-
Notifications
You must be signed in to change notification settings - Fork 131
/
Copy pathvault-terraform-integration
97 lines (64 loc) · 2.3 KB
/
vault-terraform-integration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/bin/bash
echo "####################"
echo "####################"
echo "installing vault cli"
echo "####################"
echo "####################"
sudo apt update && sudo apt install gpg wget
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
sudo apt update && sudo apt install vault
### Start vault in developer mode
vault server -dev
# Access vault in browser - http://127.0.0.0:8200
# Get token from the output text
Browser -> secret engines -> enable new engine -> aws -> name=ec2-full-access
AWS -> IaM -> Policies -> EC2FullAccess -> JSON -> copy
Paste in vault/aws/ec2-full-access -> policy document
## Create Vault Admin user in IAM
IAM -> Create User -> vault-admin -> administrator access policy -> create user's access key and secret key
PASTE the vault-admin access key and secret key in: secrets engines -> aws -> configure
Now select -> secrets engines -> aws -> ec2-full-access -> generate -> generate aws credentials
Copy the access key and secret key shown in output %%
This will create a new user in AWS IAM .. check under users
We can now use this %% access key and secret key to create aws profile to be used with terraform
aws configure --profile vault-user
paste the access key and secret key %%
aws configure list --profile vault-user
------
Now lets create a project to use this user creds
------
mkdir vault-check
cd vault-check
vim terraform.tf
terraform {
required_version = "~> 1.3"
required_providers {
vault = {
source = "hashicorp/vault"
}
aws = {
source = "hashicorp/aws"
}
}
}
vim provider.tf
provider "aws" {
region = "ap-south-1"
profile = "vault-user"
}
provider "vault" {
address = "http://127.0.0.1:8200"
}
vim main.tf
resource "aws_instance" "indiaserver" {
ami = "ami-0c1a7f89451184c8b" #this ami is specific to mumbai region
instance_type = "t2.micro"
tags = {
Name = "india-server"
}
}
terraform init
terraform plan
terraform apply