Terraform & Vault - Un duo d'enfer!
Download as PPTX, PDF0 likes820 views
The document discusses the integration of Terraform and Vault for infrastructure management and secret management across platforms like AWS, GCP, and Azure. It describes various features and functionalities such as authentication methods, token management, and the use of Vault for obtaining AWS temporary credentials. Several demo scenarios illustrate how these tools can be combined to manage resources and secrets efficiently.
Terraform & Vault - Un duo d'enfer!
- 1. Terraform & Vault - Un duo d’Enfer
- 2. Oxalide Conseil, Infogérance & Hébergement Media / SaaS / E-commerce $ whoami Consultant Architecture & DevOps Théo Chamley theo.ch@mley.fr @MrTrustor
- 3. Infrastructure-as-Code AWS, GCP, Azure, OpenStack… Write ➢ Plan ➢ Apply https://www.terraform.io/ https://www.vaultproject.io/ Secret management Simple REST API Several « secret backends »
- 4. Terraform Infrastructure-as-Code Perfect to manage AWS (and other) resources resource "aws_instance" "web" { ami = “ami-xxxxxx” instance_type = "t2.micro” tags { Name = "HelloHUG" } }
- 5. DEMO 1 - Terraform
- 6. Vault Secret managment Consul MySQL AWS etc. Secret backends Vault Encryption Authentification ACLs… User Vault CLI Vault client libs etc. REST API Clients
- 7. Vault concepts Tokens ➢ Main authentication method. The other methods dynamically generate tokens. Leases, TTL, Hierarchies, etc. Authentication ➢ Verify an identity Several authentication backends (LDAP, App ID, etc.) (Un)seal ➢ Decrypt the encryption key Need a certain number of shards to get the master key Policies ➢ ACLs associated to paths in Vault. Given to token when they are created
- 8. DEMO 2 - Vault
- 9. Vault & AWS STS Using Vault to get AWS Credentials Vault Root AWS Account Target AWS Account IAM CrossAccount target role AssumeRole Temporary Credentials AWS STS AWS Secret Backend • Vault authenticates against AWS IAM • Uses a role that can connect to another account • Gets temporary credentials for this role from STS
- 10. DEMO 3 - Vault + AWS
- 11. Terraform + Vault Vault AWS Terraform STS Credentials
- 12. DEMO 4 - Vault + Terraform + AWS
- 13. Links • Source: https://github.com/MrTrustor/terraform-vault-demo • Terraform: https://www.terraform.io/ • Vault: https://www.vaultproject.io/
Editor's Notes
- #2: Comment est-ce qu’Oxalide utilise Terraform et Vault pour que des dizaines d’ingénieurs puissent gérer des dizaines de comptes AWS de manière sécurisée ? Je parle sous la surveillance de notre directeur technique/RSSI ici présent, donc si vous le voyez me plaquer soudainement au sol, ne vous étonnez pas, c’est que j’ai juste dépassé la limite de ce que j’ai le droit de dire
- #4: Vous avez déjà vu une démonstration de Terraform ce soir, donc je ne vais pas trop passer de temps dessus. On va surtout voir comment on peut faire interragir Terraform, Vault et AWS.