├── m6 ├── key_shares.txt ├── vaultadmin1 ├── vaultadmin2 ├── vaultadmin3 ├── root_token_revoke.sh ├── auto_unseal_ops.sh ├── vaultconfig.hcl ├── key_vault_creation.sh └── pgp-key-gen.sh ├── m8 ├── m8_commands.sh └── azure-vms │ ├── vars.tfvars.txt │ ├── variables.tf │ ├── vaultinstall.tpl │ └── resources.tf ├── m3 ├── aks │ ├── vault-ingress.yaml │ ├── consul-dns.yaml │ ├── dns-text.yaml │ ├── helm-rbac.yaml │ ├── ui-ingress.yaml │ ├── vault-values.yaml │ └── helm-prep.sh └── azure-vms │ ├── vaultconfig.hcl │ ├── vault.service │ └── vaultinstall.sh ├── .gitignore ├── m4 ├── policies │ ├── engine_admin.hcl │ ├── audit_admin.hcl │ ├── helpdesk_admin.hcl │ ├── full_admin.hcl │ └── policy_creation.sh └── token-demo.sh ├── m5 ├── healthCheck.sh ├── vaultconfig.hcl ├── telegraf_install.sh └── activityGenerator.sh ├── vars.tfvars.txt ├── m2 ├── aks │ ├── outputs.tf │ ├── variables.tf │ └── resources.tf └── azure-vms │ ├── variables.tf │ └── resources.tf ├── m9 └── azure-vms │ ├── m9_commands.sh │ ├── variables.tf │ ├── mysql.tf │ ├── network.tf │ ├── load_balancer.tf │ ├── vaultinstall.tpl │ ├── main.tf │ └── key_vault.tf ├── m7 └── azure-vms │ ├── m7_commands.sh │ ├── variables.tf │ ├── vaultinstall.tpl │ └── resources.tf ├── LICENSE └── README.md /m6/key_shares.txt: -------------------------------------------------------------------------------- 1 | #Paste the encrypted keys here 2 | 3 | #Paste the decrypted keys here 4 | -------------------------------------------------------------------------------- /m6/vaultadmin1: -------------------------------------------------------------------------------- 1 | Key-Type: 1 2 | Key-Length: 2048 3 | Subkey-Type: 1 4 | Subkey-Length: 2048 5 | Name-Real: vaultadmin1 6 | Passphrase: vaultpassphrase 7 | Expire-Date: 0 -------------------------------------------------------------------------------- /m6/vaultadmin2: -------------------------------------------------------------------------------- 1 | Key-Type: 1 2 | Key-Length: 2048 3 | 
Subkey-Type: 1 4 | Subkey-Length: 2048 5 | Name-Real: vaultadmin2 6 | Passphrase: vaultpassphrase 7 | Expire-Date: 0 -------------------------------------------------------------------------------- /m6/vaultadmin3: -------------------------------------------------------------------------------- 1 | Key-Type: 1 2 | Key-Length: 2048 3 | Subkey-Type: 1 4 | Subkey-Length: 2048 5 | Name-Real: vaultadmin3 6 | Passphrase: vaultpassphrase 7 | Expire-Date: 0 -------------------------------------------------------------------------------- /m8/m8_commands.sh: -------------------------------------------------------------------------------- 1 | #Deploy the recovery vault server 2 | terraform init 3 | terraform plan -var-file="vars.tfvars" -out azure-vms.tfplan 4 | terraform apply "azure-vms.tfplan" -------------------------------------------------------------------------------- /m3/aks/vault-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: vault-lb 5 | labels: 6 | app: vault 7 | spec: 8 | type: LoadBalancer 9 | ports: 10 | - port: 8200 11 | targetPort: 8200 12 | selector: 13 | app: vault 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Local .terraform directories 2 | **/.terraform/* 3 | 4 | # .tfstate files 5 | *.tfstate 6 | *.tfstate.* 7 | 8 | # .tfvars files 9 | *.tfvars 10 | 11 | # .tfplan files 12 | *.tfplan 13 | 14 | # cert files 15 | *.pem 16 | *.pfx 17 | 18 | # .asc files 19 | *.asc 20 | -------------------------------------------------------------------------------- /m4/policies/engine_admin.hcl: -------------------------------------------------------------------------------- 1 | # Create and manage secret backends broadly across Vault. 
2 | path "sys/mounts/*" 3 | { 4 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 5 | } 6 | 7 | # Read health checks 8 | path "sys/health" 9 | { 10 | capabilities = ["read"] 11 | } -------------------------------------------------------------------------------- /m5/healthCheck.sh: -------------------------------------------------------------------------------- 1 | #Bash 2 | curl https://vault-vms.globomantics.xyz:8200/v1/sys/health | jq 3 | 4 | #PowerShell 5 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 6 | $resp = Invoke-WebRequest https://vault-vms.globomantics.xyz:8200/v1/sys/health 7 | $resp.Content | ConvertFrom-Json -------------------------------------------------------------------------------- /m3/aks/consul-dns.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | labels: 5 | addonmanager.kubernetes.io/mode: EnsureExists 6 | name: coredns-custom 7 | namespace: kube-system 8 | data: 9 | consul.server: | 10 | consul:53 { 11 | errors 12 | cache 30 13 | proxy . 
X.X.X.X 14 | } -------------------------------------------------------------------------------- /m3/aks/dns-text.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: dns 5 | spec: 6 | template: 7 | spec: 8 | containers: 9 | - name: dns 10 | image: anubhavmishra/tiny-tools 11 | command: ["dig", "consul.service.consul"] 12 | restartPolicy: Never 13 | backoffLimit: 4 -------------------------------------------------------------------------------- /vars.tfvars.txt: -------------------------------------------------------------------------------- 1 | arm_client_id = "" 2 | 3 | arm_client_secret = "" 4 | 5 | arm_tenant_id = "" 6 | 7 | arm_subscription_id = "" 8 | 9 | ssh_key_pub = "~/.ssh/id_rsa.pub" 10 | 11 | mysql_password = "" 12 | 13 | aks_prefix = "vault" 14 | 15 | kubernetes_client_id = "" 16 | 17 | kubernetes_client_secret = "" 18 | 19 | vault_domain = "" -------------------------------------------------------------------------------- /m8/azure-vms/vars.tfvars.txt: -------------------------------------------------------------------------------- 1 | arm_client_id = "" 2 | 3 | arm_client_secret = "" 4 | 5 | arm_tenant_id = "" 6 | 7 | arm_subscription_id = "" 8 | 9 | ssh_key_pub = "~/.ssh/id_rsa.pub" 10 | 11 | vault_domain = "" 12 | 13 | vault_name = "" 14 | 15 | vault_resource_group = "" 16 | 17 | certificate_thumbprint = "" 18 | 19 | mysql_server_name = "" -------------------------------------------------------------------------------- /m6/root_token_revoke.sh: -------------------------------------------------------------------------------- 1 | #Revoke the existing root token 2 | vault token revoke -self 3 | vault token lookup 4 | 5 | #Try to log in using the root token 6 | vault login 7 | 8 | #Start the root token generation process 9 | vault operator generate-root -init -pgp-key="vaultadmin1.asc" 10 | 11 | vault operator generate-root -nonce=NONCE_VALUE 12 | 13 | echo 
"ENCODED_TOKEN" | base64 --decode | gpg -u vaultadmin1 -dq 14 | -------------------------------------------------------------------------------- /m4/token-demo.sh: -------------------------------------------------------------------------------- 1 | #Spin up a dev server 2 | vault server -dev 3 | VAULT_ADDR="http://127.0.0.1:8200" 4 | #PowerShell 5 | $env:VAULT_ADDR="http://127.0.0.1:8200" 6 | 7 | #Use existing server from previous module 8 | #Bash 9 | VAULT_ADDR="https://vault-vms.globomantics.xyz:8200" 10 | #PowerShell 11 | $env:VAULT_ADDR="https://vault-vms.globomantics.xyz:8200" 12 | 13 | #login and view token 14 | vault login 15 | vault token lookup 16 | -------------------------------------------------------------------------------- /m3/aks/helm-rbac.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ServiceAccount 3 | metadata: 4 | name: tiller 5 | namespace: kube-system 6 | --- 7 | apiVersion: rbac.authorization.k8s.io/v1 8 | kind: ClusterRoleBinding 9 | metadata: 10 | name: tiller 11 | roleRef: 12 | apiGroup: rbac.authorization.k8s.io 13 | kind: ClusterRole 14 | name: cluster-admin 15 | subjects: 16 | - kind: ServiceAccount 17 | name: tiller 18 | namespace: kube-system -------------------------------------------------------------------------------- /m3/aks/ui-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: extensions/v1beta1 2 | kind: Ingress 3 | metadata: 4 | name: consul-ui-ingress 5 | namespace: default 6 | annotations: 7 | kubernetes.io/ingress.class: nginx 8 | nginx.ingress.kubernetes.io/ssl-redirect: "false" 9 | nginx.ingress.kubernetes.io/rewrite-target: / 10 | spec: 11 | rules: 12 | - http: 13 | paths: 14 | - path: / 15 | backend: 16 | serviceName: consul-helm-ui 17 | servicePort: 8500 -------------------------------------------------------------------------------- /m4/policies/audit_admin.hcl: 
-------------------------------------------------------------------------------- 1 | #This policy is meant to grant the holder access to add, remove, and 2 | #configure audit devices within Vault 3 | 4 | #Configure audit devices 5 | path "sys/audit/*" 6 | { 7 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 8 | } 9 | 10 | #List audit configurations 11 | path "sys/config/auditing" 12 | { 13 | capabilities = ["read","list"] 14 | } 15 | #Configure audit settings for a device 16 | path "sys/config/auditing/*" 17 | { 18 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 19 | } -------------------------------------------------------------------------------- /m3/aks/vault-values.yaml: -------------------------------------------------------------------------------- 1 | vault: 2 | extraVolumes: 3 | - name: vault-tls 4 | secret: 5 | secretName: vault-tls 6 | extraVolumeMounts: 7 | - name: vault-tls 8 | mountPath: /vault/tls 9 | readOnly: true 10 | dev: false 11 | config: 12 | storage: 13 | consul: 14 | address: "localhost:8500" 15 | listener: 16 | tcp: 17 | tls_disable: false 18 | tls_cert_file: /vault/tls/tls.crt 19 | tls_key_file: /vault/tls/tls.key 20 | ui: true 21 | replicaCount: 1 22 | consulAgent: 23 | join: consul.service.consul 24 | -------------------------------------------------------------------------------- /m6/auto_unseal_ops.sh: -------------------------------------------------------------------------------- 1 | #Connect to the Vault Server via ssh 2 | #Stop the Vault Server service 3 | sudo systemctl stop vault 4 | 5 | #Update the HCL 6 | sudo vi /etc/vault/vault_server.hcl 7 | 8 | #Start the Vault server 9 | sudo systemctl start vault 10 | 11 | #Connect to vault server and migrate the seal to Azure Key Vault 12 | export VAULT_ADDR=https://vault-vms.globomantics.xyz:8200 13 | vault operator unseal -migrate 14 | 15 | #Verify migration complete in the log 16 | sudo tail -40 /var/log/syslog 17 | 18 | #Restart the vault 
service and check the seal 19 | sudo systemctl restart vault 20 | vault status 21 | -------------------------------------------------------------------------------- /m3/azure-vms/vaultconfig.hcl: -------------------------------------------------------------------------------- 1 | #General parameters 2 | cluster_name = "vault-vms" 3 | log_level = "Error" 4 | ui = true 5 | 6 | #Listener 7 | listener "tcp" { 8 | address = "0.0.0.0:8200" 9 | cluster_address = "0.0.0.0:8201" 10 | tls_cert_file = "/etc/vault/certs/vault_cert.crt" 11 | tls_key_file = "/etc/vault/certs/vault_cert.key" 12 | tls_min_version = "tls12" 13 | } 14 | 15 | #Storage 16 | storage "mysql" { 17 | address = "vault-mysql-1.mysql.database.azure.com:3306" 18 | username = "vaultsqladmin@vault-mysql-1" 19 | password = "V@ultMy$QL!DB" 20 | database = "vault" 21 | tls_ca_file = "/etc/vault/certs/mysql.pem" 22 | } -------------------------------------------------------------------------------- /m2/aks/outputs.tf: -------------------------------------------------------------------------------- 1 | output "id" { 2 | value = "${azurerm_kubernetes_cluster.aks.id}" 3 | } 4 | 5 | output "kube_config" { 6 | value = "${azurerm_kubernetes_cluster.aks.kube_config_raw}" 7 | } 8 | 9 | output "client_key" { 10 | value = "${azurerm_kubernetes_cluster.aks.kube_config.0.client_key}" 11 | } 12 | 13 | output "client_certificate" { 14 | value = "${azurerm_kubernetes_cluster.aks.kube_config.0.client_certificate}" 15 | } 16 | 17 | output "cluster_ca_certificate" { 18 | value = "${azurerm_kubernetes_cluster.aks.kube_config.0.cluster_ca_certificate}" 19 | } 20 | 21 | output "host" { 22 | value = "${azurerm_kubernetes_cluster.aks.kube_config.0.host}" 23 | } 24 | -------------------------------------------------------------------------------- /m5/vaultconfig.hcl: -------------------------------------------------------------------------------- 1 | #General parameters 2 | cluster_name = "vault-vms" 3 | log_level = "Error" 4 | ui = true 
5 | 6 | #Listener 7 | listener "tcp" { 8 | address = "0.0.0.0:8200" 9 | cluster_address = "0.0.0.0:8201" 10 | tls_cert_file = "/etc/vault/certs/vault_cert.crt" 11 | tls_key_file = "/etc/vault/certs/vault_cert.key" 12 | tls_min_version = "tls12" 13 | } 14 | 15 | #Storage 16 | storage "mysql" { 17 | address = "vault-mysql-1.mysql.database.azure.com:3306" 18 | username = "vaultsqladmin@vault-mysql-1" 19 | password = "V@ultMy$QL!DB" 20 | database = "vault" 21 | tls_ca_file = "/etc/vault/certs/mysql.pem" 22 | } 23 | 24 | telemetry { 25 | statsd_address = "127.0.0.1:8125" 26 | } -------------------------------------------------------------------------------- /m2/aks/variables.tf: -------------------------------------------------------------------------------- 1 | #K8s variables 2 | variable "aks_prefix" { 3 | description = "A prefix used for all resources in this example" 4 | } 5 | 6 | 7 | variable "kubernetes_client_id" { 8 | description = "The Client ID for the Service Principal to use for this Managed Kubernetes Cluster" 9 | } 10 | 11 | variable "kubernetes_client_secret" { 12 | description = "The Client Secret for the Service Principal to use for this Managed Kubernetes Cluster" 13 | } 14 | 15 | # Azure Variables 16 | variable "arm_region" { 17 | default = "eastus" 18 | } 19 | 20 | variable "arm_resource_group_name" { 21 | default = "vault" 22 | } 23 | 24 | #Provider authentication 25 | variable "arm_subscription_id" {} 26 | 27 | variable "arm_client_id" {} 28 | variable "arm_tenant_id" {} 29 | variable "arm_client_secret" {} 30 | -------------------------------------------------------------------------------- /m3/azure-vms/vault.service: -------------------------------------------------------------------------------- 1 | ### BEGIN INIT INFO 2 | # Provides: vault 3 | # Required-Start: $local_fs $remote_fs 4 | # Required-Stop: $local_fs $remote_fs 5 | # Default-Start: 2 3 4 5 6 | # Default-Stop: 0 1 6 7 | # Short-Description: Vault server 8 | # Description: Vault 
secret management tool 9 | ### END INIT INFO 10 | 11 | [Unit] 12 | Description=Vault secret management tool 13 | Requires=network-online.target 14 | After=network-online.target 15 | 16 | [Service] 17 | User=vault 18 | Group=vault 19 | PIDFile=/var/run/vault/vault.pid 20 | ExecStart=/usr/local/bin/vault server -config=/etc/vault/vault_server.hcl -log-level=info 21 | ExecReload=/bin/kill -HUP $MAINPID 22 | KillMode=process 23 | KillSignal=SIGTERM 24 | Restart=on-failure 25 | RestartSec=42s 26 | LimitMEMLOCK=infinity 27 | 28 | [Install] 29 | WantedBy=multi-user.target -------------------------------------------------------------------------------- /m6/vaultconfig.hcl: -------------------------------------------------------------------------------- 1 | #General parameters 2 | cluster_name = "vault-vms" 3 | log_level = "Error" 4 | ui = true 5 | 6 | #Listener 7 | listener "tcp" { 8 | address = "0.0.0.0:8200" 9 | cluster_address = "0.0.0.0:8201" 10 | tls_cert_file = "/etc/vault/certs/vault_cert.crt" 11 | tls_key_file = "/etc/vault/certs/vault_cert.key" 12 | tls_min_version = "tls12" 13 | } 14 | 15 | #Storage 16 | storage "mysql" { 17 | address = "vault-mysql-1.mysql.database.azure.com:3306" 18 | username = "vaultsqladmin@vault-mysql-1" 19 | password = "V@ultMy$QL!DB" 20 | database = "vault" 21 | tls_ca_file = "/etc/vault/certs/mysql.pem" 22 | } 23 | 24 | telemetry { 25 | statsd_address = "127.0.0.1:8125" 26 | } 27 | 28 | seal "azurekeyvault" { 29 | tenant_id = "AZURE_AD_TENANT_ID" 30 | vault_name = "vault-keyvault" 31 | key_name = "vault-key" 32 | } -------------------------------------------------------------------------------- /m4/policies/helpdesk_admin.hcl: -------------------------------------------------------------------------------- 1 | #This policy is meant to grant a heldesk user access to handle 2 | #basic support issues with Vault. They can work on auth backends, 3 | #view policies, and manage engine mounts. They cannot delete existing 4 | #items in all cases. 
5 | 6 | # Manage existing auth backends but not add new ones 7 | path "auth/*" 8 | { 9 | capabilities = ["read", "update", "list"] 10 | } 11 | 12 | # List and update auth backends 13 | path "sys/auth/*" 14 | { 15 | capabilities = ["read", "update"] 16 | } 17 | 18 | # List existing policies 19 | path "sys/policy" 20 | { 21 | capabilities = ["read"] 22 | } 23 | 24 | # Manage secret backends including creation, but not deletion 25 | path "sys/mounts/*" 26 | { 27 | capabilities = ["create", "read", "update", "list"] 28 | } 29 | 30 | # Read health checks 31 | path "sys/health" 32 | { 33 | capabilities = ["read"] 34 | } -------------------------------------------------------------------------------- /m9/azure-vms/m9_commands.sh: -------------------------------------------------------------------------------- 1 | #Deploy the vault server initially 2 | terraform init 3 | terraform plan -var-file="..\..\vars.tfvars" -out azure-vms.tfplan 4 | terraform apply "azure-vms.tfplan" 5 | 6 | #Initialize Vault server 7 | export VAULT_ADDR=https://vault.globomantics.xyz:8200 8 | 9 | #PowerShell 10 | $env:VAULT_ADDR = "https://vault.globomantics.xyz:8200" 11 | 12 | vault status 13 | vault operator init -key-shares=3 -key-threshold=2 14 | 15 | #Update the version of Vault being deployed 16 | terraform plan -var-file="..\..\vars.tfvars" -var "vault_version=1.1.3" -out azure-vms.tfplan 17 | 18 | #View the health for each node 19 | curl -k https://127.0.0.1:8200/v1/sys/health | jq 20 | 21 | #Stop the Vault service on the active node 22 | sudo systemctl stop vault 23 | 24 | #Start the Vault service back up 25 | sudo systemctl start vault 26 | 27 | #Force failback 28 | vault operator step-down -------------------------------------------------------------------------------- /m7/azure-vms/m7_commands.sh: -------------------------------------------------------------------------------- 1 | #Deploy the vault server initially 2 | terraform init 3 | terraform plan -var-file="..\..\vars.tfvars" 
-out azure-vms.tfplan 4 | terraform apply "azure-vms.tfplan" 5 | 6 | #Initialize Vault server 7 | export VAULT_ADDR=https://vault.globomantics.xyz:8200 8 | 9 | #PowerShell 10 | $env:VAULT_ADDR = "https://vault.globomantics.xyz:8200" 11 | 12 | vault status 13 | vault operator init -key-shares=3 -key-threshold=2 14 | 15 | #Add a second vault server 16 | terraform plan -var-file="..\..\vars.tfvars" -var "count=2" -out azure-vms.tfplan 17 | terraform apply "azure-vms.tfplan" 18 | 19 | #View the health for each node 20 | curl -k https://127.0.0.1:8200/v1/sys/health | jq 21 | 22 | #Stop the Vault service on the active node 23 | sudo systemctl stop vault 24 | 25 | #Start the Vault service back up 26 | sudo systemctl start vault 27 | 28 | #Force failback 29 | vault operator step-down -------------------------------------------------------------------------------- /m2/azure-vms/variables.tf: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # VARIABLES 3 | ################################################################################## 4 | 5 | # Azure Variables 6 | variable "arm_region" { 7 | default = "eastus" 8 | } 9 | 10 | variable "arm_resource_group_name" { 11 | default = "vault" 12 | } 13 | 14 | #Provider authentication 15 | variable "arm_subscription_id" {} 16 | variable "arm_client_id" {} 17 | variable "arm_tenant_id" {} 18 | variable "arm_client_secret" {} 19 | 20 | #Network info 21 | variable "arm_network_address_space" { 22 | default = "10.0.0.0/16" 23 | } 24 | 25 | variable "arm_subnet1_address_space" { 26 | default = "10.0.0.0/24" 27 | } 28 | 29 | variable "arm_subnet2_address_space" { 30 | default = "10.0.1.0/24" 31 | } 32 | 33 | variable "ssh_key_pub" { 34 | default = "~/.ssh/id_rsa.pub" 35 | } 36 | 37 | variable "mysql_password" { 38 | 39 | } 40 | 41 | -------------------------------------------------------------------------------- 
/m5/telegraf_install.sh: -------------------------------------------------------------------------------- 1 | #Enable MSI for Azure VM instance 2 | az login 3 | az vm list -g vault-azurevms --query '[].{Name:name}' -o tsv 4 | az vm identity assign -g vault-azurevms -n 5 | 6 | #Download latest version of Telegraf and install it 7 | wget https://dl.influxdata.com/telegraf/releases/telegraf_1.10.4-1_amd64.deb 8 | sudo dpkg -i telegraf_1.10.4-1_amd64.deb 9 | 10 | #Create a new configuration for StatsD and Azure Monitor 11 | telegraf --input-filter statsd --output-filter azure_monitor config > azm-telegraf.conf 12 | 13 | #Copy config and restart service 14 | sudo cp azm-telegraf.conf /etc/telegraf/telegraf.conf 15 | sudo systemctl stop telegraf 16 | sudo systemctl start telegraf 17 | sudo systemctl status telegraf 18 | 19 | #Update Vault server config and restart service 20 | sudo vi /etc/vault/vault_server.hcl 21 | sudo systemctl stop vault 22 | sudo systemctl start vault 23 | 24 | #Unseal the Vault and run some activity through with activity generator 25 | export VAULT_ADDR=https://vault-vms.globomantics.xyz:8200 26 | vault status 27 | vault operator unseal 28 | -------------------------------------------------------------------------------- /m6/key_vault_creation.sh: -------------------------------------------------------------------------------- 1 | #Log into Azure with CLI 2 | az login 3 | az account set --subscription "SUB_NAME" 4 | 5 | #Create an Azure Key Vault for Key Shares 6 | az group create -n "vault-keyvault" -l "eastus" 7 | az keyvault create --name "vault-keyvault" --resource-group "vault-keyvault" --location "eastus" 8 | az keyvault update --name "vault-keyvault" --resource-group "vault-keyvault" --enabled-for-deployment "true" --enabled-for-template-deployment "true" 9 | 10 | 11 | #Grant the VAULT VM access to manipulate keys in Azure Key Vault 12 | az vm list -g vault-azurevms --query '[].identity.principalId' -o tsv 13 | az keyvault set-policy --name 
"vault-keyvault" --object-id PRINCIPAL_ID --key-permissions get list create delete update wrapKey unwrapKey 14 | 15 | #Create a key in key vault 16 | az keyvault key create --vault-name "vault-keyvault" --name "vault-key" --protection software --kty RSA --size 2048 --ops decrypt encrypt sign unwrapKey verify wrapKey 17 | 18 | #Get the tenant ID for the Vault Server config 19 | az account show --subscription "SUB_NAME" --query 'tenantId' -o tsv 20 | -------------------------------------------------------------------------------- /m5/activityGenerator.sh: -------------------------------------------------------------------------------- 1 | #Set env variables 2 | export VAULT_ADDR=https://vault-vms.globomantics.xyz:8200 3 | export VAULT_TOKEN=AddYourVaultTokenHere 4 | 5 | #Add the secret backend if it isn't there already 6 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST \ 7 | --data '{"type": "kv", "options": {"version": "1"}}' $VAULT_ADDR/v1/sys/mounts/secret 8 | 9 | #Create five secrets 10 | secrets='Life Universe Everything Thanks Fish' 11 | for secret in $secrets 12 | do 13 | #write secret to vault 14 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request POST --data '{"answer": "42"}' $VAULT_ADDR/v1/secret/$secret 15 | done 16 | 17 | #Retrieve five secrets 100 times 18 | for value in {1..100} 19 | do 20 | for secret in $secrets 21 | do 22 | #Retrieve the secret 23 | curl --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/secret/$secret -s > /dev/null 24 | done 25 | done 26 | 27 | #Delete five secrets 28 | for secret in $secrets 29 | do 30 | #delete secret from vault 31 | curl --header "X-Vault-Token: $VAULT_TOKEN" --request DELETE $VAULT_ADDR/v1/secret/$secret 32 | done -------------------------------------------------------------------------------- /m2/aks/resources.tf: -------------------------------------------------------------------------------- 1 | provider "azurerm" { 2 | subscription_id = "${var.arm_subscription_id}" 3 | client_id = 
"${var.arm_client_id}" 4 | client_secret = "${var.arm_client_secret}" 5 | tenant_id = "${var.arm_tenant_id}" 6 | } 7 | 8 | resource "azurerm_resource_group" "aks" { 9 | name = "${var.aks_prefix}-aks" 10 | location = "${var.arm_region}" 11 | } 12 | 13 | resource "azurerm_kubernetes_cluster" "aks" { 14 | name = "${var.aks_prefix}-rbac" 15 | location = "${azurerm_resource_group.aks.location}" 16 | resource_group_name = "${azurerm_resource_group.aks.name}" 17 | dns_prefix = "${var.aks_prefix}-rbac" 18 | 19 | agent_pool_profile { 20 | name = "default" 21 | count = 1 22 | vm_size = "Standard_D1_v2" 23 | os_type = "Linux" 24 | os_disk_size_gb = 30 25 | } 26 | 27 | service_principal { 28 | client_id = "${var.kubernetes_client_id}" 29 | client_secret = "${var.kubernetes_client_secret}" 30 | } 31 | 32 | role_based_access_control { 33 | enabled = true 34 | } 35 | 36 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2019 Ned Bellavance 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /m6/pgp-key-gen.sh: -------------------------------------------------------------------------------- 1 | #Install GnuPG and rng-tools 2 | sudo apt install gnupg rng-tools -y 3 | sudo rngd -r /dev/urandom 4 | 5 | #First we have to generate our pgp keys using gpg 6 | gpg --batch --gen-key vaultadmin1 7 | gpg --batch --gen-key vaultadmin2 8 | gpg --batch --gen-key vaultadmin3 9 | 10 | gpg --list-keys 11 | 12 | #Now we need the base64 encoded public keys to use with Vault 13 | gpg --export vaultadmin1 | base64 > vaultadmin1.asc 14 | gpg --export vaultadmin2 | base64 > vaultadmin2.asc 15 | gpg --export vaultadmin3 | base64 > vaultadmin3.asc 16 | 17 | #Now we can update the seal with our gpg keys 18 | export VAULT_ADDR="https://vault-vms.globomantics.xyz:8200" 19 | vault operator rekey -init -key-shares=3 -key-threshold=2 -pgp-keys="vaultadmin1.asc,vaultadmin2.asc,vaultadmin3.asc" 20 | vault operator rekey -nonce NONCE_VALUE 21 | 22 | #Copy out the key values to key_shares.txt 23 | 24 | #Now seal the vault and unseal using the new key shares 25 | vault operator seal 26 | 27 | #Decrypt the first two keys 28 | echo "FIRST_KEY" | base64 --decode | gpg -u vaultadmin1 -dq 29 | echo "SECOND_KEY" | base64 --decode | gpg -u vaultadmin2 -dq 30 | 31 | #Unseal the vault 32 | vault operator unseal 33 | 34 | #Clean up the keys 35 | gpg --delete-secret-and-public-key vaultadmin1 36 | gpg --delete-secret-and-public-key vaultadmin2 37 | gpg --delete-secret-and-public-key vaultadmin3 -------------------------------------------------------------------------------- /m9/azure-vms/variables.tf: 
-------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # VARIABLES 3 | ################################################################################## 4 | 5 | # Azure Provider 6 | variable "arm_region" { 7 | default = "eastus" 8 | } 9 | 10 | variable "arm_resource_group_name" { 11 | default = "vault-vmss" 12 | } 13 | 14 | #Provider authentication 15 | variable "arm_subscription_id" {} 16 | 17 | variable "arm_client_id" {} 18 | variable "arm_tenant_id" {} 19 | variable "arm_client_secret" {} 20 | 21 | #Network 22 | variable "arm_network_address_space" { 23 | default = "10.0.0.0/16" 24 | } 25 | 26 | variable "arm_subnet1_address_space" { 27 | default = "10.0.0.0/24" 28 | } 29 | 30 | variable "arm_subnet2_address_space" { 31 | default = "10.0.1.0/24" 32 | } 33 | 34 | # Key Vault 35 | variable "key_name" { 36 | description = "Azure Key Vault key name" 37 | default = "generated-key" 38 | } 39 | 40 | variable "environment" { 41 | default = "Production" 42 | } 43 | 44 | # Virtual Machine 45 | variable "ssh_key_pub" { 46 | default = "~/.ssh/id_rsa.pub" 47 | } 48 | 49 | variable "vm_name" { 50 | default = "vault" 51 | } 52 | 53 | # Vault VM Template 54 | variable "vault_version" { 55 | default = "1.1.2" 56 | } 57 | 58 | variable "vault_domain" {} 59 | 60 | 61 | # MySQL 62 | 63 | variable "mysql_server_name" { 64 | default = "vault-mysql" 65 | } 66 | 67 | variable "mysql_password" {} 68 | -------------------------------------------------------------------------------- /m3/azure-vms/vaultinstall.sh: -------------------------------------------------------------------------------- 1 | #Install unzip 2 | sudo apt install unzip -y 3 | 4 | #Install Vault 5 | VAULT_VERSION="1.1.2" 6 | wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip 7 | unzip vault_${VAULT_VERSION}_linux_amd64.zip 8 | sudo chown root:root vault 9 | 
sudo mv vault /usr/local/bin/ 10 | 11 | #Prepare for systemd 12 | sudo useradd --system --home /etc/vault.d --shell /bin/false vault 13 | sudo mkdir --parents /opt/vault 14 | sudo chown --recursive vault:vault /opt/vault 15 | 16 | sudo vi /etc/systemd/system/vault.service 17 | 18 | #Create general config 19 | sudo mkdir --parents /etc/vault 20 | sudo vi /etc/vault/vault_server.hcl 21 | sudo chown --recursive vault:vault /etc/vault 22 | sudo chmod 640 /etc/vault/vault_server.hcl 23 | 24 | #Adding certificates 25 | sudo mkdir /etc/vault/certs 26 | sudo cp ~/fullchain.pem /etc/vault/certs/vault_cert.crt 27 | sudo cp ~/privkey.pem /etc/vault/certs/vault_cert.key 28 | sudo chown --recursive vault:vault /etc/vault/certs 29 | sudo chmod 750 --recursive /etc/vault/certs/ 30 | 31 | #Get MySQL certificate 32 | wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem -O ~/mysql.pem 33 | sudo cp ~/mysql.pem /etc/vault/certs/mysql.pem 34 | 35 | #Start service 36 | sudo systemctl enable vault 37 | sudo systemctl start vault 38 | 39 | #Add entry to hosts 40 | sudo vi /etc/hosts 41 | 42 | #Set environment variable for vault server 43 | export VAULT_ADDR=https://vault-vms.globomantics.xyz:8200 -------------------------------------------------------------------------------- /m7/azure-vms/variables.tf: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # VARIABLES 3 | ################################################################################## 4 | 5 | # Azure Provider 6 | variable "arm_region" { 7 | default = "eastus" 8 | } 9 | 10 | variable "arm_resource_group_name" { 11 | default = "vault" 12 | } 13 | 14 | #Provider authentication 15 | variable "arm_subscription_id" {} 16 | 17 | variable "arm_client_id" {} 18 | variable "arm_tenant_id" {} 19 | variable "arm_client_secret" {} 20 | 21 | #Network 22 | variable "arm_network_address_space" { 23 | 
default = "10.0.0.0/16" 24 | } 25 | 26 | variable "arm_subnet1_address_space" { 27 | default = "10.0.0.0/24" 28 | } 29 | 30 | variable "arm_subnet2_address_space" { 31 | default = "10.0.1.0/24" 32 | } 33 | 34 | # Key Vault 35 | variable "key_name" { 36 | description = "Azure Key Vault key name" 37 | default = "generated-key" 38 | } 39 | 40 | variable "environment" { 41 | default = "Production" 42 | } 43 | 44 | # Virtual Machine 45 | variable "ssh_key_pub" { 46 | default = "~/.ssh/id_rsa.pub" 47 | } 48 | 49 | variable "vm_name" { 50 | default = "vault" 51 | } 52 | 53 | variable "count" { 54 | default = "1" 55 | } 56 | 57 | # Vault VM Template 58 | variable "vault_version" { 59 | default = "1.1.2" 60 | } 61 | 62 | variable "vault_domain" { 63 | 64 | } 65 | 66 | 67 | # MySQL 68 | 69 | variable "mysql_server_name" { 70 | default = "vault-mysql" 71 | } 72 | 73 | variable "mysql_password" {} 74 | -------------------------------------------------------------------------------- /m9/azure-vms/mysql.tf: -------------------------------------------------------------------------------- 1 | # MYSQL 2 | 3 | resource "azurerm_mysql_server" "vaultmysql" { 4 | name = "${var.mysql_server_name}-${random_id.vault_rand.hex}" 5 | location = "${var.arm_region}" 6 | resource_group_name = "${azurerm_resource_group.vault.name}" 7 | 8 | sku { 9 | name = "GP_Gen5_2" 10 | capacity = 2 11 | tier = "GeneralPurpose" 12 | family = "Gen5" 13 | } 14 | 15 | storage_profile { 16 | storage_mb = 5120 17 | backup_retention_days = 7 18 | geo_redundant_backup = "Enabled" 19 | } 20 | 21 | administrator_login = "vaultsqladmin" 22 | administrator_login_password = "${var.mysql_password}" 23 | version = "5.7" 24 | ssl_enforcement = "Enabled" 25 | } 26 | 27 | resource "azurerm_mysql_virtual_network_rule" "vaultvnetrule" { 28 | name = "vault-vnet-rule" 29 | resource_group_name = "${azurerm_resource_group.vault.name}" 30 | server_name = "${azurerm_mysql_server.vaultmysql.name}" 31 | subnet_id = 
"${azurerm_subnet.vault.id}" 32 | } 33 | 34 | resource "azurerm_mysql_database" "vaultdb" { 35 | name = "vaultdb" 36 | resource_group_name = "${azurerm_resource_group.vault.name}" 37 | server_name = "${azurerm_mysql_server.vaultmysql.name}" 38 | charset = "utf8" 39 | collation = "utf8_unicode_ci" 40 | } 41 | 42 | output "mysql_fqdn" { 43 | value = "${azurerm_mysql_server.vaultmysql.fqdn}" 44 | } 45 | 46 | output "mysql_name" { 47 | value = "${element(split(".",azurerm_mysql_server.vaultmysql.fqdn),0)}" 48 | } -------------------------------------------------------------------------------- /m8/azure-vms/variables.tf: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # VARIABLES 3 | ################################################################################## 4 | 5 | # Azure Provider 6 | variable "arm_region" { 7 | default = "eastus" 8 | } 9 | 10 | variable "arm_resource_group_name" { 11 | default = "vault" 12 | } 13 | 14 | #Provider authentication 15 | variable "arm_subscription_id" {} 16 | 17 | variable "arm_client_id" {} 18 | variable "arm_tenant_id" {} 19 | variable "arm_client_secret" {} 20 | 21 | #Network 22 | variable "arm_network_address_space" { 23 | default = "10.0.0.0/16" 24 | } 25 | 26 | variable "arm_subnet1_address_space" { 27 | default = "10.0.0.0/24" 28 | } 29 | 30 | variable "arm_subnet2_address_space" { 31 | default = "10.0.1.0/24" 32 | } 33 | 34 | # Key Vault 35 | variable "vault_name" {} 36 | 37 | variable "vault_resource_group" {} 38 | 39 | variable "key_name" { 40 | description = "Azure Key Vault key name" 41 | default = "generated-key" 42 | } 43 | 44 | variable "cert_name" { 45 | default = "vault-cert" 46 | } 47 | 48 | variable "certificate_thumbprint" {} 49 | 50 | variable "mysql_password_name" { 51 | default = "mysql-password" 52 | } 53 | 54 | 55 | variable "environment" { 56 | default = "Recovery" 57 | } 58 | 59 | # 
Virtual Machine 60 | variable "ssh_key_pub" { 61 | default = "~/.ssh/id_rsa.pub" 62 | } 63 | 64 | variable "vm_name" { 65 | default = "vault" 66 | } 67 | 68 | variable "count" { 69 | default = "1" 70 | } 71 | 72 | # Vault VM Template 73 | variable "vault_version" { 74 | default = "1.1.2" 75 | } 76 | 77 | variable "vault_domain" { 78 | 79 | } 80 | 81 | 82 | # MySQL 83 | 84 | variable "mysql_server_name" { 85 | 86 | } 87 | -------------------------------------------------------------------------------- /m4/policies/full_admin.hcl: -------------------------------------------------------------------------------- 1 | #This policy is meant to grant an admin almost unlimited rights within Vault 2 | 3 | #Configure audit devices 4 | path "sys/audit/*" 5 | { 6 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 7 | } 8 | 9 | #List audit configurations 10 | path "sys/config/auditing" 11 | { 12 | capabilities = ["read","list"] 13 | } 14 | #Configure audit settings for a device 15 | path "sys/config/auditing/*" 16 | { 17 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 18 | } 19 | 20 | # Manage auth backends broadly across Vault 21 | path "auth/*" 22 | { 23 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 24 | } 25 | 26 | # List, create, update, and delete auth backends 27 | path "sys/auth/*" 28 | { 29 | capabilities = ["create", "read", "update", "delete", "sudo"] 30 | } 31 | 32 | path "sys/auth" 33 | { 34 | capabilities = ["read"] 35 | } 36 | 37 | # List existing policies 38 | path "sys/policy" 39 | { 40 | capabilities = ["read"] 41 | } 42 | 43 | # Create and manage ACL policies broadly across Vault 44 | path "sys/policy/*" 45 | { 46 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 47 | } 48 | 49 | # List, create, update, and delete key/value secrets 50 | path "secret/*" 51 | { 52 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 53 | } 54 | 55 | # Manage secret 
backends broadly across Vault. 56 | path "sys/mounts/*" 57 | { 58 | capabilities = ["create", "read", "update", "delete", "list", "sudo"] 59 | } 60 | 61 | # Manage entities, aliases, and groups 62 | path "identity/*" 63 | { 64 | capabilities = ["create", "read", "update", "delete", "list"] 65 | } 66 | 67 | # Read health checks 68 | path "sys/health" 69 | { 70 | capabilities = ["read", "sudo"] 71 | } -------------------------------------------------------------------------------- /m3/aks/helm-prep.sh: -------------------------------------------------------------------------------- 1 | #Clone the helm chart for consul 2 | git clone https://github.com/hashicorp/consul-helm.git 3 | git checkout v0.1.0 4 | 5 | #Get the kube config of the aks cluster 6 | az login 7 | az account set --subscription "sub_name" 8 | az aks list 9 | az aks get-credentials -n vault-rbac -g vault-aks 10 | 11 | #Verify connection to aks 12 | kubectl get nodes 13 | 14 | #Scale to three nodes 15 | az aks scale -n vault-rbac -g vault-aks -c 3 16 | 17 | #Prepare helm for use 18 | kubectl apply -f helm-rbac.yaml 19 | helm init --service-account tiller 20 | 21 | #Install the helm chart 22 | helm install --name "consul-helm" ./ 23 | helm status consul-helm 24 | 25 | #Register the stubDomain in core-dns 26 | kubectl get svc consul-helm-dns -o jsonpath='{.spec.clusterIP}' 27 | kubectl apply -f consul-dns.yaml 28 | kubectl delete pod --namespace kube-system -l k8s-app=kube-dns 29 | 30 | #Expose the UI 31 | helm install stable/nginx-ingress --namespace default --set controller.replicaCount=1 32 | kubectl get svc -l app=nginx-ingress 33 | kubectl apply -f ui-ingress.yaml 34 | 35 | #Add the vault certificates 36 | kubectl create secret tls vault-tls --key privkey.pem --cert fullchain.pem 37 | 38 | #Let's get the repo for the vault chart 39 | helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator 40 | helm install --name v1 --values vault-values.yaml incubator/vault 41 | 42 | #If 
there are issues with the helm chart, grab my copy 43 | git clone https://github.com/ned1313/charts.git 44 | helm install --name v1 --values PATH_TO_VALUES . 45 | 46 | #And expose the Vault service publicly 47 | kubectl apply -f vault-ingress.yaml 48 | az network dns record-set a add-record --subscription SUB_NAME -g RESOURCE_GROUP -z ZONE_NAME -n vault-aks --ipv4-address LB_IP_ADDRESS 49 | 50 | #Use kubectl proxy to initialize vault - unsealing breaks on LB 51 | kubectl port-forward --namespace default POD_NAME 8200:8200 -------------------------------------------------------------------------------- /m4/policies/policy_creation.sh: -------------------------------------------------------------------------------- 1 | #Create the policies 2 | vault policy write full_admin full_admin.hcl 3 | vault policy write engine_admin engine_admin.hcl 4 | vault policy write audit_admin audit_admin.hcl 5 | vault policy write helpdesk_admin helpdesk_admin.hcl 6 | 7 | #Create internal groups 8 | vault write identity/group name=full_admins policies=full_admin 9 | vault write identity/group name=engine_admins policies=engine_admin 10 | vault write identity/group name=audit_admins policies=audit_admin 11 | vault write identity/group name=helpdesk_admins policies=helpdesk_admin 12 | 13 | #Enable the userpass auth method and create four users 14 | vault auth enable userpass 15 | vault write auth/userpass/users/arthur password=dent 16 | vault write auth/userpass/users/ford password=prefect 17 | vault write auth/userpass/users/tricia password=mcmillian 18 | vault write auth/userpass/users/zaphod password=beeblebrox 19 | 20 | #Create entities and aliases for the users 21 | vault read sys/auth 22 | vault write identity/entity name=arthur 23 | vault write identity/entity-alias name=arthur mount_accessor=ACCESSOR_ID canonical_id=ENTITY_ID 24 | vault write identity/group name=full_admins member_entity_ids=ENTITY_ID 25 | 26 | #Login as Arthur and check policy assignment 27 | vault login 
-method=userpass username=arthur 28 | 29 | vault write identity/entity name=ford 30 | vault write identity/entity-alias name=ford mount_accessor=ACCESSOR_ID canonical_id=ENTITY_ID 31 | vault write identity/group name=engine_admins member_entity_ids=ENTITY_ID 32 | 33 | vault write identity/entity name=tricia 34 | vault write identity/entity-alias name=tricia mount_accessor=ACCESSOR_ID canonical_id=ENTITY_ID 35 | vault write identity/group name=audit_admins member_entity_ids=ENTITY_ID 36 | 37 | vault write identity/entity name=zaphod 38 | vault write identity/entity-alias name=zaphod mount_accessor=ACCESSOR_ID canonical_id=ENTITY_ID 39 | vault write identity/group name=helpdesk_admins member_entity_ids=ENTITY_ID 40 | 41 | #Login as ford and show permissions 42 | vault login -method=userpass username=ford 43 | vault read sys/auth 44 | vault token lookup 45 | 46 | -------------------------------------------------------------------------------- /m9/azure-vms/network.tf: -------------------------------------------------------------------------------- 1 | # NETWORKING # 2 | module "vnet" { 3 | source = "Azure/network/azurerm" 4 | resource_group_name = "${azurerm_resource_group.vault.name}" 5 | vnet_name = "${azurerm_resource_group.vault.name}" 6 | location = "${var.arm_region}" 7 | address_space = "${var.arm_network_address_space}" 8 | subnet_prefixes = ["${var.arm_subnet1_address_space}"] 9 | subnet_names = ["clients"] 10 | 11 | } 12 | 13 | resource "azurerm_subnet" "vault" { 14 | name = "vault" 15 | resource_group_name = "${azurerm_resource_group.vault.name}" 16 | virtual_network_name = "${module.vnet.vnet_name}" 17 | address_prefix = "${var.arm_subnet2_address_space}" 18 | service_endpoints = ["Microsoft.Sql"] 19 | } 20 | 21 | resource "azurerm_network_security_group" "vault_nsg" { 22 | name = "nsg-${random_id.vault_rand.hex}" 23 | location = "${var.arm_region}" 24 | resource_group_name = "${azurerm_resource_group.vault.name}" 25 | 26 | security_rule { 27 | name = 
"SSH" 28 | priority = 1001 29 | direction = "Inbound" 30 | access = "Allow" 31 | protocol = "Tcp" 32 | source_port_range = "*" 33 | destination_port_range = "22" 34 | source_address_prefix = "*" 35 | destination_address_prefix = "*" 36 | } 37 | 38 | security_rule { 39 | name = "Vault" 40 | priority = 1002 41 | direction = "Inbound" 42 | access = "Allow" 43 | protocol = "Tcp" 44 | source_port_range = "*" 45 | destination_port_range = "8200" 46 | source_address_prefix = "*" 47 | destination_address_prefix = "*" 48 | } 49 | 50 | security_rule { 51 | name = "VaultHA" 52 | priority = 1003 53 | direction = "Inbound" 54 | access = "Allow" 55 | protocol = "Tcp" 56 | source_port_range = "*" 57 | destination_port_range = "8201" 58 | source_address_prefix = "*" 59 | destination_address_prefix = "*" 60 | } 61 | 62 | tags { 63 | environment = "${var.environment}-${random_id.vault_rand.hex}" 64 | } 65 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Managing-HashiCorp-Vault 2 | 3 | Exercise files for use with the Pluralsight course Managing HashiCorp Vault 4 | 5 | ## Introduction 6 | 7 | Hello! These are the exercise files to go with my Pluralsight course, [Managing HashiCorp Vault.](https://www.pluralsight.com/courses/managing-hashicorp-vault) 8 | 9 | ## Preparing for the Course 10 | 11 | In order to use these files, there are a few things you will need to have set up. 12 | 13 | - **Vault binary**: You will need to install the Vault binary on your local system to run commands. You can find more information on the [Vault download page](https://www.vaultproject.io/downloads.html). 14 | - **Terraform**: The initial deployment of the Vault server examples use Terraform for creating them in Azure. You can find more information on the [Terraform download page](https://www.terraform.io/downloads.html). 
**NOTE**: The examples were developed using Terraform v0.11.x. If you are using the latest v0.12.x, they may not work correctly. I will be updating this in the near future. 15 | - **Azure subscription**: You will need an Azure subscription to deploy resources for the examples. If you'd rather use AWS or GCP, that's fine. You will need to create your own deployment outside of what's provided in the exercises. 16 | - **Azure CLI**: The examples will use the [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) to add resources in Azure for running Vault server on Azure VMs and in the Azure Kubernetes Service. 17 | - **Kubernetes Tools**: These are only needed if you are planning to do the AKS deployment of Vault. You will need `kubectl` and `helm` to perform the necessary deployment. 18 | - **Visual Studio Code**: This is not strictly necessary. You can use whatever IDE suits you. VS Code is free and multi-platform, and it's what I prefer to use. 19 | 20 | ## Doing the exercises 21 | 22 | For the Terraform deployments, you will need to fill out the `vars.tfvars.txt` file with the information necessary for deployment. Then rename the file `vars.tfvars` and use it with your deployments. There are also some placeholder values in the commands that you will run and I have flagged them by using `ALL_CAPS_LIKE_THIS`. In addition to making it stand out, it also makes it super easy to cut and paste. 23 | 24 | ## Feedback 25 | 26 | I welcome your feedback! Please reach out to me on Twitter or log an issue on the GitHub repo. Thanks for taking my course! 
-------------------------------------------------------------------------------- /m9/azure-vms/load_balancer.tf: -------------------------------------------------------------------------------- 1 | # LOAD BALANCER ITEMS # 2 | resource "azurerm_public_ip" "lb_pip" { 3 | name = "lb-pip-${random_id.vault_rand.hex}" 4 | location = "${var.arm_region}" 5 | resource_group_name = "${azurerm_resource_group.vault.name}" 6 | allocation_method = "Static" 7 | sku = "Standard" 8 | } 9 | 10 | resource "azurerm_lb" "vault_lb" { 11 | name = "lb-${random_id.vault_rand.hex}" 12 | location = "${var.arm_region}" 13 | resource_group_name = "${azurerm_resource_group.vault.name}" 14 | sku = "Standard" 15 | 16 | frontend_ip_configuration { 17 | name = "lb-pip" 18 | public_ip_address_id = "${azurerm_public_ip.lb_pip.id}" 19 | } 20 | } 21 | 22 | resource "azurerm_lb_backend_address_pool" "lb_be" { 23 | resource_group_name = "${azurerm_resource_group.vault.name}" 24 | loadbalancer_id = "${azurerm_lb.vault_lb.id}" 25 | name = "be-${random_id.vault_rand.hex}" 26 | } 27 | 28 | resource "azurerm_lb_rule" "vault_lb_rule" { 29 | resource_group_name = "${azurerm_resource_group.vault.name}" 30 | loadbalancer_id = "${azurerm_lb.vault_lb.id}" 31 | name = "Vault" 32 | protocol = "Tcp" 33 | frontend_port = 8200 34 | backend_port = 8200 35 | frontend_ip_configuration_name = "lb-pip" 36 | backend_address_pool_id = "${azurerm_lb_backend_address_pool.lb_be.id}" 37 | probe_id = "${azurerm_lb_probe.vault_lb_probe.id}" 38 | } 39 | 40 | resource "azurerm_lb_probe" "vault_lb_probe" { 41 | resource_group_name = "${azurerm_resource_group.vault.name}" 42 | loadbalancer_id = "${azurerm_lb.vault_lb.id}" 43 | name = "vault-tcp-probe" 44 | port = 8200 45 | protocol = "tcp" 46 | } 47 | 48 | resource "azurerm_lb_probe" "vault_https_probe" { 49 | resource_group_name = "${azurerm_resource_group.vault.name}" 50 | loadbalancer_id = "${azurerm_lb.vault_lb.id}" 51 | name = "vault-https-probe" 52 | port = 8200 53 | protocol = 
"https" 54 | request_path = "/v1/sys/health" 55 | } 56 | 57 | resource "azurerm_lb_nat_pool" "ssh_vmss_nat" { 58 | name = "ssh" 59 | resource_group_name = "${azurerm_resource_group.vault.name}" 60 | loadbalancer_id = "${azurerm_lb.vault_lb.id}" 61 | protocol = "Tcp" 62 | frontend_port_start = 2020 63 | frontend_port_end = 2040 64 | backend_port = 22 65 | frontend_ip_configuration_name = "lb-pip" 66 | } 67 | -------------------------------------------------------------------------------- /m7/azure-vms/vaultinstall.tpl: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | sudo apt-get install -y unzip jq 4 | 5 | #Create a vault user 6 | sudo useradd --system --home /etc/vault.d --shell /bin/false vault 7 | sudo mkdir --parents /opt/vault 8 | sudo mkdir /etc/vault.d 9 | sudo chown --recursive vault:vault /opt/vault 10 | 11 | #Get the vault executable 12 | wget --quiet https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip 13 | unzip vault_${vault_version}_linux_amd64.zip 14 | sudo mv vault /usr/local/bin/ 15 | sudo chmod 0755 /usr/local/bin/vault 16 | sudo chown vault:vault /usr/local/bin/vault 17 | 18 | #Create the systemd service file 19 | cat << EOF > /lib/systemd/system/vault.service 20 | [Unit] 21 | Description=Vault Agent 22 | Requires=network-online.target 23 | After=network-online.target 24 | [Service] 25 | Restart=on-failure 26 | PermissionsStartOnly=true 27 | ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault 28 | ExecStart=/usr/local/bin/vault server -config /etc/vault.d log-level=info 29 | ExecReload=/bin/kill -HUP $MAINPID 30 | KillSignal=SIGTERM 31 | User=vault 32 | Group=vault 33 | [Install] 34 | WantedBy=multi-user.target 35 | EOF 36 | 37 | #Retrieve the mysql password 38 | token=$(curl --silent 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true) 39 | 
raw_token=$(echo $token | jq -r .access_token) 40 | resp=$(curl --silent ${mysql_password}?api-version=2016-10-01 -H "Authorization: Bearer $raw_token") 41 | mysql_password_value=$(echo $resp | jq -r .value) 42 | 43 | #Get the IP address of the host 44 | ip_addr=$( ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1) 45 | 46 | #Create the vault server configuration file 47 | cat << EOF > /etc/vault.d/config.hcl 48 | storage "mysql" { 49 | address = "${mysql_server}.mysql.database.azure.com:3306" 50 | username = "vaultsqladmin@${mysql_server}" 51 | password = "$mysql_password_value" 52 | database = "vault" 53 | tls_ca_file = "/etc/vault.d/certs/mysql.pem" 54 | ha_enabled = "true" 55 | } 56 | listener "tcp" { 57 | address = "0.0.0.0:8200" 58 | cluster_address = "$ip_addr:8201" 59 | tls_cert_file = "/etc/vault.d/certs/vault_cert.crt" 60 | tls_key_file = "/etc/vault.d/certs/vault_cert.key" 61 | } 62 | seal "azurekeyvault" { 63 | tenant_id = "${tenant_id}" 64 | vault_name = "${vault_name}" 65 | key_name = "${key_name}" 66 | } 67 | ui=true 68 | disable_mlock = false 69 | api_addr = "https://vault.${vault_domain}:8200" 70 | cluster_addr = "https://$ip_addr:8201" 71 | EOF 72 | 73 | sudo chown -R vault:vault /etc/vault.d 74 | sudo chmod -R 0644 /etc/vault.d/* 75 | 76 | #copy the certificates 77 | sudo mkdir /etc/vault.d/certs 78 | sudo cp /var/lib/waagent/${cert_thumb}.crt /etc/vault.d/certs/vault_cert.crt 79 | sudo cp /var/lib/waagent/${cert_thumb}.prv /etc/vault.d/certs/vault_cert.key 80 | sudo chown --recursive vault:vault /etc/vault.d/certs 81 | sudo chmod 750 --recursive /etc/vault.d/certs/ 82 | 83 | #Get MySQL certificate 84 | wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem -O ~/mysql.pem 85 | sudo cp ~/mysql.pem /etc/vault.d/certs/mysql.pem 86 | 87 | #Start the service 88 | sudo chmod 0664 /lib/systemd/system/vault.service 89 | sudo systemctl daemon-reload 90 | 91 | systemctl enable vault 92 | systemctl start vault 
-------------------------------------------------------------------------------- /m9/azure-vms/vaultinstall.tpl: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | sudo apt-get install -y unzip jq 4 | 5 | #Create a vault user 6 | sudo useradd --system --home /etc/vault.d --shell /bin/false vault 7 | sudo mkdir --parents /opt/vault 8 | sudo mkdir /etc/vault.d 9 | sudo chown --recursive vault:vault /opt/vault 10 | 11 | #Get the vault executable 12 | wget --quiet https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip 13 | unzip vault_${vault_version}_linux_amd64.zip 14 | sudo mv vault /usr/local/bin/ 15 | sudo chmod 0755 /usr/local/bin/vault 16 | sudo chown vault:vault /usr/local/bin/vault 17 | 18 | #Create the systemd service file 19 | cat << EOF > /lib/systemd/system/vault.service 20 | [Unit] 21 | Description=Vault Agent 22 | Requires=network-online.target 23 | After=network-online.target 24 | [Service] 25 | Restart=on-failure 26 | PermissionsStartOnly=true 27 | ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault 28 | ExecStart=/usr/local/bin/vault server -config /etc/vault.d log-level=info 29 | ExecReload=/bin/kill -HUP $MAINPID 30 | KillSignal=SIGTERM 31 | User=vault 32 | Group=vault 33 | [Install] 34 | WantedBy=multi-user.target 35 | EOF 36 | 37 | #Retrieve the mysql password 38 | token=$(curl --silent 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true) 39 | raw_token=$(echo $token | jq -r .access_token) 40 | resp=$(curl --silent ${mysql_password}?api-version=2016-10-01 -H "Authorization: Bearer $raw_token") 41 | mysql_password_value=$(echo $resp | jq -r .value) 42 | 43 | #Get the IP address of the host 44 | ip_addr=$( ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1) 45 | 46 | #Create the vault server configuration file 47 | cat << EOF > 
/etc/vault.d/config.hcl 48 | storage "mysql" { 49 | address = "${mysql_server}.mysql.database.azure.com:3306" 50 | username = "vaultsqladmin@${mysql_server}" 51 | password = "$mysql_password_value" 52 | database = "vault" 53 | tls_ca_file = "/etc/vault.d/certs/mysql.pem" 54 | ha_enabled = "true" 55 | } 56 | listener "tcp" { 57 | address = "0.0.0.0:8200" 58 | cluster_address = "$ip_addr:8201" 59 | tls_cert_file = "/etc/vault.d/certs/vault_cert.crt" 60 | tls_key_file = "/etc/vault.d/certs/vault_cert.key" 61 | } 62 | seal "azurekeyvault" { 63 | tenant_id = "${tenant_id}" 64 | vault_name = "${vault_name}" 65 | key_name = "${key_name}" 66 | } 67 | ui=true 68 | disable_mlock = false 69 | api_addr = "https://vault.${vault_domain}:8200" 70 | cluster_addr = "https://$ip_addr:8201" 71 | EOF 72 | 73 | sudo chown -R vault:vault /etc/vault.d 74 | sudo chmod -R 0644 /etc/vault.d/* 75 | 76 | #copy the certificates 77 | sudo mkdir /etc/vault.d/certs 78 | sudo cp /var/lib/waagent/${cert_thumb}.crt /etc/vault.d/certs/vault_cert.crt 79 | sudo cp /var/lib/waagent/${cert_thumb}.prv /etc/vault.d/certs/vault_cert.key 80 | sudo chown --recursive vault:vault /etc/vault.d/certs 81 | sudo chmod 750 --recursive /etc/vault.d/certs/ 82 | 83 | #Get MySQL certificate 84 | wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem -O ~/mysql.pem 85 | sudo cp ~/mysql.pem /etc/vault.d/certs/mysql.pem 86 | 87 | #Start the service 88 | sudo chmod 0664 /lib/systemd/system/vault.service 89 | sudo systemctl daemon-reload 90 | 91 | systemctl enable vault 92 | systemctl start vault -------------------------------------------------------------------------------- /m8/azure-vms/vaultinstall.tpl: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | sudo apt-get install -y unzip jq 4 | 5 | #Create a vault user 6 | sudo useradd --system --home /etc/vault.d --shell /bin/false vault 7 | sudo mkdir --parents /opt/vault 8 | sudo mkdir /etc/vault.d 9 | 
sudo chown --recursive vault:vault /opt/vault 10 | 11 | #Get the vault executable 12 | wget --quiet https://releases.hashicorp.com/vault/${vault_version}/vault_${vault_version}_linux_amd64.zip 13 | unzip vault_${vault_version}_linux_amd64.zip 14 | sudo mv vault /usr/local/bin/ 15 | sudo chmod 0755 /usr/local/bin/vault 16 | sudo chown vault:vault /usr/local/bin/vault 17 | 18 | #Create the systemd service file 19 | cat << EOF > /lib/systemd/system/vault.service 20 | [Unit] 21 | Description=Vault Agent 22 | Requires=network-online.target 23 | After=network-online.target 24 | [Service] 25 | Restart=on-failure 26 | PermissionsStartOnly=true 27 | ExecStartPre=/sbin/setcap 'cap_ipc_lock=+ep' /usr/local/bin/vault 28 | ExecStart=/usr/local/bin/vault server -config /etc/vault.d log-level=info 29 | ExecReload=/bin/kill -HUP $MAINPID 30 | KillSignal=SIGTERM 31 | User=vault 32 | Group=vault 33 | [Install] 34 | WantedBy=multi-user.target 35 | EOF 36 | 37 | #Retrieve the mysql password 38 | token=$(curl --silent 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true) 39 | raw_token=$(echo $token | jq -r .access_token) 40 | resp=$(curl --silent ${mysql_password}?api-version=2016-10-01 -H "Authorization: Bearer $raw_token") 41 | mysql_password_value=$(echo $resp | jq -r .value) 42 | 43 | #Get the IP address of the host 44 | ip_addr=$( ip addr show eth0 | grep "inet\b" | awk '{print $2}' | cut -d/ -f1) 45 | 46 | #Create the vault server configuration file 47 | cat << EOF > /etc/vault.d/config.hcl 48 | storage "mysql" { 49 | address = "${mysql_server}.mysql.database.azure.com:3306" 50 | username = "vaultsqladmin@${mysql_server}" 51 | password = "$mysql_password_value" 52 | database = "vault" 53 | tls_ca_file = "/etc/vault.d/certs/mysql.pem" 54 | ha_enabled = "true" 55 | } 56 | listener "tcp" { 57 | address = "0.0.0.0:8200" 58 | cluster_address = "$ip_addr:8201" 59 | tls_cert_file = 
"/etc/vault.d/certs/vault_cert.crt" 60 | tls_key_file = "/etc/vault.d/certs/vault_cert.key" 61 | } 62 | seal "azurekeyvault" { 63 | tenant_id = "${tenant_id}" 64 | vault_name = "${vault_name}" 65 | key_name = "${key_name}" 66 | } 67 | ui=true 68 | disable_mlock = false 69 | api_addr = "https://vault-recover.${vault_domain}:8200" 70 | cluster_addr = "https://$ip_addr:8201" 71 | EOF 72 | 73 | sudo chown -R vault:vault /etc/vault.d 74 | sudo chmod -R 0644 /etc/vault.d/* 75 | 76 | #copy the certificates 77 | sudo mkdir /etc/vault.d/certs 78 | sudo cp /var/lib/waagent/${cert_thumb}.crt /etc/vault.d/certs/vault_cert.crt 79 | sudo cp /var/lib/waagent/${cert_thumb}.prv /etc/vault.d/certs/vault_cert.key 80 | sudo chown --recursive vault:vault /etc/vault.d/certs 81 | sudo chmod 750 --recursive /etc/vault.d/certs/ 82 | 83 | #Get MySQL certificate 84 | wget https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem -O ~/mysql.pem 85 | sudo cp ~/mysql.pem /etc/vault.d/certs/mysql.pem 86 | 87 | #Start the service 88 | sudo chmod 0664 /lib/systemd/system/vault.service 89 | sudo systemctl daemon-reload 90 | 91 | systemctl enable vault 92 | systemctl start vault -------------------------------------------------------------------------------- /m9/azure-vms/main.tf: -------------------------------------------------------------------------------- 1 | ################################################################################## 2 | # PROVIDERS 3 | ################################################################################## 4 | 5 | provider "azurerm" { 6 | subscription_id = "${var.arm_subscription_id}" 7 | client_id = "${var.arm_client_id}" 8 | client_secret = "${var.arm_client_secret}" 9 | tenant_id = "${var.arm_tenant_id}" 10 | } 11 | 12 | ################################################################################## 13 | # RESOURCES 14 | ################################################################################## 15 | 16 | # BASIC AZURE RESOURCES AND CONFIG 
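#
resource "azurerm_resource_group" "vault" {
  name     = "${var.arm_resource_group_name}${var.environment}"
  location = "${var.arm_region}"
}

# Short random suffix so globally-unique names (Key Vault, LB, NSG) do not
# collide between deployments.
resource "random_id" "vault_rand" {
  byte_length = 4
}

# User-assigned managed identity shared by every node in the scale set. The
# nodes use it to reach Key Vault (auto-unseal key, MySQL password secret), so
# no cloud credentials have to be written to disk or into cloud-init.
resource "azurerm_user_assigned_identity" "vault_id" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  name                = "vault-vms"
}

# Identity Terraform itself runs as; key_vault.tf grants it the deployer
# access policy on the Key Vault.
data "azurerm_client_config" "current" {}

resource "azurerm_virtual_machine_scale_set" "vault_vmss" {
  name                = "vault-vmss"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  upgrade_policy_mode = "Manual"

  sku {
    name     = "Standard_D2_V3"
    tier     = "Standard"
    capacity = 3
  }

  # NOTE(review): version = "latest" makes scale-out non-reproducible (a new
  # node can boot a different image build than its peers). Pin the version once
  # the image has been validated.
  storage_profile_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  storage_profile_os_disk {
    name              = ""
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "StandardSSD_LRS"
  }

  # custom_data is the rendered cloud-init script. It carries the Key Vault
  # URLs of the unseal key and the MySQL secret, not their values. Cloud-init
  # is readable by any local process through the instance metadata service, so
  # it must stay free of plaintext secrets.
  os_profile {
    computer_name_prefix = "${var.vm_name}"
    admin_username       = "vaultadmin"
    custom_data          = "${data.template_file.setup.rendered}"
  }

  # Key-based SSH only; password authentication is disabled.
  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/vaultadmin/.ssh/authorized_keys"
      key_data = "${file(var.ssh_key_pub)}"
    }
  }

  # The VM agent installs the TLS bundle (certificate AND private key) from Key
  # Vault on each node. This path requires enabled_for_deployment = true on the
  # vault and does not go through the managed identity's access policy.
  os_profile_secrets {
    source_vault_id = "${azurerm_key_vault.vault.id}"

    vault_certificates {
      certificate_url = "${azurerm_key_vault_certificate.vault_cert.secret_id}"
    }
  }

  identity = {
    type         = "UserAssigned"
    identity_ids = ["${azurerm_user_assigned_identity.vault_id.id}"]
  }

  network_profile {
    name                      = "vaultnetworkprofile"
    primary                   = true
    network_security_group_id = "${azurerm_network_security_group.vault_nsg.id}"

    ip_configuration {
      name                                   = "vaultprimaryipconfig"
      primary                                = true
      subnet_id                              = "${azurerm_subnet.vault.id}"
      load_balancer_backend_address_pool_ids = ["${azurerm_lb_backend_address_pool.lb_be.id}"]

      # NOTE(review): this resource has no count, so count.index is presumably
      # always 0 here (Terraform 0.11 semantics) and the expression just picks
      # the first NAT pool; 0.12+ rejects count.index without count.
      load_balancer_inbound_nat_rules_ids = ["${element(azurerm_lb_nat_pool.ssh_vmss_nat.*.id, count.index)}"]
    }
  }
}
--------------------------------------------------------------------------------
/m9/azure-vms/key_vault.tf:
--------------------------------------------------------------------------------
# KEY VAULT ITEMS #

# Password protecting bundle.pfx. Supply it via TF_VAR_pfx_password or an
# untracked tfvars file; the default only keeps existing runs working and
# should be dropped once the bundle is rotated.
variable "pfx_password" {
  description = "Password of the bundle.pfx imported as the Vault TLS certificate"
  default     = "vaultadmin"
}

resource "azurerm_key_vault" "vault" {
  name                = "${var.environment}vault${random_id.vault_rand.hex}"
  location            = "${azurerm_resource_group.vault.location}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  tenant_id           = "${var.arm_tenant_id}"

  # Required so os_profile_secrets can push the TLS bundle onto the VMs.
  enabled_for_deployment = true

  # Nothing in this module uses disk encryption; harmless but unnecessary.
  enabled_for_disk_encryption = true

  sku {
    name = "standard"
  }

  # Policy 1: the identity Terraform runs as. Broad data-plane rights are needed
  # to create the unseal key, import the certificate and write the MySQL secret.
  # service_principal_object_id is only populated when the provider authenticates
  # as a service principal (client_secret, as in this repo); under a user login
  # it is empty and this policy fails to apply.
  access_policy {
    tenant_id = "${var.arm_tenant_id}"
    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

    key_permissions = [
      "backup",
      "create",
      "decrypt",
      "delete",
      "encrypt",
      "get",
      "import",
      "list",
      "purge",
      "recover",
      "restore",
      "sign",
      "unwrapKey",
      "update",
      "verify",
      "wrapKey",
    ]

    secret_permissions = [
      "backup",
      "delete",
      "get",
      "list",
      "purge",
      "recover",
      "restore",
      "set",
    ]

    certificate_permissions = [
      "create",
      "delete",
      "deleteissuers",
      "get",
      "getissuers",
      "import",
      "list",
      "listissuers",
      "managecontacts",
      "manageissuers",
      "setissuers",
      "update",
    ]
  }

  # Policy 2: the VM managed identity. Vault auto-unseal needs get/wrapKey/
  # unwrapKey on the key and the install script reads the MySQL secret.
  # "delete" was removed: nothing running on a node should be able to destroy
  # the unseal key. create/update are kept because vaultinstall.tpl (not shown
  # here) may create the key; verify and drop them if it does not.
  access_policy {
    tenant_id = "${var.arm_tenant_id}"
    object_id = "${azurerm_user_assigned_identity.vault_id.principal_id}"

    certificate_permissions = [
      "get",
      "getissuers",
      "import",
      "list",
      "listissuers",
      "update",
    ]

    key_permissions = [
      "get",
      "list",
      "create",
      "update",
      "wrapKey",
      "unwrapKey",
    ]

    secret_permissions = [
      "get",
    ]
  }

  # Network ACLs are intentionally not set: the vault subnet only carries the
  # Microsoft.Sql service endpoint and Terraform runs from outside the VNet, so
  # default_action = "Deny" would break both the nodes and the deployer. To lock
  # the vault down, add "Microsoft.KeyVault" to azurerm_subnet.vault's
  # service_endpoints and then enable:
  #   network_acls {
  #     default_action             = "Deny"
  #     bypass                     = "AzureServices"
  #     virtual_network_subnet_ids = ["${azurerm_subnet.vault.id}"]
  #     ip_rules                   = ["<deployer public IP>/32"]
  #   }
  # (The previously commented-out block used default_action = "Allow", which
  # is a no-op.)
}

# RSA key used by Vault's azurekeyvault seal (auto-unseal).
resource "azurerm_key_vault_key" "generated" {
  name         = "${var.key_name}"
  key_vault_id = "${azurerm_key_vault.vault.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# Imports the pre-built bundle.pfx as "vault-cert". The PFX bytes and the
# password both land in Terraform state, so the state backend must be treated
# as secret. exportable = true is what lets os_profile_secrets deliver the
# private key to the VMs.
resource "azurerm_key_vault_certificate" "vault_cert" {
  name         = "vault-cert"
  key_vault_id = "${azurerm_key_vault.vault.id}"

  certificate {
    contents = "${base64encode(file("bundle.pfx"))}"
    password = "${var.pfx_password}"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}

# MySQL admin password, stored in Key Vault so the nodes can fetch it with the
# managed identity. The value is also held in Terraform state.
resource "azurerm_key_vault_secret" "mysql_secret" {
  name         = "mysql-password"
  value        = "${var.mysql_password}"
  key_vault_id = "${azurerm_key_vault.vault.id}"
}

# VIRTUAL MACHINE RESOURCES #

# Inputs for vaultinstall.tpl (cloud-init). mysql_password is the secret's Key
# Vault identifier (a URL), not the password; the script resolves it at boot
# with the managed identity. mysql_server strips the DNS suffix off the server
# FQDN.
data "template_file" "setup" {
  template = "${file("${path.module}/vaultinstall.tpl")}"

  vars = {
    tenant_id      = "${var.arm_tenant_id}"
    vault_name     = "${azurerm_key_vault.vault.name}"
    key_name       = "${var.key_name}"
    vault_version  = "${var.vault_version}"
    mysql_server   = "${element(split(".",azurerm_mysql_server.vaultmysql.fqdn),0)}"
    mysql_password = "${azurerm_key_vault_secret.mysql_secret.id}"
    cert_thumb     = "${azurerm_key_vault_certificate.vault_cert.thumbprint}"
    vault_domain   = "${var.vault_domain}"
  }
}
--------------------------------------------------------------------------------
/m2/azure-vms/resources.tf:
--------------------------------------------------------------------------------
##################################################################################
# PROVIDERS
##################################################################################

# Service-principal authentication. arm_client_secret is a credential: pass it
# through TF_VAR_arm_client_secret or an untracked tfvars file, never commit it.
provider "azurerm" {
  subscription_id = "${var.arm_subscription_id}"
  client_id       = "${var.arm_client_id}"
  client_secret   = "${var.arm_client_secret}"
  tenant_id       = "${var.arm_tenant_id}"
}

##################################################################################
# DATA
##################################################################################

##################################################################################
# RESOURCES
##################################################################################

resource "azurerm_resource_group" "rg" {
  name     = "${var.arm_resource_group_name}-azurevms"
  location = "${var.arm_region}"
}

# Random suffix for the VM's public DNS label and hostname (prefix "vault").
resource "random_id" "dns" {
  byte_length = 4
  prefix      = "vault"
}

# Source range allowed to reach the Vault API/UI. The default keeps the
# original world-open behaviour; set it to your admin range in tfvars.
variable "admin_source_cidr" {
  description = "CIDR or Azure service tag allowed to reach Vault on TCP 8200"
  default     = "*"
}

# NETWORKING #
module "vnet" {
  source              = "Azure/network/azurerm"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  vnet_name           = "${azurerm_resource_group.rg.name}"
  location            = "${var.arm_region}"
  address_space       = "${var.arm_network_address_space}"
  subnet_prefixes     = ["${var.arm_subnet1_address_space}"]
  subnet_names        = ["clients"]

  tags = {
    environment = "azure-vms"
  }
}

# Subnet for the Vault VM. The Microsoft.Sql service endpoint is what the MySQL
# VNet rule below relies on.
resource "azurerm_subnet" "vault" {
  name                 = "vault"
  resource_group_name  = "${azurerm_resource_group.rg.name}"
  virtual_network_name = "${module.vnet.vnet_name}"
  address_prefix       = "${var.arm_subnet2_address_space}"
  service_endpoints    = ["Microsoft.Sql"]
}

# VIRTUAL MACHINES #
# Single Vault VM with a public IP. The DNS label and hostname use the hex form
# of the random id: b64_url can contain "_" or a trailing "-", which are not
# valid in an Azure DNS label and made a fraction of applies fail.
module "vaultserver" {
  source               = "Azure/compute/azurerm"
  location             = "${var.arm_region}"
  vm_os_simple         = "UbuntuServer"
  public_ip_dns        = ["${lower(random_id.dns.hex)}"]
  vnet_subnet_id       = "${azurerm_subnet.vault.id}"
  vm_size              = "Standard_D2_V3"
  vm_hostname          = "${random_id.dns.hex}"
  storage_account_type = "StandardSSD_LRS"
  ssh_key              = "${var.ssh_key_pub}"
  admin_username       = "vaultadmin"
  resource_group_name  = "${azurerm_resource_group.rg.name}"

  tags = {
    environment = "azure-vms"
  }
}

# Opens the Vault API/UI port on the NSG the compute module created. The VM
# has a public IP, so whatever this rule admits is reachable from the Internet.
# SSH on 22 is opened by the compute module with its own defaults (not visible
# here) - check those too.
resource "azurerm_network_security_rule" "vault" {
  name                        = "vault-ui"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "8200"
  source_address_prefix       = "${var.admin_source_cidr}"
  destination_address_prefix  = "*"
  resource_group_name         = "${azurerm_resource_group.rg.name}"
  network_security_group_name = "${basename(module.vaultserver.network_security_group_id)}"
}

# MYSQL

# Vault storage backend. TLS is enforced for clients; the admin password is
# kept in Terraform state.
resource "azurerm_mysql_server" "vaultmysql" {
  name                = "vault-mysql-1"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.rg.name}"

  sku {
    name     = "GP_Gen5_2"
    capacity = 2
    tier     = "GeneralPurpose"
    family   = "Gen5"
  }

  storage_profile {
    storage_mb            = 5120
    backup_retention_days = 7
    geo_redundant_backup  = "Disabled"
  }

  administrator_login          = "vaultsqladmin"
  administrator_login_password = "${var.mysql_password}"
  version                      = "5.7"
  ssl_enforcement              = "Enabled"
}

# Only the vault subnet may reach the MySQL server.
resource "azurerm_mysql_virtual_network_rule" "vaultvnetrule" {
  name                = "vault-vnet-rule"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  server_name         = "${azurerm_mysql_server.vaultmysql.name}"
  subnet_id           = "${azurerm_subnet.vault.id}"
}

resource "azurerm_mysql_database" "vaultdb" {
  name                = "vaultdb"
  resource_group_name = "${azurerm_resource_group.rg.name}"
  server_name         = "${azurerm_mysql_server.vaultmysql.name}"
  charset             = "utf8"
  collation           = "utf8_unicode_ci"
}
--------------------------------------------------------------------------------
/m8/azure-vms/resources.tf:
--------------------------------------------------------------------------------
##################################################################################
# PROVIDERS
##################################################################################

# Service-principal authentication. arm_client_secret is a credential: pass it
# through TF_VAR_arm_client_secret or an untracked tfvars file, never commit it.
provider "azurerm" {
  subscription_id = "${var.arm_subscription_id}"
  client_id       = "${var.arm_client_id}"
  client_secret   = "${var.arm_client_secret}"
  tenant_id       = "${var.arm_tenant_id}"
}

##################################################################################
# RESOURCES
##################################################################################

# BASIC AZURE RESOURCES AND CONFIG #
resource "azurerm_resource_group" "vault" {
  name     = "${var.arm_resource_group_name}${var.environment}"
  location = "${var.arm_region}"
}

resource "random_id" "vault_rand" {
  byte_length = 4
}

# Managed identity for the rebuilt Vault nodes; granted access to the existing
# Key Vault further down.
resource "azurerm_user_assigned_identity" "vault_id" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  name                = "vault-recovery"
}

# Source range allowed to reach SSH (via the LB NAT rules) and the Vault API on
# 8200. The default keeps the original world-open behaviour; override it with
# your admin range. LB health probes are admitted by the NSG's built-in
# AllowAzureLoadBalancerInBound rule and are not affected.
variable "admin_source_cidr" {
  description = "CIDR or Azure service tag allowed to reach SSH and TCP 8200 through the load balancer"
  default     = "*"
}

# NETWORKING #
module "vnet" {
  source              = "Azure/network/azurerm"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  vnet_name           = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  address_space       = "${var.arm_network_address_space}"
  subnet_prefixes     = ["${var.arm_subnet1_address_space}"]
  subnet_names        = ["clients"]
}

resource "azurerm_subnet" "vault" {
  name                 = "vault"
  resource_group_name  = "${azurerm_resource_group.vault.name}"
  virtual_network_name = "${module.vnet.vnet_name}"
  address_prefix       = "${var.arm_subnet2_address_space}"
  service_endpoints    = ["Microsoft.Sql"]
}

resource "azurerm_network_security_group" "vault_nsg" {
  name                = "nsg-${random_id.vault_rand.hex}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"

  # SSH arrives through the LB NAT rules (frontend 2020+N -> 22). A Standard LB
  # preserves the client source address, so this prefix is the real client
  # range, not the LB.
  security_rule {
    name                       = "SSH"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "${var.admin_source_cidr}"
    destination_address_prefix = "*"
  }

  # Vault API/UI, load-balanced from the public frontend.
  security_rule {
    name                       = "Vault"
    priority                   = 1002
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "8200"
    source_address_prefix      = "${var.admin_source_cidr}"
    destination_address_prefix = "*"
  }

  # Vault cluster port (request forwarding between nodes). Only peers inside
  # the VNet talk to it and the LB has no rule for it, so it is never exposed
  # beyond the virtual network.
  security_rule {
    name                       = "VaultHA"
    priority                   = 1003
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "8201"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "*"
  }
}

# LOAD BALANCER ITEMS #
resource "azurerm_public_ip" "lb_pip" {
  name                = "lb-pip-${random_id.vault_rand.hex}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_lb" "vault_lb" {
  name                = "lb-${random_id.vault_rand.hex}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  sku                 = "Standard"

  frontend_ip_configuration {
    name                 = "lb-pip"
    public_ip_address_id = "${azurerm_public_ip.lb_pip.id}"
  }
}

resource "azurerm_lb_backend_address_pool" "lb_be" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  loadbalancer_id     = "${azurerm_lb.vault_lb.id}"
  name                = "be-${random_id.vault_rand.hex}"
}

# Forwards 8200 to the nodes. NOTE(review): it uses the TCP probe, which marks
# a node healthy as soon as the listener is up - including sealed nodes, which
# answer 503. vault_https_probe below (200 only from the unsealed active node)
# is defined but referenced by no rule; point probe_id at it once TLS works.
resource "azurerm_lb_rule" "vault_lb_rule" {
  resource_group_name            = "${azurerm_resource_group.vault.name}"
  loadbalancer_id                = "${azurerm_lb.vault_lb.id}"
  name                           = "Vault"
  protocol                       = "Tcp"
  frontend_port                  = 8200
  backend_port                   = 8200
  frontend_ip_configuration_name = "lb-pip"
  backend_address_pool_id        = "${azurerm_lb_backend_address_pool.lb_be.id}"
  probe_id                       = "${azurerm_lb_probe.vault_lb_probe.id}"
}

resource "azurerm_lb_probe" "vault_lb_probe" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  loadbalancer_id     = "${azurerm_lb.vault_lb.id}"
  name                = "vault-tcp-probe"
  port                = 8200
  protocol            = "tcp"
}

# Currently unused (see vault_lb_rule).
resource "azurerm_lb_probe" "vault_https_probe" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  loadbalancer_id     = "${azurerm_lb.vault_lb.id}"
  name                = "vault-https-probe"
  port                = 8200
  protocol            = "https"
  request_path        = "/v1/sys/health"
}

resource "azurerm_network_interface_backend_address_pool_association" "nic_be" {
  count                   = "${var.count}"
  network_interface_id    = "${azurerm_network_interface.vault_nic.*.id[count.index]}"
  ip_configuration_name   = "nic-${random_id.vault_rand.hex}-${count.index}"
  backend_address_pool_id = "${azurerm_lb_backend_address_pool.lb_be.id}"
}

# One public SSH entry point per node: frontend 2020, 2021, ... -> 22.
resource "azurerm_lb_nat_rule" "ssh_nat" {
  count                          = "${var.count}"
  resource_group_name            = "${azurerm_resource_group.vault.name}"
  loadbalancer_id                = "${azurerm_lb.vault_lb.id}"
  name                           = "ssh-nat-${count.index}"
  protocol                       = "Tcp"
  frontend_port                  = "202${count.index}"
  backend_port                   = "22"
  frontend_ip_configuration_name = "lb-pip"
}

resource "azurerm_network_interface_nat_rule_association" "ssh_nat_ass" {
  count                 = "${var.count}"
  network_interface_id  = "${azurerm_network_interface.vault_nic.*.id[count.index]}"
  ip_configuration_name = "nic-${random_id.vault_rand.hex}-${count.index}"
  nat_rule_id           = "${azurerm_lb_nat_rule.ssh_nat.*.id[count.index]}"
}

# KEY VAULT ITEMS #

# Pre-existing Key Vault (created by an earlier module) that holds the unseal
# key, the MySQL password and the TLS bundle.
data "azurerm_key_vault" "vault_keyvault" {
  name                = "${var.vault_name}"
  resource_group_name = "${var.vault_resource_group}"
}

# NOTE(review): both secret data sources copy the secret VALUE into Terraform
# state (the MySQL password, and the PFX including its private key) although
# only .id is used below. Treat the state backend as sensitive.
data "azurerm_key_vault_secret" "mysql_password" {
  name         = "${var.mysql_password_name}"
  key_vault_id = "${data.azurerm_key_vault.vault_keyvault.id}"
}

data "azurerm_key_vault_secret" "vault_cert" {
  name         = "${var.cert_name}"
  key_vault_id = "${data.azurerm_key_vault.vault_keyvault.id}"
}

# Access policy for the node identity on the existing vault. "delete" on keys
# was removed - nothing on a node should be able to destroy the unseal key.
# create/update are kept because vaultinstall.tpl (not shown here) may create
# the key; verify and drop them if it does not.
resource "azurerm_key_vault_access_policy" "vault-recovery" {
  vault_name          = "${var.vault_name}"
  resource_group_name = "${var.vault_resource_group}"

  tenant_id = "${data.azurerm_key_vault.vault_keyvault.tenant_id}"
  object_id = "${azurerm_user_assigned_identity.vault_id.principal_id}"

  certificate_permissions = [
    "get",
    "getissuers",
    "import",
    "list",
    "listissuers",
    "update",
  ]

  key_permissions = [
    "get",
    "list",
    "create",
    "update",
    "wrapKey",
    "unwrapKey",
  ]

  secret_permissions = [
    "get",
  ]
}

# VIRTUAL MACHINE RESOURCES #
# Private NICs only; the nodes are reached through the load balancer.
resource "azurerm_network_interface" "vault_nic" {
  count                     = "${var.count}"
  name                      = "nic-${random_id.vault_rand.hex}-${count.index}"
  location                  = "${var.arm_region}"
  resource_group_name       = "${azurerm_resource_group.vault.name}"
  network_security_group_id = "${azurerm_network_security_group.vault_nsg.id}"

  ip_configuration {
    name                          = "nic-${random_id.vault_rand.hex}-${count.index}"
    subnet_id                     = "${azurerm_subnet.vault.id}"
    private_ip_address_allocation = "dynamic"
  }
}

resource "azurerm_availability_set" "vault-vms" {
  name                = "vault-vms"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  managed             = true
}

# Inputs for vaultinstall.tpl (cloud-init). mysql_password is the secret's Key
# Vault identifier (a URL), not the password; the script resolves it at boot
# with the managed identity.
data "template_file" "setup" {
  template = "${file("${path.module}/vaultinstall.tpl")}"

  vars = {
    tenant_id      = "${var.arm_tenant_id}"
    vault_name     = "${var.vault_name}"
    key_name       = "${var.key_name}"
    vault_version  = "${var.vault_version}"
    mysql_server   = "${var.mysql_server_name}"
    mysql_password = "${data.azurerm_key_vault_secret.mysql_password.id}"
    cert_thumb     = "${var.certificate_thumbprint}"
    vault_domain   = "${var.vault_domain}"
  }
}

resource "azurerm_virtual_machine" "vault_vm" {
  count                         = "${var.count}"
  name                          = "${var.vm_name}-${count.index}"
  location                      = "${var.arm_region}"
  resource_group_name           = "${azurerm_resource_group.vault.name}"
  network_interface_ids         = ["${azurerm_network_interface.vault_nic.*.id[count.index]}"]
  vm_size                       = "Standard_D2_V3"
  delete_os_disk_on_termination = true
  availability_set_id           = "${azurerm_availability_set.vault-vms.id}"

  identity = {
    type         = "UserAssigned"
    identity_ids = ["${azurerm_user_assigned_identity.vault_id.id}"]
  }

  storage_os_disk {
    name              = "OsDisk${count.index}"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "StandardSSD_LRS"
  }

  # NOTE(review): version = "latest" is not reproducible across nodes; pin it.
  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  # custom_data (cloud-init) is readable from the instance metadata service by
  # any local process; it carries Key Vault URLs only, no secret values.
  os_profile {
    computer_name  = "${var.vm_name}-${count.index}"
    admin_username = "vaultadmin"
    custom_data    = "${data.template_file.setup.rendered}"
  }

  # The VM agent installs the TLS bundle (certificate and private key) from
  # the existing Key Vault; requires enabled_for_deployment on that vault.
  os_profile_secrets {
    source_vault_id = "${data.azurerm_key_vault.vault_keyvault.id}"

    vault_certificates {
      certificate_url = "${data.azurerm_key_vault_secret.vault_cert.id}"
    }
  }

  # Key-based SSH only.
  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/vaultadmin/.ssh/authorized_keys"
      key_data = "${file(var.ssh_key_pub)}"
    }
  }
}

# Lets the new vault subnet reach the existing MySQL server.
resource "azurerm_mysql_virtual_network_rule" "vaultvnetrule" {
  name                = "vault-vnet-rule"
  resource_group_name = "${var.vault_resource_group}"
  server_name         = "${var.mysql_server_name}"
  subnet_id           = "${azurerm_subnet.vault.id}"
}
--------------------------------------------------------------------------------
/m7/azure-vms/resources.tf:
--------------------------------------------------------------------------------
##################################################################################
# PROVIDERS
##################################################################################

# Service-principal authentication. arm_client_secret is a credential: pass it
# through TF_VAR_arm_client_secret or an untracked tfvars file, never commit it.
provider "azurerm" {
  subscription_id = "${var.arm_subscription_id}"
  client_id       = "${var.arm_client_id}"
  client_secret   = "${var.arm_client_secret}"
  tenant_id       = "${var.arm_tenant_id}"
}

##################################################################################
# RESOURCES
##################################################################################

# BASIC AZURE RESOURCES AND CONFIG #
resource "azurerm_resource_group" "vault" {
  name     = "${var.arm_resource_group_name}${var.environment}"
  location = "${var.arm_region}"
}

resource "random_id" "vault_rand" {
  byte_length = 4
}

# Managed identity attached to every Vault node; used for Key Vault access
# (auto-unseal key, MySQL secret) without credentials on disk.
resource "azurerm_user_assigned_identity" "vault_id" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  name                = "vault-vms"
}

# Identity Terraform runs as; granted the deployer access policy below.
data "azurerm_client_config" "current" {}

# Source range allowed to reach SSH (via the LB NAT rules) and the Vault API on
# 8200. The default keeps the original world-open behaviour; override it with
# your admin range. LB health probes are admitted by the NSG's built-in
# AllowAzureLoadBalancerInBound rule and are not affected.
variable "admin_source_cidr" {
  description = "CIDR or Azure service tag allowed to reach SSH and TCP 8200 through the load balancer"
  default     = "*"
}

# Password protecting bundle.pfx. Supply it via TF_VAR_pfx_password or an
# untracked tfvars file; the default only keeps existing runs working and
# should be dropped once the bundle is rotated.
variable "pfx_password" {
  description = "Password of the bundle.pfx imported as the Vault TLS certificate"
  default     = "vaultadmin"
}

# NETWORKING #
module "vnet" {
  source              = "Azure/network/azurerm"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  vnet_name           = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  address_space       = "${var.arm_network_address_space}"
  subnet_prefixes     = ["${var.arm_subnet1_address_space}"]
  subnet_names        = ["clients"]
}

resource "azurerm_subnet" "vault" {
  name                 = "vault"
  resource_group_name  = "${azurerm_resource_group.vault.name}"
  virtual_network_name = "${module.vnet.vnet_name}"
  address_prefix       = "${var.arm_subnet2_address_space}"
  service_endpoints    = ["Microsoft.Sql"]
}

#Public IP addresses for the virtual machines (disabled: nodes sit behind the LB)
/*resource "azurerm_public_ip" "vault_publicip" {
  count               = "${var.count}"
  name                = "ip-${random_id.vault_rand.hex}-${count.index}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  allocation_method   = "Static"
  sku                 = "Standard"

  tags {
    environment = "${var.environment}-${random_id.vault_rand.hex}"
  }
}*/

resource "azurerm_network_security_group" "vault_nsg" {
  name                = "nsg-${random_id.vault_rand.hex}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"

  # SSH arrives through the LB NAT rules (frontend 2020+N -> 22). A Standard LB
  # preserves the client source address, so this prefix is the real client
  # range, not the LB.
  security_rule {
    name                       = "SSH"
    priority                   = 1001
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "${var.admin_source_cidr}"
    destination_address_prefix = "*"
  }

  # Vault API/UI, load-balanced from the public frontend.
  security_rule {
    name                       = "Vault"
    priority                   = 1002
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "8200"
    source_address_prefix      = "${var.admin_source_cidr}"
    destination_address_prefix = "*"
  }

  # Vault cluster port (request forwarding between nodes). Only peers inside
  # the VNet talk to it and the LB has no rule for it, so it is never exposed
  # beyond the virtual network.
  security_rule {
    name                       = "VaultHA"
    priority                   = 1003
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "8201"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "*"
  }

  tags {
    environment = "${var.environment}-${random_id.vault_rand.hex}"
  }
}

# LOAD BALANCER ITEMS #
resource "azurerm_public_ip" "lb_pip" {
  name                = "lb-pip-${random_id.vault_rand.hex}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_lb" "vault_lb" {
  name                = "lb-${random_id.vault_rand.hex}"
  location            = "${var.arm_region}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  sku                 = "Standard"

  frontend_ip_configuration {
    name                 = "lb-pip"
    public_ip_address_id = "${azurerm_public_ip.lb_pip.id}"
  }
}

resource "azurerm_lb_backend_address_pool" "lb_be" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  loadbalancer_id     = "${azurerm_lb.vault_lb.id}"
  name                = "be-${random_id.vault_rand.hex}"
}

# Forwards 8200 to the nodes. NOTE(review): it uses the TCP probe, which marks
# a node healthy as soon as the listener is up - including sealed nodes, which
# answer 503. vault_https_probe below (200 only from the unsealed active node)
# is defined but referenced by no rule; point probe_id at it once TLS works.
resource "azurerm_lb_rule" "vault_lb_rule" {
  resource_group_name            = "${azurerm_resource_group.vault.name}"
  loadbalancer_id                = "${azurerm_lb.vault_lb.id}"
  name                           = "Vault"
  protocol                       = "Tcp"
  frontend_port                  = 8200
  backend_port                   = 8200
  frontend_ip_configuration_name = "lb-pip"
  backend_address_pool_id        = "${azurerm_lb_backend_address_pool.lb_be.id}"
  probe_id                       = "${azurerm_lb_probe.vault_lb_probe.id}"
}

resource "azurerm_lb_probe" "vault_lb_probe" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  loadbalancer_id     = "${azurerm_lb.vault_lb.id}"
  name                = "vault-tcp-probe"
  port                = 8200
  protocol            = "tcp"
}

# Currently unused (see vault_lb_rule).
resource "azurerm_lb_probe" "vault_https_probe" {
  resource_group_name = "${azurerm_resource_group.vault.name}"
  loadbalancer_id     = "${azurerm_lb.vault_lb.id}"
  name                = "vault-https-probe"
  port                = 8200
  protocol            = "https"
  request_path        = "/v1/sys/health"
}

resource "azurerm_network_interface_backend_address_pool_association" "nic_be" {
  count                   = "${var.count}"
  network_interface_id    = "${azurerm_network_interface.vault_nic.*.id[count.index]}"
  ip_configuration_name   = "nic-${random_id.vault_rand.hex}-${count.index}"
  backend_address_pool_id = "${azurerm_lb_backend_address_pool.lb_be.id}"
}

# One public SSH entry point per node: frontend 2020, 2021, ... -> 22.
resource "azurerm_lb_nat_rule" "ssh_nat" {
  count                          = "${var.count}"
  resource_group_name            = "${azurerm_resource_group.vault.name}"
  loadbalancer_id                = "${azurerm_lb.vault_lb.id}"
  name                           = "ssh-nat-${count.index}"
  protocol                       = "Tcp"
  frontend_port                  = "202${count.index}"
  backend_port                   = "22"
  frontend_ip_configuration_name = "lb-pip"
}

resource "azurerm_network_interface_nat_rule_association" "ssh_nat_ass" {
  count                 = "${var.count}"
  network_interface_id  = "${azurerm_network_interface.vault_nic.*.id[count.index]}"
  ip_configuration_name = "nic-${random_id.vault_rand.hex}-${count.index}"
  nat_rule_id           = "${azurerm_lb_nat_rule.ssh_nat.*.id[count.index]}"
}

# KEY VAULT ITEMS #

resource "azurerm_key_vault" "vault" {
  name                = "${var.environment}vault${random_id.vault_rand.hex}"
  location            = "${azurerm_resource_group.vault.location}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  tenant_id           = "${var.arm_tenant_id}"

  # Required so os_profile_secrets can push the TLS bundle onto the VMs.
  enabled_for_deployment = true

  # Nothing in this module uses disk encryption; harmless but unnecessary.
  enabled_for_disk_encryption = true

  sku {
    name = "standard"
  }

  # Policy 1: the identity Terraform runs as. Broad data-plane rights are needed
  # to create the unseal key, import the certificate and write the MySQL secret.
  # service_principal_object_id is only populated when the provider authenticates
  # as a service principal (client_secret, as in this repo); under a user login
  # it is empty and this policy fails to apply.
  access_policy {
    tenant_id = "${var.arm_tenant_id}"
    object_id = "${data.azurerm_client_config.current.service_principal_object_id}"

    key_permissions = [
      "backup",
      "create",
      "decrypt",
      "delete",
      "encrypt",
      "get",
      "import",
      "list",
      "purge",
      "recover",
      "restore",
      "sign",
      "unwrapKey",
      "update",
      "verify",
      "wrapKey",
    ]

    secret_permissions = [
      "backup",
      "delete",
      "get",
      "list",
      "purge",
      "recover",
      "restore",
      "set",
    ]

    certificate_permissions = [
      "create",
      "delete",
      "deleteissuers",
      "get",
      "getissuers",
      "import",
      "list",
      "listissuers",
      "managecontacts",
      "manageissuers",
      "setissuers",
      "update",
    ]
  }

  # Policy 2: the VM managed identity. Vault auto-unseal needs get/wrapKey/
  # unwrapKey on the key and the install script reads the MySQL secret.
  # "delete" was removed: nothing running on a node should be able to destroy
  # the unseal key. create/update are kept because vaultinstall.tpl (not shown
  # here) may create the key; verify and drop them if it does not.
  access_policy {
    tenant_id = "${var.arm_tenant_id}"
    object_id = "${azurerm_user_assigned_identity.vault_id.principal_id}"

    certificate_permissions = [
      "get",
      "getissuers",
      "import",
      "list",
      "listissuers",
      "update",
    ]

    key_permissions = [
      "get",
      "list",
      "create",
      "update",
      "wrapKey",
      "unwrapKey",
    ]

    secret_permissions = [
      "get",
    ]
  }

  # Network ACLs are intentionally not set: the vault subnet only carries the
  # Microsoft.Sql service endpoint and Terraform runs from outside the VNet, so
  # default_action = "Deny" would break both the nodes and the deployer. To lock
  # the vault down, add "Microsoft.KeyVault" to azurerm_subnet.vault's
  # service_endpoints and then enable:
  #   network_acls {
  #     default_action             = "Deny"
  #     bypass                     = "AzureServices"
  #     virtual_network_subnet_ids = ["${azurerm_subnet.vault.id}"]
  #     ip_rules                   = ["<deployer public IP>/32"]
  #   }
  # (The previously commented-out block used default_action = "Allow", which
  # is a no-op.)
}

# RSA key used by Vault's azurekeyvault seal (auto-unseal).
resource "azurerm_key_vault_key" "generated" {
  name         = "${var.key_name}"
  key_vault_id = "${azurerm_key_vault.vault.id}"
  key_type     = "RSA"
  key_size     = 2048

  key_opts = [
    "decrypt",
    "encrypt",
    "sign",
    "unwrapKey",
    "verify",
    "wrapKey",
  ]
}

# Imports the pre-built bundle.pfx as "vault-cert". The PFX bytes and the
# password both land in Terraform state, so the state backend must be treated
# as secret. exportable = true is what lets os_profile_secrets deliver the
# private key to the VMs.
resource "azurerm_key_vault_certificate" "vault_cert" {
  name         = "vault-cert"
  key_vault_id = "${azurerm_key_vault.vault.id}"

  certificate {
    contents = "${base64encode(file("bundle.pfx"))}"
    password = "${var.pfx_password}"
  }

  certificate_policy {
    issuer_parameters {
      name = "Self"
    }

    key_properties {
      exportable = true
      key_size   = 2048
      key_type   = "RSA"
      reuse_key  = false
    }

    secret_properties {
      content_type = "application/x-pkcs12"
    }
  }
}

# MySQL admin password, stored in Key Vault so the nodes can fetch it with the
# managed identity. The value is also held in Terraform state.
resource "azurerm_key_vault_secret" "mysql_secret" {
  name         = "mysql-password"
  value        = "${var.mysql_password}"
  key_vault_id = "${azurerm_key_vault.vault.id}"
}

# VIRTUAL MACHINE RESOURCES #
# Private NICs only; the nodes are reached through the load balancer.
resource "azurerm_network_interface" "vault_nic" {
  count                     = "${var.count}"
  name                      = "nic-${random_id.vault_rand.hex}-${count.index}"
  location                  = "${var.arm_region}"
  resource_group_name       = "${azurerm_resource_group.vault.name}"
  network_security_group_id = "${azurerm_network_security_group.vault_nsg.id}"

  ip_configuration {
    name                          = "nic-${random_id.vault_rand.hex}-${count.index}"
    subnet_id                     = "${azurerm_subnet.vault.id}"
    private_ip_address_allocation = "dynamic"
    #public_ip_address_id          = "${azurerm_public_ip.vault_publicip.*.id[count.index]}"
  }
}

resource "azurerm_availability_set" "vault-vms" {
  name                = "vault-vms"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  managed             = true
}

# Inputs for vaultinstall.tpl (cloud-init). mysql_password is the secret's Key
# Vault identifier (a URL), not the password; the script resolves it at boot
# with the managed identity. mysql_server strips the DNS suffix off the server
# FQDN.
data "template_file" "setup" {
  template = "${file("${path.module}/vaultinstall.tpl")}"

  vars = {
    tenant_id      = "${var.arm_tenant_id}"
    vault_name     = "${azurerm_key_vault.vault.name}"
    key_name       = "${var.key_name}"
    vault_version  = "${var.vault_version}"
    mysql_server   = "${element(split(".",azurerm_mysql_server.vaultmysql.fqdn),0)}"
    mysql_password = "${azurerm_key_vault_secret.mysql_secret.id}"
    cert_thumb     = "${azurerm_key_vault_certificate.vault_cert.thumbprint}"
    vault_domain   = "${var.vault_domain}"
  }
}

resource "azurerm_virtual_machine" "vault_vm" {
  count                         = "${var.count}"
  name                          = "${var.vm_name}-${count.index}"
  location                      = "${var.arm_region}"
  resource_group_name           = "${azurerm_resource_group.vault.name}"
  network_interface_ids         = ["${azurerm_network_interface.vault_nic.*.id[count.index]}"]
  vm_size                       = "Standard_D2_V3"
  delete_os_disk_on_termination = true
  availability_set_id           = "${azurerm_availability_set.vault-vms.id}"

  identity = {
    type         = "UserAssigned"
    identity_ids = ["${azurerm_user_assigned_identity.vault_id.id}"]
  }

  storage_os_disk {
    name              = "OsDisk${count.index}"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "StandardSSD_LRS"
  }

  # NOTE(review): version = "latest" is not reproducible across nodes; pin it.
  storage_image_reference {
    publisher = "Canonical"
    offer     = "UbuntuServer"
    sku       = "18.04-LTS"
    version   = "latest"
  }

  # custom_data (cloud-init) is readable from the instance metadata service by
  # any local process; it carries Key Vault URLs only, no secret values.
  os_profile {
    computer_name  = "${var.vm_name}-${count.index}"
    admin_username = "vaultadmin"
    custom_data    = "${data.template_file.setup.rendered}"
  }

  # The VM agent installs the TLS bundle (certificate and private key) from
  # Key Vault; requires enabled_for_deployment on the vault.
  os_profile_secrets {
    source_vault_id = "${azurerm_key_vault.vault.id}"

    vault_certificates {
      certificate_url = "${azurerm_key_vault_certificate.vault_cert.secret_id}"
    }
  }

  # Key-based SSH only.
  os_profile_linux_config {
    disable_password_authentication = true

    ssh_keys {
      path     = "/home/vaultadmin/.ssh/authorized_keys"
      key_data = "${file(var.ssh_key_pub)}"
    }
  }
}

# MYSQL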

# Azure Database for MySQL backing the Vault storage backend. Clients must use
# TLS (ssl_enforcement) and, via the VNet rule below, only the vault subnet can
# connect. The admin password ends up in Terraform state as well as Key Vault.
resource "azurerm_mysql_server" "vaultmysql" {
  name                = "${var.mysql_server_name}-${random_id.vault_rand.hex}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  location            = "${var.arm_region}"
  version             = "5.7"

  administrator_login          = "vaultsqladmin"
  administrator_login_password = "${var.mysql_password}"
  ssl_enforcement              = "Enabled"

  sku {
    tier     = "GeneralPurpose"
    family   = "Gen5"
    name     = "GP_Gen5_2"
    capacity = 2
  }

  # 5 GB, 7-day backups replicated to the paired region.
  storage_profile {
    storage_mb            = 5120
    backup_retention_days = 7
    geo_redundant_backup  = "Enabled"
  }
}

# Restricts server access to the vault subnet (needs its Microsoft.Sql
# service endpoint).
resource "azurerm_mysql_virtual_network_rule" "vaultvnetrule" {
  name                = "vault-vnet-rule"
  server_name         = "${azurerm_mysql_server.vaultmysql.name}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  subnet_id           = "${azurerm_subnet.vault.id}"
}

# Database the Vault mysql storage backend writes to.
resource "azurerm_mysql_database" "vaultdb" {
  name                = "vaultdb"
  server_name         = "${azurerm_mysql_server.vaultmysql.name}"
  resource_group_name = "${azurerm_resource_group.vault.name}"
  charset             = "utf8"
  collation           = "utf8_unicode_ci"
}

# Full server FQDN, e.g. <name>.mysql.database.azure.com.
output "mysql_fqdn" {
  value = "${azurerm_mysql_server.vaultmysql.fqdn}"
}

# Server name only (FQDN with the DNS suffix removed).
output "mysql_name" {
  value = "${element(split(".",azurerm_mysql_server.vaultmysql.fqdn),0)}"
}
--------------------------------------------------------------------------------