1. Installation Steps

- Install gpg:

```bash
sudo apt update && sudo apt install gpg
```

- Download the signing key to a new keyring:

```bash
wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
```

- Verify the key's fingerprint:

```bash
gpg --no-default-keyring --keyring /usr/share/keyrings/hashicorp-archive-keyring.gpg --fingerprint
```

- Add the HashiCorp repo:

```bash
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
```

- Update packages:

```bash
sudo apt update
```

- Install Vault:

```bash
sudo apt install vault
```
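The `--fingerprint` step above prints the keyring's fingerprint but compares it with nothing. The script below is an added example (not part of the original post) that parses gpg's machine-readable `--with-colons` output and checks that the fingerprint you expect is among the primary keys in the keyring before the repository line is written. `EXPECTED_FINGERPRINT` is a placeholder you must fill in from HashiCorp's own documentation; the helper names (`primary_fingerprints`, `fingerprint_present`, `verify_keyring`) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: compare the downloaded keyring's
# primary-key fingerprint against a value obtained out-of-band.
# EXPECTED_FINGERPRINT is a placeholder (assumption of this example); replace it
# with the fingerprint published in HashiCorp's documentation.
KEYRING=/usr/share/keyrings/hashicorp-archive-keyring.gpg
EXPECTED_FINGERPRINT="${EXPECTED_FINGERPRINT:-REPLACE_WITH_PUBLISHED_FINGERPRINT}"

# Read `gpg --with-colons` records on stdin and print one primary-key
# fingerprint per line. A "pub" record is followed by its "fpr" record
# (field 10 holds the fingerprint); "sub" keys carry their own "fpr"
# records, which are skipped so a subkey cannot satisfy the check.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Normalise a fingerprint for comparison: drop spaces, upper-case hex digits.
norm_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# fingerprint_present EXPECTED < colon-output
# Succeeds only if EXPECTED matches a primary key's full fingerprint.
fingerprint_present() {
  expected=$(norm_fpr "$1")
  primary_fingerprints | tr -d ' ' | tr 'a-f' 'A-F' | grep -qx "$expected"
}

# Run gpg against the keyring written by the `--dearmor` step and check it.
verify_keyring() {
  if gpg --no-default-keyring --keyring "$KEYRING" --with-colons --fingerprint \
       | fingerprint_present "$EXPECTED_FINGERPRINT"; then
    echo "fingerprint OK: $KEYRING"
  else
    echo "FINGERPRINT MISMATCH for $KEYRING: do not add the repository" >&2
    return 1
  fi
}

if [ "${1:-}" = "verify" ]; then verify_keyring; fi
```

Run it as `EXPECTED_FINGERPRINT='<published fingerprint>' sh check_keyring.sh verify` after the `gpg --dearmor` step and before the `tee /etc/apt/sources.list.d/hashicorp.list` step; a non-zero exit means the repository key is not the one you expected.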
2. Start Vault Server

- Start Vault Server:

```bash
vault server -dev -dev-listen-address="0.0.0.0:8200"
```

3. Configure Terraform to read the secret from Vault.
- Enable AppRole Authentication:

> To enable the AppRole authentication method in Vault, you need to use the Vault CLI or the Vault HTTP API.

- Run the following command to enable the AppRole authentication method:

```bash
vault auth enable approle
```

- Create an AppRole:

  2.a) Create Policy

```bash
vault policy write terraform - <<EOF
path "*" {
  capabilities = ["list", "read"]
}
path "secrets/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "secret/data/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/token/create" {
  capabilities = ["create", "read", "update", "list"]
}
EOF
```

  2.b) Create the AppRole:

```bash
vault write auth/approle/role/terraform \
  secret_id_ttl=10m \
  token_num_uses=10 \
  token_ttl=20m \
  token_max_ttl=30m \
  secret_id_num_uses=40 \
  token_policies=terraform
```

- Generate Role ID and Secret ID:

> After creating the AppRole, you need to generate a Role ID and Secret ID pair. The Role ID is a static identifier, while the Secret ID is a dynamic credential.

  3.a) Generate Role ID (for the `terraform` role created above):

```bash
vault read auth/approle/role/terraform/role-id
```

  3.b) Generate Secret ID:

```bash
vault write -f auth/approle/role/terraform/secret-id
```

This command generates a Secret ID and returns it in the response. Save the Secret ID securely, as it will be used for Terraform authentication.
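To make the Role ID / Secret ID exchange concrete, the script below is an added example (not from the original post) that performs the same steps over Vault's HTTP API with curl: read the static Role ID, mint a Secret ID, log in with the pair to obtain a client token, and then read the `dev-s3` secret from the `secret` mount, which is exactly what the `auth_login` block and the `vault_kv_secret_v2` data source do in the Terraform files later in the post. `VAULT_ADDR` defaults to the dev server from step 2 and `VAULT_TOKEN` is assumed to be an operator token (for the dev server, the root token it prints); the helper names (`json_str`, `json_num`, `fetch_role_id`, `fetch_secret_id`, `approle_login`, `read_kv_secret`, `demo`) are this example's own, and `json_str` is a minimal field extractor for Vault's flat JSON responses, not a general parser.

```shell
#!/bin/sh
# Added example, not part of the original post: the AppRole exchange over
# Vault's HTTP API. Assumes the "terraform" role from step 3 and the dev
# server from step 2; helper names below are this example's own.
VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
ROLE="${ROLE:-terraform}"

# json_str KEY  - print the string value of KEY from a JSON body on stdin.
# Minimal extractor for Vault's flat responses (no jq needed); the key must
# be followed directly by a colon, so "secret_id" does not match
# "secret_id_accessor". Not a general JSON parser.
json_str() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# json_num KEY  - same for an unquoted integer (lease_duration, num_uses).
json_num() {
  sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# Step 3.a over the API: the Role ID is static, read with an operator token.
fetch_role_id() {
  curl -sS --fail -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/approle/role/$ROLE/role-id" | json_str role_id
}

# Step 3.b over the API: POST mints a fresh Secret ID, bounded by the
# secret_id_ttl and secret_id_num_uses set on the role.
fetch_secret_id() {
  curl -sS --fail -X POST -H "X-Vault-Token: $VAULT_TOKEN" \
    "$VAULT_ADDR/v1/auth/approle/role/$ROLE/secret-id" | json_str secret_id
}

# The login Terraform's auth_login block performs: both halves are exchanged
# for a client token that carries the role's token_policies.
approle_login() {  # approle_login ROLE_ID SECRET_ID
  curl -sS --fail -X POST "$VAULT_ADDR/v1/auth/approle/login" \
    -H 'Content-Type: application/json' \
    -d "{\"role_id\":\"$1\",\"secret_id\":\"$2\"}" | json_str client_token
}

# What data "vault_kv_secret_v2" does: GET <mount>/data/<name> on a KV v2
# mount, then pick one key out of the nested "data" object.
read_kv_secret() {  # read_kv_secret TOKEN MOUNT NAME KEY
  curl -sS --fail -H "X-Vault-Token: $1" \
    "$VAULT_ADDR/v1/$2/data/$3" | json_str "$4"
}

demo() {
  : "${VAULT_TOKEN:?set VAULT_TOKEN to a token allowed to read role-id and create secret-id}"
  role_id=$(fetch_role_id)
  secret_id=$(fetch_secret_id)
  token=$(approle_login "$role_id" "$secret_id")
  # From here on only the AppRole-issued token is used, never VAULT_TOKEN.
  read_kv_secret "$token" secret dev-s3 secret_name
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `VAULT_TOKEN='<operator token>' sh approle_demo.sh run` against the dev server; it prints the `secret_name` value of `secret/dev-s3`. Keeping the operator token out of `approle_login` and `read_kv_secret` mirrors what Terraform ends up with: a client token limited by `token_ttl`, `token_num_uses` and the `terraform` policy rather than the operator's credentials.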
4. Provider.tf file

```hcl
provider "vault" {
  address          = "<>:8200"
  skip_child_token = true

  auth_login {
    path = "auth/approle/login"
    parameters = {
      role_id   = "<>"
      secret_id = "<>"
    }
  }
}
```

5. Main.tf
- 5.a) Create vault server

```hcl
# Create vault server - 1
resource "aws_instance" "vault-server-1" {
  ami                    = "ami-053b0d53c279acc90"
  instance_type          = "t2.micro"
  key_name               = "efronlogin"
  subnet_id              = aws_subnet.sd-snet1.id
  vpc_security_group_ids = [aws_security_group.sd-sg-1.id]
  # The AWS provider base64-encodes user_data itself; passing the file
  # contents directly avoids double encoding (use user_data_base64 for
  # content that is already encoded).
  user_data              = file("vault_userdata.sh")

  tags = {
    Name        = "vault-Master"
    Environment = "dev"
  }
}
```

- 5.b) Connect to HashiCorp Vault via "data" resource

```hcl
data "vault_kv_secret_v2" "example" {
  mount = "secret" // change it according to your mount
  name  = "dev-s3" // change it according to your secret
}
```

- 5.c) Use it to retrieve in Terraform

Create an EC2 instance with tag names and the secret name:

```hcl
resource "aws_instance" "my_instance" {
  ami           = "ami-053b0d53c279acc90"
  instance_type = "t2.micro"

  tags = {
    Name   = "test"
    Secret = data.vault_kv_secret_v2.example.data["secret_name"]
  }
}
```

Credits:
Thanks to Abhishek Veeramalla