├── .gitignore
├── LICENSE
├── Makefile
├── README.md
├── aws_ec2.tf
├── aws_s3.tf
├── aws_sql.tf
├── aws_sql.tf.bkp
├── boundary_dynamic_aws.tf.bkp
├── boundary_okta.tf
├── boundary_postgres.tf
├── boundary_postgres.tf.bkp
├── boundary_session_recording.tf
├── boundary_windows.tf
├── dev
    ├── .terraform.lock.hcl
    ├── Makefile
    ├── backend.tf
    ├── main.tf
    └── outputs.tf
├── generic_test.tf
├── hcp-boundary-worker.nomad
├── main.tf
├── nomad_job_ssh.tf
├── nomad_workers.tf
├── okta_boundary.tf
├── outputs.tf
├── pki_test.tf
├── provider.tf
├── terraform.tfvars
├── to_team.tf.bkp
├── variables.tf
├── vault_aws.tf.bkp
├── vault_boundary.tf
├── vault_consul.tf
├── vault_postgres.tf
├── vault_postgres.tf.bkp
├── vault_ssh.tf
└── vault_windows.tf


/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # Crash log files
 9 | crash.log
10 | 
11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
12 | # .tfvars files are managed as part of configuration and so should be included in
13 | # version control.
14 | #
15 | *.tfvars
16 | */dev/*.tfvars
17 | 
18 | # Ignore override files as they are usually used to override resources locally and so
19 | # are not checked in
20 | override.tf
21 | override.tf.json
22 | *_override.tf
23 | *_override.tf.json
24 | 
25 | # Include override files you do wish to add to version control using negated pattern
26 | #
27 | # !example_override.tf
28 | 
29 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
30 | # example: *tfplan*
31 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | all: login init demostack apply
 2 | .PHONY: all doormat_creds doormat_aws deploy destroy console
 3 | TFC_ORG = emea-se-playground-2019
 4 | WORKSPACE_DEMOSTACK = Guy-AWS-Demostack
 5 | DOORMAT_AWS_ACCOUNT = aws_guy_test
 6 | login:
 7 | 	doormat login
 8 | init:
 9 | 	terraform init
10 | demostack:
11 | 	doormat aws export --account $(DOORMAT_AWS_ACCOUNT)
12 | apply:
13 | 	terraform init
14 | 	terraform plan
15 | 	terraform apply
16 | destroy:
17 | 	terraform destroy


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # terraform-boundary-config
2 | a module for a demostack configuration of bounday
3 | 


--------------------------------------------------------------------------------
/aws_ec2.tf:
--------------------------------------------------------------------------------
 1 | # Configure the AWS Provider
 2 | provider "aws" {
 3 |   region = var.region
 4 | }
 5 | 
 6 | 
 7 | data "aws_instances" "servers" {
 8 | 
 9 | 
10 |   filter {
11 |     name   = "instance-state-name"
12 |     values = ["running"]
13 |   }
14 | 
15 |   instance_tags = {
16 |     # owner = var.owner_tag
17 |     Function = "worker"
18 |     Purpose  = var.application_name
19 |   }
20 | 
21 | }
22 | 
23 | data "aws_instance" "windows" {
24 | 
25 |   filter {
26 |     name   = "instance-state-name"
27 |     values = ["running"]
28 |   }
29 | 
30 |   instance_tags = {
31 |     Function = "Windows"
32 |     Purpose  = var.application_name
33 |     #owner = var.owner_tag
34 |   }
35 | 
36 |   get_password_data = true
37 | }


--------------------------------------------------------------------------------
/aws_s3.tf:
--------------------------------------------------------------------------------
 1 | resource "aws_s3_bucket" "boundary_session_recording" {
 2 |   bucket        = var.s3_bucket_name
 3 |   force_destroy = true
 4 |   tags = {
 5 |     Name        = var.s3_bucket_name_tags
 6 |     Environment = var.s3_bucket_env_tags
 7 |     Terraform   = "true"
 8 |   }
 9 | }
10 | 
11 | resource "aws_s3_bucket_versioning" "versioning_demo" {
12 |   bucket = aws_s3_bucket.boundary_session_recording.id
13 |   versioning_configuration {
14 |     status = "Enabled"
15 |   }
16 | }
17 | 
18 | resource "aws_s3_bucket_metric" "demo-bucket-metric" {
19 |   bucket = aws_s3_bucket.boundary_session_recording.id
20 |   name   = "EntireBucket"
21 | }


--------------------------------------------------------------------------------
/aws_sql.tf:
--------------------------------------------------------------------------------
1 | data "aws_db_instance" "mysql" {
2 |   db_instance_identifier = "${var.application_name}-mysql"
3 | }
4 | 
5 | 
6 | data "aws_db_instance" "postgres" {
7 |   db_instance_identifier = "${var.application_name}-postgres"
8 | }


--------------------------------------------------------------------------------
/aws_sql.tf.bkp:
--------------------------------------------------------------------------------
 1 | 
 2 | resource "aws_db_subnet_group" "databases" {
 3 |   name       = "databases"
 4 |   subnet_ids  = aws_subnet.demostack.*.id
 5 | 
 6 | }
 7 | 
 8 | resource "aws_db_instance" "mysql" {
 9 |   identifier           = "${var.namespace}-mysql"
10 |   allocated_storage    = 10
11 |   engine               = "mysql"
12 |   engine_version       = "5.7"
13 |   instance_class       = "db.t3.micro"
14 |   db_name                 = "mydb"
15 |   username             = "foo"
16 |   password             = "foobarbaz"
17 |   parameter_group_name = "default.mysql5.7"
18 |   db_subnet_group_name = aws_db_subnet_group.databases.id
19 |   vpc_security_group_ids =[aws_security_group.demostack.id]
20 |   skip_final_snapshot  = true
21 |    timeouts {
22 |     create = "10m"
23 |     delete = "10m"
24 |   }
25 | }
26 | 
27 | # https://github.com/terraform-aws-modules/terraform-aws-rds/tree/master/examples/complete-postgres
28 | resource "aws_db_instance" "postgres" {
29 | identifier           = "${var.namespace}-postgres"
30 | engine               = "postgres"
31 | engine_version         = "13.1"
32 | instance_class         = "db.t3.micro"
33 | 
34 |  allocated_storage      = 5
35 | storage_encrypted     = true
36 | 
37 | db_name     = "postgress"
38 | username = "postgresql"
39 | password = "YourPwdShouldBeLongAndSecure!"
40 | port     = 5432
41 | db_subnet_group_name = aws_db_subnet_group.databases.id
42 | vpc_security_group_ids =[aws_security_group.demostack.id]
43 | skip_final_snapshot    = true
44 |  timeouts {
45 |     create = "10m"
46 |     delete = "10m"
47 |   }
48 | }


--------------------------------------------------------------------------------
/boundary_dynamic_aws.tf.bkp:
--------------------------------------------------------------------------------
 1 | 
 2 | data "aws_iam_access_key" "boundary_dynamic_host_catalog" {
 3 |   user_name = "${var.namespace}-bdhc"
 4 | }
 5 | 
 6 | resource "boundary_host_catalog_plugin" "aws_ec2" {
 7 |   name            = "AWS Sandbox"
 8 |   description     = "Host catalog in AWS Sandbox"
 9 |   scope_id        = boundary_scope.project.id
10 |   plugin_name     = "aws"
11 |   attributes_json = jsonencode({ "region" = data.aws_region.current.name })
12 |   secrets_json = jsonencode({
13 |     "access_key_id"     = data.aws_iam_access_key.boundary_dynamic_host_catalog.id
14 |     "secret_access_key" = data.aws_iam_access_key.boundary_dynamic_host_catalog.secret
15 |   })
16 | }


--------------------------------------------------------------------------------
/boundary_okta.tf:
--------------------------------------------------------------------------------
 1 | resource "boundary_auth_method_oidc" "provider" {
 2 |   name                 = "Okta"
 3 |   description          = "OIDC auth method for Okta"
 4 |   scope_id             = "global"
 5 |   issuer               = okta_auth_server.boundary.issuer
 6 |   client_id            = okta_app_oauth.boundary.client_id
 7 |   client_secret        = okta_app_oauth.boundary.client_secret
 8 |   signing_algorithms   = ["RS256"]
 9 |   api_url_prefix       = var.boundary_address
10 |   is_primary_for_scope = true
11 |   state                = "active-public"
12 |   max_age              = 0
13 | }
14 | 
15 | resource "boundary_account_oidc" "oidc_user" {
16 |   name           = "guy-hashicorp"
17 |   description    = "OIDC account for guy-HashiCorp"
18 |   auth_method_id = boundary_auth_method_oidc.provider.id
19 |   issuer         = okta_auth_server.boundary.issuer
20 |   subject        = okta_app_oauth.boundary.client_id
21 | }
22 | 
23 | resource "boundary_managed_group" "oidc_managed_group" {
24 |   name           = "okta-managed-group"
25 |   description    = "Okta Managed Group"
26 |   auth_method_id = boundary_auth_method_oidc.provider.id
27 |   filter         = "\"okta.com\" in \"/token/iss\""
28 | }
29 | 
30 | resource "boundary_role" "oidc_admin_role" {
31 |   name          = "Admin Role"
32 |   description   = "admin role"
33 |   principal_ids = [boundary_managed_group.oidc_managed_group.id]
34 |   grant_strings = ["id=*;type=*;actions=*"]
35 |   scope_id      = "global"
36 | }
37 | 
38 | 
39 | resource "boundary_role" "oidc_user_role" {
40 |   name          = "User Role"
41 |   description   = "user role org"
42 |   principal_ids = [boundary_managed_group.oidc_managed_group.id]
43 |   grant_strings = ["id=*;type=*;actions=*"]
44 |   scope_id      = boundary_scope.app.id
45 | }
46 | 
47 | 
48 | 
49 | resource "boundary_role" "oidc_user_role_project" {
50 |   name          = "User Role"
51 |   description   = "user role project"
52 |   principal_ids = [boundary_managed_group.oidc_managed_group.id]
53 |   grant_strings = ["id=*;type=*;actions=*"]
54 |   scope_id      = boundary_scope.app_infra.id
55 | }
56 | 


--------------------------------------------------------------------------------
/boundary_postgres.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | resource "boundary_credential_library_vault" "postgres" {
 4 |   name                = "postgres_creds"
 5 |   description         = "postgres dynamic creds"
 6 |   credential_type     = "username_password"
 7 |   credential_store_id = boundary_credential_store_vault.app_vault.id
 8 |   path                = "postgres/creds/postgres-role" # change to Vault backend path
 9 |   http_method         = "GET"
10 | }
11 | 
12 | 
13 | resource "boundary_host_catalog_static" "postgres_catalog" {
14 |   name        = "postgres_consul_servers"
15 |   description = "Postgres servers host catalog"
16 |   scope_id    = boundary_scope.app_infra.id
17 | }
18 | 
19 | resource "boundary_host_static" "postgres_host" {
20 |   type            = "static"
21 |   name            = "postgres_server"
22 |   description     = "Postgres server host"
23 |   address         = data.aws_db_instance.postgres.address
24 |   host_catalog_id = boundary_host_catalog_static.postgres_catalog.id
25 | }
26 | 
27 | resource "boundary_host_set_static" "postgres_set" {
28 |   type            = "static"
29 |   name            = "postgres_set"
30 |   description     = "Host set for postgres servers"
31 |   host_catalog_id = boundary_host_catalog_static.postgres_catalog.id
32 |   host_ids        = [boundary_host_static.postgres_host.id]
33 | }
34 | 
35 | resource "boundary_target" "postgres" {
36 |   type                     = "tcp"
37 |   name                     = "postgres servers"
38 |   description              = "Postgres target"
39 |   scope_id                 = boundary_scope.app_infra.id
40 |   default_port             = data.aws_db_instance.postgres.port
41 |   session_connection_limit = -1
42 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
43 | 
44 |   host_source_ids = [
45 |     boundary_host_set_static.postgres_set.id
46 |   ]
47 | 
48 |   brokered_credential_source_ids = [
49 |     boundary_credential_library_vault.postgres.id
50 |   ]
51 | }
52 | 
53 | 


