Use Terraform to spin up a recommended HashiCorp Vault architecture and then have Vault feed secrets into the Terraform provisioning workflow in this demo.
One of the HashiCorp tools' greatest strengths is their modularity—the way in which all of the tools tightly integrate to produce elegant DevOps workflows that span security, provisioning, networking, and development. Maybe you use HashiCorp Vault for security and secrets management. Maybe you use HashiCorp Terraform for rapid, safe provisioning. But if you start using both, your teams are empowered with even more capabilities for protecting things like database credentials, certs, and cloud API keys in the provisioning workflow.
HashiCorp Vault engineer Becca Petrin shows how powerful the combination of Terraform and Vault can be. Many developers have made the mistake of publishing their cloud keys into a public GitHub repository.
Using Terraform to spin up and connect to a Vault cluster backed by Consul and running on AWS, Petrin shows how to harness dynamic secrets so that no plaintext secret is ever written into a configuration file or committed to version control while provisioning infrastructure. Because Vault generates each credential on demand and attaches a lease to it, nothing long-lived sits in your Terraform configuration.
One caveat worth knowing before you adopt this pattern: whatever Terraform reads from Vault is still persisted in its state file and in any saved plan files, so state needs the same protection as any other secret store (a remote backend with encryption at rest and tight access control). Dynamic secrets limit the blast radius rather than remove it. If a malicious actor finds your state file, or you accidentally publish it to GitHub, the credentials in it expire at the end of their lease, which is minutes or hours depending on the TTLs you configure, and any lease can be revoked immediately through Vault.
Watch this live demo to see how a real-world Terraform + Vault workflow looks.
0:00 — Agenda and introduction to the HashiCorp suite
4:30 — How to use Terraform to spin up a 3-node Vault cluster backed by Consul and running on AWS
9:42 — Reviewing the recommended, single-datacenter architecture for Vault
14:50 — Unsealing Vault
20:33 — How dynamic secrets work in a Terraform + Vault setup
24:57 — Setting up Vault user roles and configuring Vault to generate dynamic AWS secrets
30:00 — Setting up Terraform to pull secrets from Vault
35:00 — Q&A
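As an added example, not code from the talk or from HashiCorp's demo repository, here is the Terraform shape of the two steps at 24:57 and 30:00 and of the dynamic-secrets point above: one configuration, run by a Vault administrator, enables Vault's AWS secrets engine and defines a role; a second, separate provisioning configuration reads short-lived AWS credentials from that role and hands them to the AWS provider, so no AWS key appears in any file. The Vault address, mount path, role name, region, TTLs and the IAM policy are assumptions chosen for illustration.

```hcl
# Added example, not from the talk. Two separate Terraform configurations are
# shown as two files in one listing. Address, path, role, region, TTLs and
# the IAM policy are assumed values.

# ---------------- vault-admin/main.tf (run by a Vault administrator) ----------------

provider "vault" {
  # VAULT_TOKEN is read from the environment; nothing secret lives in this file.
  address = "https://vault.example.internal:8200" # assumed
}

# The AWS "root" credentials Vault uses to mint IAM users. Supply them via
# TF_VAR_aws_root_access_key / TF_VAR_aws_root_secret_key environment
# variables and mark them sensitive so plan output redacts them.
variable "aws_root_access_key" {
  type      = string
  sensitive = true
}

variable "aws_root_secret_key" {
  type      = string
  sensitive = true
}

resource "vault_aws_secret_backend" "aws" {
  path       = "aws"
  region     = "us-east-1"
  access_key = var.aws_root_access_key
  secret_key = var.aws_root_secret_key

  # Short leases are what make a leaked state or plan file harmless: every
  # credential issued from this mount expires after default_lease_ttl_seconds
  # unless renewed and can never outlive max_lease_ttl_seconds.
  default_lease_ttl_seconds = 900
  max_lease_ttl_seconds     = 3600
}

# A role scoped to what the provisioning workspace actually needs (assumed policy).
resource "vault_aws_secret_backend_role" "deploy" {
  backend         = vault_aws_secret_backend.aws.path
  name            = "deploy"
  credential_type = "iam_user"

  policy_document = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances"]
      Resource = "*"
    }]
  })
}

# ---------------- infra/main.tf (the provisioning workspace) ----------------

provider "vault" {
  address = "https://vault.example.internal:8200" # assumed
}

# Every plan or apply asks Vault for a fresh IAM user under the "deploy" role.
data "vault_aws_access_credentials" "deploy" {
  backend = "aws"
  role    = "deploy"
  type    = "creds" # "sts" would return temporary session credentials instead
}

provider "aws" {
  region     = "us-east-1"
  access_key = data.vault_aws_access_credentials.deploy.access_key
  secret_key = data.vault_aws_access_credentials.deploy.secret_key
}

# Sanity check: the caller identity should be the IAM user Vault just created,
# not a long-lived engineer or CI key.
data "aws_caller_identity" "current" {}

output "provisioning_identity" {
  value = data.aws_caller_identity.current.arn
}

output "credential_lease_seconds" {
  value = data.vault_aws_access_credentials.deploy.lease_duration
}
```

Two behaviours to keep in mind when running this. First, the Vault provider does its work with a short-lived child token (about 20 minutes by default), and dynamic credentials issued under that token are revoked when it expires, so even a forgotten plan file holds keys that stop working shortly after the run. Second, a newly created IAM user is subject to IAM's eventual consistency, so the first AWS API call may briefly fail with an authentication error; a retry a few seconds later succeeds.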
Q&A (partial; the questions as extracted are incomplete, with the missing text shown as "..."):
... "terraform apply" step running in a single thread?
... "aws/config/root" ... be rotated?
... "vault login" command, you would first need to ssh into the bastion and then to the Vault instance, correct?