Day-25: HashiCorp vault with Ansible & Terraform Integration

Mokadi Surya Prasad
5 min read · Dec 4, 2024


HashiCorp Vault is an open-source tool for managing secrets and protecting sensitive data in modern computing environments. It provides a secure way to store, access, and distribute credentials, encryption keys, and other secrets across distributed systems.

Step1:

Create an AWS EC2 instance named ‘hashicorpvault-server’ from our AMI image. Then check whether docker, the AWS CLI, unzip, stress, net-tools and jq are installed; any that are missing can be installed on the server.

sudo apt update

Step2:

Next, configure certbot to issue the SSL certificate for the domain. Install certbot and request the certificate with the commands below.

sudo apt install certbot
sudo certbot certonly --manual --preferred-challenges=dns --key-type rsa \
--email msuryaprasad11@gmail.com --server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos -d *.suryaprasad.xyz

I am deploying the _acme-challenge TXT record for my domain suryaprasad.xyz in AWS Route 53 to verify ownership.

Save the certificate and key paths; the Vault configuration references them later. Note that a certificate obtained with --manual is not renewed unattended unless an auth hook is configured, so the DNS challenge has to be repeated before the 90-day expiry.

Certificate is saved at: /etc/letsencrypt/live/suryaprasad.xyz/fullchain.pem
Key is saved at: /etc/letsencrypt/live/suryaprasad.xyz/privkey.pem

Step3:

Install the unzip, stress, net-tools and jq packages with the command below.

apt update && apt install -y unzip stress net-tools jq

Step4:

To install Vault for storing secrets, first download and extract the Vault binary, then move it to the /usr/bin/ directory and create the required directories for configuration and data. After that, run vault version to verify the installation.

wget https://releases.hashicorp.com/vault/1.13.2/vault_1.13.2_linux_amd64.zip
unzip vault_1.13.2_linux_amd64.zip
cp vault /usr/bin/vault
mkdir -p /etc/vault
mkdir -p /var/lib/vault/data
vault version

Step5:

Create the config.hcl file with the settings below and copy it into the /etc/vault directory. Also create a DNS record for the hostname used in api_addr (kmsvault.suryaprasad.xyz) that points at this instance, since the certificate is issued for that domain.

nano config.hcl
cp config.hcl /etc/vault/config.hcl

disable_cache = true
disable_mlock = true
ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file = "/etc/letsencrypt/live/suryaprasad.xyz/fullchain.pem"
  tls_key_file = "/etc/letsencrypt/live/suryaprasad.xyz/privkey.pem"
  tls_disable_client_certs = "true"
}

storage "file" {
  path = "/var/lib/vault/data"
}

api_addr = "https://kmsvault.suryaprasad.xyz:8200"
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "vault"
raw_storage_endpoint = true
disable_sealwrap = true
disable_printable_check = true

Step6:

Create the systemd unit file so Vault runs as a service.

nano /etc/systemd/system/vault.service
[Unit]
Description=HashiCorp Vault - A tool for managing secrets
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty=/etc/vault/config.hcl

[Service]
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart=/usr/bin/vault server -config=/etc/vault/config.hcl
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
StartLimitBurst=3
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Step7:

Reload systemd, then start and enable the Vault service.

sudo systemctl daemon-reload
sudo systemctl stop vault
sudo systemctl start vault
sudo systemctl enable vault
sudo systemctl status vault --no-pager

Step8:

Confirm the Vault process is running:

# Vault status from the CLI
ps -ef | grep -i vault | grep -v grep

Another way to check the Vault status is to open the UI in a browser:

https://kmsvault.suryaprasad.xyz:8200
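A third way to check status, and the one a monitoring system would use, is the HTTP API: /v1/sys/health answers with a status code that encodes the server state, and /v1/sys/seal-status returns the same fields vault status prints. The following is an added example, not code from the original post; it assumes a Vault API at an address like https://kmsvault.suryaprasad.xyz:8200, and the seal-status JSON it parses is a constructed sample so the parsing runs offline.

```python
"""Interpret Vault's /v1/sys/health and /v1/sys/seal-status responses.

Added example (not from the original post). It assumes a Vault API at an
address such as https://kmsvault.suryaprasad.xyz:8200; the JSON below is a
constructed sample shaped like a real seal-status response so the parsing
runs offline.
"""
import json
import ssl
import urllib.error
import urllib.request

# Status codes documented for GET /v1/sys/health. A non-200 code is still a
# valid answer, which is why a plain "curl -f" check against this endpoint
# misreads a standby or sealed server as "down".
HEALTH_CODES = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    472: "disaster recovery secondary, active",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


def describe_health(status_code: int) -> str:
    """Translate a /v1/sys/health status code into an operator-readable state."""
    return HEALTH_CODES.get(status_code, f"unexpected status {status_code}")


def summarize_seal_status(body: str) -> dict:
    """Extract the fields that matter from a /v1/sys/seal-status JSON body."""
    data = json.loads(body)
    summary = {
        "initialized": data["initialized"],
        "sealed": data["sealed"],
        "seal_type": data.get("type", "unknown"),
        "threshold": data.get("t"),
        "shares": data.get("n"),
        "unseal_progress": data.get("progress", 0),
    }
    # With the shamir seal an operator must supply key shares; with awskms the
    # server unseals itself, so a sealed awskms server points at a KMS or IAM
    # problem rather than at missing operator input.
    if summary["sealed"] and summary["seal_type"] == "shamir":
        summary["action"] = "run 'vault operator unseal' with threshold keys"
    elif summary["sealed"]:
        summary["action"] = "check KMS key access and the instance IAM role"
    else:
        summary["action"] = "none"
    return summary


def fetch_health(addr: str, timeout: float = 5.0) -> tuple[int, str]:
    """Query a live server; returns (status_code, body). Not run offline."""
    req = urllib.request.Request(f"{addr}/v1/sys/health")
    ctx = ssl.create_default_context()  # verifies the Let's Encrypt chain
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        # 429/472/473/501/503 arrive as HTTPError but still carry a JSON body
        return err.code, err.read().decode()


# Constructed sample: what a freshly initialised, still-sealed shamir server
# returns before any unseal key has been entered.
SAMPLE_SEAL_STATUS = json.dumps({
    "type": "shamir", "initialized": True, "sealed": True,
    "t": 3, "n": 5, "progress": 0, "version": "1.13.2",
})

if __name__ == "__main__":
    print(describe_health(503))
    print(summarize_seal_status(SAMPLE_SEAL_STATUS))
```

Run it against the real server with fetch_health(VAULT_ADDR) and feed the status code to describe_health; the seal-status body from /v1/sys/seal-status goes to summarize_seal_status. The default SSL context verifies the certificate chain, so a self-signed or expired certificate fails loudly instead of being silently accepted.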

Step8:

Point the Vault CLI at the server and persist the setting in the shell profile.

export VAULT_ADDR=https://kmsvault.suryaprasad.xyz:8200
echo "export VAULT_ADDR=https://kmsvault.suryaprasad.xyz:8200" >>~/.bashrc

Step9:

Initialize the vault. The output contains the unseal keys and the initial root token, so init.file must be protected: restrict its permissions, and move the key shares and the root token off the server into separate custody as soon as possible.

vault operator init | tee -a /etc/vault/init.file
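Teeing the init output into one file keeps every unseal key and the root token together on the same host, which collapses the key-splitting that vault operator init performs. The following is an added example, not code from the original post: it parses the init output and deals the key shares to separate holders, refusing any split in which one holder alone could reach the threshold. The sample output is constructed and its key material and token are fake.

```python
"""Parse 'vault operator init' output and plan custody of the key shares.

Added example, not from the original post. The page tees the whole init
output into /etc/vault/init.file, which leaves every unseal key and the root
token together on the server. This helper separates them so each share can
go to a different holder. SAMPLE_INIT_OUTPUT is constructed; the key
material and token in it are fake.
"""
import re

UNSEAL_RE = re.compile(r"^Unseal Key (\d+): (\S+)$")
RECOVERY_RE = re.compile(r"^Recovery Key (\d+): (\S+)$")  # printed by auto-unseal seals such as awskms
ROOT_RE = re.compile(r"^Initial Root Token: (\S+)$")
SHARES_RE = re.compile(r"^Vault initialized with (\d+) key shares and a key threshold of (\d+)")


def parse_init_output(text: str) -> dict:
    """Return shares, threshold, key kind, the numbered keys and the root token."""
    result = {"keys": {}, "key_kind": None, "root_token": None,
              "shares": None, "threshold": None}
    for raw in text.splitlines():
        line = raw.strip()
        if m := UNSEAL_RE.match(line):
            result["keys"][int(m.group(1))] = m.group(2)
            result["key_kind"] = "unseal"
        elif m := RECOVERY_RE.match(line):
            result["keys"][int(m.group(1))] = m.group(2)
            result["key_kind"] = "recovery"
        elif m := ROOT_RE.match(line):
            result["root_token"] = m.group(1)
        elif m := SHARES_RE.match(line):
            result["shares"], result["threshold"] = int(m.group(1)), int(m.group(2))
    return result


def custody_plan(parsed: dict, holders: list[str]) -> dict:
    """Deal the key shares round-robin to holders.

    Refuses any plan in which one holder would receive enough shares to meet
    the threshold alone, since that defeats the purpose of splitting the key.
    """
    if len(parsed["keys"]) != parsed["shares"]:
        raise ValueError("parsed key count does not match the announced share count")
    plan = {h: [] for h in holders}
    for number in sorted(parsed["keys"]):
        plan[holders[(number - 1) % len(holders)]].append(number)
    for holder, numbers in plan.items():
        if len(numbers) >= parsed["threshold"]:
            raise ValueError(f"{holder} would hold {len(numbers)} shares, "
                             f"reaching the threshold of {parsed['threshold']}")
    return plan


# Constructed sample in the format vault operator init prints (fake values).
SAMPLE_INIT_OUTPUT = """\
Unseal Key 1: FAKEshare1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Unseal Key 2: FAKEshare2AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Unseal Key 3: FAKEshare3AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Unseal Key 4: FAKEshare4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
Unseal Key 5: FAKEshare5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

Initial Root Token: hvs.FAKEROOTTOKEN0000000000

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.
"""

if __name__ == "__main__":
    parsed = parse_init_output(SAMPLE_INIT_OUTPUT)
    print(custody_plan(parsed, ["alice", "bob", "carol"]))
```

With three holders the plan is alice: 1 and 4, bob: 2 and 5, carol: 3, so no single person can unseal. With only two holders one of them would get three shares and the function refuses. The root token is kept out of the plan on purpose: it should be used to set up auth methods and then revoked, not stored next to the shares.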

Step10:

vault operator init | tee -a /etc/vault/init.file

Step11:

Now create an IAM role with administrator access and attach the inline policy below; name it vault or whatever you prefer.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "kms:*",
    "Resource": "*"
  }
}
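The policy above grants every KMS action on every key. The awskms seal configured in the next steps needs only kms:Encrypt, kms:Decrypt and kms:DescribeKey on the single key it wraps the master key with, so a scoped policy works just as well and limits what a compromised instance role can reach. The following is an added example, not code from the original post: it flags wildcard Allow statements in a policy document and builds the least-privilege statement for the seal. The key ARN it uses is a constructed placeholder.

```python
"""Flag over-broad IAM statements like the page's kms:* on Resource "*".

Added example, not from the original post. The awskms seal needs only
kms:Encrypt, kms:Decrypt and kms:DescribeKey on the one key it uses, so the
scoped policy below is what a least-privilege role looks like. The key ARN
in it is a constructed placeholder, not a real key.
"""

SEAL_ACTIONS = ("kms:Decrypt", "kms:DescribeKey", "kms:Encrypt")


def _as_list(value) -> list:
    """IAM accepts either a string or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def wildcard_findings(policy: dict) -> list[str]:
    """Return one finding per Allow statement that uses a wildcard action or resource."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        broad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad_actions:
            findings.append(f"statement {idx}: wildcard action(s) {broad_actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: resource '*' for {actions}")
    return findings


def seal_policy(key_arn: str) -> dict:
    """Build the least-privilege policy the awskms seal needs for one key."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": list(SEAL_ACTIONS),
            "Resource": key_arn,
        }],
    }


# The inline policy exactly as the page gives it.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
}

# Constructed placeholder ARN; substitute the real key's ARN.
PLACEHOLDER_KEY_ARN = (
    "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
)

if __name__ == "__main__":
    for finding in wildcard_findings(PAGE_POLICY):
        print("FINDING:", finding)
    print("scoped policy findings:", wildcard_findings(seal_policy(PLACEHOLDER_KEY_ARN)))
```

The page's policy produces two findings (a wildcard action and a wildcard resource); the scoped policy produces none. The role still needs access to the S3 bucket used as the storage backend later, which the administrator access attached to the role already covers, so the KMS statement is the one worth tightening first.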

Step12:

Now configure AWS KMS as the seal. Without it, Vault comes back sealed after every restart and cannot be reached with the existing token until the unseal keys are entered by hand; with the awskms seal the server unseals itself using the KMS key, which is why we configure KMS for the HashiCorp Vault server.

Step13:

Now change to the /etc/vault/ directory and edit config.hcl so that it matches the settings below (S3 storage and the awskms seal).

cd /etc/vault/
nano config.hcl

disable_cache = true
disable_mlock = true
ui = true

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_disable = 0
  tls_cert_file = "/etc/letsencrypt/live/suryaprasad.xyz/fullchain.pem"
  tls_key_file = "/etc/letsencrypt/live/suryaprasad.xyz/privkey.pem"
  tls_disable_client_certs = "true"
}

storage "s3" {
  bucket = "hashicorpvault-bucket"
}

seal "awskms" {
  region = "us-east-1"
  kms_key_id = "1c8c3a0b-089b-49aa-9eaa-b58532"
  endpoint = "kms.us-east-1.amazonaws.com"
}

api_addr = "https://kmsvault.suryaprasad.xyz:8200"
max_lease_ttl = "10h"
default_lease_ttl = "10h"
cluster_name = "vault"
raw_storage_endpoint = true
disable_sealwrap = true
disable_printable_check = true

vault status

Step14:

Now create the Vault users with Terraform: add the Vault token to the Terraform variables.tf file and run the commands below.

git clone 
terraform init
terraform plan
terraform apply

Now reboot the server and check vault status. If Sealed is true, remove the old init.file and initialize the vault again with the command below (the S3 backend is empty, since the data in the old file backend is not migrated), then check vault status once more. When Sealed shows false, the KMS auto-unseal is working and the task is complete; run terraform apply again to create all the users in the HashiCorp Vault server.
