aherman
/
boundary
mirror of https://github.com/hashicorp/boundary
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c2bc19c71f'
${ noResults }
boundary/website/content/docs/install-boundary/terraform-patterns/terraform-credentials-and-c...

199 lines
8.0 KiB
Raw Blame History

---
layout: docs
page_title: Terraform patterns for Boundary credentials and credential stores
description: >-
Use Terraform patterns to create and manage Boundary credentials and credential stores. Learn how to create static or Vault credential stores, add credentials.
---
# Terraform patterns for Boundary credentials and credential stores
Boundary supports multiple types of static credentials and Vault dynamic credentials. A credential store stores credentials for hosts. Static credential stores can hold username/passwords, JSON tokens, SSH key pairs, and SSH certificates.
## Requirements
This document assumes the reader has:
- An understanding of [Terraform](/terraform/docs) fundamentals
- An existing Boundary installation. Refer to [Initialize Boundary](/boundary/docs/install-boundary/initialize) to learn about deploying Boundary.
- Configured the [Terraform Boundary provider](/boundary/docs/install-boundary/terraform-patterns/#terraform-provider-configuration).
- Configured [hosts](/boundary/docs/install-boundary/terraform-patterns/terraform-hosts-and-host-management) for any credential store you plan to create.
## Static credential store configuration
This example creates both a static credential store and a Vault credential store.
```hcl
# Create a static credential store
resource "boundary_credential_store_static" "example" {
name = "example_static_credential_store"
description = "My first static credential store"
scope_id = boundary_scope.project.id
}
# Create a Vault credential store
resource "boundary_credential_store_vault" "example" {
name = "vault_store"
description = "My first Vault credential store"
# change to your Vault address
address = "http://127.0.0.1:8200"
# Use a token that has rights to access the secrets in Vault that
# Boundary should use
token = var.vault_token
scope_id = boundary_scope.project.id
}
```
After you create a credential store, you can create one or more credentials in that store.
### Add static credentials configuration
This example creates static credentials that Boundary manages. The credentials are for a user named Carlos.
```hcl
# Create a username/password combination
resource "boundary_credential_username_password" "carlos" {
name = "example_username_password"
description = "My first username password credential"
credential_store_id = boundary_credential_store_static.example.id
username = "Carlos"
password = "Carlos-password"
}
# Create an ssh private key
resource "boundary_credential_ssh_private_key" "carlos_ssh" {
name = "example_ssh_private_key"
description = "My first ssh private key credential"
credential_store_id = boundary_credential_store_static.example.id
username = "carlos"
# You can also load the private_key from a file using the Terraform file() function.
private_key = var.carlos_ssh_key
# change to the passphrase of the private key, if required
private_key_passphrase = "optional-passphrase"
}
# Create a JSON credential
resource "boundary_credential_json" "example" {
name = "example_json"
description = "My first json credential"
credential_store_id = boundary_credential_store_static.example.id
# This points to the actual json file. You can also load this from a variable.
object = file("~/object.json")
}
```
## Vault credential store configuration
For Vault credential stores, you can then create a credential library which distributes credentials of a specific access level from a Vault path.
This example creates a credential library that reads secrets from a Vault path called `my/secret/foo`.
```hcl
resource "boundary_credential_library_vault" "foo" {
name = "foo"
description = "My first Vault credential library"
credential_store_id = boundary_credential_store_vault.example.id
# Defines a valid Vault secret path
path = "my/secret/foo"
http_method = "GET"
}
```
### Translate key names from Vault configuration
If you need to translate the key names from Vault into values expected by
Boundary, use this pattern.
```hcl
resource "boundary_credential_library_vault" "baz" {
name = "baz"
description = "vault username password credential with mapping overrides"
credential_store_id = boundary_credential_store_vault.example.id
# Defines the vault path that contains the secret you need
path = "my/secret/baz"
http_method = "GET"
credential_type = "username_password"
# This maps the username and password field names in Vault to their names in Boundary
credential_mapping_overrides = {
password_attribute = "alternative_password_label"
username_attribute = "alternative_username_label"
}
}
```
### Use SSH certificates as credentials configuration
To use SSH certificates as credentials, you use the `boundary_credential_vault_ssh_certificate` resource as shown in this example.
```hcl
resource "boundary_credential_library_vault_ssh_certificate" "example" {
name = "foo"
description = "My first Vault SSH certificate credential library"
credential_store_id = boundary_credential_store_vault.foo.id
# Declares the vault path that generates certificates
path = "ssh/sign/foo"
# Defines the username
username = "foo"
}
```
### Declare additional certificate attributes and extensions configuration
This example declares additional certificate attributes and extensions. Note that you can enable extensions by declaring their names and setting their values to empty strings.
```hcl
resource "boundary_credential_library_vault_ssh_certificate" "example" {
name = "baz"
description = "vault "
credential_store_id = boundary_credential_store_vault.foo.id
path = "ssh/issue/foo" # change to the Vault endpoint and role
username = "foo"
# Defines additional optional certificate attributes
key_type = "rsa"
key_bits = 4096
extensions = {
permit-pty = ""
permit-X11-forwarding = ""
}
critical_options = {
force-command = "/bin/some_script"
}
}
```
## More information
For more information about the Boundary resources mentioned in this topic, refer to the domain model documentation:
- [Credential stores](/boundary/docs/concepts/domain-model/credential-stores)
- [Credentials](/boundary/docs/concepts/domain-model/credentials)
- [Credential libraries](/boundary/docs/concepts/domain-model/credential-libraries)
For more information about managing the following resources using Terraform, refer to the Boundary provider documentation:
- Credentials
- [JSON](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_json/)
- [SSH private keys](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_ssh_private_key/)
- [Username/passwords](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_username_password/)
- Credential libraries
- [Vault](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_library_vault/)
- [Vault SSH certificates](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_library_vault_ssh_certificate/)
- Credential stores
- [Static](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_store_static/)
- [Vault](https://registry.terraform.io/providers/hashicorp/boundary/latest/docs/resources/credential_store_vault/)
## Next steps
Once you have configured credentials and credential stores, you may want to enable [session recording](/boundary/docs/install-boundary/terraform-patterns/terraform-session-recording) for auditing purposes or configure [targets](/boundary/docs/install-boundary/terraform-patterns/terraform-targets) for your users to connect to.
Reference in new issue View Git Blame Copy Permalink