sa_8001/dsk-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

file 이전

Browse Source
This commit is contained in:
havelight-ee
2023-04-03 11:20:43 +09:00
parent 1b523b539d
commit c4747e51b1
229 changed files with 1081 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
aws_middle/vault/00-main.tf Normal file
View File

@@ -0,0 +1,8 @@
provider "aws" {
region = var.aws_region
}
resource "random_pet" "env" {
length = 2
separator = "_"
}

55
aws_middle/vault/01-instance-profile.tf Normal file
View File

@@ -0,0 +1,55 @@
resource "aws_kms_key" "vault" {
description = "Vault unseal key"
deletion_window_in_days = 10
tags = {
Name = "vault-kms-unseal-${random_pet.env.id}"
}
}
resource "aws_kms_alias" "vault-a" {
name = "alias/prod-vault-auto-unseal"
target_key_id = aws_kms_key.vault.key_id
}
data "aws_iam_policy_document" "assume_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
data "aws_iam_policy_document" "vault-kms-unseal" {
statement {
sid = "VaultKMSUnseal"
effect = "Allow"
resources = [aws_kms_key.vault.arn]
actions = [
"kms:Encrypt",
"kms:Decrypt",
"kms:DescribeKey",
]
}
}
resource "aws_iam_role" "vault-kms-unseal" {
name = "vault-kms-role-${random_pet.env.id}"
assume_role_policy = data.aws_iam_policy_document.assume_role.json
}
resource "aws_iam_role_policy" "vault-kms-unseal" {
name = "Vault-KMS-Unseal-${random_pet.env.id}"
role = aws_iam_role.vault-kms-unseal.id
policy = data.aws_iam_policy_document.vault-kms-unseal.json
}
resource "aws_iam_instance_profile" "vault-kms-unseal" {
name = "vault-kms-unseal-${random_pet.env.id}"
role = aws_iam_role.vault-kms-unseal.name
}

3
aws_middle/vault/02-versions.tf Normal file
View File

@@ -0,0 +1,3 @@
terraform {
required_version = ">= 0.12"
}

7
aws_middle/vault/10-variables.tf Normal file
View File

@@ -0,0 +1,7 @@
variable "aws_region" {
default = "ap-northeast-2"
}
variable "aws_zone" {
default = "ap-northeast-2b"
}

31
aws_middle/vault/README.md Normal file
View File

@@ -0,0 +1,31 @@
# Vault Auto-unseal using AWS KMS
These assets are provided to perform the tasks described in the [Vault Auto-unseal with AWS KMS](https://learn.hashicorp.com/vault/operations/ops-autounseal-aws-kms) guide.
---
## Demo Steps
### Setup
1. Set this location as your working directory
1. Set your AWS credentials as environment variables: `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`
1. Set Vault Enterprise URL in a file named `terraform.tfvars` (see `terraform.tfvars.example`)
### Commands Cheat Sheet
```bash
# Pull necessary plugins
$ terraform init
$ terraform plan
# Output provides the SSH instruction
$ terraform apply
#----------------------------------
# Clean up...
$ terraform destroy -force
$ rm -rf .terraform terraform.tfstate* private.key
```

272
aws_middle/vault/terraform.tfstate Normal file
View File

@@ -0,0 +1,272 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 14,
"lineage": "e3e93a0f-93ed-63a2-17ab-4fa507053640",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "assume_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"ec2.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "2560863897",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
],
"sid": "VaultKMSUnseal"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:instance-profile/vault-kms-unseal-mighty_terrier",
"create_date": "2022-12-12T08:20:12Z",
"id": "vault-kms-unseal-mighty_terrier",
"name": "vault-kms-unseal-mighty_terrier",
"name_prefix": null,
"path": "/",
"role": "vault-kms-role-mighty_terrier",
"tags": {},
"tags_all": {},
"unique_id": "AIPAXMVVF3TAVAWIQ62TS"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:role/vault-kms-role-mighty_terrier",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T08:20:10Z",
"description": "",
"force_detach_policies": false,
"id": "vault-kms-role-mighty_terrier",
"inline_policy": [
{
"name": "Vault-KMS-Unseal-mighty_terrier",
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}"
}
],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "vault-kms-role-mighty_terrier",
"name_prefix": "",
"path": "/",
"permissions_boundary": null,
"tags": {},
"tags_all": {},
"unique_id": "AROAXMVVF3TA3MJDOSJFJ"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "vault-kms-role-mighty_terrier:Vault-KMS-Unseal-mighty_terrier",
"name": "Vault-KMS-Unseal-mighty_terrier",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"role": "vault-kms-role-mighty_terrier"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"data.aws_iam_policy_document.vault-kms-unseal",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_alias",
"name": "vault-a",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:alias/prod-vault-auto-unseal",
"id": "alias/prod-vault-auto-unseal",
"name": "alias/prod-vault-auto-unseal",
"name_prefix": "",
"target_key_arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"target_key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_kms_key.vault",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_key",
"name": "vault",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"bypass_policy_lockout_safety_check": false,
"custom_key_store_id": "",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 10,
"description": "Vault unseal key",
"enable_key_rotation": false,
"id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"is_enabled": true,
"key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"key_usage": "ENCRYPT_DECRYPT",
"multi_region": false,
"policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::508259851457:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Name": "vault-kms-unseal-mighty_terrier"
},
"tags_all": {
"Name": "vault-kms-unseal-mighty_terrier"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "random_pet",
"name": "env",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "mighty_terrier",
"keepers": null,
"length": 2,
"prefix": null,
"separator": "_"
},
"sensitive_attributes": []
}
]
}
],
"check_results": []
}