--------------------------------------------------------------------------------
/boundary_postgres.tf.bkp:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | resource "boundary_credential_library_vault" "postgres" {
 4 |   name                = "postgres_creds"
 5 |   description         = "postgres dynamic creds"
 6 |   credential_store_id = boundary_credential_store_vault.app_vault.id
 7 |   path                = "postgres/creds/postgres-role" # change to Vault backend path
 8 |   http_method         = "GET"
 9 | }
10 | 
11 | 
12 | resource "boundary_host_catalog_static" "postgres_catalog" {
13 |   name        = "postgres_consul_servers"
14 |   description = "Postgres servers host catalog"
15 |   scope_id    = boundary_scope.app_infra.id
16 | }
17 | 
18 | resource "boundary_host" "postgres_host" {
19 |   type            = "static"
20 |   name            = "postgres_server"
21 |   description     = "Postgres server host"
22 |   address         = var.postgres_hostname
23 |   host_catalog_id = boundary_host_catalog_static.postgres_catalog.id
24 | }
25 | 
26 | resource "boundary_host_set" "postgres_set" {
27 |   type            = "static"
28 |   name            = "postgres_set"
29 |   description     = "Host set for postgres servers"
30 |   host_catalog_id = boundary_host_catalog_static.postgres_catalog.id
31 |   host_ids        = [boundary_host.postgres_host.id]
32 | }
33 | 
34 | resource "boundary_target" "postgres" {
35 |   type                     = "tcp"
36 |   name                     = "postgres servers"
37 |   description              = "Postgres target"
38 |   scope_id                 = boundary_scope.app_infra.id
39 |   default_port             = var.postgres_port
40 |   session_connection_limit = -1
41 |   # worker_filter = "demostack in /tags/type"
42 | 
43 |   host_source_ids = [
44 |     boundary_host_set.postgres_set.id
45 |   ]
46 | 
47 |    injected_application_credential_source_ids   = [
48 |     boundary_credential_library_vault.postgres.id
49 |   ]
50 | }


--------------------------------------------------------------------------------
/boundary_session_recording.tf:
--------------------------------------------------------------------------------
 1 | # Grab some information about and from the current AWS account.
 2 | data "aws_caller_identity" "current" {}
 3 | 
 4 | data "aws_iam_policy" "demo_user_permissions_boundary" {
 5 |   name = "DemoUser"
 6 | }
 7 | 
 8 | locals {
 9 |   my_email = split("/", data.aws_caller_identity.current.arn)[2]
10 | }
11 | 
12 | # Create the user to be used in Boundary for session recording. Then attach the policy to the user.
13 | resource "aws_iam_user" "boundary_session_recording" {
14 |   name                 = "demo-${local.my_email}-bsr"
15 |   permissions_boundary = data.aws_iam_policy.demo_user_permissions_boundary.arn
16 |   force_destroy        = true
17 | }
18 | 
19 | resource "aws_iam_user_policy_attachment" "boundary_session_recording" {
20 |   user       = aws_iam_user.boundary_session_recording.name
21 |   policy_arn = data.aws_iam_policy.demo_user_permissions_boundary.arn
22 | }
23 | 
24 | data "aws_iam_policy_document" "boundary_user_policy" {
25 |   statement {
26 |     sid = "InteractWithS3"
27 |     actions = [
28 |       "s3:PutObject",
29 |       "s3:GetObject",
30 |       "s3:GetObjectAttributes",
31 |     ]
32 |     resources = ["arn:aws:s3:::${var.s3_bucket_name}/*"]
33 |   }
34 |   statement {
35 |     actions = [
36 |       "iam:DeleteAccessKey",
37 |       "iam:GetUser",
38 |       "iam:CreateAccessKey"
39 |     ]
40 |     resources = [aws_iam_user.boundary_session_recording.arn]
41 |   }
42 | }
43 | 
44 | resource "aws_iam_policy" "boundary_user_policy" {
45 |   name        = "demo-${local.my_email}-bsr-policy"
46 |   path        = "/"
47 |   description = "Managed policy for the Boundary user recorder"
48 |   policy      = data.aws_iam_policy_document.boundary_user_policy.json
49 | }
50 | 
51 | 
52 | resource "aws_iam_user_policy_attachment" "boundary_user_policy" {
53 |   user       = aws_iam_user.boundary_session_recording.name
54 |   policy_arn = aws_iam_policy.boundary_user_policy.arn
55 | }
56 | 
57 | # Generate some secrets to pass in to the Boundary configuration.
58 | # WARNING: These secrets are not encrypted in the state file. Ensure that you do not commit your state file!
59 | resource "aws_iam_access_key" "boundary_session_recording" {
60 |   user       = aws_iam_user.boundary_session_recording.name
61 |   depends_on = [aws_iam_user_policy_attachment.boundary_session_recording]
62 | }
63 | 
64 | # AWS is eventually-consistent when creating IAM Users. Introduce a wait
65 | # before handing credentails off to boundary.
66 | resource "time_sleep" "boundary_session_recording_user_ready" {
67 |   create_duration = "1m"
68 | 
69 |   depends_on = [aws_iam_access_key.boundary_session_recording,nomad_job.nomad_boundary_workers]
70 | }
71 | 
72 | # NOTE:  Be advised, at this time there is no way to delete a storage bucket with the provider or inside of Boundary GUI
73 | # The only way to delete the storage bucket is to delete the cluster at the moment.  As such, you could leverage the below
74 | # to provision a storage bucket with this demo, or you can manage this in your Boundary Cluster Configuration
75 | 
76 | 
77 | resource "boundary_storage_bucket" "doormat_example" {
78 |   depends_on = [ nomad_job.nomad_boundary_workers,aws_iam_user.boundary_session_recording,time_sleep.boundary_session_recording_user_ready ]
79 |   name            = "Demo BSR Bucket"
80 |   description     = "Demo Boundary Session Recording Bucket"
81 |   #scope_id        = boundary_scope.app.id
82 |   scope_id        = "global"
83 |   plugin_name     = "aws"
84 |   bucket_name     = var.s3_bucket_name
85 |   attributes_json = jsonencode({ "region" = var.region, "disable_credential_rotation" = var.disable_credential_rotation })
86 | 
87 |   secrets_json = jsonencode({
88 |     "access_key_id"     = aws_iam_access_key.boundary_session_recording.id,
89 |     "secret_access_key" = aws_iam_access_key.boundary_session_recording.secret
90 |   })
91 |   worker_filter = " \"demostack\" in \"/tags/type\" "
92 | }
93 | 


--------------------------------------------------------------------------------
/boundary_windows.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | resource "boundary_credential_library_vault" "windows" {
 4 |   name                = "windows_creds"
 5 |   description         = "windows dynamic creds"
 6 |   credential_type     = "username_password"
 7 |   credential_store_id = boundary_credential_store_vault.app_vault.id
 8 |   path                = "boundary_creds/data/windows" # change to Vault backend path
 9 |   http_method         = "GET"
10 | }
11 | 
12 | 
13 | resource "boundary_host_catalog_static" "windows_catalog" {
14 |   name        = "windows_consul_servers"
15 |   description = "windows servers host catalog"
16 |   scope_id    = boundary_scope.app_infra.id
17 | }
18 | 
19 | resource "boundary_host_static" "windows_host" {
20 |   type            = "static"
21 |   name            = "windows_server"
22 |   description     = "windows server host"
23 |   address         = data.aws_instance.windows.private_ip
24 |   host_catalog_id = boundary_host_catalog_static.windows_catalog.id
25 | }
26 | 
27 | resource "boundary_host_set_static" "windows_set" {
28 |   type            = "static"
29 |   name            = "windows_set"
30 |   description     = "Host set for windows servers"
31 |   host_catalog_id = boundary_host_catalog_static.windows_catalog.id
32 |   host_ids        = [boundary_host_static.windows_host.id]
33 | }
34 | 
35 | resource "boundary_target" "windows" {
36 |   type                     = "tcp"
37 |   name                     = "windows servers"
38 |   description              = "windows target"
39 |   scope_id                 = boundary_scope.app_infra.id
40 |   default_port             = var.windows_port
41 |   session_connection_limit = -1
42 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
43 | 
44 |   host_source_ids = [
45 |     boundary_host_set_static.windows_set.id
46 |   ]
47 | 
48 |   brokered_credential_source_ids = [
49 |     boundary_credential_library_vault.windows.id
50 |   ]
51 | }


