Solutions Engineering Hangout: Security in Depth with Terraform and Vault

Learn some simple strategies for combining Vault and Terraform automation to enable security in depth.

In this hangout, we covered simple strategies that combine Terraform and Vault to enable security in depth. We showed how Terraform can create random credentials for your infrastructure, such as databases and compute instances, along with how Terraform can configure access to these resources through the management of Vault policies and secrets.

Dave Arnold of HashiCorp's solutions engineering team gave a technical deep dive into Vault with Terraform. After the 15-minute demo, we took live questions from the audience.

Questions asked during this hangout

  • Can you show the dynamic credentials you spoke about?
  • Does Packer have a similar integration with Vault yet?
  • Is Vault compatible with PHP applications?
  • Are you able to configure Terraform Enterprise to use Vault for workspace credentials?
  • Can you talk about Vault's "first trust only" principle? I don't remember the exact name, but I am interested in the concept.
  • What authentication is allowing Terraform to communicate with Vault?
  • Are the secrets stored in Terraform state as well as Vault?
  • What are the benefits of HashiCorp Vault vs AWS Secrets Manager?
  • What about differences between HC Vault and Azure Vault?
  • Is it possible to run Vault within Kubernetes? Or would this be advised against?
  • I see Terraform use Vault as a 'resource' to pull a secret. Can it also create tokens and pass them on to the resulting VM through variables or should that be scripted?
  • Say I want to use Vault to handle my production configuration deployment (ex: production AWS API keys/secrets), can I use the same approach as shown in this demo (mounting the volume to the instance), or is there a different way that the Vault community would suggest?
