Automating Cloud Security with HashiCorp Terraform and Vault

In today's cloud-centric world, managing infrastructure while ensuring security is paramount. HashiCorp provides two powerful tools—Terraform and Vault—that help developers provision infrastructure efficiently and securely manage sensitive data and access controls. In this article, we'll explore how these tools can work together to enable dynamic authentication for cloud resources, allowing you to control developer access effectively.

What is HashiCorp Terraform?

Terraform is an open-source infrastructure as code (IaC) tool that enables developers to define and provision cloud resources declaratively. With a simple, readable configuration language, users can deploy resources like virtual machines, databases, and networks across various cloud providers. Terraform's strength lies in its ability to manage and track infrastructure changes securely, simplifying the process of deploying and maintaining cloud environments.

What is HashiCorp Vault?

Vault is a tool for managing and securing sensitive information, such as API keys, tokens, and passwords. It offers a variety of features, including secret management, data encryption, and support for dynamic secrets that can be created and revoked on-the-fly. This functionality allows you to control access to resources dynamically, which is crucial in modern, containerized, and cloud-based environments.

The Synergy Between Terraform and Vault

Integrating Terraform with Vault provides a comprehensive solution for managing infrastructure and security. Here are some key benefits:

1. Dynamic Authentication

By using Vault, you can generate dynamic secrets that are specific to your cloud platforms. This means developers do not need to rely on static credentials that could potentially be compromised. Instead, they receive temporary, time-limited credentials valid only for the duration of their session, reducing the risk of secrets being misused.

2. Fine-Grained Access Control

Vault allows you to set fine-grained access controls for different users and teams. By integrating Terraform with Vault, you can ensure that only authorized developers can access specific cloud resources. You can define policies that control access to certain environments or resources based on user roles.

3. Automated Secret Rotation

Vault's ability to automate secret rotation is another significant advantage. When a developer provisions a resource via Terraform, Vault can automatically generate credentials and rotate them after a predefined period. This minimizes the risk of compromised credentials being used over extended periods.

4. Unified API for Resource Management

The combination of Terraform and Vault allows you to create a unified API for managing cloud resources and their access. With Terraform, you can declaratively define infrastructure, while Vault provides the necessary secrets to use that infrastructure securely. This promotes not only efficiency but also consistency in managing cloud resources.

Example: Using Terraform with Vault for Dynamic Secrets

Here’s a simple example to illustrate how to use Terraform with Vault for dynamic secrets. In this example, we’ll create an AWS RDS instance with credentials managed by Vault.

Prerequisites

1. Terraform installed.
2. HashiCorp Vault installed and running.
3. AWS account with proper permissions.

Step 1: Configure Vault

First, enable the AWS secrets engine in Vault and configure it to generate aws credentials, that allow clients to access ec2 instances. So we enable the aws secrets engine and configure it to generate aws credentials, that allow clients to access ec2 instances.

Generate a file vault/aws_secret_engine.tf with the following content:

 1
 2provider "vault" {
 3  address = "http://127.0.0.1:8200"
 4}
 5
 6variable "account_name" {
 7  description = "The name of the AWS account"
 8  type        = string
 9}
10variable "aws_region" {
11  description = "The AWS region"
12  type        = string
13}
14resource "aws_iam_user" "secrets_engine" {
15  name = "vault-secrets-${var.account_name}"
16}
17
18resource "aws_iam_access_key" "secrets_engine_credentials" {
19  user = aws_iam_user.secrets_engine.name
20}
21
22resource "aws_iam_user_policy" "secrets_engine" {
23  user = aws_iam_user.secrets_engine.name
24
25  policy = jsonencode({
26    Statement = [
27      {
28        Action = [
29          "iam:*"
30        ]
31        Effect   = "Allow"
32        Resource = "*"
33      },
34    ]
35    Version = "2012-10-17"
36  })
37}
38
39resource "vault_aws_secret_backend" "aws" {
40  access_key = aws_iam_access_key.secrets_engine_credentials.id
41  secret_key = aws_iam_access_key.secrets_engine_credentials.secret
42  region     = var.aws_region
43  path       = "aws-${var.account_name}-${var.aws_region}"
44
45
46  default_lease_ttl_seconds = 60 * 60
47  max_lease_ttl_seconds     = 60 * 60 * 24
48}
49
50resource "vault_aws_secret_backend_role" "ec2" {
51  backend         = vault_aws_secret_backend.aws.path
52  name            = "ec2"
53  credential_type = "iam_user"
54
55  policy_document = <<EOF
56{
57    "Version": "2012-10-17",
58    "Statement": [
59      {
60        "Effect": "Allow",
61        "Action": [
62          "sts:GetCallerIdentity",
63          "ec2:*",
64          "iam:GetUser"
65        ],
66        "Resource": "*"
67      }
68    ]
69  }
70EOF
71}
72
73resource "vault_policy" "aws_ec2" {
74  name     = "aws-${var.account_name}-${var.aws_region}-ec2"
75  policy = <<EOF
76# Allow tokens to query themselves
77path "auth/token/lookup-self" {
78  capabilities = ["read"]
79}
80
81# Allow tokens to renew themselves
82path "auth/token/renew-self" {
83    capabilities = ["update"]
84}
85
86# Allow tokens to revoke themselves
87path "auth/token/revoke-self" {
88    capabilities = ["update"]
89}
90
91path "aws-${ var.account_name }-${ var.aws_region }/creds/ec2" {
92    capabilities = [ "read" ]
93}
94EOF
95
96}

Step 2: Initialize and Apply Vault Configuration

Next, initialize and apply the Vault configuration:

1terraform -chdir=vault init
2terraform -chdir=vault vault

This will configure Vault to generate dynamic AWS credentials for accessing EC2 instances.

Step 3: Application Terraform Configuration

Next, create a ec/2main.tf file with the following content:

 1provider "vault" {
 2  address = "http://127.0.0.1:8200"
 3}
 4
 5variable "account_name" {
 6  description = "The name of the AWS account"
 7  type        = string
 8}
 9variable "aws_region" {
10  description = "The AWS region"
11  type        = string
12}
13
14data "vault_aws_access_credentials" "ec2" {
15  backend = "aws-${var.account_name}-${var.aws_region}"
16  region  = var.aws_region
17  role    = "ec2"
18  type    = "creds"
19  ttl     = "2h"
20}
21
22provider "aws" {
23  region     = var.aws_region
24  access_key = data.vault_aws_access_credentials.ec2.access_key
25  secret_key = data.vault_aws_access_credentials.ec2.secret_key
26}
27
28data "aws_ami" "ubuntu" {
29  most_recent = true
30  owners      = ["099720109477"] # Canonical
31  filter {
32    name   = "name"
33    values = ["ubuntu/images/hvm-ssd/ubuntu-noble-24.04-amd64-server-*"]
34  }
35  filter {
36    name   = "virtualization-type"
37    values = ["hvm"]
38  }
39}
40
41resource "aws_instance" "web" {
42  ami           = data.aws_ami.ubuntu.id
43  instance_type = "t3.micro"
44
45  tags = {
46    Name = "HelloWorld"
47  }
48}

Step 4: Initialize and Apply Application code

Finally, initialize and apply the Terraform configuration:

1terraform -chdir=ec2 init
2terraform -chdir=ec2 apply

This will provision an AWS EC2 instance with AWS credentials dynamically managed by Vault.

Conclusion

The integration of HashiCorp Terraform and Vault offers a powerful solution for efficiently managing cloud resources while enhancing security. By leveraging dynamic secrets and fine-grained access controls, organizations can ensure that developers have the access they need without compromising the security of their environment. In a time when cybersecurity is increasingly important, such solutions are essential for maintaining the integrity and security of cloud infrastructures.

For more insights on using Vault-backed dynamic credentials, check out thse LinkedIn posts about dynamic credentials and terraform fetching secrets from vault, the HashiCorp blog and also the section within the developer documentation.

The future of cloud infrastructure belongs to those who seamlessly integrate automation and security—and with HashiCorp, you have the right tools for the job.