Merge pull request #52 from Shayan-Ghani/49-ssh_injection-environment…

…-variable-is-not-implemented

closes #49 : conditioned ssh credential library based on SSH_INJECTION

ansible/host_vars/hashicorp

@@ -4,8 +4,11 @@ stack_dir: "/home/ubuntu/boundary-vault-stack"
 compose_dir: "{{ stack_dir }}/deploy"
 vault_addr: "192.168.1.15:8200"
 boundary_addr: "192.168.1.15:9200"
-STACK_ENV: "{{ lookup('env', 'STACK_ENV') }}"
-STACK_INIT: "{{ lookup('env', 'STACK_INIT') }}"
 handlers: "{{ playbook_dir }}/handlers"
 log_dir: "{{ playbook_dir | dirname }}/logs"
-secret_dir : "{{stack_dir}}/secrets"
+secret_dir : "{{stack_dir}}/secrets"
+
+# environment variables
+STACK_ENV: "{{ lookup('env', 'STACK_ENV') }}"
+STACK_INIT: "{{ lookup('env', 'STACK_INIT') }}"
+SSH_INJECTION: "{{lookup('env', 'SSH_INJECTION')}}"

ansible/host_vars/localhost

@@ -4,7 +4,10 @@ stack_dir: "/home/ubuntu/boundary-vault-stack"
 compose_dir: "{{ stack_dir }}/deploy"
 vault_addr: "127.0.0.1:8200"
 boundary_addr: "127.0.0.1:9200"
+handlers: "{{ playbook_dir }}/handlers"
+log_dir: "{{ playbook_dir | dirname }}/logs"
+
+# environment variables
 STACK_ENV: "{{ lookup('env', 'STACK_ENV') }}"
 STACK_INIT: "{{ lookup('env', 'STACK_INIT') }}"
-handlers: "{{ playbook_dir }}/handlers"
-log_dir: "{{ playbook_dir | dirname }}/logs"
+SSH_INJECTION: "{{lookup('env', 'SSH_INJECTION')}}"

ansible/roles/boundary/tasks/boundary_iac.yml

@@ -1,6 +1,6 @@
 ---
 - name: Run terraform configuration
-  ansible.builtin.shell: HOME_DIR={{ home_dir }} VAULT_TOKEN={{ transit_token }} bash "{{home_dir}}/scripts/init.sh" boundary
+  ansible.builtin.shell: HOME_DIR={{ home_dir }} VAULT_TOKEN={{ transit_token }} SSH_INJECTION={{SSH_INJECTION}} bash "{{home_dir}}/scripts/init.sh" boundary
   delegate_to: localhost
   ignore_errors: true
   register: terraform_boundary

ansible/roles/terraform/defaults/main.yml

@@ -1,2 +1,2 @@
 ---
-ssh_injection: Flase
+SSH_INJECTION: Flase

ansible/roles/terraform/tasks/cred_store_ssh.yml

@@ -4,9 +4,9 @@
   ansible.builtin.shell: cp {{stack_dir}}/secrets/ca-key.pub /etc/ssh/ca-key.pub && chown 1000:1000 /etc/ssh/ca-key.pub && chmod 644 /etc/ssh/ca-key.pub && echo "TrustedUserCAKeys
     /etc/ssh/ca-key.pub" >> /etc/ssh/sshd_config
   notify: restart_ssh
-  when: ssh_injection == True
+  when: SSH_INJECTION == True
 
 - name: Add ssh cred store token to variables
   ansible.builtin.shell: bash "{{home_dir}}/scripts/cleanup.sh" ssh
   delegate_to: localhost
-  when: ssh_injection == True
+  when: SSH_INJECTION == True

boundary/terraform/main.tf

@@ -165,25 +165,6 @@ resource "boundary_credential_store_static" "main_cred_store" {
   scope_id = boundary_scope.core_infra.id
 }
 
-## Uncomment the following lines if you have vault paid plan
-# resource "boundary_credential_store_vault" "vault_cert_store" {
-#   name = "vault-cred-store"
-#   address  = var.vault_address
-#   token    = var.vault_cred_store_token
-#   scope_id = boundary_scope.core_infra.id
-# }
-
-# resource "boundary_credential_library_vault_ssh_certificate" "vault_cred_lib_ssh" {
-#   name                = "certificates-library"
-#   credential_store_id = boundary_credential_store_vault.vault_cert_store.id
-#   path                = var.vault_sign_path
-#   username            = var.vault_username
-#   key_type            = "ecdsa"
-#   key_bits            = 521
-# }
-
-### end of vault ###
-
 resource "boundary_credential_ssh_private_key" "main_server_keys" {
   for_each            = { for host in var.hosts_info : host.name => host }
   name                = each.value.ssh_key_name
@@ -207,21 +188,39 @@ resource "boundary_target" "main_servers_ssh" {
   ]
 }
 
+#### Start of Vault ssh credential store
+# The following resources are only applied if SSH_INJECTION is set to True.
 
