Deploy a Self-Hosted HCP Vault and Boundary stack using end-to-end automation.
This project provides a comprehensive, hands-on experience in Infrastructure as Code (IaC) and Configuration Management. It simulates a real-world infrastructure environment with a focus on end-to-end automation, enabling DevOps engineers to collaboratively deliver a reliable, production-ready stack. Key deliverables include detailed documentation and diagrams.
As of the latest release, BVSTACK covers steps 0-3 of the DevOpsHobbies Ultimate Roadmap.
- Vagrant
- Virtualbox
- Python >= 3.10.12
- Pip
- venv
- Read the Documentation: Before getting started, ensure you have thoroughly reviewed the project documentation and the automation workflow diagram, and installed the prerequisites.
- Configure Variables: Create your own `tfvars` file based on the samples provided in the Boundary and Vault directories. Alternatively, remove the `.sample` extension from the provided sample files to use the default values.
- Run the Start Script: Begin the setup by running the `start.sh` script in your desired environment:

  ```bash
  # Run in development:
  ./start.sh -e development
  ```

  You will be prompted to choose which NIC Vagrant should bridge to.
- Enter Vault Password: You will be prompted to enter the Ansible Vault password four times to decrypt the Ansible Vault-encrypted files (e.g., `inventory.ini`) until the related issue is resolved.
Note: The default `ansible-vault-pass` is `BVSTACK`. This is provided for simplicity in the sample; because it is public, files encrypted with it are effectively plaintext, so use a strong password for your own Ansible Vault-encrypted files and keep the password file out of version control.
Note: The stack assumes that your host machine acts as the Ansible/Terraform controller. If you have the resources, it is recommended to spin up a separate VM to serve as the controller: clone and run the project on that VM, then export the `STACK_SERVER` environment variable set to `false` (`export STACK_SERVER=false`). This keeps your host machine clean and isolated. Otherwise, running directly on the host is fine; you will not be losing much. Learn more about `STACK_SERVER` in the documentation.
For further assistance on exit/return codes and configurations, refer to the documentation.
- Add a Vagrantfile to provision a VM using the Vagrant provider of your choice, based on the specifications.
- Provision an EC2 instance using the AWS provider based on the specifications and additional required configurations.
- Provision an Azure VM using the Azure provider based on the specifications and additional required configurations.
- Provision a VM on an ESXi server using the vSphere provider based on the specifications.
- Add a remote backend option for Boundary and Vault.
- Implement additional Vault authentication methods.
- Enhance Terraform output values for both Boundary and Vault.
- Implement Policy as Code (PaC) to validate Terraform policies.
- Add a Packer custom image template for VMware vSphere using the specifications.
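For the remote-backend item above, an added example (not the project's own Terraform) of what the option could look like for the Vault directory. Bucket, table and region names are assumptions; the point is the structure and the caveat that matters for this stack: marking the token input `sensitive` redacts it from plan and apply output but not from the state file, so the backend itself must be encrypted and access-controlled.

```hcl
# Added example, not BVSTACK's own Terraform. Bucket, table and region
# names are assumptions; only the structure is the point.
terraform {
  # Remote backend: shared, locked, encrypted-at-rest state instead of a
  # local terraform.tfstate that gets committed or left on a laptop.
  backend "s3" {
    bucket         = "bvstack-tfstate"
    key            = "vault/terraform.tfstate"
    region         = "eu-west-1"
    encrypt        = true
    dynamodb_table = "bvstack-tfstate-lock"
  }
}

variable "vault_addr" {
  type = string
}

# sensitive = true redacts the value from plan/apply output and from
# `terraform output`, but NOT from the state file: the token is stored
# there in clear, which is why the backend must be access-controlled and
# encrypted.
variable "vault_token" {
  type      = string
  sensitive = true
}

provider "vault" {
  address = var.vault_addr
  token   = var.vault_token
}
```

The same applies to the Boundary directory: any credential the provider needs ends up in state, so the remote backend is a prerequisite for treating the `tfvars` secrets as secret at all.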
- Install and configure Terraform on the control node using the `prepare_env` role.
- Install and configure Docker on target (managed) nodes using the `prepare_env` role.
- Template `tfvars` files to handle specific variables for both Boundary and Vault Terraform providers.
- Create a well-organized Ansible template for Vault and Boundary configurations.
- Update environment variable declarations in Ansible roles to use the `environment` attribute instead of inline definitions in the `shell` module.
- Add proper configurations to serve the stack as a reverse proxy in the `serve` directory (tool optional).
- Update `boundary.yml` to use environment variables instead of hardcoding, then manage the export of these variables with Ansible.
- Convert Docker Compose files to corresponding Ansible tasks using the `community.docker.docker_container` module (from the `community.docker` collection) as an optional deployment method.
- Implement Ansible Molecule scenarios to test different aspects of your roles.
- Choose which provider to provision based on a user-defined or environment variable when handling provisions with Ansible.
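As an added example (not BVSTACK's own role code), the `environment`-attribute item above shown as a before/after in one tasks file, together with the `wait_for` replacement for `sleep` that the shell items below call for. `vault_addr` and `vault_root_token` are assumed variable names; the "already in use" check is Vault's own error text when an auth method is enabled twice at the same path.

```yaml
# Added example, not from BVSTACK's roles. Variable names (vault_addr,
# vault_root_token) are assumptions.

# Before: environment variables inlined in the shell module. The whole
# command line, token included, is the command string Ansible records,
# every task repeats the same prefix, and the value goes through a shell.
- name: Enable AppRole auth (inline env)
  ansible.builtin.shell: >
    VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN={{ vault_root_token }}
    vault auth enable approle

# After: wait for the API to actually answer instead of sleeping, then
# put the variables in the task's environment attribute (or a play-level
# one shared by every task). The command is plain, needs no shell, and
# the token is not part of the command string.
- name: Wait for the Vault API instead of sleeping
  ansible.builtin.wait_for:
    host: 127.0.0.1
    port: 8200
    timeout: 60

- name: Enable AppRole auth
  ansible.builtin.command: vault auth enable approle
  environment:
    VAULT_ADDR: "{{ vault_addr }}"
    VAULT_TOKEN: "{{ vault_root_token }}"
  no_log: true        # keep the token out of the task output as well
  register: approle_enable
  changed_when: approle_enable.rc == 0
  failed_when:
    - approle_enable.rc != 0
    - "'path is already in use' not in approle_enable.stderr"
```

`no_log` is what protects the token in verbose runs; `environment` on its own only keeps it out of the command string. The `failed_when` pair makes the task idempotent on re-runs, which a `shell` one-liner with a hardcoded prefix was not.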
- Implement automated testing using GitHub Actions for pull requests.
- Write a custom logger function and implement it throughout all shell scripts for better error handling and logging (in the `log` directory).
- Use `case` statements instead of `if` for argument handling in `init.sh`.
- Update `start.sh` to prompt for the Ansible Vault password once and use it for all operations.
- Replace sleep commands in `start.sh` with the appropriate Ansible `wait_for` modules.
- Remove the Vault root token in the `cleanup` script.
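An added example (not the project's own `start.sh`) of three of the shell items above in one script: `case`-based argument handling, prompting for the Ansible Vault password once, and passing it to every `ansible-playbook` run through a private temporary file rather than re-prompting. The `BVSTACK_VAULT_PASS` variable, the `environments/<env>/inventory.ini` layout and the playbook names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not BVSTACK's own start.sh. Shows three roadmap items:
# `case`-based argument handling, asking for the Ansible Vault password
# once, and handing it to every ansible-playbook run through a 0600 temp
# file. BVSTACK_VAULT_PASS, the inventory layout and the playbook names
# are assumptions.
set -eu

ENVIRONMENT=""
VAULT_PASS_FILE=""

usage() {
  echo "Usage: ${0##*/} -e <environment>" >&2
}

# Argument handling with one case statement instead of chained if tests.
# The environment name is restricted to [A-Za-z0-9_-] because it is used
# to build file paths; it is only assigned once it has been validated.
parse_args() {
  local name=""
  while [ $# -gt 0 ]; do
    case "$1" in
      -e|--environment)
        [ $# -ge 2 ] || { usage; return 2; }
        name="$2"
        shift 2
        ;;
      -h|--help)
        usage
        exit 0
        ;;
      -*)
        echo "unknown option: $1" >&2
        usage
        return 2
        ;;
      *)
        echo "unexpected argument: $1" >&2
        usage
        return 2
        ;;
    esac
  done
  case "$name" in
    ""|*[!A-Za-z0-9_-]*)
      echo "-e <environment> is required and may only contain [A-Za-z0-9_-]" >&2
      return 2
      ;;
  esac
  ENVIRONMENT="$name"
}

# Read the Ansible Vault password once. A non-interactive caller can set
# BVSTACK_VAULT_PASS (assumed name) instead, e.g. from a CI secret store.
# The password goes into a 0600 temp file that is removed on exit and is
# passed with --vault-password-file, so it never appears in argv, in
# `ps` output, or in shell history.
ask_vault_pass() {
  local pass
  if [ -n "${BVSTACK_VAULT_PASS:-}" ]; then
    pass="$BVSTACK_VAULT_PASS"
  else
    printf 'Ansible Vault password: ' >&2
    read -rs pass </dev/tty
    echo >&2
  fi
  [ -n "$pass" ] || { echo "empty vault password" >&2; return 1; }
  VAULT_PASS_FILE="$(mktemp)"
  chmod 600 "$VAULT_PASS_FILE"
  printf '%s\n' "$pass" >"$VAULT_PASS_FILE"
  trap 'rm -f "$VAULT_PASS_FILE"' EXIT
}

# Run every playbook with the same password file. The runner command is a
# parameter (normally ansible-playbook) so the function can be exercised
# without Ansible installed.
run_playbooks() {
  local runner="$1"
  shift
  local playbook
  for playbook in "$@"; do
    "$runner" --vault-password-file "$VAULT_PASS_FILE" \
      -i "environments/${ENVIRONMENT}/inventory.ini" "$playbook"
  done
}

main() {
  parse_args "$@"
  ask_vault_pass
  run_playbooks ansible-playbook vault.yml boundary.yml
}

# Only run when executed as start.sh; when sourced or copied under another
# name the functions are defined without side effects.
case "${0##*/}" in
  start.sh) main "$@" ;;
esac
```

Save it as `start.sh` and run `./start.sh -e development`: the password is requested once, and both playbooks get it through the temp file, which the `EXIT` trap deletes whether the run succeeds or fails.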
All contributions are welcome! Please read the Contributing Guidelines for more information.
Copyright © 2024 Shayan Ghani - [email protected]