From 3b4df0395cbde2485adb4527f15d0ebdfe6ae10e Mon Sep 17 00:00:00 2001 From: Sibi Prabakaran Date: Fri, 12 Jul 2019 01:08:49 +0530 Subject: [PATCH 1/9] WIP: Vault and IAM integration --- examples/vault-s3-private/Makefile | 49 ++++++++++ examples/vault-s3-private/README.md | 128 +++++++++++++++++++++++++ examples/vault-s3-private/main.tf | 67 +++++++++++++ examples/vault-s3-private/variables.tf | 56 +++++++++++ modules/vault-aws-backend/README.md | 6 ++ modules/vault-aws-backend/main.tf | 25 +++++ modules/vault-aws-backend/variables.tf | 55 +++++++++++ modules/vault-iam/Makefile | 43 +++++++++ modules/vault-iam/README.md | 7 ++ modules/vault-iam/main.tf | 44 +++++++++ modules/vault-iam/outputs.tf | 7 ++ 11 files changed, 487 insertions(+) create mode 100644 examples/vault-s3-private/Makefile create mode 100644 examples/vault-s3-private/README.md create mode 100644 examples/vault-s3-private/main.tf create mode 100644 examples/vault-s3-private/variables.tf create mode 100644 modules/vault-aws-backend/README.md create mode 100644 modules/vault-aws-backend/main.tf create mode 100644 modules/vault-aws-backend/variables.tf create mode 100644 modules/vault-iam/Makefile create mode 100644 modules/vault-iam/README.md create mode 100644 modules/vault-iam/main.tf create mode 100644 modules/vault-iam/outputs.tf diff --git a/examples/vault-s3-private/Makefile b/examples/vault-s3-private/Makefile new file mode 100644 index 00000000..3694c5c4 --- /dev/null +++ b/examples/vault-s3-private/Makefile 
@@ -0,0 +1,49 @@ +.PHONY: init plan apply destroy clean + +.DEFAULT_GOAL = help + +# Hardcoding value of 3 minutes when we check if the plan file is stale +STALE_PLAN_FILE := `find "tf.out" -mmin -3 | grep -q tf.out` + +## Check if tf.out is stale (Older than 2 minutes) +check-plan-file: + @if ! ${STALE_PLAN_FILE} ; then \ + echo "ERROR: Stale tf.out plan file (older than 3 minutes)!"; \ + exit 1; \ + fi + +## Runs terraform get and terraform init for env +init: + @terraform get + @terraform init + +## use 'terraform plan' to map out updates to apply +plan: + @terraform plan -out=tf.out + +## use 'terraform apply' to apply updates in a 'tf.out' plan file +apply: check-plan-file + @terraform apply tf.out + +## use 'terraform destroy' to remove all resources from AWS +destroy: + @terraform destroy + +## rm -rf all files and state +clean: + @rm -f tf.out + @rm -f terraform.*.backup + @rm -f terraform.tfstate + +## Show help screen. +help: + @echo "Please use \`make ' where is one of\n\n" + @awk '/^[a-zA-Z\-\_0-9]+:/ { \ + helpMessage = match(lastLine, /^## (.*)/); \ + if (helpMessage) { \ + helpCommand = substr($$1, 0, index($$1, ":")-1); \ + helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \ + printf "%-30s %s\n", helpCommand, helpMessage; \ + } \ + } \ + { lastLine = $$0 }' $(MAKEFILE_LIST) diff --git a/examples/vault-s3-private/README.md b/examples/vault-s3-private/README.md new file mode 100644 index 00000000..8bb524ff --- /dev/null +++ b/examples/vault-s3-private/README.md 
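Review bot: The target comment `## Check if tf.out is stale (Older than 2 minutes)` disagrees with `STALE_PLAN_FILE` (`-mmin -3`) and with the error message (3 minutes); `## Check if tf.out is stale (older than 3 minutes)` matches the code. When `tf.out` is absent, `find` fails and the same "stale" error is printed, which misleads a first `make apply` run without `make plan`; a `test -f tf.out` check with its own message before the age check would make that clear. The `clean` target removes `terraform.tfstate`, so running it before `make destroy` orphans the bucket, IAM role and policy this example creates in AWS; a comment on `clean` saying it must follow `destroy`, or a guard that refuses while `terraform.tfstate` still lists resources, is worth adding. examples/vault-iam/Makefile in patch 3 duplicates this file and has the same comment mismatch.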
@@ -0,0 +1,128 @@ +# Example showing Vault and IAM Integration + +This example creates a private s3 bucket resources. It then uses vault +to create keys which only has access to those s3 buckets. The example +code will create an IAM role with access to that bucket and will also +configure vault so that we can dynamically generate credentials for +accessing that bucket. + +## Requirements + +These are the required things for this example: + +* A running vault server. If you just want to experiment with this, + run a development server using: + +``` shellsession +vault server -dev +``` + +* The AWS access and secret keys for an IAM user which the AWS Secret + Backend for Vault will use for issuing new credentials. If you don't + have any, you can create one using [vault-iam + module](../../modules/vault-iam). You need to put the access keys in + [variables.tf](./variables.tf) + + +## Environment creation and deployment + +``` shellsession +$ make init +$ make plan +$ make apply +module.vault_aws_backend.vault_aws_secret_backend.aws: Creating... +module.vault_aws_backend.vault_aws_secret_backend.aws: Creation complete after 0s [id=fpco/aws/dev/vault] +aws_iam_role.vault_bucket_role: Creating... +aws_s3_bucket.vault-test-bucket: Creating... +aws_iam_role.vault_bucket_role: Still creating... [10s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [10s elapsed] +aws_iam_role.vault_bucket_role: Still creating... [20s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [20s elapsed] +aws_iam_role.vault_bucket_role: Creation complete after 22s [id=bucket_access_role] +module.vault_aws_backend.vault_aws_secret_backend_role.aws_role: Creating... +module.vault_aws_backend.vault_aws_secret_backend_role.aws_role: Creation complete after 0s [id=fpco/aws/dev/vault/roles/s3_app_user] +aws_s3_bucket.vault-test-bucket: Still creating... [30s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... 
[40s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [50s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [1m0s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [1m10s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [1m20s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [1m30s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [1m40s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [1m50s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [2m0s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [2m10s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [2m20s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [2m30s elapsed] +aws_s3_bucket.vault-test-bucket: Still creating... [2m40s elapsed] +aws_s3_bucket.vault-test-bucket: Creation complete after 2m48s [id=vault-fpco-test-bucket] +aws_iam_role_policy.vault_bucket_policy: Creating... +aws_iam_role_policy.vault_bucket_policy: Still creating... [10s elapsed] +aws_iam_role_policy.vault_bucket_policy: Still creating... [20s elapsed] +aws_iam_role_policy.vault_bucket_policy: Creation complete after 24s [id=bucket_access_role:bucket-policy] + +Apply complete! Resources: 5 added, 0 changed, 0 destroyed. + +The state of your infrastructure has been saved to the path +below. This state is required to modify and destroy your +infrastructure, so keep it safe. To inspect the complete state +use the `terraform show` command. + +State path: terraform.tfstate +``` + +## Testing + +Make sure you are already authorized with the vault server. If not, +use `vault login` to do it. 
And then, you can dynamically create AWS +credentials for accessing the s3 bucket you created: + +``` shellsession +$ vault read fpco/aws/dev/vault/creds/s3_app_user +Key Value +--- ----- +lease_id fpco/aws/prod/vault/creds/s3_app_user/eJcLUNbpTNRFpLoTL9mEW76p +lease_duration 14m59s +lease_renewable false +access_key xxx +secret_key xxx +security_token xxx +``` + +Now let's try to see all the files in our bucket: + +``` shellsession +$ env AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx AWS_SESSION_TOKEN=xxx aws s3 ls s3://vault-fpco-test-bucket +``` + +It gives you no output since there are no files. But the command +works, which confirms us that the generated credentials are working as +expected. + +Now let's try to do something for which you don't have access with the +same credentials: + +``` shellsession +$ env AWS_ACCESS_KEY_ID=xxxx AWS_SECRET_ACCESS_KEY=xxxx AWS_SESSION_TOKEN=xxx aws ec2 describe-instances --region="us-east-2" +An error occurred (UnauthorizedOperation) when calling the DescribeInstances operation: You are not authorized to perform this operation. +``` + +That doesn't work, which is expected. Let's try to see if we can +access files of some other buckets which is present: + +``` shellsession +$ env AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx AWS_SESSION_TOKEN=xxx aws s3 ls s3://some-other-existing-bucket +An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied +``` + +## Destruction + +``` shellsession +$ make destroy +$ make clean +``` + +## Notes + +- This example was last tested with `Terraform v0.12.3` +- This example assumes AWS credentials setup with access to the **us-east-2** region. diff --git a/examples/vault-s3-private/main.tf b/examples/vault-s3-private/main.tf new file mode 100644 index 00000000..f16ac0dd --- /dev/null +++ b/examples/vault-s3-private/main.tf 
@@ -0,0 +1,67 @@ +resource "aws_s3_bucket" "vault-test-bucket" { + bucket = "vault-fpco-test-bucket" + acl = "private" + region = "us-east-2" + + tags = { + Name = "Vault test bucket" + Environment = "Dev" + } +} + +# Here we allow everyone to assume this role. In production systems +# it's best to restrict it's scope so that only some IAM users are +# able to assume this role. +resource "aws_iam_role" "vault_bucket_role" { + name = "bucket_access_role" + + assume_role_policy = <' where is one of\n\n" + @awk '/^[a-zA-Z\-\_0-9]+:/ { \ + helpMessage = match(lastLine, /^## (.*)/); \ + if (helpMessage) { \ + helpCommand = substr($$1, 0, index($$1, ":")-1); \ + helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \ + printf "%-30s %s\n", helpCommand, helpMessage; \ + } \ + } \ + { lastLine = $$0 }' $(MAKEFILE_LIST) diff --git a/modules/vault-iam/README.md b/modules/vault-iam/README.md new file mode 100644 index 00000000..0103b046 --- /dev/null +++ b/modules/vault-iam/README.md @@ -0,0 +1,7 @@ +# Vault IAM user + +When setting up vault with AWS as it's secret engine, you need to have +AWS secret and access keys for an IAM user with relevant +permission. This module sets up the user with relevant policies. + +Todo: Try with different resour4ce diff --git a/modules/vault-iam/main.tf b/modules/vault-iam/main.tf new file mode 100644 index 00000000..630b9ae4 --- /dev/null +++ b/modules/vault-iam/main.tf 
@@ -0,0 +1,44 @@ +resource "aws_iam_user" "vault_user" { + name = "vault_user" + tags = { + "user" = "vault" + } +} + +resource "aws_iam_access_key" "vaultkey" { + user = "${aws_iam_user.vault_user.name}" +} + +resource "aws_iam_user_policy" "vault_user_policy" { + name = "vault_user_policy" + user = "${aws_iam_user.vault_user.name}" + + policy = < Date: Wed, 17 Jul 2019 21:41:00 +0530 Subject: [PATCH 2/9] Generalize IAM user and associated policy --- modules/iam-user-policy/README.md | 9 +++++++++ modules/iam-user-policy/main.tf | 13 +++++++++++++ modules/iam-user-policy/outputs.tf | 3 +++ modules/iam-user-policy/variables.tf | 20 ++++++++++++++++++++ 4 files changed, 45 insertions(+) create mode 100644 modules/iam-user-policy/README.md create mode 100644 modules/iam-user-policy/main.tf create mode 100644 modules/iam-user-policy/outputs.tf create mode 100644 modules/iam-user-policy/variables.tf diff --git a/modules/iam-user-policy/README.md b/modules/iam-user-policy/README.md new file mode 100644 index 00000000..2bc08c27 --- /dev/null +++ b/modules/iam-user-policy/README.md @@ -0,0 +1,9 @@ +# IAM user and associated policy + +This module creates IAM user and associates supplied IAM policy with +the created user. + +Further resources: + +* [AWS Policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) +* [AWS IAM Policy Documents with terraform](https://www.terraform.io/docs/providers/aws/guides/iam-policy-documents.html) diff --git a/modules/iam-user-policy/main.tf b/modules/iam-user-policy/main.tf new file mode 100644 index 00000000..9df976a3 --- /dev/null +++ b/modules/iam-user-policy/main.tf 
@@ -0,0 +1,13 @@
+resource "aws_iam_user" "iam_user" {
+ name = "${var.user_name}"
+ tags = {
+ "user" = "${var.user_name}",
+ "stage" = "${var.stage}"
+ }
+}
+
+resource "aws_iam_user_policy" "iam_user_policy" {
+ name = "${var.iam_policy_name}"
+ user = "${aws_iam_user.iam_user.name}"
+ policy = "${var.iam_user_policy}"
+}
diff --git a/modules/iam-user-policy/outputs.tf b/modules/iam-user-policy/outputs.tf
new file mode 100644
index 00000000..d7d06dd9
--- /dev/null
+++ b/modules/iam-user-policy/outputs.tf
@@ -0,0 +1,3 @@
+output "user_name" {
+ value = "${aws_iam_user.iam_user.name}"
+}
diff --git a/modules/iam-user-policy/variables.tf b/modules/iam-user-policy/variables.tf
new file mode 100644
index 00000000..c1b39aee
--- /dev/null
+++ b/modules/iam-user-policy/variables.tf
@@ -0,0 +1,20 @@
+variable "user_name" {
+ description = "Name of the IAM user that needs to be created"
+ type = "string"
+}
+
+variable "stage" {
+ description = "Environment stage to indicate whether it is prod/staging or dev. Used for tagging purpose."
+ type = "string"
+ default = "dev"
+}
+
+variable "iam_policy_name" {
+ description = "Policy name for the IAM user"
+ type = "string"
+}
+
+variable "iam_user_policy" {
+ description = "The policy document. This is a JSON formatted string."
+ type = "string"
+}
From c0539b63c135a276ae1697db9bfb6d7ebd417cd1 Mon Sep 17 00:00:00 2001
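Review bot: `aws_iam_user.iam_user` sets no `force_destroy`, so `terraform destroy` fails with a DeleteConflict if the user has picked up an access key, login profile or MFA device outside this configuration (keys created by Terraform itself, as in the vault-iam example, are fine); for a module that creates a long-lived service user it is worth exposing it, e.g. `force_destroy = var.force_destroy` with a `false` default. The module outputs only `user_name`; an `arn` output (`value = "${aws_iam_user.iam_user.arn}"`) lets callers reference the user in trust policies without rebuilding the ARN. `iam_user_policy` is passed through as an opaque JSON string, so a malformed document is only caught at apply time — the description could point callers at `jsonencode(...)` or the `aws_iam_policy_document` data source the README already links, which catches it at plan.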
From: Sibi Prabakaran Date: Thu, 18 Jul 2019 12:12:23 +0530 Subject: [PATCH 3/9] Add example for creating vault user --- examples/vault-iam/Makefile | 43 +++++++++++++++++++++++++++++++++ examples/vault-iam/README.md | 10 ++++++++ examples/vault-iam/main.tf | 39 ++++++++++++++++++++++++++++++ examples/vault-iam/outputs.tf | 7 ++++++ examples/vault-iam/variables.tf | 4 +++ 5 files changed, 103 insertions(+) create mode 100644 examples/vault-iam/Makefile create mode 100644 examples/vault-iam/README.md create mode 100644 examples/vault-iam/main.tf create mode 100644 examples/vault-iam/outputs.tf create mode 100644 examples/vault-iam/variables.tf diff --git a/examples/vault-iam/Makefile b/examples/vault-iam/Makefile new file mode 100644 index 00000000..6a60f4c8 --- /dev/null +++ b/examples/vault-iam/Makefile 
@@ -0,0 +1,43 @@ +.PHONY: init plan apply destroy clean + +.DEFAULT_GOAL = help + +# Hardcoding value of 3 minutes when we check if the plan file is stale +STALE_PLAN_FILE := `find "tf.out" -mmin -3 | grep -q tf.out` + +## Check if tf.out is stale (Older than 2 minutes) +check-plan-file: + @if ! ${STALE_PLAN_FILE} ; then \ + echo "ERROR: Stale tf.out plan file (older than 3 minutes)!"; \ + exit 1; \ + fi + +## Runs terraform get and terraform init for env +init: + @terraform get + @terraform init + +## use 'terraform plan' to map out updates to apply +plan: + @terraform plan -out=tf.out + +## use 'terraform apply' to apply updates in a 'tf.out' plan file +apply: check-plan-file + @terraform apply tf.out + +## use 'terraform destroy' to remove all resources from AWS +destroy: + @terraform destroy + +## Show help screen. +help: + @echo "Please use \`make ' where is one of\n\n" + @awk '/^[a-zA-Z\-\_0-9]+:/ { \ + helpMessage = match(lastLine, /^## (.*)/); \ + if (helpMessage) { \ + helpCommand = substr($$1, 0, index($$1, ":")-1); \ + helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \ + printf "%-30s %s\n", helpCommand, helpMessage; \ + } \ + } \ + { lastLine = $$0 }' $(MAKEFILE_LIST) diff --git a/examples/vault-iam/README.md b/examples/vault-iam/README.md new file mode 100644 index 00000000..bcfdac27 --- /dev/null +++ b/examples/vault-iam/README.md @@ -0,0 +1,10 @@ +# Vault IAM user + +When setting up vault with AWS as it's secret engine, you need to have +AWS secret and access keys for an IAM user with relevant +permission. This example creates IAM user named "vault_user" and +appropriate policy for it. + +In order for this example to create keys, you need to modify +`variables.tf` appropriately. + diff --git a/examples/vault-iam/main.tf b/examples/vault-iam/main.tf new file mode 100644 index 00000000..ba19188f --- /dev/null +++ b/examples/vault-iam/main.tf 
@@ -0,0 +1,39 @@ +resource "aws_iam_access_key" "vaultkey" { + user = "${module.vault_iam_user_policy.user_name}" + count = "${var.key_count}" +} + +module "vault_iam_user_policy" { + source = "../../modules/iam-user-policy/" + user_name = "vault_user" + stage = "dev" + iam_policy_name = "vault_user_policy" + iam_user_policy = < Date: Thu, 18 Jul 2019 12:13:15 +0530 Subject: [PATCH 4/9] Update iam-user-policy module --- modules/iam-user-policy/README.md | 6 +++--- modules/iam-user-policy/main.tf | 8 ++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/modules/iam-user-policy/README.md b/modules/iam-user-policy/README.md index 2bc08c27..21460867 100644 --- a/modules/iam-user-policy/README.md +++ b/modules/iam-user-policy/README.md @@ -1,7 +1,7 @@ -# IAM user and associated policy +# IAM user and policy -This module creates IAM user and associates supplied IAM policy with -the created user. +This module creates IAM user and policy and associates it with the +created user. Further resources: diff --git a/modules/iam-user-policy/main.tf b/modules/iam-user-policy/main.tf index 9df976a3..fdbc4619 100644 --- a/modules/iam-user-policy/main.tf +++ b/modules/iam-user-policy/main.tf @@ -6,8 +6,12 @@ resource "aws_iam_user" "iam_user" { } } -resource "aws_iam_user_policy" "iam_user_policy" { +resource "aws_iam_policy" "iam_policy" { name = "${var.iam_policy_name}" - user = "${aws_iam_user.iam_user.name}" policy = "${var.iam_user_policy}" } + +resource "aws_iam_user_policy_attachment" "iam_user_policy" { + user = "${aws_iam_user.iam_user.name}" + policy_arn = "${aws_iam_policy.iam_policy.arn}" +} From 36b343a5309c93fa86cf161a1f3c5278540e9551 Mon Sep 17 00:00:00 2001 
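Review bot: `aws_iam_policy.iam_policy` is a customer managed policy whose `name` must be unique within the account, so two instantiations of this module with the same `iam_policy_name` (or a re-apply after a partially failed destroy) now fail with EntityAlreadyExists, whereas the inline `aws_iam_user_policy` it replaces was scoped to the user. Deriving the name from the user, e.g. `name = "${var.user_name}-${var.iam_policy_name}"`, or stating the uniqueness requirement in the `iam_policy_name` description avoids the collision. A `description` argument on the managed policy would also help, since managed policies are listed account-wide and this one says nothing about which user it belongs to.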
From: Sibi Prabakaran Date: Thu, 18 Jul 2019 12:17:36 +0530 Subject: [PATCH 5/9] Remove vault-iam module --- modules/vault-iam/Makefile | 43 ----------------------------------- modules/vault-iam/README.md | 7 ------ modules/vault-iam/main.tf | 44 ------------------------------------ modules/vault-iam/outputs.tf | 7 ------ 4 files changed, 101 deletions(-) delete mode 100644 modules/vault-iam/Makefile delete mode 100644 modules/vault-iam/README.md delete mode 100644 modules/vault-iam/main.tf delete mode 100644 modules/vault-iam/outputs.tf diff --git a/modules/vault-iam/Makefile b/modules/vault-iam/Makefile deleted file mode 100644 index 6a60f4c8..00000000 --- a/modules/vault-iam/Makefile +++ /dev/null @@ -1,43 +0,0 @@ -.PHONY: init plan apply destroy clean - -.DEFAULT_GOAL = help - -# Hardcoding value of 3 minutes when we check if the plan file is stale -STALE_PLAN_FILE := `find "tf.out" -mmin -3 | grep -q tf.out` - -## Check if tf.out is stale (Older than 2 minutes) -check-plan-file: - @if ! ${STALE_PLAN_FILE} ; then \ - echo "ERROR: Stale tf.out plan file (older than 3 minutes)!"; \ - exit 1; \ - fi - -## Runs terraform get and terraform init for env -init: - @terraform get - @terraform init - -## use 'terraform plan' to map out updates to apply -plan: - @terraform plan -out=tf.out - -## use 'terraform apply' to apply updates in a 'tf.out' plan file -apply: check-plan-file - @terraform apply tf.out - -## use 'terraform destroy' to remove all resources from AWS -destroy: - @terraform destroy - -## Show help screen. -help: - @echo "Please use \`make ' where is one of\n\n" - @awk '/^[a-zA-Z\-\_0-9]+:/ { \ - helpMessage = match(lastLine, /^## (.*)/); \ - if (helpMessage) { \ - helpCommand = substr($$1, 0, index($$1, ":")-1); \ - helpMessage = substr(lastLine, RSTART + 3, RLENGTH); \ - printf "%-30s %s\n", helpCommand, helpMessage; \ - } \ - } \ - { lastLine = $$0 }' $(MAKEFILE_LIST) 
diff --git a/modules/vault-iam/README.md b/modules/vault-iam/README.md deleted file mode 100644 index 0103b046..00000000 --- a/modules/vault-iam/README.md +++ /dev/null @@ -1,7 +0,0 @@ -# Vault IAM user - -When setting up vault with AWS as it's secret engine, you need to have -AWS secret and access keys for an IAM user with relevant -permission. This module sets up the user with relevant policies. - -Todo: Try with different resour4ce diff --git a/modules/vault-iam/main.tf b/modules/vault-iam/main.tf deleted file mode 100644 index 630b9ae4..00000000 --- a/modules/vault-iam/main.tf +++ /dev/null @@ -1,44 +0,0 @@ -resource "aws_iam_user" "vault_user" { - name = "vault_user" - tags = { - "user" = "vault" - } -} - -resource "aws_iam_access_key" "vaultkey" { - user = "${aws_iam_user.vault_user.name}" -} - -resource "aws_iam_user_policy" "vault_user_policy" { - name = "vault_user_policy" - user = "${aws_iam_user.vault_user.name}" - - policy = < Date: Thu, 18 Jul 2019 12:21:40 +0530 Subject: [PATCH 6/9] Update README --- examples/vault-iam/main.tf | 2 +- examples/vault-s3-private/README.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/vault-iam/main.tf b/examples/vault-iam/main.tf index ba19188f..ef07abcd 100644 --- a/examples/vault-iam/main.tf +++ b/examples/vault-iam/main.tf @@ -30,7 +30,7 @@ module "vault_iam_user_policy" { "iam:RemoveUserFromGroup" ], "Resource": [ - "arn:aws:iam::793514493597:user/vtest-*" + "arn:aws:iam::xxxxxxx:user/vtest-*" ] } ] diff --git a/examples/vault-s3-private/README.md b/examples/vault-s3-private/README.md index 8bb524ff..9d5e29d6 100644 --- a/examples/vault-s3-private/README.md +++ b/examples/vault-s3-private/README.md 
@@ -20,7 +20,7 @@ vault server -dev * The AWS access and secret keys for an IAM user which the AWS Secret Backend for Vault will use for issuing new credentials. If you don't have any, you can create one using [vault-iam - module](../../modules/vault-iam). You need to put the access keys in + example](../vault-iam). You need to put the access keys in [variables.tf](./variables.tf) From 10b0778412444414996a15dcd340468afb9198a3 Mon Sep 17 00:00:00 2001 From: Sibi Prabakaran Date: Thu, 18 Jul 2019 12:45:47 +0530 Subject: [PATCH 7/9] Update vault-iam documentation --- examples/vault-iam/README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/examples/vault-iam/README.md b/examples/vault-iam/README.md index bcfdac27..343a2fc1 100644 --- a/examples/vault-iam/README.md +++ b/examples/vault-iam/README.md @@ -6,5 +6,6 @@ permission. This example creates IAM user named "vault_user" and appropriate policy for it. In order for this example to create keys, you need to modify -`variables.tf` appropriately. +`variables.tf` appropriately. Also make sure to change the resource +arn in the policy document in `main.tf` file. From 5e74870f6129d897d8d8c468f13dd29ba3e6d40e Mon Sep 17 00:00:00 2001 From: Sibi Prabakaran Date: Sun, 21 Jul 2019 16:35:53 +0530 Subject: [PATCH 8/9] Update with terraform 0.12 changes --- examples/vault-iam/main.tf | 8 +++-- examples/vault-iam/outputs.tf | 5 +-- examples/vault-iam/variables.tf | 1 + examples/vault-s3-private/main.tf | 43 ++++++++++++++----------- examples/vault-s3-private/variables.tf | 44 ++++++++++++++++---------- modules/iam-user-policy/main.tf | 15 +++++---- modules/iam-user-policy/outputs.tf | 3 +- modules/iam-user-policy/variables.tf | 13 ++++---- 8 files changed, 79 insertions(+), 53 deletions(-) diff --git a/examples/vault-iam/main.tf b/examples/vault-iam/main.tf index ef07abcd..1a062836 100644 --- a/examples/vault-iam/main.tf +++ b/examples/vault-iam/main.tf 
@@ -1,12 +1,12 @@ resource "aws_iam_access_key" "vaultkey" { - user = "${module.vault_iam_user_policy.user_name}" - count = "${var.key_count}" + user = module.vault_iam_user_policy.user_name + count = var.key_count } module "vault_iam_user_policy" { source = "../../modules/iam-user-policy/" user_name = "vault_user" - stage = "dev" + environment = "dev" iam_policy_name = "vault_user_policy" iam_user_policy = < Date: Sun, 21 Jul 2019 19:16:11 +0530 Subject: [PATCH 9/9] Update documentation, changelog and add support for terraform 12 --- CHANGELOG.md | 4 ++++ examples/vault-iam/README.md | 3 +-- examples/vault-iam/main.tf | 4 +++- examples/vault-s3-private/README.md | 2 +- examples/vault-s3-private/main.tf | 11 +++++++---- examples/vault-s3-private/variables.tf | 6 ------ tests/main.tf | 8 ++++++++ 7 files changed, 24 insertions(+), 14 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9a6ec52d..84ff9c27 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,8 +4,12 @@ ### Modules +* `iam-user-policy`: Module for IAM user and corresponding policy + ### Examples +* `vault-iam`: New example which creates a admin user for vault with policy suitable for it. +* `vault-s3-private`: New example showing vault and IAM integration with restricted access. # v0.8.2 diff --git a/examples/vault-iam/README.md b/examples/vault-iam/README.md index 343a2fc1..bcfdac27 100644 --- a/examples/vault-iam/README.md +++ b/examples/vault-iam/README.md @@ -6,6 +6,5 @@ permission. This example creates IAM user named "vault_user" and appropriate policy for it. In order for this example to create keys, you need to modify -`variables.tf` appropriately. Also make sure to change the resource -arn in the policy document in `main.tf` file. +`variables.tf` appropriately. diff --git a/examples/vault-iam/main.tf b/examples/vault-iam/main.tf index 1a062836..1ce19d76 100644 --- a/examples/vault-iam/main.tf +++ b/examples/vault-iam/main.tf 
@@ -3,6 +3,8 @@ resource "aws_iam_access_key" "vaultkey" { count = var.key_count } +data "aws_caller_identity" "current" {} + module "vault_iam_user_policy" { source = "../../modules/iam-user-policy/" user_name = "vault_user" @@ -30,7 +32,7 @@ module "vault_iam_user_policy" { "iam:RemoveUserFromGroup" ], "Resource": [ - "arn:aws:iam::xxxxxxx:user/vtest-*" + "arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/vtest-*" ] } ] diff --git a/examples/vault-s3-private/README.md b/examples/vault-s3-private/README.md index 9d5e29d6..52a40053 100644 --- a/examples/vault-s3-private/README.md +++ b/examples/vault-s3-private/README.md @@ -92,7 +92,7 @@ security_token xxx Now let's try to see all the files in our bucket: ``` shellsession -$ env AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx AWS_SESSION_TOKEN=xxx aws s3 ls s3://vault-fpco-test-bucket +$ env AWS_ACCESS_KEY_ID=xxx AWS_SECRET_ACCESS_KEY=xxx AWS_SESSION_TOKEN=xxx aws s3 ls s3://s3-vault-demo-dev-bucket ``` It gives you no output since there are no files. But the command diff --git a/examples/vault-s3-private/main.tf b/examples/vault-s3-private/main.tf index 7ae63fd5..6330f01b 100644 --- a/examples/vault-s3-private/main.tf +++ b/examples/vault-s3-private/main.tf @@ -1,11 +1,14 @@ +data "aws_region" "current" {} + locals { name_prefix = "${var.application}-${var.environment}" + region = data.aws_region.current.name } resource "aws_s3_bucket" "vault-test-bucket" { - bucket = "${locals.name_prefix}-bucket" + bucket = "${local.name_prefix}-bucket" acl = "private" - region = "us-east-2" + region = local.region tags = { Environment = var.environment @@ -16,7 +19,7 @@ resource "aws_s3_bucket" "vault-test-bucket" { # it's best to restrict it's scope so that only some IAM users are # able to assume this role. resource "aws_iam_role" "vault_bucket_role" { - name = "${locals.name_prefix}-bucket-role" + name = "${local.name_prefix}-bucket-role" assume_role_policy = <
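Review bot: The `Resource` of this statement is now `arn:aws:iam::<account>:user/vtest-*`, which limits the IAM actions in it (only `iam:RemoveUserFromGroup` is visible; the rest sit above the hunk) to users named with the `vtest-` prefix, so it only works if the Vault AWS secrets engine is configured to generate users under that prefix — Vault's documented policy for this engine uses `user/vault-*`. Please confirm the prefix matches the backend role configuration, or add a comment on the `Resource` line saying which Vault setting it must agree with. The enclosing `module "vault_iam_user_policy"` block and its policy heredoc start before the hunk.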
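Review bot: `bucket = "${local.name_prefix}-bucket"` produces a fixed name (`s3-vault-demo-dev-bucket` per the README hunk above), and S3 bucket names are global, so anyone else applying this example gets BucketAlreadyExists; appending the account id, e.g. `bucket = "${local.name_prefix}-${data.aws_caller_identity.current.account_id}-bucket"` with a `data "aws_caller_identity" "current" {}` beside the new `aws_region` data source, makes it reproducible. The bucket is protected only by `acl = "private"`; for an example whose point is restricted access it is worth adding an `aws_s3_bucket_public_access_block` for it and a `server_side_encryption_configuration` block, so the bucket is not one ACL change away from public and objects are encrypted at rest. The `region` argument now just repeats the provider's region and later provider versions make it read-only, so it can be dropped. The trust policy of `aws_iam_role.vault_bucket_role` in the next hunk, which the comment says allows everyone to assume the role, is cut off in this patch but is the more important thing to tighten before the example is published.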