-#### uncomment the following block if you have pain boundary plan to use cred injection
-# resource "boundary_target" "test_server_ssh" {
-#   type                           = "tcp"
-#   name                           = "${var.test_server_name}_ssh_server"
-#   description                    = "test servers SSH target"
-#   scope_id                       = boundary_scope.core_infra.id
-#   default_port                   = var.ssh_port
+resource "boundary_credential_store_vault" "vault_cert_store" {
+  count = var.SSH_INJECTION ? 1 : 0
+  name = "vault-cred-store"
+  address  = var.vault_address
+  token    = var.vault_cred_store_token
+  scope_id = boundary_scope.core_infra.id
+}
 
-#   injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id]
+resource "boundary_credential_library_vault_ssh_certificate" "vault_cred_lib_ssh" {
+  count = var.SSH_INJECTION ? 1 : 0
+  name                = "certificates-library"
+  credential_store_id = boundary_credential_store_vault.vault_cert_store[count.index].id
+  path                = var.vault_sign_path
+  username            = var.vault_username
+  key_type            = "ecdsa"
+  key_bits            = 521
+}
 
-#   host_source_ids = [
-#     boundary_host_set_static.main_servers_ssh.id
-#   ]
-# }
+resource "boundary_target" "test_server_ssh" {
+  count = var.SSH_INJECTION ? 1 : 0
+  type                           = "tcp"
+  name                           = "${var.test_server_name}_ssh_server"
+  description                    = "test servers SSH target"
+  scope_id                       = boundary_scope.core_infra.id
+  default_port                   = var.test_ssh_port
+  injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh[count.index].id]
+  host_source_ids = [
+    boundary_host_set_static.main_servers_ssh.id
+  ]
+}
 ### End of cred injection
 
 # TODO: break resources into seperate tf files

boundary/terraform/terraform.tfvars

@@ -34,6 +34,7 @@ main_server_names = [
   ]
 
 test_server_name = "testing"
+test_ssh_port = 22
 
 # provider variables
 boundary_address = "https://boundary.dvh.tech"
@@ -80,4 +81,4 @@ session_recording_read_list = "id=*;type=session-recording;actions=list,read"
 # vault cred store
 vault_sign_path = "ssh-signer/issue/boundary-client"
 vault_username  = "admin"
-vault_address   = "http://vault:8200"
+vault_address   = "http://vault:8200"

boundary/terraform/variables.tf

@@ -69,24 +69,41 @@ variable "main_cred_store_name" {
   description = "main servers credential store name"
 }
 
+## start of SSH_INJECTION
+variable "SSH_INJECTION" {
+  type = bool
+  default = false
+  description = "wehter to use ssh credential library"
+}
+
+variable "test_ssh_port" {
+  type = string
+  description = "ssh port for the test target"
+}
 variable "vault_address" {
   type        = string
   sensitive   = true
   description = "address to vault server"
 }
 
-# variable "vault_cred_store_token" {
-#   type        = string
-#   sensitive   = true
-#   description = "vault token for credential store"
-# }
+variable "vault_cred_store_token" {
+  type        = string
+  sensitive   = true
+  default = "hvs.test"
+  description = "vault token for credential store"
+}
 
 variable "vault_sign_path" {
   type = string
+  description = "Path to the Vault key to sign boundary client"
 }
 variable "vault_username" {
   type = string
 }
+
+## end of SSH_INJECTION
+
+
 # permissions and roles
 
 ## all grants

scripts/init.sh

@@ -61,7 +61,7 @@ function init_boundary_iac(){
   token=$(cat $secret_file | grep "transit-token" | awk '{print $2}')
   export VAULT_TOKEN="$token"
   export BOUNDARY_ADDR="$BOUNDARY_ADDR"
-
+  export TF_VAR_SSH_INJECTION=$SSH_INJECTION
   terraform apply --auto-approve 2>&1 | sed -r "s/\x1B\[[0-9;]*[mGKH]//g" > "${HOME_DIR}/logs/terraform/boundary-logs.txt"
   return 0
 }