AI for DevOps Engineers - Part 1: The Building Blocks of DevOps AI
DevOps is a key success factor for modern software development and we have most definitely come across AI in one way or another. The intersection of AI and
In today's cloud-centric world, managing infrastructure while ensuring security is paramount. HashiCorp provides two powerful tools—Terraform and Vault—that help developers provision infrastructure efficiently and securely manage sensitive data and access controls. In this article, we'll explore how these tools can work together to enable dynamic authentication for cloud resources, allowing you to control developer access effectively.
Terraform is an open-source infrastructure as code (IaC) tool that enables developers to define and provision cloud resources declaratively. With a simple, readable configuration language, users can deploy resources like virtual machines, databases, and networks across various cloud providers. Terraform's strength lies in its ability to manage and track infrastructure changes securely, simplifying the process of deploying and maintaining cloud environments.
Vault is a tool for managing and securing sensitive information, such as API keys, tokens, and passwords. It offers a variety of features, including secret management, data encryption, and support for dynamic secrets that can be created and revoked on-the-fly. This functionality allows you to control access to resources dynamically, which is crucial in modern, containerized, and cloud-based environments.
Integrating Terraform with Vault provides a comprehensive solution for managing infrastructure and security. Here are some key benefits:
By using Vault, you can generate dynamic secrets that are specific to your cloud platforms. This means developers do not need to rely on static credentials that could potentially be compromised. Instead, they receive temporary, time-limited credentials valid only for the duration of their session, reducing the risk of secrets being misused.
Vault allows you to set fine-grained access controls for different users and teams. By integrating Terraform with Vault, you can ensure that only authorized developers can access specific cloud resources. You can define policies that control access to certain environments or resources based on user roles.
Vault's ability to automate secret rotation is another significant advantage. When a developer provisions a resource via Terraform, Vault can automatically generate credentials and rotate them after a predefined period. This minimizes the risk of compromised credentials being used over extended periods.
The combination of Terraform and Vault allows you to create a unified API for managing cloud resources and their access. With Terraform, you can declaratively define infrastructure, while Vault provides the necessary secrets to use that infrastructure securely. This promotes not only efficiency but also consistency in managing cloud resources.
Here’s a simple example to illustrate how to use Terraform with Vault for dynamic secrets. In this example, we’ll create an AWS RDS instance with credentials managed by Vault.
First, enable the AWS secrets engine in Vault and configure it to generate aws credentials, that allow clients to access ec2 instances. So we enable the aws secrets engine and configure it to generate aws credentials, that allow clients to access ec2 instances.
Generate a file vault/aws_secret_engine.tf
with the following content:
1
2provider "vault" {
3 address = "http://127.0.0.1:8200"
4}
5
6variable "account_name" {
7 description = "The name of the AWS account"
8 type = string
9}
10variable "aws_region" {
11 description = "The AWS region"
12 type = string
13}
14resource "aws_iam_user" "secrets_engine" {
15 name = "vault-secrets-${var.account_name}"
16}
17
18resource "aws_iam_access_key" "secrets_engine_credentials" {
19 user = aws_iam_user.secrets_engine.name
20}
21
22resource "aws_iam_user_policy" "secrets_engine" {
23 user = aws_iam_user.secrets_engine.name
24
25 policy = jsonencode({
26 Statement = [
27 {
28 Action = [
29 "iam:*"
30 ]
31 Effect = "Allow"
32 Resource = "*"
33 },
34 ]
35 Version = "2012-10-17"
36 })
37}
38
39resource "vault_aws_secret_backend" "aws" {
40 access_key = aws_iam_access_key.secrets_engine_credentials.id
41 secret_key = aws_iam_access_key.secrets_engine_credentials.secret
42 region = var.aws_region
43 path = "aws-${var.account_name}-${var.aws_region}"
44
45
46 default_lease_ttl_seconds = 60 * 60
47 max_lease_ttl_seconds = 60 * 60 * 24
48}
49
50resource "vault_aws_secret_backend_role" "ec2" {
51 backend = vault_aws_secret_backend.aws.path
52 name = "ec2"
53 credential_type = "iam_user"
54
55 policy_document = <<EOF
56{
57 "Version": "2012-10-17",
58 "Statement": [
59 {
60 "Effect": "Allow",
61 "Action": [
62 "sts:GetCallerIdentity",
63 "ec2:*",
64 "iam:GetUser"
65 ],
66 "Resource": "*"
67 }
68 ]
69 }
70EOF
71}
72
73resource "vault_policy" "aws_ec2" {
74 name = "aws-${var.account_name}-${var.aws_region}-ec2"
75 policy = <<EOF
76# Allow tokens to query themselves
77path "auth/token/lookup-self" {
78 capabilities = ["read"]
79}
80
81# Allow tokens to renew themselves
82path "auth/token/renew-self" {
83 capabilities = ["update"]
84}
85
86# Allow tokens to revoke themselves
87path "auth/token/revoke-self" {
88 capabilities = ["update"]
89}
90
91path "aws-${ var.account_name }-${ var.aws_region }/creds/ec2" {
92 capabilities = [ "read" ]
93}
94EOF
95
96}
Next, initialize and apply the Vault configuration:
1terraform -chdir=vault init
2terraform -chdir=vault vault
This will configure Vault to generate dynamic AWS credentials for accessing EC2 instances.
Next, create a ec/2main.tf
file with the following content:
1provider "vault" {
2 address = "http://127.0.0.1:8200"
3}
4
5variable "account_name" {
6 description = "The name of the AWS account"
7 type = string
8}
9variable "aws_region" {
10 description = "The AWS region"
11 type = string
12}
13
14data "vault_aws_access_credentials" "ec2" {
15 backend = "aws-${var.account_name}-${var.aws_region}"
16 region = var.aws_region
17 role = "ec2"
18 type = "creds"
19 ttl = "2h"
20}
21
22provider "aws" {
23 region = var.aws_region
24 access_key = data.vault_aws_access_credentials.ec2.access_key
25 secret_key = data.vault_aws_access_credentials.ec2.secret_key
26}
27
28data "aws_ami" "ubuntu" {
29 most_recent = true
30 owners = ["099720109477"] # Canonical
31 filter {
32 name = "name"
33 values = ["ubuntu/images/hvm-ssd/ubuntu-noble-24.04-amd64-server-*"]
34 }
35 filter {
36 name = "virtualization-type"
37 values = ["hvm"]
38 }
39}
40
41resource "aws_instance" "web" {
42 ami = data.aws_ami.ubuntu.id
43 instance_type = "t3.micro"
44
45 tags = {
46 Name = "HelloWorld"
47 }
48}
Finally, initialize and apply the Terraform configuration:
1terraform -chdir=ec2 init
2terraform -chdir=ec2 apply
This will provision an AWS EC2 instance with AWS credentials dynamically managed by Vault.
The integration of HashiCorp Terraform and Vault offers a powerful solution for efficiently managing cloud resources while enhancing security. By leveraging dynamic secrets and fine-grained access controls, organizations can ensure that developers have the access they need without compromising the security of their environment. In a time when cybersecurity is increasingly important, such solutions are essential for maintaining the integrity and security of cloud infrastructures.
For more insights on using Vault-backed dynamic credentials, check out thse LinkedIn posts about dynamic credentials and terraform fetching secrets from vault, the HashiCorp blog and also the section within the developer documentation.
The future of cloud infrastructure belongs to those who seamlessly integrate automation and security—and with HashiCorp, you have the right tools for the job.
You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.
Contact us