- HCP Account
- AWS Account
- HCP service principal credentials
- Boundary and Vault CLI
- Boundary Desktop
- Microsoft Remote Desktop
Once creds are created as per prerequisites, we need to make them available to Terraform as below.
export <AWS_CREDS>
export TF_VAR_hcp_client_id=<hcp_client_id> #The OAuth2 Client ID for API operations.
export TF_VAR_hcp_client_secret=<hcp_client_secret> #The OAuth2 Client Secret for API operations.
export TF_VAR_hcp_boundary_admin=<hcp_boundary_username> #The username of the initial admin user. This must be at least 3 characters in length, alphanumeric, hyphen, or period.
export TF_VAR_hcp_boundary_password=<hcp_boundary_password> #The password of the initial admin user. This must be at least 8 characters in length.
Below variables are optional and are configured with default values in variables.tf
file. You may change the default values either by exporting using TF_VAR_<varname>
or by setting their values in .tfvars
file.
ad_domain=<windows-domain> #e.g. hashidemo.com
timezone=<windows_machine_timezone> #e.g. "Singapore Standard Time"
aws_region=<aws_region> #e.g. "ap-southeast-1"
aws_vpc_cidr=<vpc_cidr> #e.g. "10.200.0.0/16"
aws_public_subnets=<public_subnet_cidr> #e.g. ["10.200.10.0/24"]
aws_private_subnets=<private_subnet_cidr> #e.g. ["10.200.20.0/24"]
boundary_version=<boundary_version> #e.g. "0.15.2+ent", this should match HCP Boundary Cluster version
hcp_boundary_tier=<boundary_tier> #e.g. "Plus"
hcp_vault_tier=<vault_tier> #e.g. "dev", Refer https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster for valid values
git clone <repo_url>
cd <cloned-directory>
terraform init -upgrade
terraform validate
terraform apply -target module.hcp
This step creates HCP Boundary and HCP Vault cluster. The terraform output should list below values. Please note HCP Boundary is configured with private endpoint of HCP Vault. The public HCP Vault URL and token is made available if you would like to explore HCP Vault features.
boundary_cluster_url
vault_cluster_public_url
vault_cluster_admin_token
terraform apply -target module.resources
This step should setup all required infrastructure resources including networking, security groups, EC2 instances, Boundary and Vault resources as per the below diagram. The infrastructure is setup in AWS within a single region, featuring a single VPC and a single public and private subnet. The Windows domain controller and the target Windows machine are hosted in the private subnet.
1.Login to Boundary Desktop Client as support
user. The password for this user is available from the terraform output. The support
user should have access to windows_restricted
target only.
2.Click on the "Connect" button to retrieve time-bound, dynamic Active Directory (AD) credentials. Please note that the username part of the dynamic credentials starts with v_restricted
, as per the Vault dynamic secret backend role configured for this target.
3.Connect to the remote target.
Configure Microsoft Remote Desktop client to connect to windows_restricted
target. All details including destination address, Windows domain name and user credentials are available from the Boundary Desktop.
Once logged in to the Windows machine, you can open the command prompt and run the whoami
command to confirm that the logged-in user is indeed the dynamically generated user account.
Let's also verify if the support
user has access to the Control Panel. As expected, the dynamic AD credential presented to the support
user does not allow access to the Windows Control Panel.
1.Login to Boundary Desktop Client as admin
user using the HCP Boundary admin credentials configured for creating the HCP Boundary cluster. As expected, the admin user should have access to both the Boundary targets.
2.Click on the "Connect" button to retrieve the time-bound, dynamic AD credentials for accessing the windows_privileged
target. Please note that the username part of the dynamic credentials starts with v_privileged
, as per the Vault dynamic secret backend role configured for this target.
3.Connect to the remote target.
Configure Microsoft Remote Desktop client to connect to windows_privileged
target.
Once logged in to the Windows machine, run the whoami
command to confirm that the logged-in user is using the dynamically generated privileged account credentials.
Finally, let's verify that admin
user has access to the Control Panel.