Merge pull request hashicorp#45 from hashicorp/f-add-spring-cloud-vau…

…lt-aws-auth

adding aws auth

secrets/spring-cloud-vault/README.md

@@ -17,8 +17,9 @@ To keep it simple and lightweight, the [Java Sample App using Spring Cloud Vault
 
 - [Nomad](nomad)
 - [Kubernetes](kubernetes)
-- [Pivotal Cloud Foundry - PCF](pcf)
+- [Pivotal Cloud Foundry](pcf)
 - [Vagrant](vagrant-local)
+- [AWS](aws)
 <br>
 
 ### Setup

secrets/spring-cloud-vault/aws/README.md

@@ -0,0 +1,43 @@
+# spring-vault-demo-aws
+
+This folder will help you deploy the sample app to AWS.
+
+## Demo Instruction
+We will leverage Packer and Terraform to deploy immutable instances of our application. Spring Cloud Vault supports Vault [EC2](http://cloud.spring.io/spring-cloud-static/spring-cloud-vault/2.0.0.M4/single/spring-cloud-vault.html#vault.config.authentication.awsec2) and [IAM](http://cloud.spring.io/spring-cloud-static/spring-cloud-vault/2.0.0.M4/single/spring-cloud-vault.html#vault.config.authentication.awsiam) auth natively, which we will use to authenticate our app.
+
+### Setup
+You will need a Vault instance and a Postgres instance to get started. The top-level folder has instructions on provisioning these.
+
+1. Update the [EC2](bootstrap-ec2.yaml) and [IAM](bootstrap-iam.yaml) files for your environment.
+2. [Run the Packer builds](packer/build.sh) and retrieve the AMI IDs.
+
+```
+==> amazon-ebs: Creating the AMI: llarsen-vault-aws-ec2-auth-springboot
+    amazon-ebs: AMI: ami-05cf898f367c78842
+==> amazon-ebs: Creating the AMI: llarsen-vault-aws-iam-auth-springboot
+    amazon-ebs: AMI: ami-0c50a7e97627c1719
+```
+
+3. Update your [variables](terraform/terraform.tfvars) and run Terraform. Terraform will output your instances.
+
+```
+Outputs:
+
+springboot-ec2 = [
+    ec2-54-82-180-149.compute-1.amazonaws.com
+]
+springboot-iam = [
+    ec2-34-229-196-83.compute-1.amazonaws.com
+]
+```
+
+### Testing
+You can ssh into your new instances with your springboot.pem key and check the systemd logs for the application.
+
+```
+ssh -i springboot.pem [email protected]
+journalctl -u springboot -f
+```
+
+The API will serve on port 8080. Instructions for API use can be found in the top-level folder.
+You can can increase the count of the VMs using Terraform and verify the additional Vault leases and DB users.

secrets/spring-cloud-vault/aws/bootstrap-ec2.yaml

@@ -0,0 +1,19 @@
+spring.cloud.vault:
+    authentication: AWS_EC2
+    aws-ec2:
+        role: order
+        aws-ec2-path: aws-ec2
+    host: localhost
+    port: 8200
+    scheme: http
+    fail-fast: true
+    config.lifecycle.enabled: true
+    generic:
+      enabled: true
+      backend: secret
+    database:
+        enabled: true
+        role: order
+        backend: database
+spring.datasource:
+  url: jdbc:postgresql://localhost:5432/postgres

secrets/spring-cloud-vault/aws/bootstrap-iam.yaml

@@ -0,0 +1,19 @@
+spring.cloud.vault:
+    authentication: AWS_IAM
+    aws-iam::
+        role: order
+        aws-path: aws-iam
+    host: localhost
+    port: 8200
+    scheme: http
+    fail-fast: true
+    config.lifecycle.enabled: true
+    generic:
+      enabled: true
+      backend: secret
+    database:
+        enabled: true
+        role: order
+        backend: database
+spring.datasource:
+  url: jdbc:postgresql://localhost:5432/postgres