--------------------------------------------------------------------------------
/dev/.terraform.lock.hcl:
--------------------------------------------------------------------------------
  1 | # This file is maintained automatically by "terraform init".
  2 | # Manual edits may be lost in future updates.
  3 | 
  4 | provider "registry.terraform.io/hashicorp/aws" {
  5 |   version = "5.10.0"
  6 |   hashes = [
  7 |     "h1:ll2mC5mMF+Tm/+tmDQ6p6h3oAFpMSbZsA54STMZegwI=",
  8 |     "zh:24f8b40ba25521ec809906623ce1387542f3da848952167bc960663583a7b2c7",
  9 |     "zh:3c12afbda4e8ed44ab8315d16bbba4329ef3f18ffe3c0d5ea456dd05472fa610",
 10 |     "zh:4da2de97535c7fb51ede8ef9b6bd45c790005aec36daac4317a6175d2ff632fd",
 11 |     "zh:5631fd3c02c5abe5e51a73bd77ddeaaf97b2d508845ea03bc1e5955b52d94706",
 12 |     "zh:5bdef27b4e5b2dcd0661125fcc1e70826d545903b1e19bb8d28d2a0c812468d5",
 13 |     "zh:7b7f6b3e00ad4b7bfaa9872388f7b8014d8c9a1fe5c3f9f57865535865727633",
 14 |     "zh:935f7a599a3f55f69052b096491262d59787625ce5d52f729080328e5088e823",
 15 |     "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
 16 |     "zh:a451a24f6675f8ad643a9b218cdb54c2af75a53d6a712daff46f64b81ec61032",
 17 |     "zh:a5bcf820baefdc9f455222878f276a7f406a1092ac7b4c0cdbd6e588bff84847",
 18 |     "zh:c9ab7b838a75bbcacc298658c1a04d1f0ee5935a928d821afcbe08c98cca7c5f",
 19 |     "zh:d83855b6d66aaa03b1e66e03b7d0a4d1c9f992fce06f00011edde2a6ad6d91d6",
 20 |     "zh:f1793e9a1e3ced98ca301ef1a294f46c06f77f6eb10f4d67ffef87ea60835421",
 21 |     "zh:f366c99ddb16d75e07a687a60c015e8e2e0cdb593dea902385629571bd604859",
 22 |     "zh:fb3ec60ea72144f480f495634c6d3e7a7638d7061a77c228a30768c1ae0b91f6",
 23 |   ]
 24 | }
 25 | 
 26 | provider "registry.terraform.io/hashicorp/boundary" {
 27 |   version = "1.1.9"
 28 |   hashes = [
 29 |     "h1:0CVDjVvwGP61jrm9EoS3LPFDNXsMw9A4ePGl4N/yjVk=",
 30 |     "zh:04ba8085e722d61e553337882b4f6b5ee2c1eff21dbb2422eed329fbdfe6e95d",
 31 |     "zh:1fe6b90fc0e2c91ae8d94236554ec3939f98b989b86c4d5452845b803bcd3af6",
 32 |     "zh:3a211c794760b2842b1d90ff5f373ad5e3b1112e436d0318a4056dda80e35ee2",
 33 |     "zh:3aa2ad8aaf57984186c202dbc0f376025d0e7e6b605115a94e3c9f5ca302ab75",
 34 |     "zh:3bdd9b8bc7df69908310864e9beae161aba00cbb1ffa468535982d7f5b37e716",
 35 |     "zh:3df06331ed139f911c1af05ad4d29279e2bc6d862bf8c80fa2423ffafc7b41b9",
 36 |     "zh:44829f169ca8647f742bb42ffe19f8521684bf43e2f435747c8fee280546eeac",
 37 |     "zh:45ec983fbbca68a6bfa429f7beb9593f802d1f17b27f84f86e1bc794bfd8c4d0",
 38 |     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
 39 |     "zh:790b8e405057afb8ae16169116de18bfdf0134452601ed084afbf2e5ee810548",
 40 |     "zh:d7a399d5d54b109ce08b3a20e5b13cfa4488d19c54db7e5cb8c9bf962a9bafbc",
 41 |     "zh:f25c62b4de4bcaa6b878dfa6098a49ad5f9bd9fbe9fe46d94646351df274befc",
 42 |   ]
 43 | }
 44 | 
 45 | provider "registry.terraform.io/hashicorp/nomad" {
 46 |   version = "1.4.20"
 47 |   hashes = [
 48 |     "h1:4IKRa9RKAwJ55lLQjgkOkXLnm+KV4T0bCH+ldNhRR14=",
 49 |     "zh:02989edcebe724fc0aa873b22176fd20074c4f46295e728010711a8fc5dfa72c",
 50 |     "zh:089ba7d19bcf5c6bab3f8b8c5920eb6d78c52cf79bb0c5dfeb411c600e7efcba",
 51 |     "zh:235865a2182ca372bcbf440201a8b8cc0715ad5dbc4de893d99b6f32b5be53ab",
 52 |     "zh:67ea718764f3f344ecc6e027d20c1327b86353c8064aa90da3ec12cec4a88954",
 53 |     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
 54 |     "zh:8c68c540f0df4980568bdd688c2adec86eda62eb2de154e3db215b16de0a7ae0",
 55 |     "zh:911969c63a69a733be57b96d54c5966c9424e1abec8d5f20038c8cef3a504c65",
 56 |     "zh:a673c92ddc9d47e8d53dcb9b376f1adcb4543488202fc83a3e7eab8677530684",
 57 |     "zh:a94a73eae89fd8c8ebf872013079be41161d3f293f4026c92d45c4c5667dd613",
 58 |     "zh:db6b89f8b696040c0344f00928e4cf6e0a75034421ba14cdcd8a4d23bc865dce",
 59 |     "zh:e512c0b1239e3d66b60d22c2b4de19fea288e492cde90dff9277cc475fd9dbbf",
 60 |     "zh:ef6eccecbdef3bb8ce629cabfb5550c1db5c3e952943dda1786ef6cb470a8c23",
 61 |   ]
 62 | }
 63 | 
 64 | provider "registry.terraform.io/hashicorp/time" {
 65 |   version = "0.9.1"
 66 |   hashes = [
 67 |     "h1:VxyoYYOCaJGDmLz4TruZQTSfQhvwEcMxvcKclWdnpbs=",
 68 |     "zh:00a1476ecf18c735cc08e27bfa835c33f8ac8fa6fa746b01cd3bcbad8ca84f7f",
 69 |     "zh:3007f8fc4a4f8614c43e8ef1d4b0c773a5de1dcac50e701d8abc9fdc8fcb6bf5",
 70 |     "zh:5f79d0730fdec8cb148b277de3f00485eff3e9cf1ff47fb715b1c969e5bbd9d4",
 71 |     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
 72 |     "zh:8c8094689a2bed4bb597d24a418bbbf846e15507f08be447d0a5acea67c2265a",
 73 |     "zh:a6d9206e95d5681229429b406bc7a9ba4b2d9b67470bda7df88fa161508ace57",
 74 |     "zh:aa299ec058f23ebe68976c7581017de50da6204883950de228ed9246f309e7f1",
 75 |     "zh:b129f00f45fba1991db0aa954a6ba48d90f64a738629119bfb8e9a844b66e80b",
 76 |     "zh:ef6cecf5f50cda971c1b215847938ced4cb4a30a18095509c068643b14030b00",
 77 |     "zh:f1f46a4f6c65886d2dd27b66d92632232adc64f92145bf8403fe64d5ffa5caea",
 78 |     "zh:f79d6155cda7d559c60d74883a24879a01c4d5f6fd7e8d1e3250f3cd215fb904",
 79 |     "zh:fd59fa73074805c3575f08cd627eef7acda14ab6dac2c135a66e7a38d262201c",
 80 |   ]
 81 | }
 82 | 
 83 | provider "registry.terraform.io/hashicorp/vault" {
 84 |   version = "3.18.0"
 85 |   hashes = [
 86 |     "h1:dAfEObrH5Qs81VDfaFcdwfPDx4BgRG/CLaj7ybm3RCs=",
 87 |     "zh:0e898f977d2dbd0b2ffeb25520f6f3aaa0a078f654bf312dc12fefc327313204",
 88 |     "zh:11899fb3e6d2ce6215047cc37c4e1cbdc01334242103600d79009bcdda2cccd9",
 89 |     "zh:19c57f433f014f6275d1461dd190c50b1fbd2b1217718de6d2eb64e6a9bcea5c",
 90 |     "zh:4e2aa164ffd13080dc10d5de4256b684108126e1082c2613854e26a398831389",
 91 |     "zh:77abbf9d90d085677194305cf192f7890408881bbedc77e97c5146cef3e27a7c",
 92 |     "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
 93 |     "zh:790758438efe4389fdb0cabfb6f5118dad13869946665a72ba79a2f1102ff153",
 94 |     "zh:b9f3f1ba160a41545c4a8cb3a0d91fb37e194cfd6879ac7f358321851242ff78",
 95 |     "zh:bf19d8380e93a8a6ea8735cc015d4d04c6c588b233bb7cbb2bc3c277b7973f9a",
 96 |     "zh:de096c2afc87052e4848661ae5fc87528468399ae1a3ef242f1d6738504c79fc",
 97 |     "zh:eb4dce6a7bc10fa836cd379161bb5fad698d3288099e6ce0fa92ca3183acf242",
 98 |     "zh:f1c150dc13d6597ee08b83904fdd97a6702a106d3f524d60f048f2bd5c492f51",
 99 |   ]
100 | }
101 | 


--------------------------------------------------------------------------------
/dev/Makefile:
--------------------------------------------------------------------------------
 1 | all: login init demostack apply
 2 | .PHONY: all doormat_creds doormat_aws deploy destroy console
 3 | TFC_ORG = emea-se-playground-2019
 4 | WORKSPACE_DEMOSTACK = Guy-AWS-Demostack
 5 | DOORMAT_AWS_ACCOUNT = aws_guy_test
 6 | login:
 7 | 	doormat login
 8 | init:
 9 | 	terraform init
10 | demostack:
11 | 	doormat aws export --account $(DOORMAT_AWS_ACCOUNT)
12 | apply:
13 | 	terraform init
14 | 	terraform plan
15 | 	terraform apply
16 | destroy:
17 | 	terraform destroy


--------------------------------------------------------------------------------
/dev/backend.tf:
--------------------------------------------------------------------------------
 1 | # Using a single workspace:
 2 | 
 3 | terraform {
 4 |   backend "remote" {
 5 |     hostname     = "app.terraform.io"
 6 |     organization = "emea-se-playground-2019"
 7 |     workspaces {
 8 |       name = "GUY-HCP-Boundary-Config"
 9 |     }
10 |   }
11 | }
12 | 


--------------------------------------------------------------------------------
/dev/main.tf:
--------------------------------------------------------------------------------
 1 | //--------------------------------------------------------------------
 2 | // Variables
 3 | variable "config_boundary_auth_method_id" {}
 4 | variable "config_boundary_address" {}
 5 | variable "config_boundary_password" {}
 6 | variable "config_boundary_username" {}
 7 | variable "config_vault_address" {}
 8 | variable "config_vault_namespace" {}
 9 | variable "config_vault_token" {}
10 | variable "config_nomad_address" {}
11 | variable "config_nomad_token" {}
12 | variable "config_path_to_private_key" {}
13 | variable "config_path_to_public_key" {}
14 | variable "config_application_name" {}
15 | 
16 | //--------------------------------------------------------------------
17 | // Modules
18 | module "config" {
19 | #  source  = "app.terraform.io/emea-se-playground-2019/config/boundary"
20 |  source = "github.com/GuyBarros/terraform-boundary-config"
21 | 
22 |   application_name = var.config_application_name
23 |   boundary_auth_method_id = var.config_boundary_auth_method_id
24 |   boundary_address = var.config_boundary_address
25 |   boundary_password = var.config_boundary_password
26 |   boundary_username = var.config_boundary_username
27 |   postgres_password = "YourPwdShouldBeLongAndSecure!"
28 |   vault_address = var.config_vault_address
29 |   vault_namespace = var.config_vault_namespace
30 |   vault_token = var.config_vault_token
31 |   nomad_address = var.config_nomad_address
32 |   nomad_token = var.config_nomad_token
33 |   windows_port = 3389
34 |   path_to_private_key = var.config_path_to_private_key
35 |   path_to_public_key = var.config_path_to_public_key
36 | }


