1.
Terraform & Vault - Un duo d’Enfer

2.
Oxalide
Conseil, Infogérance &
Hébergement
Media / SaaS / E-commerce
$ whoami
Consultant
Architecture &
DevOps
Théo Chamley
theo.ch@mley.fr
@MrTrustor

3.
Infrastructure-as-Code
AWS, GCP, Azure, OpenStack…
Write ➢ Plan ➢ Apply
https://www.terraform.io/ https://www.vaultproject.io/
Secret management
Simple REST API
Several « secret backends »

4.
Terraform
Infrastructure-as-Code
Perfect to manage AWS (and other) resources
resource "aws_instance" "web" {
ami = “ami-xxxxxx”
instance_type = "t2.micro”
tags {
Name = "HelloHUG"
}
}

5.
DEMO 1 - Terraform

6.
Vault
Secret managment
Consul MySQL AWS etc.
Secret
backends
Vault
Encryption
Authentification
ACLs…
User
Vault CLI
Vault
client libs
etc.
REST API
Clients

7.
Vault concepts
Tokens ➢ Main authentication method. The other methods
dynamically generate tokens.
Leases, TTL, Hierarchies, etc.
Authentication ➢ Verify an identity
Several authentication backends (LDAP, App ID, etc.)
(Un)seal ➢ Decrypt the encryption key
Need a certain number of shards to get the master key
Policies ➢ ACLs associated to paths in Vault.
Given to token when they are created

8.
DEMO 2 - Vault

9.
Vault & AWS STS
Using Vault to get AWS Credentials
Vault
Root AWS Account Target AWS Account
IAM CrossAccount
target role
AssumeRole
Temporary
Credentials
AWS STS
AWS Secret
Backend
• Vault authenticates against AWS IAM
• Uses a role that can connect to another account
• Gets temporary credentials for this role from STS

10.
DEMO 3 - Vault + AWS

11.
Terraform + Vault
Vault AWS
Terraform
STS Credentials

12.
DEMO 4 - Vault + Terraform +
AWS

13.
Links
• Source: https://github.com/MrTrustor/terraform-vault-demo
• Terraform: https://www.terraform.io/
• Vault: https://www.vaultproject.io/