authorpmikus <pmikus@cisco.com>2021-05-18 13:30:08 +0000
committerPeter Mikus <pmikus@cisco.com>2021-08-09 11:51:31 +0000
commit73440ab332c51eb11405767d320bc496d9ebdbe7 (patch)
tree003e06b7ab75c311009516a9872e77fdb00e47a8
parentbbfe9b5ba82a3998687909a833c2646bccbb6aa6 (diff)
Infra: Vault
Signed-off-by: pmikus <pmikus@cisco.com> Change-Id: Ia6e728f98d20144c3771405b32933a77fe15b19b
-rw-r--r--fdio.infra.ansible/roles/vault/defaults/main.yaml159
-rw-r--r--fdio.infra.ansible/roles/vault/handlers/main.yaml9
-rw-r--r--fdio.infra.ansible/roles/vault/meta/main.yaml23
-rw-r--r--fdio.infra.ansible/roles/vault/tasks/main.yaml133
-rw-r--r--fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j215
-rw-r--r--fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j293
-rw-r--r--fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j222
-rw-r--r--fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j230
-rw-r--r--fdio.infra.ansible/roles/vault/vars/main.yaml5
-rw-r--r--fdio.infra.terraform/1n_nmd/aws/main.tf37
-rw-r--r--fdio.infra.terraform/1n_nmd/aws/providers.tf14
-rw-r--r--fdio.infra.terraform/1n_nmd/aws/variables.tf9
-rw-r--r--fdio.infra.terraform/2n_aws_c5n/deploy/main.tf7
-rw-r--r--fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf11
-rw-r--r--fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf4
-rw-r--r--fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf23
-rw-r--r--fdio.infra.terraform/2n_aws_c5n/variables.tf4
-rw-r--r--fdio.infra.terraform/3n_aws_c5n/deploy/main.tf5
-rw-r--r--fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf11
-rw-r--r--fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf4
-rw-r--r--fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf23
21 files changed, 616 insertions, 25 deletions
diff --git a/fdio.infra.ansible/roles/vault/defaults/main.yaml b/fdio.infra.ansible/roles/vault/defaults/main.yaml
new file mode 100644
index 0000000000..232dc40694
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/defaults/main.yaml
@@ -0,0 +1,159 @@
+---
+# file: roles/vault/defaults/main.yaml
+
+# Inst - Prerequisites.
+packages: "{{ packages_base + packages_by_distro[ansible_distribution | lower] + packages_by_arch[ansible_machine] }}"
+packages_base:
+ - "curl"
+ - "unzip"
+packages_by_distro:
+ ubuntu:
+ - []
+packages_by_arch:
+ aarch64:
+ - []
+ x86_64:
+ - []
+
+# Inst - Vault Map.
+vault_version: "1.8.1"
+vault_architecture_map:
+ amd64: "amd64"
+ x86_64: "amd64"
+ armv7l: "arm"
+ aarch64: "arm64"
+ 32-bit: "386"
+ 64-bit: "amd64"
+vault_architecture: "{{ vault_architecture_map[ansible_architecture] }}"
+vault_os: "{{ ansible_system|lower }}"
+vault_pkg: "vault_{{ vault_version }}_{{ vault_os }}_{{ vault_architecture }}.zip"
+vault_zip_url: "https://releases.hashicorp.com/vault/{{ vault_version }}/{{ vault_pkg }}"
+
+# Conf - Service.
+vault_node_role: "server"
+vault_restart_handler_state: "restarted"
+vault_systemd_service_name: "vault"
+
+# Inst - System paths.
+vault_bin_dir: "/usr/local/bin"
+vault_config_dir: "/etc/vault.d"
+vault_data_dir: "/var/vault"
+vault_inst_dir: "/opt"
+vault_run_dir: "/var/run/vault"
+vault_ssl_dir: "/etc/vault.d/ssl"
+
+# Conf - User and group.
+vault_group: "vault"
+vault_group_state: "present"
+vault_user: "vault"
+vault_user_state: "present"
+
+# Conf - Main
+vault_group_name: "vault_instances"
+vault_cluster_name: "yul1"
+vault_datacenter: "yul1"
+vault_log_level: "{{ lookup('env','VAULT_LOG_LEVEL') | default('info', true) }}"
+vault_iface: "{{ lookup('env','VAULT_IFACE') | default(ansible_default_ipv4.interface, true) }}"
+vault_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}"
+vault_ui: "{{ lookup('env', 'VAULT_UI') | default(true, true) }}"
+vault_port: 8200
+vault_use_config_path: false
+vault_main_config: "{{ vault_config_dir }}/vault_main.hcl"
+vault_main_configuration_template: "vault_main_configuration.hcl.j2"
+vault_listener_localhost_enable: false
+vault_http_proxy: ""
+vault_https_proxy: ""
+vault_no_proxy: ""
+
+# Conf - Listeners
+vault_tcp_listeners:
+ - vault_address: "{{ vault_address }}"
+ vault_port: "{{ vault_port }}"
+ vault_cluster_address: "{{ vault_cluster_address }}"
+ vault_tls_disable: "{{ vault_tls_disable }}"
+ vault_tls_config_path: "{{ vault_tls_config_path }}"
+ vault_tls_cert_file: "{{ vault_tls_cert_file }}"
+ vault_tls_key_file: "{{ vault_tls_key_file }}"
+ vault_tls_ca_file: "{{ vault_tls_ca_file }}"
+ vault_tls_min_version: "{{ vault_tls_min_version }}"
+ vault_tls_cipher_suites: "{{ vault_tls_cipher_suites }}"
+ vault_tls_prefer_server_cipher_suites: "{{ vault_tls_prefer_server_cipher_suites }}"
+ vault_tls_require_and_verify_client_cert: "{{ vault_tls_require_and_verify_client_cert }}"
+ vault_tls_disable_client_certs: "{{ vault_tls_disable_client_certs }}"
+ vault_disable_mlock: true
+
+# Conf - Backend
+vault_backend_consul: "vault_backend_consul.j2"
+vault_backend_file: "vault_backend_file.j2"
+vault_backend_raft: "vault_backend_raft.j2"
+vault_backend_etcd: "vault_backend_etcd.j2"
+vault_backend_s3: "vault_backend_s3.j2"
+vault_backend_dynamodb: "vault_backend_dynamodb.j2"
+vault_backend_mysql: "vault_backend_mysql.j2"
+vault_backend_gcs: "vault_backend_gcs.j2"
+
+vault_cluster_disable: false
+vault_cluster_address: "{{ hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address'] }}:{{ (vault_port | int) + 1}}"
+vault_cluster_addr: "{{ vault_protocol }}://{{ vault_cluster_address }}"
+vault_api_addr: "{{ vault_protocol }}://{{ vault_redirect_address | default(hostvars[inventory_hostname]['ansible_'+vault_iface]['ipv4']['address']) }}:{{ vault_port }}"
+
+vault_max_lease_ttl: "768h"
+vault_default_lease_ttl: "768h"
+
+vault_backend_tls_src_files: "{{ vault_tls_src_files }}"
+vault_backend_tls_config_path: "{{ vault_tls_config_path }}"
+vault_backend_tls_cert_file: "{{ vault_tls_cert_file }}"
+vault_backend_tls_key_file: "{{ vault_tls_key_file }}"
+vault_backend_tls_ca_file: "{{ vault_tls_ca_file }}"
+
+vault_consul: "127.0.0.1:8500"
+vault_consul_path: "vault"
+vault_consul_service: "vault"
+vault_consul_scheme: "http"
+
+vault_backend: "consul"
+
+# Conf - Service registration
+vault_service_registration_consul_enable: true
+vault_service_registration_consul_template: "vault_service_registration_consul.hcl.j2"
+vault_service_registration_consul_check_timeout: "5s"
+vault_service_registration_consul_address: "127.0.0.1:8500"
+vault_service_registration_consul_service: "vault"
+vault_service_registration_consul_service_tags: ""
+vault_service_registration_consul_service_address:
+vault_service_registration_consul_disable_registration: false
+vault_service_registration_consul_scheme: "http"
+
+vault_service_registration_consul_tls_config_path: "{{ vault_tls_config_path }}"
+vault_service_registration_consul_tls_cert_file: "{{ vault_tls_cert_file }}"
+vault_service_registration_consul_tls_key_file: "{{ vault_tls_key_file }}"
+vault_service_registration_consul_tls_ca_file: "{{ vault_tls_ca_file }}"
+vault_service_registration_consul_tls_min_version: "{{ vault_tls_min_version }}"
+vault_service_registration_consul_tls_skip_verify: false
+
+# Conf - Telemetry
+vault_telemetry_enabled: true
+vault_telemetry_disable_hostname: false
+vault_prometheus_retention_time: 30s
+
+# Conf - TLS
+validate_certs_during_api_reachable_check: true
+
+vault_tls_config_path: "{{ lookup('env','VAULT_TLS_DIR') | default('/etc/vault/tls', true) }}"
+vault_tls_src_files: "{{ lookup('env','VAULT_TLS_SRC_FILES') | default(role_path+'/files', true) }}"
+
+vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(1, true) }}"
+vault_tls_gossip: "{{ lookup('env','VAULT_TLS_GOSSIP') | default(0, true) }}"
+
+vault_tls_copy_keys: true
+vault_protocol: "{% if vault_tls_disable %}http{% else %}https{% endif %}"
+vault_tls_cert_file: "{{ lookup('env','VAULT_TLS_CERT_FILE') | default('server.crt', true) }}"
+vault_tls_key_file: "{{ lookup('env','VAULT_TLS_KEY_FILE') | default('server.key', true) }}"
+vault_tls_ca_file: "{{ lookup('env','VAULT_TLS_CA_CRT') | default('ca.crt', true) }}"
+
+vault_tls_min_version: "{{ lookup('env','VAULT_TLS_MIN_VERSION') | default('tls12', true) }}"
+vault_tls_cipher_suites: ""
+vault_tls_prefer_server_cipher_suites: "{{ lookup('env','VAULT_TLS_PREFER_SERVER_CIPHER_SUITES') | default('false', true) }}"
+vault_tls_files_remote_src: false
+vault_tls_require_and_verify_client_cert: false
+vault_tls_disable_client_certs: false \ No newline at end of file
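Review bot: `vault_tls_disable` defaults to `1` (TLS off) while the listener binds the host's routable interface address rather than loopback, so unless every deployment exports `VAULT_TLS_DISABLE=0` the Vault API, including every token and secret, crosses the network in plaintext; a secrets store should be secure by default and require an explicit opt-out, e.g. `vault_tls_disable: "{{ lookup('env','VAULT_TLS_DISABLE') | default(0, true) }}"`. Note that flipping the default only works once certificates are actually provisioned, and the certificate-copy task in tasks/main.yaml is commented out in this same commit, so the two need to land together. Separately, `vault_disable_mlock: true` is placed inside the listener entry, but the main configuration template never renders `disable_mlock` at any level, so this setting is dead and Vault's built-in default (mlock required) applies; either render it as a top-level option or drop it so readers are not misled about whether memory locking is enforced.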
diff --git a/fdio.infra.ansible/roles/vault/handlers/main.yaml b/fdio.infra.ansible/roles/vault/handlers/main.yaml
new file mode 100644
index 0000000000..35841c7bc3
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/handlers/main.yaml
@@ -0,0 +1,9 @@
+---
+# file roles/vault/handlers/main.yaml
+
+- name: Restart Vault
+ systemd:
+ daemon_reload: true
+ enabled: true
+ name: "{{ vault_systemd_service_name }}"
+ state: "{{ vault_restart_handler_state }}"
diff --git a/fdio.infra.ansible/roles/vault/meta/main.yaml b/fdio.infra.ansible/roles/vault/meta/main.yaml
new file mode 100644
index 0000000000..b97486a6e7
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/meta/main.yaml
@@ -0,0 +1,23 @@
+---
+# file: roles/vault/meta/main.yaml
+
+# desc: Install vault from repo and configure service.
+# inst: Vault
+# conf: ?
+# info: 1.0 - added role
+
+dependencies: [ ]
+
+galaxy_info:
+ role_name: vault
+ author: fd.io
+ description: Hashicorp Vault.
+ company: none
+ license: "license (Apache)"
+ min_ansible_version: 2.9
+ platforms:
+ - name: Ubuntu
+ versions:
+ - focal
+ galaxy_tags:
+ - vault
diff --git a/fdio.infra.ansible/roles/vault/tasks/main.yaml b/fdio.infra.ansible/roles/vault/tasks/main.yaml
new file mode 100644
index 0000000000..8b9e3bf76f
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/tasks/main.yaml
@@ -0,0 +1,133 @@
+---
+# file: roles/vault/tasks/main.yaml
+
+- name: Inst - Update Package Cache (APT)
+ apt:
+ update_cache: true
+ cache_valid_time: 3600
+ when:
+ - ansible_distribution|lower == 'ubuntu'
+ tags:
+ - vault-inst-prerequisites
+
+- name: Inst - Prerequisites
+ package:
+ name: "{{ packages | flatten(levels=1) }}"
+ state: latest
+ tags:
+ - vault-inst-prerequisites
+
+- name: Conf - Add Vault Group
+ group:
+ name: "{{ vault_group }}"
+ state: "{{ vault_user_state }}"
+ tags:
+ - vault-conf-user
+
+- name: Conf - Add Vault user
+ user:
+ name: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ state: "{{ vault_group_state }}"
+ system: true
+ tags:
+ - vault-conf-user
+
+- name: Inst - Clean Vault
+ file:
+ path: "{{ vault_inst_dir }}/vault"
+ state: "absent"
+ tags:
+ - vault-inst-package
+
+- name: Inst - Download Vault
+ get_url:
+ url: "{{ vault_zip_url }}"
+ dest: "{{ vault_inst_dir }}/{{ vault_pkg }}"
+ tags:
+ - vault-inst-package
+
+- name: Inst - Unarchive Vault
+ unarchive:
+ src: "{{ vault_inst_dir }}/{{ vault_pkg }}"
+ dest: "{{ vault_inst_dir }}/"
+ creates: "{{ vault_inst_dir }}/vault"
+ remote_src: true
+ tags:
+ - vault-inst-package
+
+- name: Inst - Vault
+ copy:
+ src: "{{ vault_inst_dir }}/vault"
+ dest: "{{ vault_bin_dir }}"
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ force: true
+ mode: 0755
+ remote_src: true
+ tags:
+ - vault-inst-package
+
+- name: Inst - Check Vault mlock capability
+ command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
+ changed_when: false # read-only task
+ ignore_errors: true
+ register: vault_mlock_capability
+ tags:
+ - vault-inst-package
+
+- name: Inst - Enable non root mlock capability
+ command: "setcap cap_ipc_lock=+ep {{ vault_bin_dir }}/vault"
+ when: vault_mlock_capability is failed
+ tags:
+ - vault-inst-package
+
+- name: Conf - Create directories
+ file:
+ dest: "{{ item }}"
+ state: directory
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ mode: 0750
+ with_items:
+ - "{{ vault_data_dir }}"
+ - "{{ vault_config_dir }}"
+ - "{{ vault_ssl_dir }}"
+ tags:
+ - vault-conf
+
+- name: Conf - Vault main configuration
+ template:
+ src: "{{ vault_main_configuration_template }}"
+ dest: "{{ vault_main_config }}"
+ owner: "{{ vault_user }}"
+ group: "{{ vault_group }}"
+ mode: 0400
+ tags:
+ - vault-conf
+
+#- name: Conf - Copy Certificates And Keys
+# copy:
+# content: "{{ item.src }}"
+# dest: "{{ item.dest }}"
+# owner: "{{ vault_user }}"
+# group: "{{ vault_group }}"
+# mode: 0600
+# no_log: true
+# loop: "{{ vault_certificates | flatten(levels=1) }}"
+# tags:
+# - vault-conf
+
+- name: Conf - System.d Script
+ template:
+ src: "vault_systemd.service.j2"
+ dest: "/lib/systemd/system/vault.service"
+ owner: "root"
+ group: "root"
+ mode: 0644
+ notify:
+ - "Restart Vault"
+ tags:
+ - vault-conf
+
+- meta: flush_handlers
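Review bot: The `get_url` download of the Vault zip has no `checksum`, so whatever arrives from the release host (or from anything able to interpose on that HTTPS path) is installed as the service binary without integrity verification; HashiCorp publishes a SHA256SUMS file per release, and `get_url` can verify against it directly with `checksum: "sha256:https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_SHA256SUMS"`. The "Check Vault mlock capability" task is not read-only as its comment claims: it runs the same `setcap cap_ipc_lock=+ep` as the task that follows, so it already mutates the binary while reporting `changed_when: false`; inspect with `getcap` instead, e.g. `command: "getcap {{ vault_bin_dir }}/vault"` and test for `cap_ipc_lock` in stdout. The user and group tasks also have their state variables swapped (`group:` uses `vault_user_state`, `user:` uses `vault_group_state`), which is harmless while both are `present` but will do the wrong thing the moment someone sets one of them to `absent`.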
diff --git a/fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j2 b/fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j2
new file mode 100644
index 0000000000..c45498af90
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/templates/vault_backend_consul.j2
@@ -0,0 +1,15 @@
+backend "consul" {
+ address = "{{ vault_consul }}"
+ path = "{{ vault_consul_path }}"
+ service = "{{ vault_consul_service }}"
+ {% if vault_consul_token is defined and vault_consul_token -%}
+ token = "{{ vault_consul_token }}"
+ {% endif -%}
+ scheme = "{{ vault_consul_scheme }}"
+ {% if vault_tls_gossip | bool -%}
+ tls_cert_file = "{{ vault_backend_tls_config_path }}/{{ vault_backend_tls_cert_file }}"
+ tls_key_file = "{{ vault_backend_tls_config_path }}/{{ vault_backend_tls_key_file }}"
+ tls_ca_file="{{ vault_backend_tls_config_path }}/{{ vault_backend_tls_ca_file }}"
+ {% endif %}
+
+} \ No newline at end of file
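Review bot: The Consul storage TLS files are gated on `vault_tls_gossip` while the connection scheme is independently taken from `vault_consul_scheme` (default `http`), so the two can disagree: gossip on with scheme `http` emits cert paths that are never used, and scheme `https` with gossip off emits no `tls_ca_file`, leaving the storage connection relying on system trust. The sibling service-registration template keys its TLS block on `scheme == "https"`; using the same condition here, `{% if vault_consul_scheme == "https" -%}`, makes the storage backend behave consistently with it. The Consul ACL token is rendered into the 0400 config file, which is acceptable, but it is worth a comment that this file is the only place it lives on disk.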
diff --git a/fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j2 b/fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j2
new file mode 100644
index 0000000000..dec4fff8d9
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/templates/vault_main_configuration.hcl.j2
@@ -0,0 +1,93 @@
+cluster_name = "{{ vault_cluster_name }}"
+max_lease_ttl = "{{ vault_max_lease_ttl }}"
+default_lease_ttl = "{{ vault_default_lease_ttl }}"
+
+disable_clustering = "{{ vault_cluster_disable | bool | lower }}"
+cluster_addr = "{{ vault_cluster_addr }}"
+api_addr = "{{ vault_api_addr }}"
+
+{% for l in vault_tcp_listeners %}
+listener "tcp" {
+ address = "{{ l.vault_address }}:{{ l.vault_port }}"
+ cluster_address = "{{ l.vault_cluster_address }}"
+ {% if (l.vault_proxy_protocol_behavior is defined and l.vault_proxy_protocol_behavior) -%}
+ proxy_protocol_behavior = "{{ l.vault_proxy_protocol_behavior }}"
+ {% if (l.vault_proxy_protocol_authorized_addrs is defined) -%}
+ proxy_protocol_authorized_addrs = "{{ l.vault_proxy_protocol_authorized_addrs }}"
+ {% endif -%}
+ {% endif -%}
+ {% if not (l.vault_tls_disable | bool) -%}
+ tls_cert_file = "{{ l.vault_tls_config_path }}/{{ l.vault_tls_cert_file }}"
+ tls_key_file = "{{ l.vault_tls_config_path }}/{{ l.vault_tls_key_file }}"
+ tls_client_ca_file="{{ l.vault_tls_config_path }}/{{ l.vault_tls_ca_file }}"
+ tls_min_version = "{{ l.vault_tls_min_version }}"
+ {% if vault_tls_cipher_suites is defined and vault_tls_cipher_suites -%}
+ tls_cipher_suites = "{{ l.vault_tls_cipher_suites}}"
+ {% endif -%}
+ tls_prefer_server_cipher_suites = "{{ l.vault_tls_prefer_server_cipher_suites }}"
+ {% if (l.vault_tls_require_and_verify_client_cert | bool) -%}
+ tls_require_and_verify_client_cert = "{{ l.vault_tls_require_and_verify_client_cert | bool | lower}}"
+ {% endif -%}
+ {% if (l.vault_tls_disable_client_certs | bool) -%}
+ tls_disable_client_certs = "{{ l.vault_tls_disable_client_certs | bool | lower}}"
+ {% endif -%}
+ {% endif -%}
+ tls_disable = "{{ l.vault_tls_disable | bool | lower }}"
+}
+{% endfor %}
+
+{% if (vault_listener_localhost_enable | bool) -%}
+listener "tcp" {
+ address = "127.0.0.1:{{ vault_port }}"
+ cluster_address = "127.0.0.1:8201"
+ tls_disable = "true"
+}
+{% endif -%}
+
+{#
+ Select which storage backend you want generated and placed
+ in the vault configuration file.
+#}
+{%- if vault_backend == 'consul' -%}
+ {% include vault_backend_consul with context %}
+{% elif vault_backend == 'etcd' -%}
+ {% include vault_backend_etcd with context %}
+{% elif vault_backend == 'file' -%}
+ {% include vault_backend_file with context %}
+{% elif vault_backend == 's3' -%}
+ {% include vault_backend_s3 with context %}
+{% elif vault_backend == 'dynamodb' -%}
+ {% include vault_backend_dynamodb with context %}
+{% elif vault_backend == 'mysql' -%}
+ {% include vault_backend_mysql with context %}
+{% elif vault_backend == 'gcs' -%}
+ {% include vault_backend_gcs with context %}
+{% elif vault_backend == 'raft' -%}
+ {% include vault_backend_raft with context %}
+{% endif %}
+
+{% if vault_service_registration_consul_enable -%}
+ {% include vault_service_registration_consul_template with context %}
+{% endif %}
+
+{% if vault_ui %}
+ui = {{ vault_ui | bool | lower }}
+{% endif %}
+
+{% if vault_telemetry_enabled | bool -%}
+telemetry {
+ {% if vault_statsite_address is defined -%}
+ statsite_address = "{{vault_statsite_address}}"
+ {% endif -%}
+ {% if vault_statsd_address is defined -%}
+ statsd_address = "{{vault_statsd_address}}"
+ {% endif -%}
+ {% if vault_prometheus_retention_time is defined -%}
+ prometheus_retention_time = "{{ vault_prometheus_retention_time }}"
+ {% endif -%}
+ {% if vault_telemetry_disable_hostname is defined -%}
+ disable_hostname = {{vault_telemetry_disable_hostname | bool | lower }}
+ {% endif %}
+
+}
+{% endif %} \ No newline at end of file
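Review bot: The cipher-suite guard tests the global `vault_tls_cipher_suites` but then renders the per-listener `l.vault_tls_cipher_suites`, so a listener-level suite list is silently dropped whenever the global default stays empty, and a non-empty global with an empty listener value renders `tls_cipher_suites = ""`; the guard should look at the same value it renders, `{% if l.vault_tls_cipher_suites is defined and l.vault_tls_cipher_suites -%}`. `disable_mlock` is never rendered even though the defaults file sets `vault_disable_mlock`, so the operator-facing knob has no effect; either add `disable_mlock = {{ vault_disable_mlock | bool | lower }}` at top level or remove the default. The localhost listener hardcodes `cluster_address = "127.0.0.1:8201"` rather than deriving it from `vault_port`, which will collide silently if `vault_port` is ever changed.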
diff --git a/fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j2 b/fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j2
new file mode 100644
index 0000000000..cd5da1ffb6
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/templates/vault_service_registration_consul.hcl.j2
@@ -0,0 +1,22 @@
+service_registration "consul" {
+ address = "{{ vault_service_registration_consul_address }}"
+ check_timeout = "{{ vault_service_registration_consul_check_timeout }}"
+ disable_registration = "{{ vault_service_registration_consul_disable_registration | bool | lower }}"
+ scheme = "{{ vault_service_registration_consul_scheme }}"
+ service = "{{ vault_service_registration_consul_service }}"
+ service_tags = "{{ vault_service_registration_consul_service_tags }}"
+ {% if vault_service_registration_consul_service_address is defined and vault_service_registration_consul_service_address -%}
+ service_address = "{{ vault_service_registration_consul_service_address }}"
+ {% endif -%}
+ {% if vault_service_registration_consul_token is defined and vault_service_registration_consul_token -%}
+ token = "{{ vault_service_registration_consul_token }}"
+ {% endif -%}
+ {% if vault_service_registration_consul_scheme == "https" -%}
+ tls_ca_file="{{ vault_service_registration_consul_tls_config_path }}/{{ vault_service_registration_consul_tls_ca_file }}"
+ tls_cert_file = "{{ vault_service_registration_consul_tls_config_path }}/{{ vault_service_registration_consul_tls_cert_file }}"
+ tls_key_file = "{{ vault_service_registration_consul_tls_config_path }}/{{ vault_service_registration_consul_tls_key_file }}"
+ tls_min_version = "{{ vault_service_registration_consul_tls_min_version }}"
+ tls_skip_verify = "{{ vault_service_registration_consul_tls_skip_verify }}"
+ {% endif %}
+
+} \ No newline at end of file
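Review bot: `tls_skip_verify` is rendered from the raw Ansible boolean, producing `"False"`/`"True"` in the HCL, while every other boolean in this file and the main template goes through `| bool | lower`; Vault's parser appears to tolerate the capitalised form, but the inconsistency means anyone later passing a string like `"no"` gets an unparseable config rather than the normalisation the other fields receive. Use the same form, `tls_skip_verify = "{{ vault_service_registration_consul_tls_skip_verify | bool | lower }}"`. `service_tags = ""` is also always emitted, so the empty default produces an empty-string tag list rather than omitting the key.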
diff --git a/fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j2 b/fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j2
new file mode 100644
index 0000000000..5d2ca78b2e
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/templates/vault_systemd.service.j2
@@ -0,0 +1,30 @@
+[Unit]
+Description=Vault
+Documentation=https://www.vaultproject.io/docs/
+Requires=network-online.target
+After=network-online.target
+
+[Service]
+User={{ vault_user }}
+Group={{ vault_group }}
+ProtectSystem=full
+ProtectHome=read-only
+PrivateTmp=yes
+PrivateDevices=yes
+NoNewPrivileges=yes
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart={{ vault_bin_dir }}/vault {{ vault_node_role }} -config={{ vault_config_dir }}
+KillMode=process
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitInterval=60
+StartLimitBurst=3
+LimitNOFILE=524288
+LimitNPROC=524288
+LimitMEMLOCK=infinity
+LimitCORE=0
+
+[Install]
+WantedBy=multi-user.target \ No newline at end of file
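Review bot: `NoNewPrivileges=yes` stops the file capability the tasks set with `setcap cap_ipc_lock=+ep` from being added to the permitted set at exec, so the capability work in tasks/main.yaml is defeated by this unit and the service has no CAP_IPC_LOCK unless it is granted ambiently. HashiCorp's reference unit pairs `NoNewPrivileges=yes` with `AmbientCapabilities=CAP_IPC_LOCK`, `CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK` and `SecureBits=keep-caps` for exactly this reason; adding those three lines under `[Service]` keeps the hardening and restores mlock. I cannot see from the diff whether the deployed instances start successfully; if they do, it is worth confirming in the journal that Vault actually reports mlock as enabled rather than failing to lock memory.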
diff --git a/fdio.infra.ansible/roles/vault/vars/main.yaml b/fdio.infra.ansible/roles/vault/vars/main.yaml
new file mode 100644
index 0000000000..2b16a63fdf
--- /dev/null
+++ b/fdio.infra.ansible/roles/vault/vars/main.yaml
@@ -0,0 +1,5 @@
+---
+# file: roles/vault/vars/main.yaml
+
+vault_node_client: "{{ (vault_node_role == 'client') or (vault_node_role == 'both') }}"
+vault_node_server: "{{ (vault_node_role == 'server') or (vault_node_role == 'both') }}"
diff --git a/fdio.infra.terraform/1n_nmd/aws/main.tf b/fdio.infra.terraform/1n_nmd/aws/main.tf
new file mode 100644
index 0000000000..6768203441
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/main.tf
@@ -0,0 +1,37 @@
+resource "vault_aws_secret_backend" "aws" {
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+ path = "${var.name}-path"
+
+ default_lease_ttl_seconds = "120"
+ max_lease_ttl_seconds = "240"
+}
+
+resource "vault_aws_secret_backend_role" "admin" {
+ backend = vault_aws_secret_backend.aws.path
+ name = "${var.name}-role"
+ credential_type = "iam_user"
+
+ policy_document = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:*", "ec2:*"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+EOF
+}
+
+output "backend" {
+ value = vault_aws_secret_backend.aws.path
+}
+
+output "role" {
+ value = vault_aws_secret_backend_role.admin.name
+} \ No newline at end of file
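Review bot: The role policy hands every minted IAM user `iam:*` and `ec2:*` on `Resource: "*"`, and an identity holding `iam:*` can attach AdministratorAccess to itself or create further users, so each short-lived credential this role issues is effectively an account-admin credential for its lifetime; the 120s/240s TTLs shrink the window but not the blast radius. The consumers added in this commit only create VPC/EC2 resources, so scope `Action` to the EC2 calls the deploy modules use and drop `iam:*` unless a specific action (for example `iam:PassRole` or `iam:CreateServiceLinkedRole`) turns out to be required. Note also that `access_key`/`secret_key` passed to `vault_aws_secret_backend` are written to Terraform state in plaintext, so the state backend for this module needs the same protection as the root credential itself.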
diff --git a/fdio.infra.terraform/1n_nmd/aws/providers.tf b/fdio.infra.terraform/1n_nmd/aws/providers.tf
new file mode 100644
index 0000000000..49922fd78f
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/providers.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_providers {
+ vault = {
+ version = ">=2.22.1"
+ }
+ }
+ required_version = ">= 1.0.3"
+}
+
+provider "vault" {
+ address = "http://10.30.51.28:8200"
+ skip_tls_verify = true
+ token = "s.4z5PsufFwV3sHbCzK9Y2Cojd"
+} \ No newline at end of file
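Review bot: A Vault token literal, `s.4z5PsufFwV3sHbCzK9Y2Cojd`, is committed in the provider block alongside a plaintext `http://` address, so it has to be treated as disclosed and revoked now regardless of whether it is still valid; a token that can mint admin-level AWS users should never be in source. The provider reads `VAULT_ADDR` and `VAULT_TOKEN` from the environment, so the block can shrink to `provider "vault" {}` with the secret supplied by the CI job, and `skip_tls_verify = true` should go with it rather than being left as a trap for when the address moves to HTTPS. The `vault` entry in `required_providers` also lacks a `source` and has an open-ended `>=` bound unlike the `~>` pins elsewhere; `source = "hashicorp/vault"` with `version = "~> 2.22"` keeps provider upgrades deliberate.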
diff --git a/fdio.infra.terraform/1n_nmd/aws/variables.tf b/fdio.infra.terraform/1n_nmd/aws/variables.tf
new file mode 100644
index 0000000000..11c3535266
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/variables.tf
@@ -0,0 +1,9 @@
+variable "aws_access_key" {
+}
+
+variable "aws_secret_key" {
+}
+
+variable "name" {
+ default = "dynamic-aws-creds-vault-admin"
+} \ No newline at end of file
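Review bot: `aws_access_key` and `aws_secret_key` carry the root AWS credential into Vault yet are declared without `sensitive = true`, so their values are echoed in plan output and error messages; `required_version >= 1.0.3` is in this commit, so the attribute is available. Adding `type = string` and a description also documents what these are, which the bare declarations do not. This does not keep the values out of state, so the state backend still has to be locked down as for any secret.
```hcl
variable "aws_access_key" {
  description = "Root AWS access key handed to Vault's AWS secrets engine to mint IAM users."
  type        = string
  sensitive   = true
}

variable "aws_secret_key" {
  description = "Secret key paired with aws_access_key."
  type        = string
  sensitive   = true
}

# … unchanged: variable "name" …
```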
diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf
index b9d6f188bb..95464fa177 100644
--- a/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf
+++ b/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf
@@ -1,11 +1,12 @@
-provider "aws" {
- region = var.region
+data "vault_aws_access_credentials" "creds" {
+ backend = "${var.vault-name}-path"
+ role = "${var.vault-name}-role"
}
resource "aws_vpc" "CSITVPC" {
cidr_block = var.vpc_cidr_mgmt
- tags = {
+ tags = {
"Name" = "${var.resources_name_prefix}_${var.testbed_name}-vpc"
"Environment" = var.environment_name
}
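Review bot: The `vault_aws_access_credentials` data source fetches an `iam_user` credential whose lifetime is bounded by the backend created in `1n_nmd/aws/main.tf` in this same commit (120s default, 240s max), and a VPC plus multi-instance apply routinely runs longer than four minutes, so the credential can be revoked mid-apply and leave half-created resources behind. Either raise the backend's lease TTLs to cover a full apply or, if the provider version in use supports it, request a longer lease on the data source itself; this needs confirming against the provider docs rather than assumed. The `${var.vault-name}-path` / `-role` suffixes reproduce a naming convention from the other module by string concatenation, which will drift silently if either side changes; exposing the backend path and role name as outputs and passing them in would be safer. The `aws_vpc` resource continues outside the hunk.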
diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf
new file mode 100644
index 0000000000..a74ebb2455
--- /dev/null
+++ b/fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+ region = var.region
+ access_key = data.vault_aws_access_credentials.creds.access_key
+ secret_key = data.vault_aws_access_credentials.creds.secret_key
+}
+
+provider "vault" {
+ address = "http://10.30.51.28:8200"
+ skip_tls_verify = true
+ token = "s.4z5PsufFwV3sHbCzK9Y2Cojd"
+} \ No newline at end of file
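Review bot: This provider block commits the same Vault token literal and plaintext address as `1n_nmd/aws/providers.tf`, so the token is disclosed in a second place and must be revoked; replace the block with `provider "vault" {}` and supply `VAULT_ADDR`/`VAULT_TOKEN` from the job environment. `skip_tls_verify = true` is inert against an `http://` address but will silently disable certificate checking the day the address becomes HTTPS, so remove it rather than carry it forward. The AWS provider block is fine, but a short comment noting that the credentials are short-lived Vault-issued IAM users (and therefore tied to the backend's TTL) would help the next reader.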
diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf
index ca974709cd..429c5040de 100644
--- a/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf
+++ b/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf
@@ -3,6 +3,10 @@ variable "region" {
type = string
}
+variable "vault-name" {
+ default = "dynamic-aws-creds-vault-admin"
+}
+
variable "ami_image" {
description = "AWS AMI image name"
type = string
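Review bot: The new `vault-name` variable uses a hyphen where every other variable in this file uses snake_case, and it has neither a `type` nor a `description`, so nothing documents that its value must match the `name` used when the secrets backend was created. Renaming would touch main.tf, so at minimum add `type = string` and a description such as `"Name used for the Vault AWS secrets backend path and role (must match 1n_nmd/aws)."` to make the cross-module coupling visible.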
diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf
index 8017bb9dc3..05fa5502b5 100644
--- a/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf
+++ b/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf
@@ -1,17 +1,20 @@
terraform {
required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.32.0"
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.32.0"
}
- null = {
- source = "hashicorp/null"
- version = "~> 3.0.0"
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.0.0"
}
- tls = {
- source = "hashicorp/tls"
- version = "~> 3.0.0"
+ tls = {
+ source = "hashicorp/tls"
+ version = "~> 3.0.0"
+ }
+ vault = {
+ version = ">=2.22.1"
}
}
- required_version = ">= 0.13"
+ required_version = ">= 1.0.3"
}
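Review bot: The `vault` provider entry has no `source` and an open-ended `>=2.22.1` constraint, unlike the `~>` pins used for `aws`, `null` and `tls` in the same block, so any future major release of the provider will be pulled in automatically by `terraform init` on a fresh checkout. Make it consistent with its neighbours: `source = "hashicorp/vault"` and `version = "~> 2.22"`, and commit the lock file so the resolved version is reproducible.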
diff --git a/fdio.infra.terraform/2n_aws_c5n/variables.tf b/fdio.infra.terraform/2n_aws_c5n/variables.tf
index c5c74f6d13..43a2df335a 100644
--- a/fdio.infra.terraform/2n_aws_c5n/variables.tf
+++ b/fdio.infra.terraform/2n_aws_c5n/variables.tf
@@ -4,6 +4,10 @@ variable "region" {
default = "eu-central-1"
}
+variable "vault-name" {
+ default = "dynamic-aws-creds-vault-admin"
+}
+
variable "avail_zone" {
description = "AWS availability zone"
type = string
diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf
index d8968bf5fe..3ca8758678 100644
--- a/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf
+++ b/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf
@@ -1,5 +1,6 @@
-provider "aws" {
- region = var.region
+data "vault_aws_access_credentials" "creds" {
+ backend = "${var.vault-name}-path"
+ role = "${var.vault-name}-role"
}
resource "aws_vpc" "CSITVPC" {
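Review bot: As in the 2n module, the `vault_aws_access_credentials` lookup yields an `iam_user` credential bounded by the backend's 120s/240s TTLs from `1n_nmd/aws/main.tf`, and a three-node deploy is likely to outlive that lease, leaving a partially applied state when the credential is revoked. The backend TTLs need to cover a full apply of this module, and the `${var.vault-name}-path`/`-role` string coupling should be replaced by outputs from the secrets module. The `aws_vpc` resource continues outside the hunk.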
diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf
new file mode 100644
index 0000000000..a74ebb2455
--- /dev/null
+++ b/fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+ region = var.region
+ access_key = data.vault_aws_access_credentials.creds.access_key
+ secret_key = data.vault_aws_access_credentials.creds.secret_key
+}
+
+provider "vault" {
+ address = "http://10.30.51.28:8200"
+ skip_tls_verify = true
+ token = "s.4z5PsufFwV3sHbCzK9Y2Cojd"
+} \ No newline at end of file
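Review bot: A third copy of the hard-coded Vault token and plaintext `http://` address is committed here; the token is disclosed and must be revoked, and the block should reduce to `provider "vault" {}` with `VAULT_ADDR`/`VAULT_TOKEN` injected by CI. Drop `skip_tls_verify = true` as well so that a move to HTTPS does not silently skip certificate validation.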
diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf
index 5dbc481938..97e986bb2f 100644
--- a/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf
+++ b/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf
@@ -3,6 +3,10 @@ variable "region" {
type = string
}
+variable "vault-name" {
+ default = "dynamic-aws-creds-vault-admin"
+}
+
variable "ami_image" {
description = "AWS AMI image name"
type = string
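Review bot: `vault-name` is declared without `type` or `description` and uses a hyphen where the rest of the file uses snake_case, so the reader has no signal that it must agree with the backend `name` in `1n_nmd/aws`. Add `type = string` and a description stating that coupling.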
diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf
index 8017bb9dc3..05fa5502b5 100644
--- a/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf
+++ b/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf
@@ -1,17 +1,20 @@
terraform {
required_providers {
- aws = {
- source = "hashicorp/aws"
- version = "~> 3.32.0"
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 3.32.0"
}
- null = {
- source = "hashicorp/null"
- version = "~> 3.0.0"
+ null = {
+ source = "hashicorp/null"
+ version = "~> 3.0.0"
}
- tls = {
- source = "hashicorp/tls"
- version = "~> 3.0.0"
+ tls = {
+ source = "hashicorp/tls"
+ version = "~> 3.0.0"
+ }
+ vault = {
+ version = ">=2.22.1"
}
}
- required_version = ">= 0.13"
+ required_version = ">= 1.0.3"
}
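Review bot: The `vault` provider entry is unpinned (`>=2.22.1`) and has no `source`, while the adjacent providers are pinned with `~>`, so provider upgrades for this module are not reproducible across checkouts. Use `source = "hashicorp/vault"` and `version = "~> 2.22"` to match the rest of the block.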