--------------------------------------------------------------------------------
/dev/outputs.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | output "A_Welcome_Message" {
 3 |   value = <<EOF
 4 | 
 5 | ooooo   ooooo                    oooo         o8o    .oooooo.
 6 | `888'   `888'                    `888         `"'   d8P'  `Y8b
 7 |  888     888   .oooo.    .oooo.o  888 .oo.   oooo  888           .ooooo.  oooo d8b oo.ooooo.
 8 |  888ooooo888  `P  )88b  d88(  "8  888P"Y88b  `888  888          d88' `88b `888""8P  888' `88b
 9 |  888     888   .oP"888  `"Y88b.   888   888   888  888          888   888  888      888   888
10 |  888     888  d8(  888  o.  )88b  888   888   888  `88b    ooo  888   888  888      888   888
11 | o888o   o888o `Y888""8o 8""888P' o888o o888o o888o  `Y8bood8P'  `Y8bod8P' d888b     888bod8P'
12 |                                                                                     888
13 |                                                                                    o888o
14 | export BOUNDARY_ADDR=${module.config.boundary_address}
15 | 
16 | ${module.config.boundary_auth_string}
17 | # Consul
18 | boundary connect -target-id=${module.config.consul_target}
19 | # Vault
20 | boundary connect -target-id=${module.config.vault_target}
21 | 
22 | # Nomad
23 | boundary connect -target-id=${module.config.nomad_target} 
24 | # boundary connect -exec chrome -target-id=${module.config.nomad_target} -- {{boundary.host}} {{boundary.port}}
25 | 
26 | # Postgres
27 | boundary connect postgres -target-id ${module.config.postgres_target}  -dbname postgres
28 | 
29 | # SSh
30 | boundary connect ssh  -target-id  ${module.config.ssh_target} 
31 | 
32 | EOF
33 | }
34 | 
35 | 


--------------------------------------------------------------------------------
/generic_test.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | resource "boundary_target" "gen_test" {
 3 |   type                     = "ssh"
 4 |   name                     = "gen_test_ssh_injected"
 5 |   description              = "gen_test"
 6 |   scope_id                 = boundary_scope.app_infra.id
 7 |   default_port             = "22"
 8 |   session_connection_limit = -1
 9 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
10 | 
11 |   host_source_ids = [
12 |     boundary_host_set_static.backend_servers_ssh.id
13 |   ]
14 |   injected_application_credential_source_ids = [
15 |     boundary_credential_library_vault_ssh_certificate.vault_ssh_cert.id
16 |   ]
17 | 
18 | }
19 | 
20 | # resource "boundary_credential_library_vault" "gen" {
21 | #   name                = "gen_vault_token"
22 | #   description         = "Credential Library for Vault Token"
23 | #   credential_store_id = boundary_credential_store_vault.app_vault.id
24 | #   path                = "boundary_creds/data/ssh" # change to Vault backend path
25 | #   http_method         = "GET"
26 | 
27 | #   credential_type = "ssh_private_key"
28 | #  # credential_mapping_overrides = {
29 | #  #   password_attribute = "password"
30 | #  #   username_attribute = "username"
31 | #  # }
32 | 
33 | # }
34 | 
35 | resource "boundary_credential_library_vault_ssh_certificate" "vault_ssh_cert" {
36 |   name                = "ssh-certs"
37 |   description         = "Vault SSH Cert Library"
38 |   credential_store_id = boundary_credential_store_vault.app_vault.id
39 |   path                = "ssh-client-signer/sign/boundary-client" # change to correct Vault endpoint and role
40 |   username            = "ubuntu"                                 # change to valid username
41 | }


--------------------------------------------------------------------------------
/hcp-boundary-worker.nomad:
--------------------------------------------------------------------------------
  1 | #### to run: nomad job run  -var="hcp_boundary_cluster_id=0fcfa413-3d03-4ba3-89f4-389be0a7e252" hcp-boundary-worker.nomad
  2 | 
  3 | 
  4 | variable "boundary_version" {
  5 |   type = string
  6 |   default = "0.11.0+hcp"
  7 | }
  8 | 
  9 | variable "boundary_checksum" {
 10 |   type = string
 11 |   default = "cde09452d5d129c56e03f4f495f87ab0586005b31aba53fd8501b8b02199d6c3"
 12 | 
 13 | }
 14 | 
 15 | variable "hcp_boundary_cluster_id" {
 16 |   type = string
 17 |   
 18 | }
 19 | 
 20 | 
 21 | job "boundary-worker" {
 22 |  region = "global"
 23 |   datacenters = ["eu-west-2a","eu-west-2b","eu-west-2c","eu-west-2","dc1"]
 24 |   type = "service"
 25 | 
 26 |   group "boundary-worker" {
 27 |     count = 3
 28 | 
 29 |       constraint {
 30 |         operator = "distinct_hosts"
 31 |         value = "true"
 32 |       }
 33 |     network {
 34 |           port  "worker"  {
 35 |             static = 9202
 36 |           }
 37 |         }
 38 |     task "boundary-worker.service" {
 39 |       driver = "raw_exec"
 40 | 
 41 |       resources {
 42 |         cpu = 2000
 43 |         memory = 1024
 44 | 
 45 |       }
 46 |       artifact {
 47 |          source     = "https://releases.hashicorp.com/boundary-worker/${var.boundary_version}/boundary-worker_${var.boundary_version}_linux_amd64.zip"
 48 |         destination = "./tmp/"
 49 |         options {
 50 |           checksum = "sha256:${var.boundary_checksum}"
 51 |         }
 52 |       }
 53 |       template {
 54 |         data        = <<EOF
 55 |         disable_mlock = true
 56 | 
 57 |     hcp_boundary_cluster_id = "${var.hcp_boundary_cluster_id}"
 58 | 
 59 | listener "tcp" {
 60 |   address = "0.0.0.0:9202"
 61 |   purpose = "proxy"
 62 |      tls_disable = true
 63 | }
 64 |  
 65 | 
 66 | 
 67 | worker {
 68 |   auth_storage_path = "tmp/boundary.d/"
 69 |   # change this to the public ip address of the specific platform you are running or use "attr.unique.network.ip-address"
 70 |    public_addr = "{{ env "attr.unique.platform.aws.public-ipv4" }}"
 71 |      tags {
 72 |     type      = ["workers","hcp","demostack"]
 73 |   }
 74 | 
 75 | }
 76 | 
 77 | 
 78 |         EOF
 79 |         destination = "./tmp/boundary.d/pki-worker.hcl"
 80 |       }
 81 |       config {
 82 |         command = "/tmp/boundary-worker"
 83 |         args = ["server", "-config=tmp/boundary.d/pki-worker.hcl"]
 84 |       }
 85 |       service {
 86 |         name = "hcp-boundary-worker"
 87 |         tags = ["hcp","boundary-worker","worker-${NOMAD_ALLOC_INDEX}"]
 88 |         port = "worker"
 89 | 
 90 |         check {
 91 |           name     = "alive"
 92 |           type     = "tcp"
 93 |           interval = "10s"
 94 |           timeout  = "2s"
 95 |         }
 96 |       }
 97 |     }
 98 | 
 99 |   }
100 | 
101 |   update {
102 |     max_parallel = 1
103 |     min_healthy_time = "5s"
104 |     healthy_deadline = "3m"
105 |     auto_revert = false
106 |     canary = 0
107 |   }
108 | }
109 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | provider "boundary" {
  2 |   addr                            = var.boundary_address
  3 |   auth_method_id                  = var.boundary_auth_method_id
  4 |   password_auth_method_login_name = var.boundary_username
  5 |   password_auth_method_password   = var.boundary_password
  6 | }
  7 | 
  8 | 
  9 | resource "boundary_scope" "app" {
 10 |   name                     = var.application_name
 11 |   description              = "scope for ${var.application_name}"
 12 |   scope_id                 = "global"
 13 |   auto_create_admin_role   = true
 14 |   auto_create_default_role = true
 15 | }
 16 | 
 17 | resource "boundary_scope" "app_infra" {
 18 |   name                     = "${var.application_name}_infrastrcture"
 19 |   description              = "${var.application_name} project!"
 20 |   scope_id                 = boundary_scope.app.id
 21 |   auto_create_admin_role   = true
 22 |   auto_create_default_role = true
 23 | }
 24 | 
 25 | resource "boundary_host_catalog_static" "backend_servers" {
 26 |   name        = "backend_servers"
 27 |   description = "Backend servers host catalog"
 28 |   scope_id    = boundary_scope.app_infra.id
 29 | }
 30 | 
 31 | resource "boundary_host_static" "backend_servers" {
 32 |   for_each        = toset(data.aws_instances.servers.private_ips)
 33 |   type            = "static"
 34 |   name            = "backend_server_service_${each.value}"
 35 |   description     = "Backend server host"
 36 |   address         = each.key
 37 |   host_catalog_id = boundary_host_catalog_static.backend_servers.id
 38 | }
 39 | 
 40 | resource "boundary_host_set_static" "backend_servers_ssh" {
 41 |   type            = "static"
 42 |   name            = "backend_servers_ssh"
 43 |   description     = "Host set for backend servers"
 44 |   host_catalog_id = boundary_host_catalog_static.backend_servers.id
 45 |   host_ids        = [for host in boundary_host_static.backend_servers : host.id]
 46 | }
 47 | 
 48 | 
 49 | resource "boundary_target" "nomad" {
 50 |   type                     = "tcp"
 51 |   name                     = "nomad"
 52 |   description              = "nomad servers"
 53 |   scope_id                 = boundary_scope.app_infra.id
 54 |   default_port             = "4646"
 55 |   session_connection_limit = -1
 56 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
 57 | 
 58 |   host_source_ids = [
 59 |     boundary_host_set_static.backend_servers_ssh.id
 60 |   ]
 61 | }
 62 | 
 63 | resource "boundary_target" "consul" {
 64 |   type                     = "tcp"
 65 |   name                     = "consul"
 66 |   description              = "consul servers"
 67 |   scope_id                 = boundary_scope.app_infra.id
 68 |   default_port             = "8500"
 69 |   session_connection_limit = -1
 70 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
 71 | 
 72 |   host_source_ids = [
 73 |     boundary_host_set_static.backend_servers_ssh.id
 74 |   ]
 75 | }
 76 | 
 77 | resource "boundary_target" "vault" {
 78 |   type                     = "tcp"
 79 |   name                     = "vault"
 80 |   description              = "vault servers"
 81 |   scope_id                 = boundary_scope.app_infra.id
 82 |   default_port             = "8200"
 83 |   session_connection_limit = -1
 84 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
 85 | 
 86 |   host_source_ids = [
 87 |     boundary_host_set_static.backend_servers_ssh.id
 88 |   ]
 89 | }
 90 | 
 91 | # create target for accessing backend servers on port :22
 92 | resource "boundary_target" "backend_servers_ssh" {
 93 |   type                     = "ssh"
 94 |   name                     = "Nomad Workers SSH Injected creds"
 95 |   description              = "Nomad Workers SSH target"
 96 |   scope_id                 = boundary_scope.app_infra.id
 97 |   default_port             = "22"
 98 |   session_connection_limit = -1
 99 |   egress_worker_filter     = " \"demostack\" in \"/tags/type\" "
100 |   host_source_ids = [
101 |     boundary_host_set_static.backend_servers_ssh.id
102 |   ]
103 |   injected_application_credential_source_ids = [
104 |     boundary_credential_library_vault_ssh_certificate.vault_ssh_cert.id
105 |   ]
106 |  enable_session_recording = true
107 |   storage_bucket_id        = boundary_storage_bucket.doormat_example.id
108 | }
109 | 
110 | resource "boundary_credential_store_vault" "app_vault" {
111 |   name        = "appHCP_Vault"
112 |   description = "app Vault Credential Store"
113 |   # address     = "https://vault.service.consul:8200"
114 |   address = var.vault_address
115 |   token   = vault_token.boundary.client_token
116 |   # token       = var.vault_token
117 |   namespace = "admin/${var.application_name}"
118 |   scope_id  = boundary_scope.app_infra.id
119 | }
120 | 
121 | resource "boundary_credential_library_vault" "ssh" {
122 |   name                = "vault_token"
123 |   description         = "Credential Library for Vault Token"
124 |   credential_store_id = boundary_credential_store_vault.app_vault.id
125 |   path                = "boundary_creds/data/ssh" # change to Vault backend path
126 |   http_method         = "GET"
127 | }
128 | 