243
aws_middle/vault/terraform.tfstate.backup Normal file
View File

@@ -0,0 +1,243 @@
{
"version": 4,
"terraform_version": "1.3.1",
"serial": 7,
"lineage": "e3e93a0f-93ed-63a2-17ab-4fa507053640",
"outputs": {},
"resources": [
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "assume_role",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "1903849331",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"sts:AssumeRole\",\n \"Principal\": {\n \"Service\": \"ec2.amazonaws.com\"\n }\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"sts:AssumeRole"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [
{
"identifiers": [
"ec2.amazonaws.com"
],
"type": "Service"
}
],
"resources": [],
"sid": ""
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "data",
"type": "aws_iam_policy_document",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "2560863897",
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"override_json": null,
"override_policy_documents": null,
"policy_id": null,
"source_json": null,
"source_policy_documents": null,
"statement": [
{
"actions": [
"kms:Decrypt",
"kms:DescribeKey",
"kms:Encrypt"
],
"condition": [],
"effect": "Allow",
"not_actions": [],
"not_principals": [],
"not_resources": [],
"principals": [],
"resources": [
"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1"
],
"sid": "VaultKMSUnseal"
}
],
"version": "2012-10-17"
},
"sensitive_attributes": []
}
]
},
{
"mode": "managed",
"type": "aws_iam_instance_profile",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:instance-profile/vault-kms-unseal-mighty_terrier",
"create_date": "2022-12-12T08:20:12Z",
"id": "vault-kms-unseal-mighty_terrier",
"name": "vault-kms-unseal-mighty_terrier",
"name_prefix": null,
"path": "/",
"role": "vault-kms-role-mighty_terrier",
"tags": null,
"tags_all": {},
"unique_id": "AIPAXMVVF3TAVAWIQ62TS"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:iam::508259851457:role/vault-kms-role-mighty_terrier",
"assume_role_policy": "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":\"ec2.amazonaws.com\"},\"Sid\":\"\"}],\"Version\":\"2012-10-17\"}",
"create_date": "2022-12-12T08:20:10Z",
"description": "",
"force_detach_policies": false,
"id": "vault-kms-role-mighty_terrier",
"inline_policy": [],
"managed_policy_arns": [],
"max_session_duration": 3600,
"name": "vault-kms-role-mighty_terrier",
"name_prefix": "",
"path": "/",
"permissions_boundary": null,
"tags": null,
"tags_all": {},
"unique_id": "AROAXMVVF3TA3MJDOSJFJ"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"data.aws_iam_policy_document.assume_role",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_iam_role_policy",
"name": "vault-kms-unseal",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "vault-kms-role-mighty_terrier:Vault-KMS-Unseal-mighty_terrier",
"name": "Vault-KMS-Unseal-mighty_terrier",
"name_prefix": null,
"policy": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"VaultKMSUnseal\",\n \"Effect\": \"Allow\",\n \"Action\": [\n \"kms:Encrypt\",\n \"kms:DescribeKey\",\n \"kms:Decrypt\"\n ],\n \"Resource\": \"arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1\"\n }\n ]\n}",
"role": "vault-kms-role-mighty_terrier"
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"aws_iam_role.vault-kms-unseal",
"aws_kms_key.vault",
"data.aws_iam_policy_document.assume_role",
"data.aws_iam_policy_document.vault-kms-unseal",
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "aws_kms_key",
"name": "vault",
"provider": "provider[\"registry.terraform.io/hashicorp/aws\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"arn": "arn:aws:kms:ap-northeast-2:508259851457:key/c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"bypass_policy_lockout_safety_check": false,
"custom_key_store_id": "",
"customer_master_key_spec": "SYMMETRIC_DEFAULT",
"deletion_window_in_days": 10,
"description": "Vault unseal key",
"enable_key_rotation": false,
"id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"is_enabled": true,
"key_id": "c7641fb7-1689-4ec0-80ea-8b931deeb5a1",
"key_usage": "ENCRYPT_DECRYPT",
"multi_region": false,
"policy": "{\"Id\":\"key-default-1\",\"Statement\":[{\"Action\":\"kms:*\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"arn:aws:iam::508259851457:root\"},\"Resource\":\"*\",\"Sid\":\"Enable IAM User Permissions\"}],\"Version\":\"2012-10-17\"}",
"tags": {
"Name": "vault-kms-unseal-mighty_terrier"
},
"tags_all": {
"Name": "vault-kms-unseal-mighty_terrier"
}
},
"sensitive_attributes": [],
"private": "bnVsbA==",
"dependencies": [
"random_pet.env"
]
}
]
},
{
"mode": "managed",
"type": "random_pet",
"name": "env",
"provider": "provider[\"registry.terraform.io/hashicorp/random\"]",
"instances": [
{
"schema_version": 0,
"attributes": {
"id": "mighty_terrier",
"keepers": null,
"length": 2,
"prefix": null,
"separator": "_"
},
"sensitive_attributes": []
}
]
}
],
"check_results": []
}