
testing vault aws engine
tvo0813 committed Feb 24, 2025
1 parent 23c1125 commit 147881e
Showing 2 changed files with 85 additions and 35 deletions.
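--- a/enos/modules/verify_secrets_engines/modules/create/aws.tf
+++ b/enos/modules/verify_secrets_engines/modules/create/aws.tf
@@ -8,6 +8,7 @@ locals {
 aws_region = var.aws_region
 aws_access_key_id = var.aws_access_key_id
 aws_access_secret_key = var.aws_access_secret_key
+aws_precreated_role = "vault-assumed-role-credentials-demo"
 
 // Output
 aws_output = {
@@ -23,6 +24,45 @@ output "aws" {
 value = local.aws_output
 }
 
+data "aws_caller_identity" "current" {}
+
+data "aws_region" "current" {}
+
+# Vault Mount AWS Config Setup
+
+data "aws_iam_policy" "enos_aws_engine_test_user_permissions" {
+name = "enos-aws-engine-test-user-perm"
+}
+
+resource "aws_iam_user" "enos_aws_engine_test_iam_user" {
+name = "enos-aws-engine-test-iam-user"
+permissions_boundary = data.aws_iam_policy.enos_aws_engine_test_user_permissions.arn
+force_destroy = true
+}
+
+resource "aws_iam_user_policy_attachment" "enos_aws_engine_test_policy" {
+user = aws_iam_user.enos_aws_engine_test_iam_user.name
+policy_arn = data.aws_iam_policy.enos_aws_engine_test_user_permissions.arn
+}
+
+resource "aws_iam_access_key" "enos_aws_engine_test_iam_access_key" {
+user = aws_iam_user.enos_aws_engine_test_iam_user.name
+}
+
+# Vault Mount AWS Role Setup
+
+data "aws_iam_policy_document" "enos_aws_engine_test_iam_role_policy" {
+statement {
+sid = "EnosAwsEngineTestIamRolePolicy"
+actions = ["ec2:DescribeRegions"]
+resources = ["*"]
+}
+}
+
+data "aws_iam_role" "vault_target_iam_role" {
+name = "vault-assumed-role-credentials-demo"
+}
+
 # Enable aws secrets engine
 resource "enos_remote_exec" "secrets_enable_aws_secret" {
 environment = {
@@ -42,26 +82,27 @@ resource "enos_remote_exec" "secrets_enable_aws_secret" {
 }
 }
 
-# Enable kv secrets engine
-resource "enos_remote_exec" "aws_generate_creds" {
-depends_on = [enos_remote_exec.secrets_enable_aws_secret]
-for_each = var.hosts
-environment = {
-AWS_REGION = local.aws_region
-AWS_ACCESS_KEY_ID = local.aws_access_key_id
-AWS_SECRET_ACCESS_KEY = local.aws_access_secret_key
-AWS_ROLE = local.aws_role
-MOUNT = local.aws_mount
-VAULT_ADDR = var.vault_addr
-VAULT_TOKEN = var.vault_root_token
-VAULT_INSTALL_DIR = var.vault_install_dir
-}
-
-scripts = [abspath("${path.module}/../../scripts/aws-generate-roles.sh")]
-
-transport = {
-ssh = {
-host = var.leader_host.public_ip
-}
-}
-}
+# # Enable kv secrets engine
+# resource "enos_remote_exec" "aws_generate_creds" {
+# depends_on = [enos_remote_exec.secrets_enable_aws_secret]
+# for_each = var.hosts
+# environment = {
+# AWS_PRECREATED_ROLE = local.aws_precreated_role
+# AWS_REGION = local.aws_region
+# AWS_ACCESS_KEY_ID = local.aws_access_key_id
+# AWS_SECRET_ACCESS_KEY = local.aws_access_secret_key
+# AWS_ROLE = local.aws_role
+# MOUNT = local.aws_mount
+# VAULT_ADDR = var.vault_addr
+# VAULT_TOKEN = var.vault_root_token
+# VAULT_INSTALL_DIR = var.vault_install_dir
+# }
+#
+# scripts = [abspath("${path.module}/../../scripts/aws-generate-roles.sh")]
+#
+# transport = {
+# ssh = {
+# host = var.leader_host.public_ip
+# }
+# }
+# }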
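Review bot: `data "aws_iam_role" "vault_target_iam_role"` in the second hunk repeats the literal `"vault-assumed-role-credentials-demo"` that the first hunk just stored in `local.aws_precreated_role`; write it as `name = local.aws_precreated_role` so the two cannot drift apart. Nothing visible in this file consumes `aws_iam_access_key.enos_aws_engine_test_iam_access_key`, `data.aws_iam_policy_document.enos_aws_engine_test_iam_role_policy` or the two `current` data sources, and the only resource that handed `local.aws_precreated_role` to the script (`aws_generate_creds`) is commented out in the last hunk, so the access key is created and its secret written to Terraform state with no consumer. If the key is meant for a later step, wire it in (for example pass `aws_iam_access_key.enos_aws_engine_test_iam_access_key.id` and `.secret` to the script's environment and mark any output `sensitive = true`); otherwise drop the resource until it is needed. `force_destroy = true` on the new `aws_iam_user` is the right choice here, since an attached access key would otherwise block `destroy`.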
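--- a/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh
+++ b/enos/modules/verify_secrets_engines/scripts/aws-generate-roles.sh
@@ -9,15 +9,19 @@ fail() {
 exit 1
 }
 
-# # -------PKI TESTING
-MOUNT=aws
-AWS_REGION=us-east-1
-AWS_ROLE=test-role
-VAULT_ADDR=http://127.0.0.1:8200
-VAULT_INSTALL_DIR=/opt/homebrew/bin
-VAULT_TOKEN=root
-vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!"
+## # -------PKI TESTING
+# MOUNT=aws
+# AWS_REGION=us-east-1
+# AWS_ROLE=test-role
+# VAULT_ADDR=http://127.0.0.1:8200
+# VAULT_INSTALL_DIR=/opt/homebrew/bin
+# VAULT_TOKEN=root
+# AWS_PRECREATED_ROLE="vault-assumed-role-credentials-demo"
+# ACCOUNT_NUM="774305585021"
+# vault secrets enable --path=${MOUNT} aws > /dev/null 2>&1 || echo "AWS Engine already enabled!"
 
+echo -e "------------|${AWS_REGION}|-----------|${AWS_ACCESS_KEY_ID}|-------|${AWS_SECRET_ACCESS_KEY}|-----\n"
+[[ -z "$AWS_PRECREATED_ROLE" ]] && fail "AWS_PRECREATED_ROLE env variable has not been set"
 [[ -z "$AWS_REGION" ]] && fail "AWS_REGION env variable has not been set"
 [[ -z "$AWS_ACCESS_KEY_ID" ]] && fail "AWS_ACCESS_KEY_ID env variable has not been set"
 [[ -z "$AWS_SECRET_ACCESS_KEY" ]] && fail "AWS_SECRET_ACCESS_KEY env variable has not been set"
@@ -38,21 +42,25 @@ echo "Configuring Vault AWS"
 echo "Setup Vault/AWS role.."
 #"$binpath" write "${MOUNT}/roles/${AWS_ROLE}" credential_type=iam_user policy_arns="arn:aws:iam::aws:policy/AdministratorAccess" ttl="1h" max_ttl="24h" || fail "Cannot create AWS role"
 "$binpath" write "aws/roles/${AWS_ROLE}" \
-credential_type=iam_user \
+credential_type="iam_user" \
+permissions_boundary_arn="arn:aws:iam::774305585021:policy/DemoUser" \
 policy_document=-<<EOF
 {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Sid":"VaultDemoUserDescribeEC2Regions",
 "Effect": "Allow",
-"Action": "ec2:*",
+"Action": "ec2:DescribeRegions",
 "Resource": "*"
 }
 ]
 }
 EOF
 
+echo "Verifying roles list"
+"$binpath" list "${MOUNT}/roles"
+"$binpath" read "${MOUNT}/roles/${AWS_ROLE}"
 ROLE=$("$binpath" list "${MOUNT}/roles" | jq -r '.[]')
 [[ -z "$ROLE" ]] && fail "No AWS roles created!"
 
@@ -61,5 +69,6 @@ echo "Verifying Root Access Key"
 ROOT_ACCESS_KEY=$("$binpath" read "${MOUNT}/config/root" | jq -r '.data.access_key')
 [[ "$ROOT_ACCESS_KEY" != "$AWS_ACCESS_KEY_ID" ]] && fail "AWS Access Key does not match: $ROOT_ACCESS_KEY, $AWS_ACCESS_KEY_ID"
 
-## Read role
-#"$binpath" read "${MOUNT}/creds/${AWS_ROLE}"
+# Read role
+echo "Verifying New Credentials"
+"$binpath" read "${MOUNT}/creds/${AWS_ROLE}"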
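Review bot: The new `echo -e` line in the first hunk prints `${AWS_ACCESS_KEY_ID}` and `${AWS_SECRET_ACCESS_KEY}` to stdout, so the root AWS credentials that Vault is configured with land in the enos/CI run log; drop the line or reduce it to `echo "Using AWS region ${AWS_REGION}"`. The final `"$binpath" read "${MOUNT}/creds/${AWS_ROLE}"` in the last hunk likewise dumps the freshly generated IAM user key pair, while checking the response instead, e.g. `"$binpath" read "${MOUNT}/creds/${AWS_ROLE}" | jq -e '.data.access_key | length > 0' > /dev/null || fail "Cannot generate AWS credentials"`, verifies the engine without logging the secret and fails the test when no credentials come back (this relies on the JSON output the existing `jq` pipelines already assume). The hardcoded account id in `permissions_boundary_arn="arn:aws:iam::774305585021:policy/DemoUser"` ties the test to one account; the commented `ACCOUNT_NUM` suggests it was meant to come from the environment, and the `write` on the unchanged line above it still targets `aws/roles/` while the new list/read lines use `${MOUNT}/roles/`.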