--------------------------------------------------------------------------------
/nomad_job_ssh.tf:
--------------------------------------------------------------------------------
 1 | provider "nomad" {
 2 |   address   = var.nomad_address
 3 |   secret_id = var.nomad_token
 4 | }
 5 | 
 6 | resource "nomad_job" "nomad_vault_config" {
 7 |   depends_on = [vault_ssh_secret_backend_role.ssh_role]
 8 |   jobspec    = <<EOT
 9 | 
10 | job "boundary_vault_ssh_config" {
11 |   region = "global"
12 |   datacenters = ["eu-west-2a","eu-west-2b","eu-west-2c","eu-west-2"]
13 |   type = "batch"
14 | 
15 |   group "workers_to_config"{
16 |   count = 3 
17 | 
18 | 
19 | /*
20 |   vault {
21 |     policies = ["superuser"]
22 |     change_mode   = "restart"
23 |     namespace = "=admin/guystack"
24 |   }
25 | */
26 |    constraint {
27 |       operator  = "distinct_hosts"
28 |       value     = "true"
29 |     }
30 | 
31 |   task "vault_ssh_ca_install" {
32 |     
33 |     driver = "raw_exec"
34 | 
35 |     template {
36 |       data = <<EOH
37 | set -v
38 | 
39 | export VAULT_ADDR=${var.vault_address}
40 | export VAULT_NAMESPACE=${trimsuffix(vault_namespace.app.id, "/")}
41 | export VAULT_TOKEN=${var.vault_token}
42 | 
43 | vault version
44 | 
45 | # Add the public key to all target host's SSH configuration
46 | vault read -field=public_key ${vault_mount.ssh_mount.path}/config/ca > /etc/ssh/trusted-user-ca-keys.pem
47 | 
48 | # Setting up /etc/ssh/sshd_config
49 | grep -qxF 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' /etc/ssh/sshd_config || sudo echo 'TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem' >> /etc/ssh/sshd_config
50 | 
51 | # This is what your sshd config looks like now:
52 | cat /etc/ssh/sshd_config
53 | 
54 | # restarting SSHD
55 | sudo systemctl restart sshd
56 | 
57 | # remove your authorised_keys, if any.
58 | if [ -f /home/ubuntu/.ssh/authorized_keys ]; then
59 |   mv /home/ubuntu/.ssh/authorized_keys /home/ubuntu/.ssh/backup
60 | fi
61 | 
62 | # Uncomment the line below if you run into issues
63 | # mv /home/ubuntu/.ssh/backup /home/ubuntu/.ssh/authorized_keys
64 | 
65 | exit 0
66 | EOH
67 | 
68 |       destination = "script.sh"
69 |       perms = "755"
70 |     }
71 | 
72 |     config {
73 |       command = "bash"
74 |       args    = ["script.sh"]
75 |     }
76 |   }
77 | 
78 |  }#Group
79 | } # Job
80 | 
81 | 
82 | 
83 | 
84 | EOT
85 | }


--------------------------------------------------------------------------------
/nomad_workers.tf:
--------------------------------------------------------------------------------
  1 | resource "boundary_worker" "controller_led" {
  2 |   count       = var.boundary_ingress_worker_count
  3 |   scope_id    = "global"
  4 |   name        = "${var.application_name} ingress worker ${count.index}"
  5 |   description = "self managed worker with controller led auth"
  6 | }
  7 | 
  8 | resource "nomad_job" "nomad_boundary_workers" {
  9 |   count = var.boundary_ingress_worker_count
 10 |   hcl2 {
 11 |     enabled = true
 12 |     vars = {
 13 |       boundary_auth_token = boundary_worker.controller_led[count.index].controller_generated_activation_token
 14 |       #boundary_auth_token = boundary_worker.controller_led[0].controller_generated_activation_token
 15 |       boundary_ingress_worker_count = var.boundary_ingress_worker_count
 16 |       hcp_boundary_cluster_id       = substr(var.boundary_address, 8, 36)
 17 |     }
 18 |   }
 19 |   jobspec = <<EOT
 20 | 
 21 | variable "boundary_version" {
 22 |   type = string
 23 |   default = "0.14.3+ent"
 24 | }
 25 | 
 26 | variable "boundary_checksum" {
 27 |   type = string
 28 |   default = "b1364d334d56c4b3535ff192817a5a83c63348ec62e1fa3a63ddebe8f1967647"
 29 | 
 30 | }
 31 | 
 32 | variable "boundary_auth_token" {
 33 |   default = ""
 34 |   
 35 | }
 36 | 
 37 | variable "boundary_ingress_worker_count"{
 38 |   type = number
 39 |   default = 3
 40 | }
 41 | 
 42 | variable "hcp_boundary_cluster_id"{
 43 |   type = string
 44 |   default = ""
 45 | }
 46 | 
 47 | 
 48 | job "boundary-ingress-worker-${count.index}" {
 49 |  region = "global"
 50 |   datacenters = ["eu-west-2a","eu-west-2b","eu-west-2c","eu-west-2","dc1"]
 51 |   type = "service"
 52 | 
 53 |   group "boundary-worker" {
 54 |     count = 1
 55 | 
 56 |       constraint {
 57 |         operator = "distinct_hosts"
 58 |         value = "true"
 59 |       }
 60 |     network {
 61 |           port  "worker"  {
 62 |             static = 9202
 63 |           }
 64 |         }
 65 |     task "boundary-ingress-worker.service" {
 66 |       driver = "raw_exec"
 67 | 
 68 |       resources {
 69 |         cpu = 2000
 70 |         memory = 1024
 71 | 
 72 |       }
 73 |       artifact {
 74 |          source     = "https://releases.hashicorp.com/boundary/$${var.boundary_version}/boundary_$${var.boundary_version}_linux_amd64.zip"
 75 |         destination = "./tmp/"
 76 |         options {
 77 |           # checksum = "sha256:$${var.boundary_checksum}"
 78 |         }
 79 |       }
 80 | 
 81 |       env {
 82 |         AWS_ACCESS_KEY_ID     = aws_iam_access_key.boundary_session_recording.id
 83 |     AWS_SECRET_ACCESS_KEY = aws_iam_access_key.boundary_session_recording.secret
 84 |       }
 85 | 
 86 |       template {
 87 |         data        = <<EOF
 88 |         disable_mlock = true
 89 |  
 90 |  hcp_boundary_cluster_id = "$${var.hcp_boundary_cluster_id}"
 91 | 
 92 |  listener "tcp" {
 93 |   address = "0.0.0.0:9202"
 94 |   purpose = "proxy"
 95 |      tls_disable = true
 96 |  }
 97 |  
 98 | 
 99 | 
100 |  worker {
101 |   auth_storage_path = "tmp/boundary.d/"
102 |   recording_storage_path = "tmp/boundary.d/"
103 |   # change this to the public ip address of the specific platform you are running or use "attr.unique.network.ip-address"
104 |    public_addr = "{{ env "attr.unique.platform.aws.public-ipv4" }}"
105 | 
106 |     
107 |     
108 |      tags {
109 |     type      = ["workers","ent","demostack","ingress"]
110 |   }
111 |    controller_generated_activation_token = "$${var.boundary_auth_token}"
112 |  }
113 |  
114 |  events {
115 |   audit_enabled       = true
116 |   sysevents_enabled   = true
117 |   observations_enable = true
118 |   sink "stderr" {
119 |     name = "all-events"
120 |     description = "All events sent to stderr"
121 |     event_types = ["*"]
122 |     format = "cloudevents-json"
123 |   }
124 |   sink {
125 |     name = "file-sink"
126 |     description = "All events sent to a file"
127 |     event_types = ["*"]
128 |     format = "cloudevents-json"
129 |     file {
130 |       path = "/var/log/boundary"
131 |       file_name = "egress-worker.log"
132 |     }
133 |     audit_config {
134 |       audit_filter_overrides {
135 |         sensitive = "redact"
136 |         secret    = "redact"
137 |       }
138 |     }
139 |   }
140 |  }
141 | 
142 |         EOF
143 |         destination = "./tmp/boundary.d/pki-worker.hcl"
144 |       }
145 |       config {
146 |         command = "/tmp/boundary"
147 |         args = ["server", "-config=tmp/boundary.d/pki-worker.hcl"]
148 |       }
149 |       service {
150 |         name = "$${NOMAD_JOB_NAME}"
151 |         address = "$${attr.unique.platform.aws.public-ipv4}"
152 |         tags = ["boundary-ingress-worker","worker-$${NOMAD_JOB_NAME}"]
153 |         port = "worker"
154 | 
155 |         check {
156 |           name     = "alive"
157 |           type     = "tcp"
158 |           interval = "10s"
159 |           timeout  = "2s"
160 |         }
161 |       }
162 |     }
163 | 
164 |   }
165 | 
166 |   update {
167 |     max_parallel = 1
168 |     min_healthy_time = "5s"
169 |     healthy_deadline = "3m"
170 |     auto_revert = false
171 |     canary = 0
172 |   }
173 | }
174 | 
175 | EOT
176 | }


