j In Action
    • Currently working with a UK government department on cloud automation project
    • Twitter: @techiewatt

  3. Agenda
    • What is the problem
    • What are the options
    • How: Principles, challenges, lessons, tools
    • Conclusion

  4. What problem are we trying to address?

  5. Act 1: "Take advantage of cloud computing"

  6. Act 2: "Efficiently take advantage of more cloud computing"

  7. (image-only slide)

  8. (image-only slide)

  9. How to create fast, repeatable, secure environments capable of running in different clouds!

  10. An example requirement: Team1 needs a Kubernetes based development environment

  11. Input:
    Environment prefix: team1
    Number K8s Slaves: 3
    Environment domain suffix: t1tools.domain.io
    Initial SSH keys: AAAEFF [email protected]
    Cloud: AWS

  12. (image-only slide)

  13. Environment "Contract"
    Core User Solution requirements: K8S Master, K8S Node-1, K8S Node-2, K8S Node-3, Postgres DB
    (Intra-cloud) Supporting Services: VPN, DNS
    • Completely isolated, need to VPN in to access
    • Agreed customisable IaaS layout
    • Agreed base software installed

  14. What are our options?

  15. "you need our cloud management platform!"

  16. vs

  17. (image-only slide)

  18. Principles

  19. Principles (ASAP)
    • Automate everything
    • Separate config from code
    • API driven clouds & tools
    • Prefer modular, open source tools


  24. • Self service functionality
    • Automated environment creation (under the hood) functionality

  25. Environment "Contract"
    Core User Solution requirements: K8S Master, K8S Node-1, K8S Node-2, K8S Node-3, Postgres DB
    (Intra-cloud) Supporting Services: VPN, DNS

  26. Environment "Implementation" building blocks
    Core User Solution requirements: K8S Master, K8S Node-1, K8S Node-2, K8S Node-3, Postgres DB
    (Intra-cloud) Supporting Services: VPN, DNS
    Configuration management tool

  27. Environment "Implementation" building blocks
    Core User Solution requirements
    (Intra-cloud) Supporting Services

  28. Environment "Implementation" building blocks
    Core User Solution requirements: k8smaster, k8snode01, k8snode02, k8snode03, db01
    (Intra-cloud) Supporting Services: ovpn, orchestrator


  30. Environment "Implementation" building blocks
    Core User Solution requirements: k8smaster, k8snode01, k8snode02, k8snode03, db01
    (Intra-cloud) Supporting Services: ovpn, orchestrator (VPN, DNS)
    Configuration management tool


  32. Approach style: Mutable infrastructure
    Core User Solution requirements: k8smaster, k8snode01, k8snode02, k8snode03, db01
    (Intra-cloud) Supporting Services: ovpn, orchestrator (VPN, DNS)
    Configuration management tool

  33. How?

  34. • Automated Image creation
    • Automated IaaS Provisioning
    • Automated Instance Management
    • Securing all the things!
    Bootstrap

  35. Challenge #1: Automated Image Provisioning
    (diagram: Core User Solution requirements, (Intra-cloud) Supporting Services)

  36. (image-only slide)

  37. Challenge #2: Automated IaaS Provisioning
    (diagram: ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01 across Core User Solution requirements and (Intra-cloud) Supporting Services)

  38. • Networks
    • Firewall Rules
    • Routers
    • Compute Resources
    • Public / Floating IP Addresses

  39. Lesson: There is NO single common cloud API

  40. Tool: Terraform (Automated IaaS Provisioning)

  41. Creates, manages, and manipulates infrastructure resources.

  42. Multiple Cloud Providers


  44. Declarative DSL (AWS)
    terraform.tf (OpenStack):
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
      name        = "${var.env-prefix}-ovpn"
      image_name  = "${var.image_name}"
      flavor_name = "${var.openvpn-flavour-name}"
      floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
      ...
    }
    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
      region = ""
      pool   = "${var.public-ip-pool}"
      ...
    }

    terraform.tf (AWS):
    ## AWS Compute instance
    resource "aws_instance" "ovpn" {
      ami                    = "${var.ovpn-ami}"
      instance_type          = "${var.m-openvpn-instance-type}"
      vpc_security_group_ids = ["${aws_security_group.ovpn.id}"]
      subnet_id              = "${aws_subnet.dmz.id}"
      ...
    }
    ## DMZ network exposing Public IP
    resource "aws_subnet" "dmz" {
      vpc_id                  = "${aws_vpc.core.id}"
      cidr_block              = "${var.m-dmz-net-cidr}"
      map_public_ip_on_launch = 1
      ...
    }
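The AWS snippet above puts the OpenVPN host in a DMZ subnet with map_public_ip_on_launch set, and the environment "contract" on slide 13 says everything else is reachable only after you VPN in. The following is an added example, not code from the talk or from OpenCredo, showing how the IaaS resource types listed on slide 38 (networks, firewall rules, routers, public IPs) fit together in Terraform so that the VPN endpoint is the only thing with a public address. It assumes Terraform 0.12+ syntax and the hashicorp/aws provider; every CIDR, variable name and resource name is a constructed placeholder.

```hcl
# Added example (not from the talk): network isolation for the
# "VPN host in a DMZ, everything else private" layout the slides describe.
# Terraform >= 0.12 syntax and the hashicorp/aws provider are assumed;
# all CIDRs and names below are constructed placeholders.

variable "env_prefix"      { default = "team1" }
variable "vpc_cidr"        { default = "10.10.0.0/16" }
variable "dmz_cidr"        { default = "10.10.0.0/24" }
variable "private_cidr"    { default = "10.10.1.0/24" }
variable "vpn_port"        { default = 1194 }
# Narrow this to known client ranges (office egress, bastion) where possible.
variable "vpn_client_cidr" { default = "0.0.0.0/0" }

resource "aws_vpc" "core" {
  cidr_block           = var.vpc_cidr
  enable_dns_hostnames = true
  tags                 = { Name = "${var.env_prefix}-core" }
}

# DMZ: only the VPN endpoint lives here, and it is the only host that
# gets a public IP at launch.
resource "aws_subnet" "dmz" {
  vpc_id                  = aws_vpc.core.id
  cidr_block              = var.dmz_cidr
  map_public_ip_on_launch = true
}

# Private subnet for k8s master/nodes and the database: no public IPs.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.core.id
  cidr_block              = var.private_cidr
  map_public_ip_on_launch = false
}

# Router: an internet gateway and a default route, attached to the DMZ only.
# The private subnet keeps the VPC main route table (local routes only), so
# nothing in it is reachable from the internet; add a NAT gateway if those
# hosts need outbound access for package updates.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.core.id
}

resource "aws_route_table" "dmz" {
  vpc_id = aws_vpc.core.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

resource "aws_route_table_association" "dmz" {
  subnet_id      = aws_subnet.dmz.id
  route_table_id = aws_route_table.dmz.id
}

# Firewall rule for the VPN host: the VPN port from client ranges, nothing else.
resource "aws_security_group" "ovpn" {
  name   = "${var.env_prefix}-ovpn"
  vpc_id = aws_vpc.core.id

  ingress {
    from_port   = var.vpn_port
    to_port     = var.vpn_port
    protocol    = "udp"
    cidr_blocks = [var.vpn_client_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Firewall rule for everything behind the VPN: admit traffic only from the
# VPN host's security group (a reference, not a CIDR) and from peers in the
# same group, so the rule follows the host even if it is rebuilt.
resource "aws_security_group" "internal" {
  name   = "${var.env_prefix}-internal"
  vpc_id = aws_vpc.core.id

  ingress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    security_groups = [aws_security_group.ovpn.id]
    self            = true
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

The two security groups carry the isolation guarantee: the internal group admits traffic only from the ovpn group, so a re-addressed or rebuilt VPN host keeps working and nothing outside the VPC can reach the nodes or the database directly. The one value worth setting per environment is vpn_client_cidr; the DMZ subnet and the internet gateway are the same on every cloud that offers the equivalent constructs, which is what makes the OpenStack and AWS variants on the slides differ only in resource names.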

  45. Declarative DSL (OpenStack)
    terraform.tf:
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
      name        = "${var.m-env-prefix}-ovpn"
      image_name  = "${var.m-ovpn-imgname}"
      flavor_name = "${var.m-ovpn-flavour-name}"
      floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
      ...
    }
    ## OpenVPN Public IP
    resource "openstack_compute_floatingip_v2" "openvpn" {
      region = ""
      pool   = "${var.m-public-ip-pool}"
      ...
    }

  46. Variables
    terraform.tf:
    ## OpenVPN Compute instance
    resource "openstack_compute_instance_v2" "ovpn" {
      name        = "${var.m-env-prefix}-ovpn"
      image_name  = "${var.m-ovpn-imgname}"
      flavor_name = "${var.m-ovpn-flavour-name}"
      floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
      ...
    }

    inputs.tf:
    variable "m-env-prefix"        { default = "team1" }
    variable "m-ovpn-imgname"      { default = "centos7-001" }
    variable "m-ovpn-flavour-name" { default = "x1.medium" }


48. Configurable modules are your friend!

49. DNS Module
core.tf
# External DNS (AWS Route 53)
resource "aws_route53_record" "dns" {
  zone_id = "${var.m-route-53-domain-id}"
  name    = "${var.m-dns-name}"
  type    = "${var.m-type}"
  ttl     = "${var.m-ttl}"
  records = ["${var.m-public-ip}"]
}

50. Modules are your friend!
terraform.tf
module "mgt" {
  source              = ".../openstack/mgt"
  m-public-ip-pool    = "${var.tf_public_ip_pool}"
  m-ovpn-flavour-name = "${var.tf_ovpn_flav_name}"
  m-ovpn-imgname      = "${var.tf_ovpn_imgname}"
}
module "ext-dns" {
  source      = ".../aws/dns"
  m-public-ip = "${module.mgt.ovpn-public-ip}"
  m-dns-name  = "${var.tf_ext_dns_name}"
}

53. Cohesive multi-provider management is often required a lot sooner than you may think!

54. “Other” Infrastructure Providers

55. “Other” Infrastructure Providers: External DNS

57. Composed terraform file
terraform.tf
module "mgt" {
  source              = ".../openstack/mgt"
  m-public-ip-pool    = "${var.tf_public_ip_pool}"
  m-ovpn-flavour-name = "${var.tf_ovpn_flav_name}"
  m-ovpn-imgname      = "${var.tf_ovpn_imgname}"
}
module "ext-dns" {
  source           = ".../aws/dns"
  m-ovpn-public-ip = "${module.mgt.ovpn-public-ip}"
  m-dns-name       = "${var.tf_ext_dns_name}"
}
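The `module` blocks on slides 50 and 57 call into a `mgt` module and read `module.mgt.ovpn-public-ip` from it, but the deck never shows the module side of that contract. The following is an added example, my own HCL in the Terraform 0.6/0.7 syntax the deck uses and not the project's code: it fills in the `m-*` input variables of both modules, the `output` that publishes the floating IP, and the root file that wires the OpenStack module's output into the AWS DNS module. The `./modules/...` paths, the `tf_route53_zone_id` variable, the `m-type`/`m-ttl` defaults and the `m-ovpn-public-ip` input name on the DNS module (slide 49 calls it `m-public-ip`) are assumptions.

```hcl
# Added example (not the deck's code): the module interfaces behind
# "module.mgt.ovpn-public-ip". Provider blocks (openstack, aws) are omitted;
# in Terraform 0.x they live in the root and are inherited by modules.

## modules/openstack/mgt/inputs.tf   (paths are assumed)
variable "m-env-prefix"        { default = "team1" }
variable "m-ovpn-imgname"      { default = "centos7-001" }
variable "m-ovpn-flavour-name" { default = "x1.medium" }
variable "m-public-ip-pool"    {}   # no default: the caller must name the pool

## modules/openstack/mgt/terraform.tf
resource "openstack_compute_floatingip_v2" "openvpn" {
  region = ""
  pool   = "${var.m-public-ip-pool}"
}

resource "openstack_compute_instance_v2" "ovpn" {
  name        = "${var.m-env-prefix}-ovpn"
  image_name  = "${var.m-ovpn-imgname}"
  flavor_name = "${var.m-ovpn-flavour-name}"
  floating_ip = "${openstack_compute_floatingip_v2.openvpn.address}"
}

## modules/openstack/mgt/outputs.tf
# The one value this module publishes; its name is what slides 50 and 57
# read as module.mgt.ovpn-public-ip.
output "ovpn-public-ip" {
  value = "${openstack_compute_floatingip_v2.openvpn.address}"
}

## modules/aws/dns/inputs.tf
variable "m-route-53-domain-id" {}
variable "m-dns-name"           {}
variable "m-ovpn-public-ip"     {}
variable "m-type"               { default = "A" }     # assumed default
variable "m-ttl"                { default = "300" }   # assumed default

## modules/aws/dns/core.tf
resource "aws_route53_record" "dns" {
  zone_id = "${var.m-route-53-domain-id}"
  name    = "${var.m-dns-name}"
  type    = "${var.m-type}"
  ttl     = "${var.m-ttl}"
  records = ["${var.m-ovpn-public-ip}"]
}

## root inputs.tf: the per-environment knobs a team actually sets
variable "tf_public_ip_pool"  {}
variable "tf_ovpn_flav_name"  { default = "x1.medium" }
variable "tf_ovpn_imgname"    { default = "centos7-001" }
variable "tf_ext_dns_name"    {}
variable "tf_route53_zone_id" {}   # assumed name; not in the deck

## root terraform.tf: composition across two providers
module "mgt" {
  source              = "./modules/openstack/mgt"
  m-public-ip-pool    = "${var.tf_public_ip_pool}"
  m-ovpn-flavour-name = "${var.tf_ovpn_flav_name}"
  m-ovpn-imgname      = "${var.tf_ovpn_imgname}"
}

module "ext-dns" {
  source               = "./modules/aws/dns"
  m-route-53-domain-id = "${var.tf_route53_zone_id}"
  m-dns-name           = "${var.tf_ext_dns_name}"
  # The only value that crosses from the OpenStack side to the AWS side.
  m-ovpn-public-ip     = "${module.mgt.ovpn-public-ip}"
}
```

The composition is the part worth reviewing: the DNS module receives one string and nothing else, every module input is explicit, and `terraform plan` on the root file lists each value that crosses between providers before anything is created.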

58. IaaS provisioning Summary
• Adhered to all our ASAP principles
• Handle multiple infrastructure providers
• Compose/Generate Terraform from modular definitions
• Infrastructure as code

59. Challenge #3: Automated Instance Management
[Diagram: Core User Solution requirements (ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01) and (Intra-cloud) Supporting Services (VPN, DNS, Configuration management tool)]

60. initial bootstrap vs. longer term maintenance

61. Lesson: conscious de-coupling is your friend
[Diagram: boot time cloud/VM instance customisation -> configuration management tool]

62. Approach & Tools: Automated (Bootstrap) Instance Management

63. [Diagram: cloud provider with metadata service, management subnet, app subnet, public IP]

64. Boot time customisation of cloud instances (VMs)

65. Hooks into cloud provider’s metadata service
[Diagram: cloud provider metadata service]

66. Accesses user supplied data for the VM it is running on
[Diagram: cloud provider metadata service]
#cloud-config
hostname: ${env-prefix}-jm
fqdn: ${env-prefix}-jm.${domain}
manage_etc_hosts: true
puppet:
  conf:
    agent:
      server: "${env-prefix}-ipa.${domain}"
runcmd:
  # Poll until the IPA CA answers, then enrol the host (-k skips TLS verification of the status poll)
  - until curl -ksf https://${env-prefix}-ipa.${domain}:443/ca/admin/ca/getStatus ; do sleep 30 ; done ; ipa-client-install --domain=${domain} ... --unattended --force-join
  # Retry the first puppet agent run, at most four attempts 30 s apart
  - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done

67. Example (user-data) cloud config
#cloud-config
hostname: ${env-prefix}-jm
fqdn: ${env-prefix}-jm.${domain}
manage_etc_hosts: true
puppet:
  conf:
    agent:
      server: "${env-prefix}-ipa.${domain}"

69. Passing user-data via terraform
## OpenVPN Compute instance
resource "openstack_compute_instance_v2" "km" {
  name        = "${var.env-prefix}-km"
  image_name  = "${var.image_name}"
  flavor_name = "${var.km-flavour-name}"
  user_data   = "${template_file.clientconfig.rendered}"
  ...
}
## UserData as input to cloud-init
resource "template_file" "clientconfig" {
  filename = "${path.module}/clientconfig.template"
  vars {
    domain     = "${var.domain}"
    env-prefix = "${var.env-prefix}"
    ...
  }
}
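The `template_file` resource on slide 69 references `clientconfig.template` without showing it. The following added example (mine, not the deck's code) puts the cloud-config shape from slide 67 inline as a heredoc, under the `km` role name of slide 69, so the whole handoff from Terraform to cloud-init is visible in one file. `$${...}` is Terraform's escape for a literal `${...}`, which `template_file` then substitutes from `vars`; the `template` attribute is the inline counterpart of the `filename` form the deck uses. The variable defaults are assumptions.

```hcl
# Added example (not the deck's code): Terraform 0.6/0.7-era handoff of a
# cloud-config document to cloud-init through user_data.

variable "domain"          {}
variable "env-prefix"      { default = "team1" }        # assumed default
variable "image_name"      { default = "centos7-001" }  # assumed default
variable "km-flavour-name" { default = "x1.medium" }    # assumed default

## UserData as input to cloud-init
resource "template_file" "clientconfig" {
  # Inline instead of filename = "${path.module}/clientconfig.template".
  # $${...} survives Terraform's own interpolation as a literal ${...},
  # which template_file then fills from the vars block below.
  template = <<EOF
#cloud-config
hostname: $${env-prefix}-km
fqdn: $${env-prefix}-km.$${domain}
manage_etc_hosts: true
puppet:
  conf:
    agent:
      server: "$${env-prefix}-ipa.$${domain}"
EOF

  vars {
    domain     = "${var.domain}"
    env-prefix = "${var.env-prefix}"
  }
}

## Compute instance that boots with the rendered document
resource "openstack_compute_instance_v2" "km" {
  name        = "${var.env-prefix}-km"
  image_name  = "${var.image_name}"
  flavor_name = "${var.km-flavour-name}"
  # Everything in the document is a pointer (hostnames), never a credential:
  # cloud-init fetches user_data from the metadata service, and so can any
  # process on the instance afterwards.
  user_data   = "${template_file.clientconfig.rendered}"
}
```

Two consequences follow from `rendered` being a normal attribute: the full document is stored in the Terraform state file, and it is served by the metadata service for the lifetime of the instance. That is why the deck's bootstrap only tells the instance where its IPA server and Puppet master are, and leaves everything sensitive to the enrolment that runs afterwards.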

71. [Diagram: cloud provider with metadata service, management subnet, app subnet, public IP]

72. [Diagram: cloud provider with metadata service, management subnet, app subnet]

74. [Diagram: cloud provider with metadata service; team1-orch in the management subnet; app subnet]

75. [Diagram: cloud provider with metadata service; management subnet with team1-ovpn, team1-orch, team1-elk; app subnet with team1-k8sm, team1-k8sn1, team1-k8sn2, team1-db]

77. Automated Instance Mgt Summary
• Decoupled, async bootstrap process
• Infrastructure as code
• Adhered to all our ASAP principles
• Tool swap possible: Ansible -> Puppet

78. Challenge #4: Securing all the things!
[Diagram: Core User Solution requirements (ovpn, orchestrator, k8smaster, k8snode01, k8snode02, k8snode03, db01) and (Intra-cloud) Supporting Services (VPN, DNS, Configuration management tool)]

79. Secrets Management
• For terraform provisioning
• For configuration management
• For anything needing access to sensitive stuff

80. Lesson: don’t roll your own!

81. Tool: Secure secrets management

82.
• Unified API to access multiple backends
• ACL policies - who can access what
• Audit Logs

83. Anything Else

84. Part 1: Securing the automated IaaS provisioning process

85. [Flow diagram: Init, Unseal]

86. [Flow diagram: Init, Unseal, Configure Global Static Secrets]

87. Vault write, then read back secret
$ vault write iaas/cloud-provider-password value=ASDKJ234SF*2
Success! Data written to: iaas/cloud-provider-password

$ vault read iaas/cloud-provider-password
Key             Value
lease_duration  2592000
value           ASDKJ234SF*2
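Slide 82 names ACL policies and audit logs as the reasons for the tool, and the flow on the following slides creates a per-environment mount and policy, but no policy text appears in the deck. The following is an added example (mine, not the project's): a Vault ACL policy in the HCL syntax of Vault 0.5/0.6 for the provisioning job of one environment, using the `iaas/` mount from the slide above. The `iaas/team1/` sub-path, the explicit `deny` rule and the policy name `team1-iaas` are assumptions about how such an environment would be laid out.

```hcl
# Added example (not the deck's code): team1-iaas.hcl, the policy attached to
# the token that team1's provisioning job authenticates with. Vault matches
# the most specific path, so the read grants below win over the trailing deny.

# This environment's own secrets: read and list only, no writes.
path "iaas/team1/*" {
  capabilities = ["read", "list"]
}

# The global cloud-provider password written on the slide above: read-only.
path "iaas/cloud-provider-password" {
  capabilities = ["read"]
}

# Every other environment under the same mount. Vault denies by default, but
# an explicit deny documents intent and survives a later broader grant.
path "iaas/*" {
  capabilities = ["deny"]
}
```

Load it with `vault policy-write team1-iaas team1-iaas.hcl` and hand the job a token from `vault token-create -policy=team1-iaas` rather than the root token implied by the `vault write` on the slide. With the file audit backend enabled (`vault audit-enable file file_path=/var/log/vault_audit.log`), every read of `iaas/cloud-provider-password` is logged against that token, with the secret value itself HMACed in the log entry rather than written in clear.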

88. [Flow diagram: The brokering framework/services; Init, Unseal, Configure Global Static Secrets]

89. [Flow diagram: The brokering framework/services; Init, Unseal, Configure Global Static Secrets; Create new environment]

90. [Flow diagram: The brokering framework/services; Init, Unseal, Configure Global Static Secrets; The cloud-env mgmt App: Create new environment, Create specific mount, policy & add secrets]

91. [Flow diagram: The brokering framework/services; Init, Unseal, Configure Global Static Secrets; The cloud-env mgmt App: Create new environment, Create specific mount, policy & add secrets, Spin up environment]

  92. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Unseal
    Init
    Get IaaS creds The
    brokering
    framework/
    services
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    98

    View Slide

  93. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    brokering
    framework/
    services
    Unseal
    Init
    Get IaaS creds
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    99

    View Slide

  94. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    The
    brokering
    framework/
    services
    Unseal
    Init
    Get IaaS creds
    Encrypt
    tfstate
    (terrahelp)
    Configure
    Global Static
    Secrets
    Spin up
    environment
    Create new
    environment
    Create specific mount,
    policy & add secrets
    https://github.com/opencredo/terrahelp
    100

    View Slide

  95. Benefits
    • Centralised secure storage solution
    • Flexible backends - “The right security for the job”

  96. Part 2: Securing the automated VM bootstrap process

  97. [Diagram: a cloud provider with a management subnet and an app subnet, plus the cloud provider metadata service. A "?" marks the open question of Part 2: how a newly created VM in the app subnet securely obtains its secrets.]

  98. [Diagram, slides 98-99: the same workflow, zoomed in on the per-environment steps. Create specific mount, policy & add secrets produces a /team1 mount holding gitcred1 = x and gitcred2 = z; Get IaaS creds and Spin up environment follow.]

  100. Vault create new mount
    $ vault mount -path=team1 generic
    Successfully mounted 'generic' at 'team1'!
    $ vault mounts
    Path         Type       Default TTL  Max TTL  Description
    cubbyhole/   cubbyhole  n/a          n/a      per-token private secr ...
    secret/      generic    system       system   generic secret storage
    sys/         system     n/a          n/a      system endpoints used f...
    team1/       generic    system       system
    (This is the pre-1.0 CLI; in current Vault the same two steps are "vault secrets enable -path=team1 kv" and "vault secrets list". A separate mount per team is what lets the policy on the following slides be scoped to team1/* and nothing else.)

  101. Vault write, then read back secret
    $ vault write team1/git-password value=ASDKJ234SF*2
    Success! Data written to: team1/git-password

    $ vault write team1/postgres-pwd value=S98KDJS#mvs3
    Success! Data written to: team1/postgres-pwd
    (Read one back with "vault read team1/git-password". Values typed on the command line end up in shell history and process listings, and characters such as * and # are shell metacharacters: quote them, or better, pass value=@file or pipe JSON in with "vault write team1/git-password -".)

  102. Vault create custom policy
    $ cat team1-vm-bootstrap.policy
    path "team1/*" {
      policy = "read"
    }
    $ vault policy-write team1-vm-bootstrap team1-vm-bootstrap.policy
    Policy 'team1-vm-bootstrap' written.
    (Read-only on team1/* and nothing else: a token carrying this policy can fetch the team's secrets but cannot rewrite them or see other mounts. The policy = "read" form is the old syntax; current Vault expects capabilities = ["read"], "vault policy write" instead of policy-write, and, on a KV version 2 mount, the path team1/data/*.)

  103. [Diagram, slides 103-111, the token handoff step by step:
    (a) The cloud-env mgmt App gets IaaS creds and generates the REAL token plus a one-time token labelled OTP with USES: 1; the REAL token is stored in the one-time token's /cubbyhole.
    (b) Spin up environment: an orch-vm appears in the dev subnet of the cloud provider, the mgmt App staying in the management subnet; only the one-time token is handed to the VM.
    (c) The orch-vm reads the /cubbyhole with the one-time token and obtains the REAL token; the one-time token drops to USES: 0 and disappears.
    (d) The orch-vm uses the REAL token to read the /team1 mount (gitcred1 = x, gitcred2 = z).]

  112. Real token - policy restricted
    $ cat team1-vm-bootstrap.policy
    path "team1/*" {
      policy = "read"
    }
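The per-team mount and read-only policy (slides 100-102) and the one-time token handoff (slides 103-112) fit together as a single exchange. The reason for the extra hop: whatever a VM is given at boot, user-data included, is readable by every process on that VM through the metadata service, so the orchestrator hands over a short-lived token that can be used exactly once, and the real, policy-restricted token only ever exists inside that token's cubbyhole. The Python below is an added example, not the talk's or HashiCorp's code. It writes both sides of the exchange against the documented Vault HTTP API (auth/token/create, cubbyhole/<key>, <mount>/<key>) and runs them offline against a constructed in-memory stand-in, FakeVault, that enforces token uses and the team1/* read-only policy. Assumed rather than taken from the slides: num_uses=2 on the temporary token (one use to fill the cubbyhole, one for the VM to empty it), the key name real-token, the 5m TTL, and the token and secret values, which are made up. Vault 0.6 and later provide this pattern natively as response wrapping (-wrap-ttl and sys/wrapping/unwrap), which is what to use today.

```python
"""Vault cubbyhole one-time-token handoff for VM bootstrap (added example).

Not code from the talk or from HashiCorp. Assumed, not on the slides:
num_uses=2 on the temp token, the cubbyhole key "real-token", the 5m TTL.
FakeVault is a constructed stand-in for the documented HTTP API (offline).
"""
import json
import urllib.error
import urllib.request

def http_send(addr):
    """Transport for a live server: send(method, path, token, body) -> JSON."""
    def send(method, path, token, body):
        req = urllib.request.Request(
            f"{addr}/v1/{path}", method=method, data=json.dumps(body).encode() if body else None,
            headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return send

def orchestrator_prepare(send, admin_token, policy):
    """Management-subnet side. Returns TEMP, the only token that leaves it."""
    real = send("POST", "auth/token/create", admin_token,
                {"policies": [policy], "no_default_policy": True})["auth"]["client_token"]
    # num_uses=2: one use to fill the cubbyhole now, one for the VM to empty it.
    temp = send("POST", "auth/token/create", admin_token,
                {"policies": ["default"], "num_uses": 2, "ttl": "5m"})["auth"]["client_token"]
    send("POST", "cubbyhole/real-token", temp, {"token": real})  # TEMP use 1 of 2
    return temp

def vm_bootstrap(send, temp_token, secret_path):
    """VM side: unwrap REAL (TEMP use 2 of 2) and fetch one secret with it."""
    try:
        real = send("GET", "cubbyhole/real-token", temp_token, None)["data"]["token"]
    except (PermissionError, urllib.error.HTTPError) as err:
        # TEMP already spent: a replay or an interception. Abort and alert, never retry.
        raise RuntimeError("temp token rejected; possible interception") from err
    return real, send("GET", secret_path, real, None)["data"]["value"]

# Readable path prefixes per policy ("" = all); mirrors the slide's team1 policy.
READ_PREFIXES = {"root": ("",), "default": (), "team1-vm-bootstrap": ("team1/",)}

class FakeVault:
    """Constructed in-memory Vault: enforces num_uses, per-token cubbyholes, read-only policies."""
    def __init__(self):
        self.tokens = {"root": {"policies": ["root"], "uses": None}}
        self.kv, self.cubby, self.n = {}, {}, 0

    def send(self, method, path, token, body):
        tok = self.tokens.get(token)
        if tok is None:
            raise PermissionError("unknown, expired or exhausted token")
        try:
            return self._handle(method, path, token, tok, body)
        finally:                                   # every request costs one use
            if tok["uses"] is not None:
                tok["uses"] -= 1
                if tok["uses"] == 0:               # revoked after its last use
                    del self.tokens[token]
                    self.cubby.pop(token, None)    # its cubbyhole dies with it

    def _handle(self, method, path, token, tok, body):
        if path == "auth/token/create" and "root" in tok["policies"]:
            self.n += 1
            new = f"s.{self.n:04d}"
            self.tokens[new] = {"policies": body["policies"], "uses": body.get("num_uses")}
            return {"auth": {"client_token": new}}
        if path.startswith("cubbyhole/"):          # private to this token, no ACL
            if method == "POST":
                self.cubby.setdefault(token, {})[path] = body
                return {}
            return {"data": self.cubby.get(token, {})[path]}
        readable = any(path.startswith(p) for pol in tok["policies"]
                       for p in READ_PREFIXES.get(pol, ()))
        if not readable or (method == "POST" and "root" not in tok["policies"]):
            raise PermissionError("denied by policy")
        if method == "POST":
            self.kv[path] = body
            return {}
        return {"data": self.kv[path]}

def _raises(exc, fn, *args):
    try:
        fn(*args)
        return False
    except exc:
        return True

def demo():
    """Run the handoff against FakeVault; the two _raises checks are the point."""
    send = FakeVault().send
    send("POST", "team1/git-password", "root", {"value": "ASDKJ234SF*2"})  # constructed
    temp = orchestrator_prepare(send, "root", "team1-vm-bootstrap")
    real, git_password = vm_bootstrap(send, temp, "team1/git-password")
    return {"git_password": git_password,
            # a replayed TEMP must be useless, and REAL must be confined to team1/*
            "replay_blocked": _raises(RuntimeError, vm_bootstrap, send, temp, "team1/git-password"),
            "other_mount_denied": _raises(PermissionError, send, "GET", "secret/other", real, None)}
```

Against a live server, pass http_send("http://127.0.0.1:8200") in place of FakeVault().send; the two halves of the exchange are unchanged. The replay check in demo() is the one that matters operationally: a temporary token that is rejected at unwrap time means someone else already spent it, which should abort the bootstrap and raise an alert rather than be retried.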

  113. [Diagram, slides 113-115: the orch-vm in the dev subnet of the cloud provider reads gitcred1 = x and gitcred2 = z from /team1 using the policy-restricted real token; the management subnet is no longer involved.]

  116. [Diagram: the orch-vm pulls secret1 = x and secret2 = z from /team1 into its Puppet run via hiera-vault, a Hiera backend that reads from Vault.]
    https://github.com/jsok/hiera-vault

  117. Secrets Management Summary
    • Vault embodies our ASAP principles
    • Centralised secure storage solution
    • Flexible backends - “The right security for the job”
    • Granular access control

  118. Conclusion

  119. How to create fast, repeatable, secure environments capable of running in different clouds!

  120.
    • Developers can create environments in minutes
    • Addressed the concerns about moving towards cloud
    • Started leveraging the promise of cloud
    • Right cloud for the job

  121.
    • Combined “the right tools for the job”
    • Flexible and adaptive moving forward

  122. “The only thing constant in life is change.”
    — François de La Rochefoucauld

  123. Be true to your principles, but flex your tools (and approach) as required

  124. Thanks. Questions?
    @techiewatt