Annexe 1 - AppRoles

1. Goals

When you use a tool like Vault to automate the creation and distribution of secrets (tokens, certificates, etc.), it is also worth rethinking how those secrets are delivered to each host.
HashiCorp's blog already has a very good article on using Vault AppRoles.

In this demo, I try to follow the good practices as closely as possible:

In this demo, we must be able to provide:

2. Image creation with Packer

First, an image is created with Packer.

Packer is used to prepare and install everything that needs no per-host customization (or no per-datacenter customization, if you do not want different AMIs in different datacenters).

As the diagram shows, the bastion host, which runs Packer, makes all the requests to the Vault PKI backend.
It then writes the results into the image Packer is building.


The host will also need the SSL/TLS Certificate Authority certificates, so they are copied from the bastion host.

3. Preparing the host to join the Consul cluster

Once a host is started from that AMI, we can prepare its access to the Consul cluster.

Once again the bastion host makes all the Vault requests, this time to create the AppRole role that is unique to this host.


4. Host provisioning

The host can now be provisioned.

  1. First, it needs the Role ID of the newly created AppRole, which is specific to this host.


  2. Then, it needs the AppRole Secret IDs and all the other secrets.


  3. Finally, the host makes the remaining requests itself, because their results are unique to it:

    • requesting new SSL/TLS certificates
    • requesting new Consul cluster tokens

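The role creation of section 3 and the three provisioning steps above, as one runnable example. This is added code, not the article's own (the article does this work in Ansible and Terraform): it talks to the Vault HTTP API using only the Python standard library. The mount paths (auth/approle, pki, consul), the role and policy names, the host CIDR and the TTLs are assumptions chosen for illustration. The point it makes explicit is the split delivery: the bastion hands the host its Role ID and a response-wrapped, single-use Secret ID through separate steps, so that neither piece on its own, and no intercepted wrapping token, lets anyone else log in as that host. A constructed in-memory stand-in for Vault is included so the flow can be exercised offline.

```python
"""Per-host AppRole bootstrap, split between the bastion and the host.

Added example (not the article's own code): standard-library client for the
Vault HTTP API. Mount paths, role names, policy names, CIDRs and TTLs are
assumptions chosen for illustration.
"""
import json
import urllib.request


def http_transport(vault_addr):
    """Return call(method, path, token=None, body=None, headers=None) -> dict."""
    def call(method, path, token=None, body=None, headers=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(f"{vault_addr}/v1/{path}", data=data, method=method)
        req.add_header("Content-Type", "application/json")
        if token:
            req.add_header("X-Vault-Token", token)
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return call


# --- bastion side: one AppRole role per host ---------------------------------

def create_host_role(call, admin_token, hostname, policies, host_cidr):
    """Create auth/approle/role/<hostname> with hardened settings; return its Role ID."""
    call("POST", f"auth/approle/role/{hostname}", token=admin_token, body={
        "token_policies": policies,
        "secret_id_num_uses": 1,               # one login per Secret ID
        "secret_id_ttl": "10m",                # must be consumed during provisioning
        "secret_id_bound_cidrs": [host_cidr],  # only this host may log in with it
        "token_ttl": "1h",
        "token_max_ttl": "24h",
    })
    return call("GET", f"auth/approle/role/{hostname}/role-id", token=admin_token)["data"]["role_id"]


def wrapped_secret_id(call, admin_token, hostname, wrap_ttl="5m"):
    """Generate a Secret ID but only ever handle its single-use wrapping token."""
    resp = call("POST", f"auth/approle/role/{hostname}/secret-id", token=admin_token,
                headers={"X-Vault-Wrap-TTL": wrap_ttl})
    return resp["wrap_info"]["token"]


# --- host side: unwrap, log in, then fetch what only this host needs ---------

def bootstrap_host(call, role_id, wrapping_token, common_name, pki_role="hosts", consul_role="hosts"):
    """Unwrap the Secret ID, log in, and request the host's own cert and Consul token."""
    secret_id = call("POST", "sys/wrapping/unwrap", token=wrapping_token)["data"]["secret_id"]
    auth = call("POST", "auth/approle/login", body={"role_id": role_id, "secret_id": secret_id})["auth"]
    tok = auth["client_token"]
    cert = call("POST", f"pki/issue/{pki_role}", token=tok, body={"common_name": common_name, "ttl": "72h"})["data"]
    consul = call("GET", f"consul/creds/{consul_role}", token=tok)["data"]
    return {"policies": auth["policies"], "cert_serial": cert["serial_number"], "consul_token": consul["token"]}


# --- constructed in-memory stand-in for Vault, so the flow runs offline ------

def fake_vault():
    state = {"roles": {}, "wrapped": {}, "secret_ids": {}}

    def call(method, path, token=None, body=None, headers=None):
        parts = path.split("/")
        if path.startswith("auth/approle/role/") and method == "POST" and len(parts) == 4:
            state["roles"][parts[3]] = body
            return {}
        if path.endswith("/role-id"):
            return {"data": {"role_id": f"rid-{parts[3]}"}}
        if path.endswith("/secret-id"):
            sid = f"sid-{parts[3]}-{len(state['secret_ids'])}"
            state["secret_ids"][sid] = parts[3]
            wrap_token = f"wrap-{sid}"
            state["wrapped"][wrap_token] = sid
            return {"wrap_info": {"token": wrap_token}}
        if path == "sys/wrapping/unwrap":
            sid = state["wrapped"].pop(token, None)  # single use: a second unwrap fails
            if sid is None:
                raise PermissionError("wrapping token invalid or already used")
            return {"data": {"secret_id": sid}}
        if path == "auth/approle/login":
            host = state["secret_ids"].pop(body["secret_id"], None)  # secret_id_num_uses=1
            if host is None or body["role_id"] != f"rid-{host}":
                raise PermissionError("login denied")
            return {"auth": {"client_token": f"tok-{host}", "policies": state["roles"][host]["token_policies"]}}
        if path.startswith("pki/issue/"):
            return {"data": {"serial_number": "00:ab", "certificate": "-----BEGIN CERTIFICATE-----..."}}
        if path.startswith("consul/creds/"):
            return {"data": {"token": f"consul-token-{token}"}}
        raise KeyError(path)
    return call


if __name__ == "__main__":
    vault = fake_vault()  # for real use: http_transport("https://vault.example.internal:8200")
    rid = create_host_role(vault, "s.admin", "web-01", ["host-web-01"], "10.0.1.10/32")
    wt = wrapped_secret_id(vault, "s.admin", "web-01")
    print(bootstrap_host(vault, rid, wt, "web-01.example.internal"))
```

In production the bastion passes `rid` and `wt` to the host by two different paths (for instance the Role ID baked into instance metadata and the wrapping token pushed over SSH by Ansible), and the host should treat an unwrap failure as a security event rather than a retry: it means the wrapping token was already consumed by someone else.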

Many of these tasks are done in Ansible because the Terraform providers do not (for now) offer enough features to do them directly.
I hope more features will be added so that more of this work can be done in Terraform: that should improve speed and maintainability.

5. And it's done!