--------------------------------------------------------------------------------
/okta_boundary.tf:
--------------------------------------------------------------------------------
  1 | # Okta config
  2 | resource "okta_group" "boundary-admins" {
  3 |   name        = "boundary-admins"
  4 |   description = "Group for boundary Admins"
  5 | }
  6 | 
  7 | resource "okta_group" "boundary-devs" {
  8 |   name        = "boundary-devs"
  9 |   description = "Group for Developers to use boundary"
 10 | }
 11 | 
 12 | resource "okta_app_oauth" "boundary" {
 13 |   label       = var.okta_tile_app_label
 14 |   type        = "web"
 15 |   grant_types = ["authorization_code", "implicit", "refresh_token"]
 16 |   redirect_uris = ["${var.boundary_address}/v1/auth-methods/oidc:authenticate:callback"
 17 |   ]
 18 |   response_types            = ["id_token", "code"]
 19 |   consent_method            = "REQUIRED"
 20 |   post_logout_redirect_uris = [var.boundary_address]
 21 |   login_uri                 = "${var.boundary_address}"
 22 |   refresh_token_rotation    = "STATIC"
 23 |   lifecycle {
 24 |     ignore_changes = [groups_claim]
 25 |   }
 26 |   groups_claim {
 27 |     type        = "FILTER"
 28 |     filter_type = "STARTS_WITH"
 29 |     name        = "groups"
 30 |     value       = "boundary"
 31 |   }
 32 |   login_mode   = "SPEC"
 33 |   login_scopes = ["openid", "email", "profile"]
 34 |   hide_web     = false
 35 |   hide_ios     = false
 36 | }
 37 | 
 38 | resource "okta_app_oauth_api_scope" "boundary" {
 39 |   app_id = okta_app_oauth.boundary.id
 40 |   issuer = var.okta_base_url_full
 41 |   scopes = ["okta.groups.read", "okta.users.read.self"]
 42 | }
 43 | 
 44 | resource "okta_app_group_assignments" "boundary-groups" {
 45 |   app_id = okta_app_oauth.boundary.id
 46 |   group {
 47 |     id = okta_group.boundary-admins.id
 48 |   }
 49 |   group {
 50 |     id = okta_group.boundary-devs.id
 51 |   }
 52 | }
 53 | 
 54 | resource "okta_auth_server" "boundary" {
 55 |   audiences   = [var.okta_auth_audience]
 56 |   description = ""
 57 |   name        = "boundary"
 58 |   issuer_mode = var.okta_issue_mode
 59 |   status      = "ACTIVE"
 60 | }
 61 | 
 62 | resource "okta_auth_server_claim" "example" {
 63 |   auth_server_id          = okta_auth_server.boundary.id
 64 |   name                    = "groups"
 65 |   value_type              = "GROUPS"
 66 |   group_filter_type       = "STARTS_WITH"
 67 |   value                   = "boundary-"
 68 |   scopes                  = ["profile"]
 69 |   claim_type              = "IDENTITY"
 70 |   always_include_in_token = true
 71 | }
 72 | 
 73 | resource "okta_auth_server_policy" "boundary" {
 74 |   auth_server_id   = okta_auth_server.boundary.id
 75 |   status           = "ACTIVE"
 76 |   name             = "boundary policy"
 77 |   description      = ""
 78 |   priority         = 1
 79 |   client_whitelist = ["ALL_CLIENTS"]
 80 | }
 81 | 
 82 | resource "okta_auth_server_policy_rule" "example" {
 83 |   auth_server_id       = okta_auth_server.boundary.id
 84 |   policy_id            = okta_auth_server_policy.boundary.id
 85 |   status               = "ACTIVE"
 86 |   name                 = "default"
 87 |   priority             = 1
 88 |   group_whitelist      = ["EVERYONE"]
 89 |   scope_whitelist      = ["*"]
 90 |   grant_type_whitelist = ["client_credentials", "authorization_code", "implicit"]
 91 | }
 92 | 
 93 | # Add user to groups
 94 | data "okta_user" "example" {
 95 |   search {
 96 |     name  = "profile.email"
 97 |     value = var.okta_user_email
 98 |   }
 99 | }
100 | 
101 | resource "okta_user_group_memberships" "example" {
102 |   user_id = data.okta_user.example.id
103 |   groups = [
104 |     okta_group.boundary-admins.id,
105 |     okta_group.boundary-devs.id,
106 |   ]
107 | }
108 | 
109 | 


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
 1 | output "boundary_address" {
 2 |   value = var.boundary_address
 3 | }
 4 | 
 5 | output "boundary_auth_string" {
 6 |   value = "boundary authenticate password -auth-method-id=${var.boundary_auth_method_id} -login-name=${var.boundary_username} -password=${var.boundary_password}"
 7 | }
 8 | 
 9 | output "consul_target" {
10 |   value = boundary_target.consul.id
11 | }
12 | 
13 | output "vault_target" {
14 |   value = boundary_target.vault.id
15 | }
16 | 
17 | output "nomad_target" {
18 |   value = boundary_target.nomad.id
19 | }
20 | 
21 | output "postgres_target" {
22 |   value = boundary_target.postgres.id
23 | }
24 | 
25 | 
26 | output "ssh_target" {
27 |   value = boundary_target.backend_servers_ssh.id
28 | }
29 | 
30 | # output "found_ec2_instances" {
31 | #  value = flatten(data.aws_instances.servers.*.private_ips)
32 | # }
33 | 
34 | # output "found_windows_instances" {
35 | #  value = data.aws_instance.windows.private_ip
36 | # }
37 | 
38 | # output "found_windows_instance_password" {
39 | #  value = rsadecrypt(data.aws_instance.windows.password_data, file("/Users/guybarros/.ssh/id_rsa"))
40 | # }
41 | 
42 | # Nomad
43 | output "zz_boundary_connect_nomad" {
44 |   value = "boundary connect -exec chrome -target-id=${boundary_target.nomad.id} -- {{boundary.host}} {{boundary.port}}"
45 | }
46 | # Postgres
47 | output "zz_boundary_connect_postgres" {
48 |   value = "boundary connect postgres -target-id ${boundary_target.postgres.id}  -dbname postgres"
49 | }
50 | # SSh
51 | output "zz_boundary_connect_ssh" {
52 |   value = "boundary connect ssh  -target-id  ${boundary_target.backend_servers_ssh.id} --username ubuntu"
53 | }
54 | 
55 | output "boundary_worker_tokens" {
56 |   value = boundary_worker.controller_led.*.controller_generated_activation_token
57 | }
58 | 


--------------------------------------------------------------------------------
/pki_test.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | resource "vault_mount" "pki_root" {
 3 |   path                  = "pki_root"
 4 |   type                  = "pki"
 5 |   max_lease_ttl_seconds = 315360000 # 10 years
 6 | }
 7 | 
 8 | resource "vault_pki_secret_backend_root_cert" "pki_root" {
 9 |   backend = vault_mount.pki_root.path
10 | 
11 |   type                 = "internal"
12 |   common_name          = "Vault Root Certificate Authority"
13 |   ttl                  = "87600h"
14 |   key_type             = "rsa"
15 |   key_bits             = 4096
16 |   exclude_cn_from_sans = true
17 |   ////////////////////////////////////////////////////////////////
18 |   # common_name = "kubernetes"
19 |   # ttl = "15768000s"
20 |   format             = "pem"
21 |   private_key_format = "der"
22 |   # key_type = "rsa"
23 |   # key_bits = 2048
24 |   # exclude_cn_from_sans = true
25 |   ou           = "Solution Egineering"
26 |   organization = "Hashicorp"
27 |   //////////////////////////////////////////////////////////
28 | 
29 | }
30 | 
31 | resource "vault_mount" "pki_int" {
32 |   path                  = "pki_int"
33 |   type                  = "pki"
34 |   max_lease_ttl_seconds = 157680000 # 5 years
35 | }
36 | 
37 | resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int" {
38 |   backend = vault_mount.pki_int.path
39 | 
40 |   type        = "internal"
41 |   common_name = "Vault Intermediate Authority"
42 |   key_type    = "rsa"
43 |   key_bits    = "4096"
44 | }
45 | 
46 | resource "vault_pki_secret_backend_root_sign_intermediate" "pki_int" {
47 |   backend = vault_mount.pki_root.path
48 | 
49 |   csr                  = vault_pki_secret_backend_intermediate_cert_request.pki_int.csr
50 |   common_name          = "Vault Intermediate Authority"
51 |   ttl                  = "43800h"
52 |   exclude_cn_from_sans = true
53 | }
54 | 
55 | resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int" {
56 |   backend = vault_mount.pki_int.path
57 | 
58 |   certificate = vault_pki_secret_backend_root_sign_intermediate.pki_int.certificate
59 | }
60 | 
61 | resource "vault_pki_secret_backend_role" "leaf" {
62 |   backend = vault_mount.pki_int.path
63 |   name    = "leaf-cert"
64 |   # allowed_domains    = ["example.io"]
65 |   allow_bare_domains = true #
66 |   allow_subdomains   = true #
67 |   allow_glob_domains = true #
68 |   allow_any_name     = true # adjust allow_*, flags accordingly
69 |   allow_ip_sans      = true #
70 |   server_flag        = true #
71 |   client_flag        = true #
72 | 
73 |   key_usage = ["DigitalSignature", "KeyAgreement", "KeyEncipherment", "KeyUsageCertSign"]
74 |   max_ttl   = "730h" # ~1 month
75 |   ttl       = "730h"
76 | }
77 | 
78 | 
79 | 


--------------------------------------------------------------------------------
/provider.tf:
--------------------------------------------------------------------------------
 1 | ///////////////// Vault Namespace
 2 | 
 3 | provider "vault" {
 4 |   address = var.vault_address
 5 |   # namespace = var.vault_namespace
 6 |   token = var.vault_token
 7 | }
 8 | 
 9 | 
10 | provider "vault" {
11 |   alias     = "app"
12 |   address   = var.vault_address
13 |   namespace = trimsuffix(vault_namespace.app.id, "/")
14 |   token     = var.vault_token
15 | }
16 | 
17 | resource "vault_namespace" "app" {
18 |   path = var.application_name
19 | }
20 | 
21 | terraform {
22 |   required_providers {
23 |     okta = {
24 |       source = "okta/okta"
25 |       version = "~> 4.4.2"
26 |     }
27 |   }
28 | }
29 | 
30 | # Configure the Okta Provider
31 | provider "okta" {
32 |   org_name  = var.okta_org_name
33 |   base_url  = var.okta_base_url
34 |   api_token = var.okta_api_token
35 | }


--------------------------------------------------------------------------------
/terraform.tfvars:
--------------------------------------------------------------------------------
 1 | 
 2 | boundary_address  =   "https://6f70da8b-1f6b-4a5d-b2c4-ca23f549e15e.boundary.hashicorp.cloud"
 3 | boundary_auth_method_id = "ampw_sMJSdKHzoc"
 4 | boundary_username       = "admin"
 5 | boundary_password       = "Welcome1"
 6 | 
 7 | vault_address    = "https://guylabstack-vault-public-vault-ebf9aa8a.ee94bddd.z1.hashicorp.cloud:8200"
 8 | vault_token   = "hvs.CAESIJ1Cfx2XqfagoGuYs83guFqRu6wMHrtTtelJrAjllDPJGiYKImh2cy4xS0dCS1cyUlpPVTJoQ3daUUNMVVVYYzYuR0l5QnQQfw"
 9 | vault_namespace = "boundary"
10 | 
11 | 
12 | nomad_addr  = "https://nomad.guylabstack.guy.aws.sbx.hashicorpdemo.com:4646"
13 | nomad_token = "06fab985-1647-e555-e43c-ba1c70bccd94"
14 | 
15 | path_to_private_key = "/Users/guybarros/.ssh/id_rsa"
16 | path_to_public_key  = "/Users/guybarros/.ssh/id_rsa.pub"
17 | 
18 | postgres_password = "YourPwdShouldBeLongAndSecure!"
19 | 
20 | sshca_hostname = "workers-0.guylabstack.guy.aws.sbx.hashicorpdemo.com"
21 | 
22 | application_name = "guylabstack"
23 | 
24 | windows_port = 3389
25 | 