secrets/spring-cloud-vault/aws/packer/build.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+
+FAIL=0
+
+#Get vars
+if [ -z ${PACKER_ENVIRONMENT} ]; then
+  read -p $'\033[1;32mPlease enter your PACKER ENVIRONMENT: \033[0m' PACKER_ENVIRONMENT
+  export PACKER_ENVIRONMENT="${PACKER_ENVIRONMENT}"
+else
+  export PACKER_ENVIRONMENT="${PACKER_ENVIRONMENT}"
+fi
+
+if [ -z ${AWS_ACCESS_KEY_ID} ]; then
+  read -p $'\033[1;32mPlease enter an AWS access key ID for Packer: \033[0m' AWS_ACCESS_KEY_ID
+  export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
+else
+  export AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}"
+fi
+
+if [ -z ${AWS_SECRET_ACCESS_KEY} ]; then
+  read -p $'\033[1;32mPlease enter an AWS secret access key for Packer: \033[0m' AWS_SECRET_ACCESS_KEY
+  export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
+else
+  export AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}"
+fi
+
+#Start Jobs
+echo "Starting Packer builds..."
+export AWS_REGION=us-east-1
+packer build -force springboot-ec2.json &
+packer build -force springboot-iam.json &
+
+#Wait for completion
+for job in `jobs -p`; do
+  echo $job
+  wait $job || let "FAIL+=1"
+done
+
+if [ "$FAIL" == "0" ]; then
+  echo -e "\033[32m\033[1m[BUILD SUCCESFUL]\033[0m"
+else
+  echo -e "\033[31m\033[1m[BUILD ERROR]\033[0m"
+fi

secrets/spring-cloud-vault/aws/packer/springboot-ec2.json

@@ -0,0 +1,58 @@
+{
+   "variables": {
+      "aws_access_key_id": "{{ env `AWS_ACCESS_KEY_ID` }}",
+      "aws_secret_access_key": "{{ env `AWS_SECRET_ACCESS_KEY` }}",
+      "environment": "{{ env `PACKER_ENVIRONMENT` }}"
+   },
+   "builders": [
+      {
+         "type": "amazon-ebs",
+         "access_key": "{{user `aws_access_key`}}",
+         "secret_key": "{{user `aws_secret_key`}}",
+         "region": "us-east-1",
+         "source_ami_filter": {
+            "filters": {
+               "virtualization-type": "hvm",
+               "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
+               "root-device-type": "ebs"
+            },
+            "owners": [
+               "099720109477"
+            ],
+            "most_recent": true
+         },
+         "instance_type": "t2.micro",
+         "ssh_username": "ubuntu",
+         "ami_name": "{{user `environment`}}-vault-aws-ec2-auth-springboot"
+      }
+   ],
+   "provisioners": [
+     {
+        "type": "file",
+        "source": "../bootstrap-ec2.yaml",
+        "destination": "/tmp/bootstrap.yaml"
+     },
+     {
+        "type": "file",
+        "source": "../springboot.service",
+        "destination": "/tmp/springboot.service"
+     },
+      {
+         "type": "file",
+         "source": "../../target/spring-vault-demo-1.0.jar",
+         "destination": "/tmp/spring-vault-demo-1.0.jar"
+      },
+      {
+         "type": "shell",
+         "inline": [
+            "sudo apt-get update",
+            "sudo apt-get install -y openjdk-8-jre-headless",
+            "sudo mkdir -p /var/springboot",
+            "sudo cp /tmp/spring-vault-demo-1.0.jar /var/springboot/spring-vault-demo-1.0.jar",
+            "sudo cp /tmp/bootstrap.yaml /var/springboot/bootstrap.yaml",
+            "sudo cp /tmp/springboot.service /etc/systemd/system/springboot.service",
+            "sudo systemctl enable springboot.service"
+         ]
+      }
+   ]
+}

