Slide 1

Slide 1 text

Secretless Terraform (mostly)

Slide 2

Slide 2 text

@ksatirli on Twitter and GitHub, Developer Advocate at HashiCorp

Slide 3

Slide 3 text

@devops_rob on Twitter and GitHub, Developer Advocate at HashiCorp

Slide 4

Slide 4 text

Agenda
▪ Adding Secrets to Vault: creating passwords with the Random Provider
▪ Consuming Secrets with Terraform: reading passwords with the Vault Provider
▪ Questions and Answers: ask us anything (related to Terraform and Vault)

Slide 5

Slide 5 text

Adding Secrets to HashiCorp Vault, using Terraform

Slide 6

Slide 6 text

Enabling a Secrets Engine vault:8200/ui/vault/settings/mount-secret-backend/

Slide 7

Slide 7 text

Enabling a Secrets Engine vault:8200/ui/vault/settings/mount-secret-backend/

Slide 8

Slide 8 text

Enabling a Secrets Engine vault:8200/ui/vault/secrets/secret/list

Slide 9

Slide 9 text

Environment
TERMINAL
> export VAULT_ADDR="https://vault:8200"

Slide 10

Slide 10 text

Environment
TERMINAL
> vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.5.3
Cluster Name    vault

Slide 11

Slide 11 text

Environment
TERMINAL
> vault login
Token (will be hidden):
Success! You are now authenticated.

Slide 12

Slide 12 text

Vault Provider
CODE EDITOR
provider "vault" {
  # Vault configuration is set via environment variables:
  # VAULT_ADDR for the server address and VAULT_TOKEN for the token
  # (if VAULT_TOKEN is unset, the provider falls back to ~/.vault-token,
  # which `vault login` wrote in the previous step)
}

Slide 13

Slide 13 text

Generating Random Data
CODE EDITOR
resource "random_password" "pass" {
  length  = 16
  special = false  # letters and digits only
}

locals {
  # JSON document to store in Vault; the "pass" key is what the consumer reads back
  pass = jsonencode({
    "pass" : random_password.pass.result
  })
}

Slide 14

Slide 14 text

Writing Data to Vault
CODE EDITOR
resource "vault_generic_secret" "aws_db_instance" {
  path      = "secret/aws_db_instance"
  data_json = local.pass
  # Note: the generated password is also recorded in Terraform state, so the
  # state file must be protected as carefully as the Vault secret itself
}

Slide 15

Slide 15 text

Writing Data to Vault
TERMINAL
> terraform plan -out="provisioner.tfplan"

Terraform will perform the following actions:

  # vault_generic_secret.aws_db_instance will be created
  + resource "vault_generic_secret" "aws_db_instance" {
      + data         = (sensitive value)
      + data_json    = (sensitive value)
      + disable_read = false
      + id           = (known after apply)
      + path         = "secret/aws_db_instance"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Slide 16

Slide 16 text

Writing Data to Vault
TERMINAL
> terraform apply "provisioner.tfplan"
vault_generic_secret.aws_db_instance: Creating...
vault_generic_secret.aws_db_instance: Creation complete after 0s

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

The state of your infrastructure has been saved to the path below.
This state is required to modify and destroy your infrastructure, so keep it safe.
To inspect the complete state use the `terraform show` command.

State path: terraform.tfstate

Slide 17

Slide 17 text

Writing Data to Vault
TERMINAL
Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

State path: terraform.tfstate

Outputs:

instance_password = tx964n7QA2cD3xmi

Slide 18

Slide 18 text

Verifying Data in Vault vault:8200/ui/vault/secrets/secret/list

Slide 19

Slide 19 text

Verifying Data in Vault vault:8200/ui/vault/secrets/secret/show/aws_db_instance
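
As an added example (this is not code from the deck or from the github.com/ksatirli/secretless-terraform repository), here is the provisioner side of the previous slides as one configuration, with three additions a practitioner would want: a rotation trigger via keepers, an output marked sensitive so the password no longer appears in the apply output, and a Vault policy that limits the consumer to reading this one path. It assumes Terraform 0.13 or newer, a KV version 2 engine mounted at secret/ (the default mount shown in the UI screenshots), a token with permission to write the secret and the policy exported as VAULT_TOKEN, and the variable name rotation_id and policy name db-consumer, both invented here.

```hcl
# Added example: provisioner configuration (generate a password, store it in Vault).
# Assumes VAULT_ADDR and VAULT_TOKEN are exported and "secret/" is a KV v2 mount.
terraform {
  required_version = ">= 0.13"
  required_providers {
    random = { source = "hashicorp/random" }
    vault  = { source = "hashicorp/vault" }
  }
}

provider "vault" {
  # Address and token come from VAULT_ADDR / VAULT_TOKEN (or ~/.vault-token after `vault login`).
  # The provider exchanges that token for a short-lived child token for this run;
  # 600 seconds is plenty for a plan/apply and shorter than the 20 minute default.
  max_lease_ttl_seconds = 600
}

# Assumed variable (not in the deck): change its value to force a new password.
variable "rotation_id" {
  type    = string
  default = "1"
}

resource "random_password" "pass" {
  length  = 24
  special = true
  # RDS master passwords may not contain "/", "@", a double quote or a single quote,
  # so restrict the special characters to a set RDS accepts.
  override_special = "!#$%&*()-_=+[]{}<>:?"
  # Changing any keeper makes Terraform generate a new password on the next apply.
  keepers = {
    rotation_id = var.rotation_id
  }
}

resource "vault_generic_secret" "aws_db_instance" {
  path = "secret/aws_db_instance"
  # Same "pass" key the deck's consumer reads.
  data_json = jsonencode({
    pass = random_password.pass.result
  })
}

# Least-privilege policy for the consumer run: read access to this one secret only.
# KV v2 reads go through the "data/" sub-path of the mount, hence "secret/data/...".
resource "vault_policy" "db_consumer" {
  name   = "db-consumer"
  policy = <<-EOT
    path "secret/data/aws_db_instance" {
      capabilities = ["read"]
    }
  EOT
}

output "instance_password" {
  value = random_password.pass.result
  # Redacted in plan/apply output; read it back deliberately with
  # `terraform output -raw instance_password`.
  sensitive = true
}
```

Marking the output sensitive only changes what Terraform prints. The password is still stored in clear text in terraform.tfstate (as the result of random_password and as the data of vault_generic_secret), so the state file needs the same protection as the Vault secret: an encrypted, access-controlled remote backend rather than a local terraform.tfstate.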

Slide 20

Slide 20 text

Consuming Secrets with HashiCorp Terraform

Slide 21

Slide 21 text

Reading Data from Vault
CODE EDITOR
# Network scaffolding for the RDS instance; the bodies are collapsed on the slide.
data "aws_vpc" "secretless_terraform" {
}

resource "aws_security_group" "secretless_terraform" {
}

# Named "allow_mysql_from_self" in the plan and apply output that follows.
resource "aws_security_group_rule" "allow_mysql_from_self" {
}

Slide 22

Slide 22 text

Reading Data from Vault
CODE EDITOR
data "vault_generic_secret" "aws_db_instance" {
  path    = "secret/aws_db_instance"
  version = 1  # pin to version 1 of the KV v2 secret; omit to read the latest version
}

resource "aws_db_instance" "secretless_terraform" {
  # Reference the data source declared above and the "pass" key written by the provisioner
  password = data.vault_generic_secret.aws_db_instance.data["pass"]
}

Slide 23

Slide 23 text

Reading Data from Vault
TERMINAL
Terraform will perform the following actions:

  # aws_db_instance.secretless_terraform will be created
  + resource "aws_db_instance" "secretless_terraform" {
      + password = (sensitive value)
    }

  # aws_security_group.secretless_terraform will be created
  + resource "aws_security_group" "secretless_terraform" {}

  # aws_security_group_rule.allow_mysql_from_self will be created
  + resource "aws_security_group_rule" "allow_mysql_from_self" {}

Plan: 3 to add, 0 to change, 0 to destroy.

Slide 24

Slide 24 text

Reading Data from Vault
TERMINAL
> terraform apply "consumer.tfplan"
aws_security_group.secretless_terraform: Creating...
aws_security_group.secretless_terraform: Creation complete
aws_security_group_rule.allow_mysql_from_self: Creating...
aws_security_group_rule.allow_mysql_from_self: Creation complete
aws_db_instance.secretless_terraform: Creating...
aws_db_instance.secretless_terraform: Creation complete

Apply complete! Resources: 3 added, 0 changed, 0 destroyed.

Outputs:

Slide 25

Slide 25 text

Reading Data from Vault
TERMINAL
Outputs:

connection_string = \
  mysql --host="instance.eu-west-2.rds.amazonaws.com" \
    --port="3306" \
    --user="devops" \
    --password="tx964n7QA2cD3xmi"

Slide 26

Slide 26 text

Connecting to RDS
TERMINAL
mysql --host="instance.eu-west-2.rds.amazonaws.com" --port="3306" --user="devops" --password="tx964n7QA2cD3xmi"
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.
Server version: 5.5.5-10.4.8-MariaDB Source distribution

Slide 27

Slide 27 text

Connecting to RDS
TERMINAL
mysql> SHOW DATABASES;
+----------------------+
| Database             |
+----------------------+
| information_schema   |
| innodb               |
| mysql                |
| performance_schema   |
| secretless_terraform |
| test                 |
+----------------------+
6 rows in set (0.10 sec)
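
As an added example for the consumer side (again not code from the deck or the repository), the following configuration fills in the blocks collapsed on the slides and changes two things a practitioner would want: the consumer authenticates to Vault with AppRole instead of a person's token, and the output carries the connection target without the password, where the deck's connection_string output (and the mysql warning that follows it) shows the password in clear text. It assumes Terraform 0.14 or newer, AWS provider 3.x or newer, an AppRole bound to a policy that can read secret/data/aws_db_instance, the variable names role_id and secret_id (invented here, supplied by the pipeline as TF_VAR_role_id and TF_VAR_secret_id), the account's default VPC, and the same "pass" key the deck writes.

```hcl
# Added example: consumer configuration (read the password from Vault, create the RDS instance).
# Assumes an AppRole whose policy grants read on secret/data/aws_db_instance; role_id and
# secret_id are passed in by the CI system and never committed.
terraform {
  required_version = ">= 0.14"
  required_providers {
    aws   = { source = "hashicorp/aws" }
    vault = { source = "hashicorp/vault" }
  }
}

variable "role_id" {
  type = string
}

variable "secret_id" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}

provider "aws" {
  region = "eu-west-2" # matches the RDS endpoint shown in the deck
}

provider "vault" {
  # VAULT_ADDR from the environment; authenticate with AppRole instead of a personal token.
  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = var.role_id
      secret_id = var.secret_id
    }
  }
}

data "aws_vpc" "secretless_terraform" {
  default = true # assumption: the account's default VPC
}

resource "aws_security_group" "secretless_terraform" {
  name   = "secretless-terraform"
  vpc_id = data.aws_vpc.secretless_terraform.id
}

# MySQL reachable only from members of the same security group, not from 0.0.0.0/0.
resource "aws_security_group_rule" "allow_mysql_from_self" {
  type              = "ingress"
  from_port         = 3306
  to_port           = 3306
  protocol          = "tcp"
  self              = true
  security_group_id = aws_security_group.secretless_terraform.id
}

# No "version" argument: read the latest version of the KV v2 secret.
data "vault_generic_secret" "aws_db_instance" {
  path = "secret/aws_db_instance"
}

resource "aws_db_instance" "secretless_terraform" {
  identifier             = "secretless-terraform"
  engine                 = "mysql"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "devops"
  password               = data.vault_generic_secret.aws_db_instance.data["pass"]
  vpc_security_group_ids = [aws_security_group.secretless_terraform.id]
  skip_final_snapshot    = true # lab setting; keep a final snapshot for real databases
}

# Connection target without the password; the password stays in Vault.
output "connection" {
  value = {
    host = aws_db_instance.secretless_terraform.address
    port = aws_db_instance.secretless_terraform.port
    user = aws_db_instance.secretless_terraform.username
  }
}
```

To connect, fetch the password at that moment with `vault kv get -field=pass secret/aws_db_instance` and hand it to the client through the MYSQL_PWD environment variable rather than `--password=...`, which is what the client's "Using a password on the command line interface can be insecure" warning in the deck is about (a password on the command line is visible in the process list and shell history). Two caveats remain even with this layout: the data source result and the password argument of aws_db_instance are both stored in clear text in terraform.tfstate, and the AppRole secret_id is itself a credential, so it should be short-lived and delivered by the CI system for each run, not stored alongside the code.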

Slide 28

Slide 28 text

Materials
▪ slides: speakerdeck.com/ksatirli/secretless-terraform
▪ code: github.com/ksatirli/secretless-terraform
▪ functions: hashi.co/tf-functions
▪ tutorials: hashi.co/tf-vault-tutorial
▪ forums: hashi.co/vault-forums

Slide 29

Slide 29 text

An online HashiCorp community experience, October 12-15, 2020, US West daytime hours (PT)

Slide 30

Slide 30 text

Thank You rbarnes@hashicorp.com and kerim@hashicorp.com