--------------------------------------------------------------------------------
/to_team.tf.bkp:
--------------------------------------------------------------------------------
  1 | ///////////////// Vault Namespace
  2 | 
  3 | provider "vault" {
  4 |   address = var.vault_address
  5 |  # namespace = var.vault_namespace
  6 |   token   = var.vault_token
  7 | }
  8 | 
  9 | 
 10 | provider "vault" {
 11 |   alias     = "app"
 12 |   address = var.vault_address
 13 |   namespace = trimsuffix(vault_namespace.app.id, "/")
 14 |   token   = var.vault_token
 15 | }
 16 | 
 17 | resource "vault_namespace" "app" {
 18 |   path = var.application_name
 19 | }
 20 | 
 21 | 
 22 | resource "vault_mount" "boundary_creds" {
 23 |     provider = vault.app
 24 |   path        = "boundary_creds"
 25 |   type        = "kv"
 26 |   options     = { version = "2" }
 27 |   description = "KV Version 2 secret engine mount"
 28 | }
 29 | 
 30 | 
 31 | resource "time_sleep" "wait_5_seconds" {
 32 |   depends_on = [vault_mount.boundary_creds]
 33 | 
 34 |   create_duration = "5s"
 35 | }
 36 | 
 37 | resource "vault_kv_secret_v2" "windows" {
 38 |     depends_on = [time_sleep.wait_5_seconds]
 39 |     provider = vault.app
 40 |   mount                      = vault_mount.boundary_creds.path
 41 |   name                       = "windows"
 42 |   cas                        = 1
 43 |   delete_all_versions        = true
 44 |   data_json                  = jsonencode(
 45 |   {
 46 |     Username       = "Example1",
 47 |     Password       = "53cr37"
 48 |   }
 49 |   )
 50 | }
 51 | 
 52 | 
 53 | resource "vault_kv_secret_v2" "ssh" {
 54 |     depends_on = [time_sleep.wait_5_seconds]
 55 |     provider = vault.app
 56 |   mount                      = vault_mount.boundary_creds.path
 57 |   name                       = "ssh"
 58 |   cas                        = 1
 59 |   delete_all_versions        = true
 60 |   data_json                  = jsonencode(
 61 |   {
 62 |     username       = "ubuntu",
 63 |     public_key       = "lalalala"
 64 |     private_key      = "lelele"
 65 |   }
 66 |   )
 67 | }
 68 | 
 69 | 
 70 | 
 71 | resource "boundary_target" "gen_test" {
 72 |   type                     = "tcp"
 73 |   name                     = "gen_test"
 74 |   description              = "gen_test"
 75 |   scope_id                 = boundary_scope.app_infra.id
 76 |   default_port             = "8500"
 77 |   session_connection_limit = -1
 78 |    # worker_filter = "demostack in /tags/type"
 79 |   host_source_ids = [
 80 |     boundary_host_set.backend_servers_ssh.id
 81 |   ]
 82 |    brokered_credential_source_ids = [
 83 |     boundary_credential_library_vault.gen.id
 84 |   ]
 85 | }
 86 | 
 87 | resource "boundary_credential_library_vault" "gen" {
 88 |   name                = "gen_vault_token"
 89 |   description         = "Credential Library for Vault Token"
 90 |   credential_store_id = boundary_credential_store_vault.app_vault.id
 91 |   path                = "boundary_creds/data/windows" # change to Vault backend path
 92 |   http_method         = "GET"
 93 |  
 94 |   credential_type     = "username_password"
 95 |   credential_mapping_overrides = {
 96 |     password_attribute = "Password"
 97 |     username_attribute = "Username"
 98 |   }
 99 | 
100 | }
101 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | variable "boundary_address" {
  2 |   description = "Boundary Host"
  3 |   default     = ""
  4 | }
  5 | 
  6 | variable "boundary_auth_method_id" {
  7 |   description = "Boundary Auth Method"
  8 |   default     = ""
  9 | }
 10 | 
 11 | variable "boundary_username" {
 12 |   description = "Boundary Username"
 13 |   default     = "admin"
 14 | }
 15 | 
 16 | variable "boundary_password" {
 17 |   description = "Boundary Password"
 18 |   default     = ""
 19 | }
 20 | 
 21 | 
 22 | # Vault Dynamic DB Cred
 23 | 
 24 | //PostgresSQL
 25 | 
 26 | variable "postgres_password" {
 27 |   description = "the password for admin username of the MySQL Database we will configure in Vault(this will be rotated after config)"
 28 | }
 29 | 
 30 | 
 31 | 
 32 | variable "windows_port" {
 33 |   description = "the port of the windows VM we will RDP into"
 34 | }
 35 | 
 36 | ################ Vault
 37 | variable "application_name" {
 38 |   type        = string
 39 |   description = "the application identifier which will create github repo, terraform workspace, vault namespace"
 40 | }
 41 | 
 42 | variable "vault_namespace" {
 43 |   description = "the HCP Vault namespace we will use for mounting the database secret engine"
 44 |   default     = "admin"
 45 | }
 46 | 
 47 | variable "vault_address" {
 48 |   description = "the Vault Address"
 49 | }
 50 | 
 51 | variable "vault_token" {
 52 |   description = "the Vault Address"
 53 |   sensitive   = true
 54 | }
 55 | 
 56 | variable "windows_username" {
 57 |   description = "the HCP Vault namespace we will use for mounting the database secret engine"
 58 |   default     = "Administrator"
 59 | }
 60 | 
 61 | variable "path_to_private_key" {
 62 |   description = "path to the private key used on your Windows EC2 host"
 63 | }
 64 | 
 65 | variable "path_to_public_key" {
 66 |   description = "path to the private key used on your Windows EC2 host"
 67 | }
 68 | 
 69 | 
 70 | variable "owner_tag" {
 71 |   description = "Owner in the AWS tags to find resources in the account"
 72 |   default     = "guybarros"
 73 | }
 74 | 
 75 | 
 76 | variable "nomad_address" {
 77 |   description = "nomad address to run the vault ssh config job"
 78 |   default     = "https://nomad.guylabstack.guy.aws.sbx.hashicorpdemo.com:4646"
 79 | }
 80 | 
 81 | variable "nomad_token" {
 82 |   description = "nomad acl secret id  to run the vault ssh config job"
 83 |   sensitive   = true
 84 | }
 85 | 
 86 | variable "boundary_ingress_worker_count" {
 87 |   description = "count of ingress workers do deploy on nomad"
 88 |   default     = 3
 89 | }
 90 | 
 91 | 
 92 | variable "disable_credential_rotation" {
 93 |   type        = bool
 94 |   description = "Bool to signal if Boundary should not rotate the IAM Access Credentials"
 95 |   default     = true
 96 | }
 97 | 
 98 | 
 99 | 
100 | variable "region" {
101 |   type        = string
102 |   description = "AWS Region"
103 |   default     = "eu-west-2"
104 | }
105 | 
106 | variable "consul_datacenter" {
107 |   type        = string
108 |   description = "HCP Consul Datacenter Name"
109 |   default     = "eu-west-2"
110 | }
111 | 
112 | variable "consul_address" {
113 |   type        = string
114 |   description = "HCP Consul Address"
115 | }
116 | 
117 | variable "consul_token" {
118 |   type        = string
119 |   description = "HCP Consul Token"
120 |   sensitive = true
121 | }
122 | 
123 | 
124 | variable "okta_org_name" {
125 |   type        = string
126 |   description = "The org name, ie for dev environments `dev-123456`"
127 | }
128 | 
129 | variable "okta_base_url" {
130 |   type        = string
131 |   description = "The Okta SaaS endpoint, usually okta.com or oktapreview.com"
132 | }
133 | 
134 | variable "okta_base_url_full" {
135 |   type        = string
136 |   description = "Full URL of Okta login, usually instanceID.okta.com, ie https://dev-208447.okta.com"
137 | }
138 | 
139 | variable "okta_issue_mode" {
140 |   type        = string
141 |   description = "Indicates whether the Okta Authorization Server uses the original Okta org domain URL or a custom domain URL as the issuer of ID token for this client. ORG_URL = foo.okta.com, CUSTOM_URL = custom domain"
142 |   default     = "ORG_URL"
143 | }
144 | 
145 | variable "okta_api_token" {
146 |   type        = string
147 |   description = "Okta API key"
148 | }
149 | 
150 | variable "okta_allowed_groups" {
151 |   type        = list(any)
152 |   description = "Okta group for Vault admins"
153 |   default     = ["vault_admins"]
154 | }
155 | 
156 | variable "okta_mount_path" {
157 |   type        = string
158 |   description = "Mount path for Okta auth"
159 |   default     = "okta_oidc"
160 | }
161 | 
162 | variable "okta_user_email" {
163 |   type        = string
164 |   description = "e-mail of a user to dynamically add to the groups created by this config"
165 | }
166 | 
167 | variable "okta_tile_app_label" {
168 |   type        = string
169 |   description = "HCP Vault"
170 | }
171 | 
172 | # variable "okta_client_id" {
173 | #   type        = string
174 | #   description = "Okta Vault app client ID"
175 | # }
176 | 
177 | # variable "okta_client_secret" {
178 | #   type        = string
179 | #   description = "Okta Vault app client secret"
180 | # }
181 | 
182 | # variable "okta_bound_audiences" {
183 | #   type        = list(any)
184 | #   description = "A list of allowed token audiences"
185 | # }
186 | 
187 | variable "okta_auth_audience" {
188 |   type        = string
189 |   description = ""
190 |   default     = "api://vault"
191 | }
192 | 
193 | 
194 | variable "s3_bucket_name" {
195 |   description = "Name of the S3 bucket"
196 |   type        = string
197 |   default     = "boundary-s3-bucket"
198 | }
199 | 
200 | variable "s3_bucket_name_tags" {
201 |   type        = string
202 |   description = "Name tag to associate to the S3 Bucket"
203 |   default     = "Session-Recording"
204 | }
205 | 
206 | variable "s3_bucket_env_tags" {
207 |   type        = string
208 |   description = "Environment tag to associate to the S3 Bucket"
209 |   default     = "Boundary"
210 | }
211 | 


--------------------------------------------------------------------------------
/vault_aws.tf.bkp:
--------------------------------------------------------------------------------
 1 | resource "vault_aws_secret_backend" "vault_aws" {
 2 |     provider            = vault.app
 3 |   access_key        = aws_iam_access_key.vault_mount_user.id
 4 |   secret_key        = aws_iam_access_key.vault_mount_user.secret
 5 |   description       = "Demo of the AWS secrets engine"
 6 |   region            = data.aws_region.current.name
 7 |   username_template = "{{ if (eq .Type \"STS\") }}{{ printf \"${aws_iam_user.vault_mount_user.name}-%s-%s\" (random 20) (unix_time) | truncate 32 }}{{ else }}{{ printf \"${aws_iam_user.vault_mount_user.name}-vault-%s-%s\" (unix_time) (random 20) | truncate 60 }}{{ end }}"
 8 | }
 9 | 
10 | resource "vault_aws_secret_backend_role" "vault_role_iam_user_credential_type" {
11 |     provider            = vault.app
12 |   backend                  = vault_aws_secret_backend.vault_aws.path
13 |   credential_type          = "iam_user"
14 |   name                     = "vault-demo-iam-user"
15 |   permissions_boundary_arn = data.aws_iam_policy.demo_user_permissions_boundary.arn
16 |   policy_document          = data.aws_iam_policy_document.vault_dynamic_iam_user_policy.json
17 | }
18 | 
19 | resource "vault_aws_secret_backend_role" "vault_role_federation_token_credential_type" {
20 |     provider            = vault.app
21 |   backend         = vault_aws_secret_backend.vault_aws.path
22 |   credential_type = "federation_token"
23 |   name            = "vault-demo-federation-token"
24 |   policy_document = data.aws_iam_policy_document.vault_dynamic_iam_user_policy.json
25 | }
26 | 
27 | resource "vault_aws_secret_backend_role" "vault_role_assumed_role_credential_type" {
28 |     provider            = vault.app
29 |   backend         = vault_aws_secret_backend.vault_aws.path
30 |   credential_type = "assumed_role"
31 |   name            = "vault-demo-assumed-role"
32 |   role_arns       = [data.aws_iam_role.vault_target_iam_role.arn]
33 | }