secrets/spring-cloud-vault/aws/packer/springboot-iam.json

@@ -0,0 +1,58 @@
+{
+   "variables": {
+      "aws_access_key_id": "{{ env `AWS_ACCESS_KEY_ID` }}",
+      "aws_secret_access_key": "{{ env `AWS_SECRET_ACCESS_KEY` }}",
+      "environment": "{{ env `PACKER_ENVIRONMENT` }}"
+   },
+   "builders": [
+      {
+         "type": "amazon-ebs",
+         "access_key": "{{user `aws_access_key`}}",
+         "secret_key": "{{user `aws_secret_key`}}",
+         "region": "us-east-1",
+         "source_ami_filter": {
+            "filters": {
+               "virtualization-type": "hvm",
+               "name": "ubuntu/images/*ubuntu-xenial-16.04-amd64-server-*",
+               "root-device-type": "ebs"
+            },
+            "owners": [
+               "099720109477"
+            ],
+            "most_recent": true
+         },
+         "instance_type": "t2.micro",
+         "ssh_username": "ubuntu",
+         "ami_name": "{{user `environment`}}-vault-aws-iam-auth-springboot"
+      }
+   ],
+   "provisioners": [
+     {
+        "type": "file",
+        "source": "../bootstrap-iam.yaml",
+        "destination": "/tmp/bootstrap.yaml"
+     },
+     {
+        "type": "file",
+        "source": "../springboot.service",
+        "destination": "/tmp/springboot.service"
+     },
+      {
+         "type": "file",
+         "source": "../../target/spring-vault-demo-1.0.jar",
+         "destination": "/tmp/spring-vault-demo-1.0.jar"
+      },
+      {
+         "type": "shell",
+         "inline": [
+            "sudo apt-get update",
+            "sudo apt-get install -y openjdk-8-jre-headless",
+            "sudo mkdir -p /var/springboot",
+            "sudo cp /tmp/spring-vault-demo-1.0.jar /var/springboot/spring-vault-demo-1.0.jar",
+            "sudo cp /tmp/bootstrap.yaml /var/springboot/bootstrap.yaml",
+            "sudo cp /tmp/springboot.service /etc/systemd/system/springboot.service",
+            "sudo systemctl enable springboot.service"
+         ]
+      }
+   ]
+}

secrets/spring-cloud-vault/aws/springboot.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=springboot
+After=syslog.target
+
+[Service]
+User=root
+Restart=always
+ExecStart=/var/springboot/spring-vault-demo-1.0.jar
+SuccessExitStatus=143
+
+[Install]
+WantedBy=multi-user.target

secrets/spring-cloud-vault/aws/terraform/ec2.tf

@@ -0,0 +1,70 @@
+data "aws_ami" "spring-ec2" {
+  most_recent = true
+
+  filter {
+    name   = "image-id"
+    values = ["${var.ec2_ami_id}"]
+  }
+
+  owners = ["${var.ami_owner}"]
+}
+
+data "aws_ami" "spring-iam" {
+  most_recent = true
+
+  filter {
+    name   = "image-id"
+    values = ["${var.iam_ami_id}"]
+  }
+
+  owners = ["${var.ami_owner}"]
+}
+
+resource "aws_key_pair" "springboot" {
+  key_name   = "${var.env}"
+  public_key = "${tls_private_key.springboot.public_key_openssh}"
+}
+
+resource "aws_security_group" "allow_all" {
+  name        = "allow_all"
+  description = "Allow all inbound traffic"
+
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port       = 0
+    to_port         = 0
+    protocol        = "-1"
+    cidr_blocks     = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_instance" "spring-ec2" {
+  count = 1
+  ami           = "${data.aws_ami.spring-ec2.id}"
+  instance_type = "t2.micro"
+  associate_public_ip_address = true
+  key_name = "${aws_key_pair.springboot.key_name}"
+  security_groups = ["${aws_security_group.allow_all.name}"]
+  tags {
+    env = "${var.env}"
+  }
+}
+
+resource "aws_instance" "spring-iam" {
+  count = 1
+  ami           = "${data.aws_ami.spring-iam.id}"
+  instance_type = "t2.micro"
+  iam_instance_profile = "${aws_iam_instance_profile.springboot.name}"
+  associate_public_ip_address = true
+  key_name = "${aws_key_pair.springboot.key_name}"
+  security_groups = ["${aws_security_group.allow_all.name}"]
+  tags {
+    env = "${var.env}"
+  }
+}

secrets/spring-cloud-vault/aws/terraform/iam.tf

@@ -0,0 +1,55 @@
+resource "aws_iam_user" "vault" {
+  name = "${var.env}"
+}
+
+resource "aws_iam_access_key" "vault" {
+  user = "${aws_iam_user.vault.name}"
+}
+
+resource "aws_iam_user_policy" "vault_ro" {
+  name = "${var.env}"
+  user = "${aws_iam_user.vault.name}"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:DescribeInstances",
+        "iam:GetInstanceProfile",
+        "iam:GetUser",
+        "iam:GetRole"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role" "springboot" {
+  name = "${var.env}"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_instance_profile" "springboot" {
+  name = "${var.env}"
+  role = "${aws_iam_role.springboot.name}"
+}