How to get Vault secret through Terraform - terraform

I have created the key/secret pair in the Vault UI and am trying to get the Vault secret through Terraform.
Please share thoughts!

You need to define a vault provider and fetch the secret as a data object. Here's a simple example:
provider "vault" {
  address         = "https://my-vault-address.com"
  skip_tls_verify = true   # disables certificate verification of the Vault endpoint; acceptable in a lab, not against a production Vault
  token           = "xxx"  # placeholder; a literal token here ends up in version control, so prefer VAULT_TOKEN from the environment
}
data "vault_generic_secret" "my_secret" {
  path = "secret/path/to/mysecret"   # on a KV version 2 mount the read path is secret/data/path/to/mysecret
}
Then in order to use it:
...
pass = data.vault_generic_secret.my_secret.data["password"]
...
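The same read, written the way a practitioner would ship it, as an added example that is not part of the answer above: the provider takes its address and token from the environment instead of the file, TLS verification stays on, and the secret is read through the KV version 2 data source (the Vault UI's default "secret" mount is KV v2). The mount name, secret path, provider version constraint and output name are assumptions.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 4.0.0"   # assumed; any release that ships data "vault_kv_secret_v2"
    }
  }
}

# No address/token in the file: the provider reads VAULT_ADDR and VAULT_TOKEN
# (and VAULT_NAMESPACE, VAULT_CACERT, ...) from the environment, so no
# credential lands in the repository and certificate checking is left enabled.
provider "vault" {}

# Assumes the secret was written to a KV version 2 mount called "secret".
# For a KV version 1 mount use data "vault_kv_secret" instead.
data "vault_kv_secret_v2" "my_secret" {
  mount = "secret"
  name  = "path/to/mysecret"   # hypothetical path inside the mount
}

locals {
  # data is a map of the key/value pairs stored at that path.
  db_password = data.vault_kv_secret_v2.my_secret.data["password"]
}

output "db_password" {
  value     = local.db_password
  sensitive = true   # masks plan/apply output; the state file still holds the value
}
```

Two caveats worth keeping in mind: every value a data source reads is written to the Terraform state in plaintext, so the state backend has to be treated as secret storage (encrypted, access-controlled), and `sensitive = true` only hides the value from CLI output, it does not remove it from state or from `terraform show -json`.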

Related

add organization to subject field with terraform's vault provider

I'm trying to provision a kubernetes cluster by creating all the certificates through vault first. It somehow makes it easy in the context of terraform, because I can insert all this information in the cloudinit config, so I don't have to rely on a node being ready and then transfer data from one to another.
In any case, the problem that I have is that vault_pki_secret_backend_cert doesn't seem to support any change to the subject field except for common_name (https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/pki_secret_backend_cert), whereas kubernetes relies on these types of certificates where the organization is specified. For example:
Subject: O = system:masters, CN = kube-etcd-healthcheck-client
I'm generating these certificates by directly using vault's intermediate certificate, so the private key is in vault. I cannot generate them separately, and I wouldn't want that anyway, because I'm trying to provision basically everything using terraform.
Any ideas how I can get around this issue?
I was able to find out the answer eventually. The only way to do this with terraform/vault seems to be configuring the backend role and adding the organization parameter in that role:
https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/cert_auth_backend_role.
For example, you define the role:
resource "vault_pki_secret_backend_role" "etcd_ca_clients" {
  depends_on       = [vault_pki_secret_backend_intermediate_set_signed.kube1_etcd_ca]
  backend          = vault_mount.kube1_etcd_ca.path
  name             = "kubernetes-client"
  ttl              = 3600
  allow_ip_sans    = true
  key_type         = "ed25519"
  allow_any_name   = true
  allowed_domains  = ["*"]
  allow_subdomains = true
  organization     = ["system:masters"]   # becomes the Subject O= field of every certificate issued through this role
}
And here you tell vault to generate the certificate based on that role:
resource "vault_pki_secret_backend_cert" "etcd_healthcheck_client" {
  for_each    = { for k, v in var.kubernetes_servers : k => v if startswith(k, "etcd-") }
  depends_on  = [vault_pki_secret_backend_role.etcd_ca_clients]
  backend     = vault_mount.kube1_etcd_ca.path
  name        = vault_pki_secret_backend_role.etcd_ca_clients.name
  common_name = "kube-etcd-healthcheck-client"
}
The limitation makes no sense whatsoever to me, but if you don't have a bulk of very different certificates, it's not all too bad and you don't have to repeat a lot of code.
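Since the organization lives on the role, every certificate the role issues carries O=system:masters, which Kubernetes maps to cluster-admin. With allow_any_name = true, anyone permitted to call the role's issue endpoint can therefore mint a cluster-admin certificate with whatever CN they like. The following is an added example, not code from the answer above: the same role closed down to a fixed list of common names, client-auth only, plus the Vault policy that gates the issue endpoint, and the certificate resource set to re-issue before expiry. Mount and resource names reuse the answer's; the allowed CN list, the policy name and the TTLs are assumptions.

```hcl
resource "vault_pki_secret_backend_role" "etcd_ca_clients" {
  depends_on = [vault_pki_secret_backend_intermediate_set_signed.kube1_etcd_ca]
  backend    = vault_mount.kube1_etcd_ca.path
  name       = "kubernetes-client"
  ttl        = 3600
  max_ttl    = 86400
  key_type   = "ed25519"

  # Subject: this is what puts O=system:masters on every cert from this role,
  # so the role has to be treated as "issue cluster-admin credentials".
  organization = ["system:masters"]

  # Name restrictions: no wildcard, no subdomains, only exactly these CNs
  # (assumed list; extend it with the other client CNs you actually issue).
  allow_any_name     = false
  allowed_domains    = ["kube-etcd-healthcheck-client", "kube-apiserver-etcd-client"]
  allow_bare_domains = true
  allow_subdomains   = false
  allow_glob_domains = false
  enforce_hostnames  = false   # CNs such as "system:kube-scheduler" are not hostnames
  allow_ip_sans      = false   # client certificates need no IP SANs

  # Client authentication only; a cert from this role must not double as a server cert.
  client_flag = true
  server_flag = false
}

# Only tokens carrying this policy may hit the role's issue endpoint; every
# other caller gets a permission denied even if it knows the role name.
resource "vault_policy" "etcd_client_issuer" {
  name   = "kube1-etcd-client-issuer"   # assumed policy name
  policy = <<-EOT
    path "${vault_mount.kube1_etcd_ca.path}/issue/${vault_pki_secret_backend_role.etcd_ca_clients.name}" {
      capabilities = ["create", "update"]
    }
  EOT
}

resource "vault_pki_secret_backend_cert" "etcd_healthcheck_client" {
  for_each    = { for k, v in var.kubernetes_servers : k => v if startswith(k, "etcd-") }
  backend     = vault_mount.kube1_etcd_ca.path
  name        = vault_pki_secret_backend_role.etcd_ca_clients.name
  common_name = "kube-etcd-healthcheck-client"
  ttl         = 3600

  # Re-issue on apply when fewer than 10 minutes of the 1h lifetime remain;
  # the provider default (7 days) is longer than the TTL and would re-issue every run.
  auto_renew            = true
  min_seconds_remaining = 600
}
```

The issued private key is returned by Vault and stored in Terraform state, so the state backend for this configuration needs the same protection as the etcd client keys themselves.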

Trim end of queue primary_connection_string and send to keyvault using terraform

I am able to store the full primary_connection_string of a Service Bus queue in Azure Key Vault using Terraform, but I am not able to store the same value without the trailing ;EntityPath=*********.
Original Connection String : Endpoint=sb://****.servicebus.windows.net/;SharedAccessKeyName=;SharedAccessKey=;EntityPath=*****
Required connection string to store in keyvault: Endpoint=sb://****.servicebus.windows.net/;SharedAccessKeyName=;SharedAccessKey=
I tried the code below using replace, but it did not work. It is directly storing the string "azurerm_servicebus_queue_authorization_rule.que-referee-sr-lr.primary_connection_string". I need the value as defined above:
resource "azurerm_key_vault_secret" "que-referee-sr-lr-connectionstring" {
  name         = lower(format("%s-%s", azurerm_servicebus_queue_authorization_rule.que-referee-sr-lr.name, "primary-connection-string"))
  # The first argument is quoted, so replace() receives the literal text of the reference rather than
  # the attribute value, and a pattern without a closing slash is matched as a plain substring, not a regex.
  value        = replace("azurerm_servicebus_queue_authorization_rule.que-referee-sr-lr.primary_connection_string", "/;EntityPath.*", "")
  key_vault_id = data.azurerm_key_vault.PlatformKV.id
}
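A working version of that trim, as an added example that is not part of the question: replace() gets the attribute reference itself (unquoted) and a pattern wrapped in forward slashes, which is what makes Terraform treat it as a regular expression. The resource and data source names mirror the question; the local name and content_type are assumptions.

```hcl
locals {
  # The pattern is delimited by slashes, so replace() evaluates it as an RE2
  # regular expression. ";EntityPath=" is anchored to the end of the string and
  # [^;]* stops at the next separator, so only that trailing segment is removed:
  #   Endpoint=sb://x.servicebus.windows.net/;SharedAccessKeyName=a;SharedAccessKey=b;EntityPath=q
  # becomes
  #   Endpoint=sb://x.servicebus.windows.net/;SharedAccessKeyName=a;SharedAccessKey=b
  namespace_connection_string = replace(
    azurerm_servicebus_queue_authorization_rule.que-referee-sr-lr.primary_connection_string,
    "/;EntityPath=[^;]*$/",
    ""
  )
}

resource "azurerm_key_vault_secret" "que-referee-sr-lr-connectionstring" {
  name         = lower(format("%s-%s", azurerm_servicebus_queue_authorization_rule.que-referee-sr-lr.name, "primary-connection-string"))
  value        = local.namespace_connection_string
  key_vault_id = data.azurerm_key_vault.PlatformKV.id
  content_type = "text/plain"   # assumed; purely informational metadata on the secret
}
```

The trimmed string still contains the SharedAccessKey, so it is just as sensitive as the full one: it is written to Terraform state in plaintext, and if you ever expose it through an output the output must be marked sensitive = true.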

Create new resources on multi-account AWS?

I am building a small tool using Terraform to generate sandboxes on AWS. I will be the owner of every new sandbox, and each user will be added as an IAM user with appropriate rights.
The input file looks like this: users.auto.tfvars
sandboxs_manager = "pierre-alexandre.mousset"
dev_team_members = [
  { name = "brian.davids", is_enabled = true },
  { name = "tom.hanks", is_enabled = true },
]
Which is going to create 2 different AWS accounts:
pierre-alexandre.mousset+brian.davids@company.com
pierre-alexandre.mousset+tom.hanks@company.com
What I am now trying to achieve, is to create a simple S3 bucket on every new aws_organizations_account generated by Terraform.
This is how I am generating AWS accounts on my Terraform:
resource "aws_organizations_account" "this" {
  for_each  = local.all_user_names
  name      = "Dev Sandbox ${each.value}"
  email     = "${var.manager}+sbx_${each.value}@company.com"
  role_name = "Administrator"
  parent_id = var.sandbox_organizational_unit_id
}
Is there a way to loop over every id generated by aws_organizations_account to create an S3 bucket in each of those newly created accounts?
Based on this GitHub issue, I would need to use a multi-provider, which is not yet supported by Terraform, and it would probably look like this before generating my S3 buckets:
provider "aws" {
  for_each = local.aws_accounts
  alias    = each.value.aws_account_id
  assume_role {
    role_arn = "arn:aws:iam::${aws_organizations_account.this.id}:role/TerraformAccessRole"
  }
}
Is there any way to deal with this?
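The usual way around the missing provider for_each, as an added example that is not part of the question: one explicit provider alias per sandbox account, each assuming the role that Organizations created from role_name, and a small child module instantiated once per alias to hold the bucket. It assumes the for_each keys of aws_organizations_account.this are the user names ("brian.davids", "tom.hanks"), that the region is eu-west-1, and that the module lives at ./modules/sandbox-bucket; none of those are verified from the question. Note that the role available in a fresh member account is the one named by role_name ("Administrator" here), not TerraformAccessRole, unless something else creates the latter.

```hcl
# --- root module -------------------------------------------------------------
# Terraform 1.x does not allow for_each on provider blocks, so each account
# gets a hand-written alias. The account id comes from the for_each instance.
provider "aws" {
  alias  = "sbx_brian_davids"
  region = "eu-west-1"   # assumed
  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.this["brian.davids"].id}:role/Administrator"
    session_name = "terraform-sandbox"
  }
}

provider "aws" {
  alias  = "sbx_tom_hanks"
  region = "eu-west-1"
  assume_role {
    role_arn     = "arn:aws:iam::${aws_organizations_account.this["tom.hanks"].id}:role/Administrator"
    session_name = "terraform-sandbox"
  }
}

module "sandbox_bucket_brian_davids" {
  source    = "./modules/sandbox-bucket"   # assumed path
  providers = { aws = aws.sbx_brian_davids }
  owner     = "brian.davids"
}

module "sandbox_bucket_tom_hanks" {
  source    = "./modules/sandbox-bucket"
  providers = { aws = aws.sbx_tom_hanks }
  owner     = "tom.hanks"
}

# --- modules/sandbox-bucket/main.tf -------------------------------------------
variable "owner" {
  type = string
}

data "aws_caller_identity" "current" {}

resource "aws_s3_bucket" "sandbox" {
  # Bucket names are global; the account id keeps them unique per sandbox.
  bucket = "sandbox-${replace(var.owner, ".", "-")}-${data.aws_caller_identity.current.account_id}"
}

# Sandbox or not, keep the bucket private and encrypted at rest by default.
resource "aws_s3_bucket_public_access_block" "sandbox" {
  bucket                  = aws_s3_bucket.sandbox.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_s3_bucket_server_side_encryption_configuration" "sandbox" {
  bucket = aws_s3_bucket.sandbox.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}
```

Because the provider configuration depends on an account id that does not exist until the first apply, run the accounts first (for example `terraform apply -target=aws_organizations_account.this`) and then a full apply; provider blocks cannot be configured from values that are still unknown during plan. Assuming the full Administrator role for a bucket-only job is more than the task needs; once the accounts exist, creating a narrower role inside each sandbox and switching the alias to it is the least-privilege follow-up.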

COS access policies interface vs terraform

In the interface I can go to COS Bucket Access Policies and easily assign a policy that then looks more or less like:
Cloud Object Storage service
serviceInstance string equals foo-bar, resource string equals foo-bar-pcaps, resourceType string equals bucket
I'm struggling to find a way to do the same via Terraform, because whenever I try with proper TF code like:
resource "ibm_iam_service_policy" "policy_pcaps" {
  iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
  roles          = ["Writer"]
  resources {
    service  = "cloud-object-storage"
    resource = ibm_cos_bucket.pcaps.id
  }
}
I'm ending up with
Cloud Object Storage service
resource string equals crn:v1:bluemix:public:cloud-object-storage:global:a/27beaaea79a<redacted>34dd871b:8b124bc6-147c-47ba-bd47-<redacted>:bucket:foo-bar-pcaps:meta:rl:us-east
The problem is that the Writer policy that is required here does not work properly with those policy details.
How to achieve something similar to the first policy with Terraform?
Thanks
You can achieve this, similar to this example Service Policy, by using attributes.
I created a policy through the UI for Cloud Object Storage and specified the policy to contain a bucket name. Then I used:
ibmcloud iam access-group-policy GROUP_NAME POLICY_ID --output JSON
to get a better understanding of the policy.
With that I created this sample terraform snippet and tested it. It is creating the IAM access group + policy:
resource "ibm_iam_access_group" "accgrp_cos" {
  name = "test_cos"
}
resource "ibm_iam_access_group_policy" "policy" {
  access_group_id = ibm_iam_access_group.accgrp_cos.id
  roles           = ["Writer"]
  resources {
    service = "cloud-object-storage"
    attributes = {
      resourceType = "bucket"
      resource     = "tf-test-cos"
    }
  }
}
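The same attribute-based scoping applied to the service ID from the question rather than an access group, as an added example that is not part of the answer above. It also pins the policy to the COS instance, which is the third condition the UI policy showed (serviceInstance equals foo-bar). The instance name "foo-bar", bucket "foo-bar-pcaps" and service ID resource name come from the question; looking the instance up with data "ibm_resource_instance" and passing its guid as serviceInstance are assumptions.

```hcl
# Looks up the COS instance so the policy can be tied to it by GUID; the UI
# shows the instance name, but the stored attribute is the instance identifier
# (the same value that appears inside the bucket CRN in the question).
data "ibm_resource_instance" "cos" {
  name    = "foo-bar"
  service = "cloud-object-storage"
}

resource "ibm_iam_service_policy" "policy_pcaps" {
  iam_service_id = ibm_iam_service_id.serviceID_pcaps.id
  roles          = ["Writer"]

  resources {
    service = "cloud-object-storage"
    # Attribute names match what the UI policy displays for a bucket-level
    # grant: serviceInstance, resourceType and resource (the bucket name,
    # not its CRN).
    attributes = {
      serviceInstance = data.ibm_resource_instance.cos.guid
      resourceType    = "bucket"
      resource        = "foo-bar-pcaps"
    }
  }
}
```

Without the serviceInstance attribute the grant applies to any bucket named foo-bar-pcaps in any COS instance the account can see, so scoping by instance is the difference between "this bucket" and "a bucket with this name".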

Terraform | Retrieve the (client-key) certificate from Cloud SQL

I would like to retrieve the client-key SSL key of Cloud SQL via Terraform. I was able to retrieve the server-ca and the client-cert via Terraform but have no idea how to get the client-key file. To retrieve the client-cert I have used the code below. Please look:
resource "google_sql_ssl_cert" "client_cert" {
  depends_on = [
    google_sql_database_instance.new_instance_sql_master,
    google_sql_user.users,
  ]
  common_name = "terraform1"
  project     = var.project_id
  instance    = google_sql_database_instance.new_instance_sql_master.name
}
Output.tf
output "client_cert" {
  # The resource has no count, so the attribute is referenced directly (the 0.11-era .0.cert indexing is not needed).
  value       = google_sql_ssl_cert.client_cert.cert
  description = "The client certificate used to connect to the SQL instance via SSL"
}
Please let me know how I can retrieve the client-key private key, i.e. I have server-ca and client-cert, and I need client-key via Terraform.
In order to get the client private key, use the following snippet, adding any other parameters you wish to have:
output "client_privkey" {
  value     = google_sql_ssl_cert.client_cert.private_key
  sensitive = true   # private_key is a sensitive attribute; Terraform 0.15+ refuses to output it without this
}
For the client certificate: value = google_sql_ssl_cert.client_cert.cert
For the server certificate: value = google_sql_ssl_cert.client_cert.server_ca_cert
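All three artifacts together, written to the PEM files a database client expects, as an added example that is not part of the answer above. Resource names reuse the question's; the hashicorp/local provider, the certs/ directory and the file modes are assumptions.

```hcl
# Issues the client certificate; Cloud SQL returns the private key exactly
# once, in the API response, and the provider stores it as private_key.
resource "google_sql_ssl_cert" "client_cert" {
  common_name = "terraform1"
  project     = var.project_id
  instance    = google_sql_database_instance.new_instance_sql_master.name
}

# local_sensitive_file (hashicorp/local >= 2.2) behaves like local_file but
# never prints the content in plan output.
resource "local_sensitive_file" "server_ca" {
  filename        = "${path.module}/certs/server-ca.pem"
  content         = google_sql_ssl_cert.client_cert.server_ca_cert
  file_permission = "0644"
}

resource "local_sensitive_file" "client_cert" {
  filename        = "${path.module}/certs/client-cert.pem"
  content         = google_sql_ssl_cert.client_cert.cert
  file_permission = "0644"
}

resource "local_sensitive_file" "client_key" {
  filename        = "${path.module}/certs/client-key.pem"
  content         = google_sql_ssl_cert.client_cert.private_key
  file_permission = "0600"   # key readable only by the user running Terraform
}

output "client_privkey" {
  value     = google_sql_ssl_cert.client_cert.private_key
  sensitive = true
}
```

A MySQL client would then connect with `--ssl-ca=certs/server-ca.pem --ssl-cert=certs/client-cert.pem --ssl-key=certs/client-key.pem`. The key now exists in two places besides the file: the Terraform state and, if anyone runs `terraform output -json`, their terminal; treat the state backend accordingly, and prefer issuing the certificate on the machine that will use it rather than shipping the key out of a shared pipeline.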