--------------------------------------------------------------------------------
/vault_boundary.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | resource "vault_token" "boundary" {
 4 |   provider     = vault.app
 5 |   no_parent    = true
 6 |   policies     = [vault_policy.boundary_policy.name, "superadmin", "admin-policy"]
 7 |   display_name = "boundary cred store"
 8 |   renewable    = true
 9 |   period       = "72h"
10 | 
11 | }
12 | 
13 | resource "vault_policy" "boundary_policy" {
14 |   provider = vault.app
15 |   name     = "dev-team"
16 | 
17 | 
18 |   policy = <<EOT
19 | path "*" {
20 |   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
21 |   }
22 | 
23 |   path "kv/*" {
24 |     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
25 | }
26 | 
27 | path "kv/test/*" {
28 |     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
29 | }
30 | 
31 | path "pki/*" {
32 |     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
33 | }
34 | 
35 | # all access to boundary namespace
36 | path "postgres/*" {
37 |     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
38 |   }
39 | 
40 | path "boundary/*" {
41 |     capabilities = ["create", "read", "update", "delete", "list", "sudo"]
42 | }
43 | 
44 |   path "auth/token/revoke-accessor" {
45 |     capabilities = ["read","update"]
46 |   }
47 | 
48 |   path "auth/token/lookup-self" {
49 |     capabilities = ["read"]
50 |   }
51 |   path "auth/token/lookup" {
52 |     capabilities = ["read","update"]
53 |   }
54 |   path "auth/token/renew-self" {
55 |     capabilities = ["read","update"]
56 |   }
57 |     path "auth/token/revoke-self" {
58 |     capabilities = ["read","update"]
59 |   }
60 |     path "sys/leases/renew" {
61 |     capabilities = ["read","update"]
62 |   }
63 |      path "sys/leases/revoke" {
64 |     capabilities = ["read","update"]
65 |   }
66 | 
67 |   path "auth/token/revoke-accessor" {
68 |     capabilities = ["read","update"]
69 |   }
70 |   path "/sys/capabilities-self" {
71 |     capabilities =   ["delete", "list", "read", "update"]
72 |   }
73 | 
74 |   path "/sys/capabilities-accessor" {
75 |      capabilities =  ["delete", "list", "read", "update"]
76 |   }
77 | 
78 |   path "/sys/capabilities" {
79 |      capabilities =  ["delete", "list", "read", "update"]
80 |   }
81 | 
82 |   path "auth/token/renew-self" {
83 |     capabilities = ["read","update"]
84 |   }
85 | 
86 |   path "/postgres/creds/*"{
87 |    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
88 |   }
89 | 
90 | EOT
91 | }
92 | 
93 | 


--------------------------------------------------------------------------------
/vault_consul.tf:
--------------------------------------------------------------------------------
 1 | provider "consul" {
 2 |   address    = var.consul_address
 3 |   datacenter = var.consul_datacenter
 4 |   token      = var.consul_token
 5 | }
 6 | 
 7 | resource "consul_acl_policy" "vault-se-policy" {
 8 |   name        = "vault-se-policy"
 9 |   rules       = <<-RULE
10 | acl = "write"
11 | 
12 |     namespace_prefix "sandbox" {
13 | 
14 | acl = "write"
15 | 
16 | }
17 |     RULE
18 | }
19 | 
20 | resource "consul_acl_policy" "test-policy" {
21 |   name        = "test-policy"
22 |   namespace   = consul_namespace.sandbox.name
23 |   rules       = <<-RULE
24 | acl = "write"
25 | 
26 | 
27 |     RULE
28 | }
29 | 
30 | 
31 | 
32 | resource "consul_namespace" "sandbox" {
33 |   name        = "sandbox"
34 |   description = "sandbox namespace"
35 | 
36 |   meta = {
37 |     example = "of a meta argument"
38 |   }
39 | }
40 | 
41 | 
42 | resource "consul_acl_token" "vault_token" {
43 |   description = "vault token"
44 |   policies = [consul_acl_policy.vault-se-policy.name]
45 |   local = true
46 | }
47 | 
48 | 
49 | 
50 | data "consul_acl_token_secret_id" "token" {
51 |   accessor_id = consul_acl_token.vault_token.id
52 | }
53 | 
54 | resource "vault_consul_secret_backend" "consul" {
55 |   path        = "consul"
56 |   description = "Manages the Consul backend"
57 | 
58 |   address = var.consul_address
59 |   token   = data.consul_acl_token_secret_id.token.secret_id
60 | }
61 | 
62 | resource "vault_consul_secret_backend_role" "example" {
63 |   name    = "test-role"
64 |   backend = vault_consul_secret_backend.consul.path
65 |   consul_namespace = consul_namespace.sandbox.name
66 | 
67 |   consul_policies = [
68 |     consul_acl_policy.test-policy.name 
69 |   ]
70 | }


--------------------------------------------------------------------------------
/vault_postgres.tf:
--------------------------------------------------------------------------------
 1 | resource "vault_mount" "postgres" {
 2 |   provider = vault.app
 3 |   path     = "postgres"
 4 |   type     = "database"
 5 | }
 6 | resource "vault_database_secret_backend_connection" "postgres-con" {
 7 |   provider      = vault.app
 8 |   backend       = vault_mount.postgres.path
 9 |   name          = "postgres-con"
10 |   allowed_roles = ["postgres-role"]
11 |   postgresql {
12 |     connection_url       = "postgres://${data.aws_db_instance.postgres.master_username}:${var.postgres_password}@${data.aws_db_instance.postgres.endpoint}/${data.aws_db_instance.postgres.db_name}" #?sslmode=disable"
13 |     max_open_connections = -1
14 |   }
15 | }
16 | 
17 | 
18 | resource "vault_database_secret_backend_role" "postgres-role" {
19 |   provider            = vault.app
20 |   depends_on          = [vault_database_secret_backend_connection.postgres-con]
21 |   backend             = vault_mount.postgres.path
22 |   name                = "postgres-role"
23 |   db_name             = vault_database_secret_backend_connection.postgres-con.name
24 |   creation_statements = ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"]
25 |   revocation_statements = [
26 |     "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\";",
27 |     "DROP USER \"{{name}}\";",
28 |   ]
29 | 
30 | }
31 | 


--------------------------------------------------------------------------------
/vault_postgres.tf.bkp:
--------------------------------------------------------------------------------
 1 | resource "vault_mount" "postgres" {
 2 |   provider = vault.app
 3 |   path = "postgres"
 4 |   type = "database"
 5 | }
 6 | resource "vault_database_secret_backend_connection" "postgres-con" {
 7 | provider = vault.app
 8 |   backend       = vault_mount.postgres.path
 9 |   name          = "postgres-con"
10 | allowed_roles   = ["postgres-role"]
11 |   postgresql {
12 |     connection_url = "postgres://${var.postgres_username}:${var.postgres_password}@${var.postgres_hostname}:${var.postgres_port}/${var.postgres_name}?sslmode=disable"
13 |   max_open_connections = -1
14 |   }
15 | }
16 | 
17 | 
18 | resource "vault_database_secret_backend_role" "postgres-role" {
19 |   provider = vault.app
20 |   depends_on = [vault_database_secret_backend_connection.postgres-con]
21 |   backend             = vault_mount.postgres.path
22 |   name                = "postgres-role"
23 |   db_name             =  vault_database_secret_backend_connection.postgres-con.name
24 |   creation_statements = ["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';"]
25 |   revocation_statements = [
26 |     "REVOKE ALL PRIVILEGES ON ALL TABLES IN SCHEMA public FROM \"{{name}}\";",
27 |     "DROP USER \"{{name}}\";",
28 |   ]
29 | 
30 | }
31 | 


--------------------------------------------------------------------------------
/vault_ssh.tf:
--------------------------------------------------------------------------------
 1 | resource "vault_mount" "ssh_mount" {
 2 |   provider    = vault.app
 3 |   path        = "ssh-client-signer"
 4 |   type        = "ssh"
 5 |   description = "SSH Mount"
 6 | }
 7 | 
 8 | resource "vault_ssh_secret_backend_ca" "ssh_backend" {
 9 |   provider    = vault.app
10 |   backend     = vault_mount.ssh_mount.path
11 |   generate_signing_key = true
12 |   # public_key  = file(var.path_to_public_key)
13 |   # private_key = file(var.path_to_private_key)
14 | 
15 | }
16 | 
17 | resource "vault_ssh_secret_backend_role" "ssh_role" {
18 |   provider                = vault.app
19 |   name                    = "boundary-client"
20 |   backend                 = vault_mount.ssh_mount.path
21 |   key_type                = "ca"
22 |   allow_host_certificates = true
23 |   allow_user_certificates = true
24 |   default_user            = "ubuntu"
25 |   ttl                     = "2m0s"
26 |   default_extensions = {
27 |     permit-pty = ""
28 |   }
29 |   allowed_users      = "*"
30 |   allowed_extensions = "*"
31 | }
32 | 
33 | resource "vault_ssh_secret_backend_role" "guy" {
34 |   provider                = vault.app
35 |   name                    = "boundary-client"
36 |   backend                 = vault_mount.ssh_mount.path
37 |   key_type                = "ca"
38 |   allow_host_certificates = true
39 |   allow_user_certificates = true
40 |   default_user            = "ubuntu"
41 |   ttl                     = "2m0s"
42 |   default_extensions = {
43 |     permit-pty = ""
44 |   }
45 |   allowed_users      = "*"
46 |   allowed_extensions = "*"
47 | }
48 | 


--------------------------------------------------------------------------------
/vault_windows.tf:
--------------------------------------------------------------------------------
 1 | resource "vault_mount" "boundary_creds" {
 2 |   provider    = vault.app
 3 |   path        = "boundary_creds"
 4 |   type        = "kv"
 5 |   options     = { version = "2" }
 6 |   description = "KV Version 2 secret engine mount"
 7 | }
 8 | 
 9 | 
10 | resource "time_sleep" "wait_5_seconds" {
11 |   depends_on = [vault_mount.boundary_creds]
12 | 
13 |   create_duration = "5s"
14 | }
15 | 
16 | resource "vault_kv_secret_v2" "windows" {
17 |   depends_on          = [time_sleep.wait_5_seconds]
18 |   provider            = vault.app
19 |   mount               = vault_mount.boundary_creds.path
20 |   name                = "windows"
21 |   cas                 = 1
22 |   delete_all_versions = true
23 |   data_json = jsonencode(
24 |     {
25 |       username = "${var.windows_username}",
26 |       password = rsadecrypt(data.aws_instance.windows.password_data, file("/Users/guybarros/.ssh/id_rsa"))
27 |     }
28 |   )
29 | }
30 | 
31 | 
32 | resource "vault_kv_secret_v2" "ssh" {
33 |   depends_on          = [time_sleep.wait_5_seconds]
34 |   provider            = vault.app
35 |   mount               = vault_mount.boundary_creds.path
36 |   name                = "ssh"
37 |   cas                 = 1
38 |   delete_all_versions = true
39 |   data_json = jsonencode(
40 |     {
41 |       username    = "ubuntu",
42 |       public_key  = file(var.path_to_public_key)
43 |       private_key = file(var.path_to_private_key)
44 |     }
45 |   )
46 | }


--------------------------------------------------------------------------------