Vault generates AWS credentials (with a time-to-live) from Vault's AWS Secrets Engine and Terraform uses the credentials to authenticate and provision an EC2 instance in AWS.
The repository comprises 3 directories: modules, setup and test
- aws-ec2 module contains code for provisioning an EC2 instance in a subnet that already exists in AWS
- vault-aws module sets up aws secrets engine and IAM credentials using your aws account and credentials. Terraform automatically fetches them
This is where terraform is called to spin-up infrastructure
leverages terratest to execute unit tests on infrastructure code and vault code check readme
- AWS Account and Credentials
- Vault: Knowledge of AWS Secret Engine
- Terraform
- aws-access-key
- aws-secret-key
- lease-start-time
- lease-ttl
- backend
- role
- subnet-id
-
aws account and credentials are needed for terraform to provision the infrastructure
-
if you have an existing subnet in aws, initialize the variable subnet-tag with the tag value of your subnet in setup/main.tf
module "ec2" { source = "../modules/aws-ec2" subnet-tag = "eastern-subnet" } -
set up the dev server. run this command on the cli:
vault server -dev -
export the vault address and root token in another terminal taken from the output response of
vault server -devcmd:export VAULT_ADDRas environment variableexport VAULT_TOKENas environment variable
export VAULT_ADDR='http://127.0.0.1:8200' export VAULT_TOKEN='s.GkFZ7.......' -
cd to
setup/:- run
terraform initcmd - run
terraform plancmd - run
terraform applycmd
- run