This repository has been archived by the owner on Jan 25, 2023. It is now read-only.

AWS IAM Policy for Vault AWS Auth method #71

Open
wants to merge 25 commits into base: master

25 commits
3323a71
Add ability to specify VPC.
boldandbusted Nov 27, 2017
93339ed
Add non-default VPC support to vault-cluster-private example.
boldandbusted Nov 27, 2017
6eee689
Merge to preserve S3 persistent storage capability, hopefully.
boldandbusted Apr 12, 2018
c624968
Create IAM Instance Profile Role policy to allow Vault AWS Auth full …
boldandbusted Apr 12, 2018
03d8194
Remove duplicate vpc_id variable; set default to false for new enable…
boldandbusted Apr 13, 2018
3eef292
Expose more variables from underlying modules.
boldandbusted Apr 13, 2018
720adbf
Merge branch 'master' of https://github.com/hashicorp/terraform-aws-v…
boldandbusted Apr 13, 2018
6cf8e19
Move variables to proper modules, set enable_EC2_IAM_Auth on vault-cl…
boldandbusted Apr 17, 2018
7dc1638
Expose s3, and EC2 IAM role components to vault-cluster-private examp…
boldandbusted Apr 17, 2018
8de0eab
Copy user-data-vault.sh from vault-s3-backend. (Should probably just …
boldandbusted Apr 17, 2018
c544ca3
Copy user-data-vault.sh from vault-s3-backend. (Should probably just …
boldandbusted Apr 17, 2018
8893851
Specific local changes to packer build.
boldandbusted Apr 17, 2018
b4f4e31
Specify private subnets, using private_subnet_tags (see Terraform Reg…
boldandbusted Apr 17, 2018
ab63036
Re-add consul-server configuring section. Oops.
boldandbusted Apr 17, 2018
fdeb3e0
Filed https://github.com/hashicorp/vault/issues/4383, staying at 0.9.…
boldandbusted Apr 17, 2018
17a02db
Merge with upstream master.
boldandbusted May 2, 2018
a268913
Merge with upstream origin.
boldandbusted Jun 1, 2018
3b85902
Remove non-IAM-related work (S3 buckets and non-default VPCs.)
boldandbusted Jun 1, 2018
932d711
Cleanup: run terraform fmt before PR. :)
boldandbusted Jun 1, 2018
7512e42
*_EC2_IAM_Auth -> *_ec2_iam_auth, yay sed.
boldandbusted Oct 1, 2018
199b04a
With suggestions by @brikis98, hopefully craft a clearer description.
boldandbusted Oct 1, 2018
0f03108
Rename -> create_aws_auth_backend_iam_policies, per @brikis98 suggest…
boldandbusted Oct 1, 2018
69e47eb
Add source for IAM policies.
boldandbusted Oct 1, 2018
dae9f4b
Merge branch 'master' of https://github.com/hashicorp/terraform-aws-v…
boldandbusted Oct 1, 2018
471b5f5
Remove redundant '? 1 : 0' for boolean variables, per @brikis98 PR su…
boldandbusted Oct 1, 2018
11 changes: 8 additions & 3 deletions examples/vault-cluster-private/main.tf
@@ -36,6 +36,7 @@ module "vault_cluster" {
allowed_inbound_security_group_ids = []
allowed_inbound_security_group_count = 0
ssh_key_name = "${var.ssh_key_name}"
enable_EC2_IAM_Auth = "${var.enable_EC2_IAM_Auth}"
}

# ---------------------------------------------------------------------------------------------------------------------
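Review bot: the argument added here, `enable_EC2_IAM_Auth`, does not match the variable this PR declares in modules/vault-cluster/variables.tf, which is named `create_aws_auth_backend_iam_policies`; Terraform rejects an argument the module does not declare, so this example would fail to plan and the IAM policy would never be attached. Change the line to `create_aws_auth_backend_iam_policies = "${var.create_aws_auth_backend_iam_policies}"` and rename the example's own variable to match; the `*_EC2_IAM_Auth -> *_ec2_iam_auth` rename commit evidently did not reach this file.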
@@ -74,11 +75,11 @@ data "template_file" "user_data_vault_cluster" {
module "security_group_rules" {
source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3"

security_group_id = "${module.vault_cluster.security_group_id}"
security_group_id = "${module.vault_cluster.security_group_id}"

# To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
# recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.

allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
}

@@ -139,6 +140,10 @@ data "aws_vpc" "default" {

data "aws_subnet_ids" "default" {
vpc_id = "${data.aws_vpc.default.id}"

tags {
SubnetType = "private"
Collaborator
This should be configurable by variable and probably disabled by default. I know this is vault cluster private, but the default settings run it in the Default VPC, which for most users will have no private subnets. We could add comments to mention that for prod usage, this should be a custom VPC and private subnets.

}
}

data "aws_region" "current" {}
data "aws_region" "current" {}
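Review bot: the `tags { SubnetType = "private" }` filter is hardcoded into the example, so `aws_subnet_ids` only returns subnets carrying exactly that tag; with `vpc_id` left empty the example targets the default VPC, whose subnets are normally untagged, and the data source then returns no subnets and the cluster has nowhere to launch. The root main.tf in this same PR already takes `tags = "${var.subnet_tags}"`, so mirror that here with a `subnet_tags` variable defaulting to an empty map, and note in the example that production use should be a custom VPC with private subnets, as the collaborator comment above asks. The commit "Remove non-IAM-related work (S3 buckets and non-default VPCs.)" suggests this filter was meant to be dropped as well. The repeated `data "aws_region" "current" {}` line is just the trailing-newline fix.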
5 changes: 5 additions & 0 deletions examples/vault-cluster-private/variables.tf
@@ -64,3 +64,8 @@ variable "vpc_id" {
description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
default = ""
}

variable "enable_EC2_IAM_Auth" {
description = "Configure IAM Instance Profile on Vault cluster members to permit the user to enable AWS Auth backend. Note that this does NOT actually enable the backend, but merely sets policies that will permit it to function as expected."
default = false
}
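Review bot: the new variable name `enable_EC2_IAM_Auth` breaks the snake_case convention the other variables in this file follow and differs from the module-level `create_aws_auth_backend_iam_policies`; use the module's name so a reader can trace the setting from example to module. The description should also say what gets attached to every Vault node (read access to EC2 instance and IAM principal metadata) rather than only that it "permits the user to enable" the backend, so operators know what they are granting.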
6 changes: 3 additions & 3 deletions examples/vault-s3-backend/main.tf
@@ -79,11 +79,11 @@ data "template_file" "user_data_vault_cluster" {
module "security_group_rules" {
source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3"

security_group_id = "${module.vault_cluster.security_group_id}"
security_group_id = "${module.vault_cluster.security_group_id}"

# To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
# recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.

allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
}

@@ -146,4 +146,4 @@ data "aws_subnet_ids" "default" {
vpc_id = "${data.aws_vpc.default.id}"
}

data "aws_region" "current" {}
data "aws_region" "current" {}
2 changes: 1 addition & 1 deletion examples/vault-s3-backend/outputs.tf
@@ -84,4 +84,4 @@ output "consul_cluster_cluster_tag_value" {

output "s3_bucket_arn" {
value = "${module.vault_cluster.s3_bucket_arn}"
}
}
2 changes: 1 addition & 1 deletion examples/vault-s3-backend/variables.tf
@@ -73,4 +73,4 @@ variable "s3_bucket_name" {
variable "force_destroy_s3_bucket" {
description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage (if configured). You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves."
default = false
}
}
6 changes: 3 additions & 3 deletions main.tf
@@ -117,11 +117,11 @@ data "template_file" "user_data_vault_cluster" {
module "security_group_rules" {
source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3"

security_group_id = "${module.vault_cluster.security_group_id}"
security_group_id = "${module.vault_cluster.security_group_id}"

# To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
# recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.

allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
}

@@ -223,4 +223,4 @@ data "aws_subnet_ids" "default" {
tags = "${var.subnet_tags}"
}

data "aws_region" "current" {}
data "aws_region" "current" {}
33 changes: 30 additions & 3 deletions modules/vault-cluster/main.tf
@@ -183,7 +183,7 @@ data "aws_iam_policy_document" "instance_role" {
}

resource "aws_s3_bucket" "vault_storage" {
count = "${var.enable_s3_backend ? 1 : 0}"
count = "${var.enable_s3_backend}"
bucket = "${var.s3_bucket_name}"
force_destroy = "${var.force_destroy_s3_bucket}"

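Review bot: dropping the `? 1 : 0` ternary makes `count` rely on Terraform 0.11 coercing a boolean variable to "1"/"0". That holds for the literal `false` default and for a bare `true` in HCL, but a string value such as `"true"` supplied through a tfvars file or `-var` is not a valid count and the plan fails. If the module should keep accepting strings, keep the ternary; otherwise document that `enable_s3_backend` must be a bare boolean. The same applies to the two `count` lines below and to the new `create_aws_auth_backend_iam_policies` counts.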
@@ -194,14 +194,14 @@ resource "aws_s3_bucket" "vault_storage" {
}

resource "aws_iam_role_policy" "vault_s3" {
count = "${var.enable_s3_backend ? 1 : 0}"
count = "${var.enable_s3_backend}"
name = "vault_s3"
role = "${aws_iam_role.instance_role.id}"
policy = "${element(concat(data.aws_iam_policy_document.vault_s3.*.json, list("")), 0)}"
}

data "aws_iam_policy_document" "vault_s3" {
count = "${var.enable_s3_backend ? 1 : 0}"
count = "${var.enable_s3_backend}"

statement {
effect = "Allow"
@@ -213,3 +213,30 @@ data "aws_iam_policy_document" "vault_s3" {
]
}
}

resource "aws_iam_role_policy" "vault_aws_ec2_iam_auth" {
count = "${var.create_aws_auth_backend_iam_policies}"
name = "vault_aws_ec2_iam_auth"
role = "${aws_iam_role.instance_role.id}"
policy = "${element(concat(data.aws_iam_policy_document.vault_aws_ec2_iam_auth.*.json, list("")), 0)}"
}

# Source for IAM policies: https://www.vaultproject.io/docs/auth/aws.html#recommended-vault-iam-policy
# TODO: Add Cross Account Access stanza, enumerating all roles with cross-account access

data "aws_iam_policy_document" "vault_aws_ec2_iam_auth" {
count = "${var.create_aws_auth_backend_iam_policies}"

statement {
effect = "Allow"

actions = [
"ec2:DescribeInstances",
"iam:GetInstanceProfile",
"iam:GetUser",
"iam:GetRole",
Collaborator
Can you add a link to the docs where the requirements for these policies are defined?

I am setting up something similar myself. The docs for this policy are located at: https://www.vaultproject.io/docs/auth/aws.html#recommended-vault-iam-policy

However, it would be nice to have an option for the sts:AssumeRole action in a cross account scenario.

Author

@brikis98 Done with latest commit but I leave it to you to 'resolve', if you're satisfied. :) @BMonsalvatge That's exactly where I got them. Thanks for the link. :) Re: cross-account 'sts:AssumeRole': I know the original policies have the sts:AssumeRole stanza, but I'm not sure how to properly enumerate the roles and accounts that's 'generic' for all cases. My present company doesn't really need it - we have sts:AssumeRole added to the IAM Instance Profile at line 175 in this file, and that was enough. However, I added a "TODO", seen in the recent commit. If you have this sussed out, I'd love to see it in the code, too. :)

]

resources = ["*"]
}
}
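Review bot: the policy grants `iam:GetUser` and `iam:GetRole` on `resources = ["*"]`, which serves the iam auth type, yet the resource is named `vault_aws_ec2_iam_auth` and the variable description speaks of "the AWS Auth backend" generically; extend the source comment to say which auth type each action supports (`ec2:DescribeInstances` and `iam:GetInstanceProfile` for ec2 auth, `iam:GetUser` and `iam:GetRole` for iam auth) so an operator who only uses ec2 auth can decide whether the IAM read actions are needed on their nodes. The cross-account `sts:AssumeRole` stanza remains a TODO, so the description should state that cross-account bindings are not covered. The linked source comment addresses the earlier review request. The `count` on both new resources takes the raw boolean variable, so it depends on the value being a bare boolean rather than a `"true"` string.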
5 changes: 5 additions & 0 deletions modules/vault-cluster/variables.tf
@@ -197,3 +197,8 @@ variable "force_destroy_s3_bucket" {
description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
default = false
}

variable "create_aws_auth_backend_iam_policies" {
description = "If set to true, create IAM policies required by the AWS Auth backend, and apply the policies via IAM Instance Profiles. Note that this does NOT actually enable the backend, but merely sets policies that will permit it to function as expected."
default = false
}
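Review bot: since `create_aws_auth_backend_iam_policies` is used directly as a `count`, the description should say it must be a bare boolean (`true`/`false`), not a string, and should list what the policy grants (`ec2:DescribeInstances`, `iam:GetInstanceProfile`, `iam:GetUser`, `iam:GetRole` on all resources) with cross-account `sts:AssumeRole` not yet included. Unrelated to this PR but visible in the context: the `force_destroy_s3_bucket` description refers to 'configure_s3_backend' while the variable is `enable_s3_backend`; worth fixing while touching this file.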