This workshop is designed to show the basics of zero trust with HashiCorp Terraform, Vault, Consul and Boundary.
During the workshop we provision HCP Consul, HCP Vault, a VPC, a Boundary server and an EKS cluster.
Later we deploy MySQL, the Vault Agent injector, Consul catalog sync and Consul-Terraform-Sync, and configure Boundary.
This guide assumes you are on Linux/macOS and have GitHub and AWS accounts.
- Copy the following lines to your favorite editor; you will fill in the values in the steps below. Treat the file as a secret: keep it out of git and delete it when the workshop is over
  ```bash
  export TF_VAR_tfc_organization_name=""
  export TF_VAR_oauth_token_id=""
  export TF_VAR_github_username=""
  export TF_VAR_tfc_token=""
  export AWS_ACCESS_KEY_ID=""
  export AWS_SECRET_ACCESS_KEY=""
  ```
- Log in to your AWS account and switch to the Frankfurt (eu-central-1) region
- Go to the IAM service
- Create a new user or use an existing one (create the key for an IAM user, not for the account root user)
- Create a new access key
- Copy the access key ID and secret access key into the matching values in your editor
- Go to the EC2 service
- Click on "Launch Instances"
- Click on "Community AMIs"
- Type devopsdays in the search bar
- Choose the devopsdays2021-hashicorp-terasky AMI and click "Select"
- Choose the t3.medium instance type and click "Next: Configure Instance Details"
- Ensure you deploy into the default VPC/subnet with internet access and public IP assignment enabled
- Click "Next" until you reach "Step 6: Configure Security Group"
- Allow SSH (TCP 22) only from your own IP address (the "My IP" option); a 0.0.0.0/0 rule exposes the instance to the whole internet with nothing but the key pair protecting it
- Click on "Review and Launch"
- Click on "Launch"
- Choose an existing key pair or create a new one, download it and `chmod 600` the key file (ssh refuses a private key that is readable by group or others)
- Check that you acknowledge ... and click "Launch Instances"
- In your browser go to https://terraform.io
- Click on "Terraform Cloud"
- Click on "Create Account"
- Type your username, email and password, agree to and acknowledge the Terms of Service and Privacy Policy (if you agree and acknowledge) and click on "Create account"
- Check your email and complete the email validation
- Click on "Start from scratch"
- Type your Terraform Cloud "Organization name"
- Copy your Terraform Cloud "Organization name" into the value of TF_VAR_tfc_organization_name
- Instead of creating a new workspace, click on the Terraform Cloud "Organization name" in the upper left corner
- Click on "Settings"
- Click on "Providers"
- Click on "Add a VCS Provider"
- Click on "GitHub" and choose "GitHub.com (Custom)"
- Click on the link "register a new OAuth Application"
- Copy the "Application Name", "Homepage URL" and "Authorization callback URL" from the Terraform Cloud provider setup page into the GitHub form
- Click "Register Application" on the GitHub page
- On the GitHub page click on "Generate a new client secret"
- Copy the Client ID from GitHub and paste it into Terraform Cloud
- Type GitHub in the "Name" field on the Terraform Cloud "Add VCS Provider" page
- Copy the "Client Secret" from the GitHub page and paste it into the "Client Secret" field on the Terraform Cloud "Add VCS Provider" page
- Click on "Connect and Continue"
- Provide your GitHub username and password if asked
- Click on "Authorize"
- Click on "Skip and Finish"
- Copy the "OAuth token ID" and paste it into the value of TF_VAR_oauth_token_id in your editor
- Type your GitHub username into the value of TF_VAR_github_username
- On the Terraform Cloud page click on "API Tokens"
- Click on "Create an organization token"
- Copy the token into the value of TF_VAR_tfc_token. An organization token can manage every workspace and variable in the organization, so keep it only in your editor file and out of git, terminal recordings and chat (the seed workspace later stores it as a sensitive variable)
- Browse to https://cloud.hashicorp.com
- Click on "Start a free trial"
- Click on "Sign up"
- Click on "Sign up"
- Type your email address and click "Continue"
- Type your password and click "Continue"
- Click on "I Agree and I Accept" (assuming you agree and accept)
- Click "Continue"
- Check your email and complete the email verification
- Choose your country and click "Create Organization"
- Click "Skip for now" to try HCP for free
- Click on "Access control (IAM)"
- Click on "Service principals"
- Click on "+ Create service principal"
- Type a name in the "Name" field
- Choose the "Admin" role (the HCP workspace creates Vault and Consul clusters with this principal; scope it down if you reuse it outside the workshop)
- Click on "Save"
- Click on "Create service principal key"
- Copy the Client ID and Client Secret and note which is which, or you will have to do the "Fixing Mistake" step. The secret is shown only once, so store it alongside your other values now
- Browse to https://github.com/DevOpsDaysTLV/2021-Hashicorp-Terrasky-Workshop
- Click on "Fork" in the upper right corner
- Choose your personal user as the forking destination
- In your AWS console go to the EC2 service, click on "Instances" and check the box next to the instance that was started previously
- Copy the "Public IPv4 address"
- Open a terminal and connect to the instance with the key you downloaded/created previously
  ```bash
  ssh -i <some_key.pem> ubuntu@<public_ipv4>
  ```
- On the instance run
  ```bash
  sudo -i
  docker pull devopsdaystlv/2021-hashicorp-terashy-workshop:amd64
  docker run -it devopsdaystlv/2021-hashicorp-terashy-workshop:amd64 bash
  ```
- Inside the container run the following commands to avoid accidental exits/logouts
  ```bash
  export IGNOREEOF=4
  alias exit='echo "Are you insane?! Over my dead body"'
  ```
  Note: to leave the container press CTRL+D 5 times consecutively
- Inside the container, paste all the environment variable exports you collected earlier in your editor
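Pasting six secrets into an interactive shell is easy to get wrong: an empty value makes `terraform apply` create a broken seed workspace, a key file with the wrong mode makes ssh refuse it, and the pasted lines end up in shell history. The following preflight helper is an added example and is not part of the workshop repository or the container image; the file names `workshop-vars.sh` and `workshop.env` and the function names are assumptions. It checks that every variable from the prerequisites list is set, verifies the `chmod 600` the AWS step asked for, and writes the variables to an owner-only env file that can be handed to `docker run --env-file` instead of being pasted into the container.

```shell
#!/usr/bin/env bash
# Added preflight helper for the workshop environment variables.
# Not part of the workshop repo or image; file names are assumptions.

# The variables the workshop collects in "your favorite editor".
REQUIRED_VARS="TF_VAR_tfc_organization_name TF_VAR_oauth_token_id TF_VAR_github_username TF_VAR_tfc_token AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY"

# Succeed only if every required variable is set and non-empty; otherwise
# list the missing names on stderr and fail, so nothing reaches terraform
# with an empty TF_VAR_* or AWS_* value.
check_required_vars() {
  missing=""
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing or empty:$missing" >&2
    return 1
  fi
  return 0
}

# Write KEY=VALUE lines (no "export") into a file readable only by the owner,
# in the format `docker run --env-file` reads. The secrets then never appear
# on a command line or in the host's or container's shell history.
write_env_file() {
  file="$1"
  ( umask 077 && : > "$file" ) || return 1
  for v in $REQUIRED_VARS; do
    eval "val=\${$v:-}"
    printf '%s=%s\n' "$v" "$val" >> "$file"
  done
  chmod 600 "$file"
}

# ssh refuses a private key readable by group or others; this verifies the
# mode the guide asked for. Works with GNU stat (Linux) and BSD stat (macOS).
check_key_perms() {
  key="$1"
  [ -f "$key" ] || { echo "no such key: $key" >&2; return 1; }
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$key has mode '$mode', expected 600 or 400" >&2; return 1 ;;
  esac
}

# Usage (assumed file names):
#   on your laptop, before ssh:   check_key_perms ~/some_key.pem || exit 1
#   on the instance, before docker run:
#     . ./workshop-vars.sh            # the export lines from your editor
#     check_required_vars || exit 1
#     write_env_file ./workshop.env
#     docker run -it --env-file ./workshop.env \
#       devopsdaystlv/2021-hashicorp-terashy-workshop:amd64 bash
#     rm -f ./workshop.env            # once the container is up
```

`--env-file` is a standard `docker run` flag; with it, the exports step inside the container is no longer needed, and the env file can be removed as soon as the container is running.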
- Inside the container run
  ```bash
  terraform init
  terraform apply
  ```
- Open the Terraform Cloud browser window. Click on the "TerraformCloudSeed" workspace, click on "Variables" and locate "TFE_TOKEN"
- Click on "..." and then click "Edit"
- Copy the value of "TF_VAR_tfc_token" from your editor into the Value of "TFE_TOKEN" in the Terraform Cloud window, check the "Sensitive" checkbox, then click "Save Variable"
- Click on "Actions", click on "Start new plan", fill in the reason for starting a plan and click on "Start plan"
- Wait until it finishes
- Click on the Organization name in the upper left corner; you should see 4 workspaces: "EKS", "HCP", "VPC" and "TerraformCloudSeed"
- In your Terraform Cloud window click on the "HCP" workspace
- Click on "Variables"
- Locate the "HCP_CLIENT_ID" variable, click on "...", click on "Edit", replace the text "Provide me and make me sensitive" with the HCP Client ID created earlier, check the "Sensitive" checkbox and click on "Save Variable"
- Locate the "HCP_CLIENT_SECRET" variable, click on "...", click on "Edit", replace the text "Provide me and make me sensitive" with the HCP Client Secret created earlier, check the "Sensitive" checkbox and click on "Save Variable"
- Click on "Settings" in the top menu bar
- Click on "Variable Sets"
- In your terminal inside the container run
  ```bash
  bash -x varsets.sh
  ```
  `-x` echoes every command the script runs, including any token it passes on a command line, so drop it if you are sharing your screen or recording the session
- In your Terraform Cloud window refresh the "Variable sets" page; you should find the newly created variable set
- Click on the "DevOpsDays2021Workshop" variable set
- Locate "AWS_ACCESS_KEY_ID" and "AWS_SECRET_ACCESS_KEY", edit them and replace the placeholders with the values from your editor, check the "Sensitive" checkbox and click "Save variable"
- Locate the "Workspaces" section on the "Variable sets" page, ensure "Apply to specific workspaces" is selected and type "VPC", "EKS" and "HCP" in "Find workspaces this variable set should be shared with"
- Click on "Save variable set"
- Click on the "Organization name" to return to the list of workspaces
- Click on the "VPC" workspace, click on "Actions", click on "Start new plan", type the "reason for starting plan" and click on "Start plan"
- Wait until the apply of the "VPC" workspace is complete
- Click on the Organization name to see all workspaces. Completion of the "VPC" workspace is supposed to trigger the "HCP" and "EKS" workspaces
- In your terminal inside the container run
  ```bash
  ./vault-demo.sh
  ```
- Press Enter every time a prompt appears and follow the instructions
- In your terminal inside the container run
  ```bash
  ./consul-demo.sh
  ```
- Press Enter every time a prompt appears and follow the instructions
- In your terminal inside the container run
  ```bash
  ./cts-demo.sh
  ```
- Press Enter every time a prompt appears and follow the instructions
Coming soon
All the credentials have been erased (I hope)