closes #50 : conditioned ssh credential library based on SSH_INJECTIO…
…N variable
Shayan-Ghani committed Sep 1, 2024
1 parent 7990a50 commit 6fe5a62
Showing 3 changed files with 54 additions and 37 deletions.
61 changes: 30 additions & 31 deletions boundary/terraform/main.tf
Expand Up @@ -165,25 +165,6 @@ resource "boundary_credential_store_static" "main_cred_store" {
scope_id = boundary_scope.core_infra.id
}

## Uncomment the following lines if you have vault paid plan
# resource "boundary_credential_store_vault" "vault_cert_store" {
# name = "vault-cred-store"
# address = var.vault_address
# token = var.vault_cred_store_token
# scope_id = boundary_scope.core_infra.id
# }

# resource "boundary_credential_library_vault_ssh_certificate" "vault_cred_lib_ssh" {
# name = "certificates-library"
# credential_store_id = boundary_credential_store_vault.vault_cert_store.id
# path = var.vault_sign_path
# username = var.vault_username
# key_type = "ecdsa"
# key_bits = 521
# }

### end of vault ###

resource "boundary_credential_ssh_private_key" "main_server_keys" {
for_each = { for host in var.hosts_info : host.name => host }
name = each.value.ssh_key_name
Expand All @@ -207,21 +188,39 @@ resource "boundary_target" "main_servers_ssh" {
]
}

#### Start of Vault ssh credential store
# The following resources are only applied if SSH_INJECTION is set to True.

#### uncomment the following block if you have pain boundary plan to use cred injection
# resource "boundary_target" "test_server_ssh" {
# type = "tcp"
# name = "${var.test_server_name}_ssh_server"
# description = "test servers SSH target"
# scope_id = boundary_scope.core_infra.id
# default_port = var.ssh_port
resource "boundary_credential_store_vault" "vault_cert_store" {
count = var.SSH_INJECTION ? 1 : 0
name = "vault-cred-store"
address = var.vault_address
token = var.vault_cred_store_token
scope_id = boundary_scope.core_infra.id
}

# injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id]
resource "boundary_credential_library_vault_ssh_certificate" "vault_cred_lib_ssh" {
count = var.SSH_INJECTION ? 1 : 0
name = "certificates-library"
credential_store_id = boundary_credential_store_vault.vault_cert_store.id
path = var.vault_sign_path
username = var.vault_username
key_type = "ecdsa"
key_bits = 521
}

# host_source_ids = [
# boundary_host_set_static.main_servers_ssh.id
# ]
# }
resource "boundary_target" "test_server_ssh" {
count = var.SSH_INJECTION ? 1 : 0
type = "tcp"
name = "${var.test_server_name}_ssh_server"
description = "test servers SSH target"
scope_id = boundary_scope.core_infra.id
default_port = var.test_ssh_port
injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id]
host_source_ids = [
boundary_host_set_static.main_servers_ssh.id
]
}
### End of cred injection

# TODO: break resources into seperate tf files
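Review bot: The references `credential_store_id = boundary_credential_store_vault.vault_cert_store.id` and `injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id]` will not plan once `count` is set on those resources, because a counted resource is addressed as a list and its attributes have to be read on a specific instance. Change them to `credential_store_id = boundary_credential_store_vault.vault_cert_store[0].id` and `injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh[0].id]`; when `SSH_INJECTION` is false the dependent resources also have `count = 0`, so the index is never evaluated on that path. The `count = var.SSH_INJECTION ? 1 : 0` expression is repeated on all three resources; a short comment on the first one, `# all three resources below are gated together by var.SSH_INJECTION`, would make the dependency chain explicit for whoever adds a fourth.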
3 changes: 2 additions & 1 deletion boundary/terraform/terraform.tfvars
Expand Up @@ -34,6 +34,7 @@ main_server_names = [
]

test_server_name = "testing"
test_ssh_port = 22

# provider variables
boundary_address = "https://boundary.dvh.tech"
Expand Down Expand Up @@ -80,4 +81,4 @@ session_recording_read_list = "id=*;type=session-recording;actions=list,read"
# vault cred store
vault_sign_path = "ssh-signer/issue/boundary-client"
vault_username = "admin"
vault_address = "http://vault:8200"
vault_address = "http://vault:8200"
27 changes: 22 additions & 5 deletions boundary/terraform/variables.tf
Expand Up @@ -69,24 +69,41 @@ variable "main_cred_store_name" {
description = "main servers credential store name"
}

## start of SSH_INJECTION
variable "SSH_INJECTION" {
type = bool
default = false
description = "wehter to use ssh credential library"
}

variable "test_ssh_port" {
type = string
description = "ssh port for the test target"
}
variable "vault_address" {
type = string
sensitive = true
description = "address to vault server"
}

# variable "vault_cred_store_token" {
# type = string
# sensitive = true
# description = "vault token for credential store"
# }
variable "vault_cred_store_token" {
type = string
sensitive = true
default = "hvs.test"
description = "vault token for credential store"
}

variable "vault_sign_path" {
type = string
description = "Path to the Vault key to sign boundary client"
}
variable "vault_username" {
type = string
}

## end of SSH_INJECTION


# permissions and roles

## all grants
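Review bot: `variable "vault_cred_store_token"` is marked `sensitive = true` yet now carries a hard-coded `default = "hvs.test"`, so a token value lives in version control and a run that forgets to supply the real token falls back to it instead of failing at plan time; drop the `default` line so the value must come from terraform.tfvars or the environment. `test_ssh_port` is declared `type = string` but is assigned the number `22` in terraform.tfvars and passed to the target's `default_port` in main.tf, so it relies on implicit conversion in both directions; `type = number` states the intent directly. The description `"wehter to use ssh credential library"` has a typo and undersells the flag; `"whether to create the Vault SSH credential store, certificate library and injected test target"` matches what main.tf gates on it.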
