Managing Credentials in Terraform Cloud & Enterprise

There are several ways to manage credentials or other secret types in Terraform Cloud and Terraform Enterprise, either natively, or with purpose-built secrets management utilities like HashiCorp Vault, so this is a somewhat opinionated article that lists what I believe are currently the best options. Please note this is not a replacement for some other best practices, such as keeping your Terraform CLI and code up to date.

The described patterns follow some common principles. Credentials should be:

  • As unique as possible per workspace
  • Easy to rotate
  • As dynamic as possible
  • Protected with RBAC

There are also some nuances between Terraform Cloud and Terraform Enterprise that I will call out in each section.

In terms of security, both Cloud and Enterprise products encrypt their sensitive variables using the Vault Transit secrets engine and do not allow any external API call to decrypt these values. For more details please see the Data Security page.

If you still have questions by the end of this blog post, try attending one of our community office hours or booking a 1:1 technical session.

»Managing Credentials Using Only Terraform Workspaces

Using only Terraform workspaces, your cloud vendor’s Terraform provider, and the Terraform Cloud/Enterprise provider, you can set up a “Credentials” workspace that is able to generate new credentials and rotate the ones used by other workspaces. To avoid the secret zero problem, when setting up the credentials workspaces, you can make use of the Terraform Agents pattern described in the next section.

Note: In Terraform Cloud all workspaces live in the same Organization.
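The "Credentials" workspace described above, as an added example that is not part of the original article: it creates one IAM user and access key per project workspace, forces the key to be replaced on a fixed schedule, and pushes the key into the target workspace as sensitive environment variables through the `tfe` provider. The organization name, the workspace names, the 30-day rotation period and the IAM user naming are assumptions; the IAM permissions policy that each user would need is left out.

```hcl
terraform {
  required_version = ">= 1.2" # replace_triggered_by needs 1.2+
  required_providers {
    aws  = { source = "hashicorp/aws" }
    tfe  = { source = "hashicorp/tfe" }
    time = { source = "hashicorp/time" }
  }
}

# Assumed: this workspace already has an AWS identity allowed to manage IAM
# (for instance via a Terraform Agent) and a TFE_TOKEN for the tfe provider.
provider "aws" {}
provider "tfe" {}

variable "organization" {
  type = string
}

# Hypothetical project workspaces that should each get their own IAM user.
variable "target_workspaces" {
  type    = list(string)
  default = ["app-dev", "app-prod"]
}

# Rotation clock: once the rotation time passes this resource is replaced,
# and every access key that references it is replaced with it.
resource "time_rotating" "rotate" {
  rotation_days = 30
}

data "tfe_workspace" "target" {
  for_each     = toset(var.target_workspaces)
  name         = each.key
  organization = var.organization
}

# One IAM user per workspace, so a leaked key maps to exactly one workspace.
resource "aws_iam_user" "ws" {
  for_each = toset(var.target_workspaces)
  name     = "tfc-${var.organization}-${each.key}"
}

resource "aws_iam_access_key" "ws" {
  for_each = aws_iam_user.ws
  user     = each.value.name

  lifecycle {
    replace_triggered_by = [time_rotating.rotate]
  }
}

# Push the current key into the target workspace as sensitive env variables.
# Caveat from the article: the key material is also recorded in this
# "Credentials" workspace's own state, so protect that state accordingly.
resource "tfe_variable" "access_key_id" {
  for_each     = aws_iam_access_key.ws
  workspace_id = data.tfe_workspace.target[each.key].id
  key          = "AWS_ACCESS_KEY_ID"
  value        = each.value.id
  category     = "env"
  sensitive    = true
}

resource "tfe_variable" "secret_access_key" {
  for_each     = aws_iam_access_key.ws
  workspace_id = data.tfe_workspace.target[each.key].id
  key          = "AWS_SECRET_ACCESS_KEY"
  value        = each.value.secret
  category     = "env"
  sensitive    = true
}
```

Because the rotation is driven by a resource rather than by an operator, a scheduled run of this workspace (the "3rd party API trigger" listed under Cons) is all that is needed to roll every key; the old key disappears from AWS and from the target workspaces in the same apply.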

Pros

  • There’s a separation between development environments.
  • It’s possible to use different types of secrets.

Cons

  • Requires a third-party API trigger to force a re-deployment of all “Credentials” workspaces.
  • Complex RBAC setup that does not exist in the free tier.
  • Secrets are stored in the “Credentials” workspace state.
  • “Credentials” workspaces require a Terraform Cloud/Enterprise User or Team token to access other workspaces that reside in another Organization.

»Managing Credentials Using Only Terraform Agents

Both Terraform Cloud Business tier and Terraform Enterprise support running your code using external agents. This feature is called Terraform Agents. Any cloud provider declared in your Terraform code is able to take advantage of the credentials set in the Terraform Agent environment, which means the credentials do not need to be set at the workspace level.

HashiCorp Solutions Engineer Andy Assareh has a repo and a recording to help walk you through this pattern.
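An added example of wiring this pattern up with the `tfe` provider; it is not code from the article or from the repository mentioned above. It creates one Agent Pool per environment, pins each project workspace to its pool in agent execution mode, and grants the developer team "write" rather than "admin" access, since only admin access lets a user change workspace settings such as the Agent Pool (the RBAC caveat listed under Cons). The organization, environment names, team name and workspace names are assumptions; the cloud credentials themselves live in the environment of the agent host and never appear here.

```hcl
terraform {
  required_providers {
    tfe = { source = "hashicorp/tfe" }
  }
}

provider "tfe" {} # TFE_TOKEN taken from the environment

variable "organization" {
  type = string
}

# One pool per environment (assumed names). The agents registered in each
# pool run on hosts whose environment carries that environment's cloud
# credentials, so nothing credential-like is set on the workspaces below.
resource "tfe_agent_pool" "env" {
  for_each     = toset(["dev", "prod"])
  name         = "agents-${each.key}"
  organization = var.organization
}

# Registration token for the agent host of each pool. The token value is
# sensitive and is stored in this workspace's state; hand it to the host
# out of band and treat this state as secret.
resource "tfe_agent_token" "env" {
  for_each      = tfe_agent_pool.env
  agent_pool_id = each.value.id
  description   = "agent host for ${each.key}"
}

# Project workspaces are pinned to the pool of their environment.
resource "tfe_workspace" "app" {
  for_each       = tfe_agent_pool.env
  name           = "app-${each.key}"
  organization   = var.organization
  execution_mode = "agent"
  agent_pool_id  = each.value.id
}

# Hypothetical developer team. "write" allows plan/apply and variable edits
# but not workspace settings, so developers cannot re-point a workspace at
# a different (for example, production) Agent Pool.
data "tfe_team" "developers" {
  name         = "developers"
  organization = var.organization
}

resource "tfe_team_access" "developers" {
  for_each     = tfe_workspace.app
  access       = "write"
  team_id      = data.tfe_team.developers.id
  workspace_id = each.value.id
}
```

The workspace-to-pool binding is the security boundary in this pattern: whoever can change `agent_pool_id` can run code under another environment's credentials, which is why the team access level, not only the pool membership, has to be reviewed.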

Pros

  • There’s a separation between development environments.
  • No credentials are set in project workspaces.
  • No credentials are stored in the workspace state.
  • One of the least complex patterns.

Cons

  • Only addresses cloud access credentials, not other kinds of secrets.
  • Requires Terraform Cloud Business tier.
  • Careful RBAC is required to ensure developers are not able to change Agent Pools in the workspace.
  • Difficult to scale and audit when using multiple accounts.
  • In Terraform Cloud Business tier, there are some limits on the number of Agents and Agent Pools an Organization can have.
  • Difficult to have a 1:1 mapping between workspace and Agent.

»Managing Credentials Using Vault

It’s no secret HashiCorp Vault is able to generate dynamic credentials for all major cloud vendors, databases, etc. For those who know about Vault, this integration with Terraform is the first solution they ask about, since secrets management is Vault’s primary use case. Here are a few patterns to make that integration work.

»Direct Integration with a Vault Plugin

There isn’t much to explain in this workflow. Most of the complexity is in setting up Vault authentication and some Terraform template code.

Pros

Cons

  • Need to install a third-party plugin. More details are in the plugin repo.
  • Because we are using the Vault provider, secrets will be present in the state file.
  • Requires Terraform code changes to use the Vault provider.
  • Increase in complexity to set up Vault correctly.

»Integration with CI/CD

At the heart of this integration pattern is the ability to confidently authenticate to Vault with an identity that is unique and combines workflow, repository, and branch/environment.

This is not the case with all CI/CD implementations, so I’m only mentioning two implementations where I know it’s possible.

Vault tokens should be very short-lived and linked to an entity, to restrict access in case any token gets leaked and allow for better auditing. Avoid storing Vault tokens as secrets!

Regarding the workflow, the CI/CD runner will need to authenticate to Vault and retrieve:

Pros

  • It’s possible to have 0 hardcoded or long-lived credentials, using only identities.
  • There’s a separation between development environments.
  • Different credentials for different branches.
  • Terraform Enterprise and Terraform Cloud credentials are not stored in Terraform state or the CI/CD platform.

Cons

  • Requires a CI/CD system able to assign an identity that combines a unique run id, workflow/pipeline, repository, and commit id.
  • May lead to secret sprawl.
  • Increase in pipeline complexity.

These pros and cons apply to the two subsections below.

»GitLab CI/CD Integration

GitLab runners are able to authenticate to Vault using the JWT auth backend, where you can configure separate roles for staging, dev, or production.

Once authentication has been solved, GitLab CI/CD will be able to retrieve the necessary secrets and interact with the Terraform Cloud/Terraform Enterprise API. Here’s an example.

For private repositories, you’ll need to have GitLab Premium.
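The Vault side of the GitLab JWT integration, as an added example that is not taken from the article or the linked example: it enables the JWT auth method against the GitLab instance's JWKS endpoint and defines one role per environment, each bound to both the repository and the branch, so a job on any other branch cannot obtain the production role's token. The GitLab URL, project path, branch names, policy names and TTLs are assumptions.

```hcl
terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
  }
}

# VAULT_ADDR / VAULT_TOKEN come from the environment of the operator
# configuring Vault, not from the CI job.
provider "vault" {}

# Hypothetical GitLab instance and project path.
variable "gitlab_url" {
  type    = string
  default = "https://gitlab.example.com"
}

variable "project_path" {
  type    = string
  default = "platform/infra-terraform"
}

# Vault validates GitLab-issued job JWTs against the instance's JWKS and
# rejects tokens whose issuer is not this GitLab instance.
resource "vault_jwt_auth_backend" "gitlab" {
  path         = "jwt"
  jwks_url     = "${var.gitlab_url}/-/jwks"
  bound_issuer = var.gitlab_url
}

# Environment name -> branch that is allowed to assume it (assumed mapping).
locals {
  environments = {
    dev        = "develop"
    production = "main"
  }
}

# One role per environment. bound_claims ties the login to the repository
# AND the branch, which is the "identity that combines workflow, repository,
# and branch/environment" the article relies on.
resource "vault_jwt_auth_backend_role" "env" {
  for_each  = local.environments
  backend   = vault_jwt_auth_backend.gitlab.path
  role_name = "terraform-${each.key}"
  role_type = "jwt"

  bound_claims = {
    project_path = var.project_path
    ref_type     = "branch"
    ref          = each.value
  }

  # The alias is the GitLab user who triggered the pipeline, so every
  # token is linked to an entity and shows up that way in the audit log.
  user_claim = "user_login"

  # Short-lived tokens: long enough for a plan/apply, no longer.
  token_policies = ["terraform-${each.key}"] # policy names are hypothetical
  token_ttl      = 600
  token_max_ttl  = 900
}
```

A job then logs in with the JWT GitLab injects into the runner (for example `vault write auth/jwt/login role=terraform-production jwt=$CI_JOB_JWT`) and uses the returned token for the duration of that job only, which is what makes the "avoid storing Vault tokens as secrets" advice above achievable.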

»GitHub Actions Integration

For GitHub Actions to authenticate to Vault there are two options:

If you use AppRole, please make sure you also have a cron job set up to rotate the environment secrets, and use the “Repository Environments” to distinguish between production and non-production.

If you use the custom Vault GitHub Action authentication backend, right now it’s not possible to distinguish which branch is being executed.

»Pick the Solution that’s Right For You

There is no right answer or one-size-fits-all solution to managing your credentials and secrets within Terraform Cloud and Terraform Enterprise. This is highly dependent on your current requirements, environment, tools, etc., so it’s up to you to select the pattern that is best for you and your team, taking into account the pros and cons of each solution.

Please bear in mind that all of these solutions require you to plan and execute an efficient team/application onboarding process to be successful. To learn more about onboarding applications into Vault check out our other blog post Onboarding Applications to Vault Using Terraform: A Practical Guide or book a 1:1 session with one of our experts.


Source: HashiCorp Blog

HashiConf Global Preview: Sessions for Cloud Platform Teams

As enterprise cloud strategies mature, “platform teams” have become a best practice. Platform teams build, run, and support infrastructure and backing services that are exposed to development teams as self-service offerings.

HashiConf Global (livestream Tuesday – Wednesday, October 19 – 20, and rebroadcast for the Asia/Pacific time zones on Wednesday – Thursday, October 20 – 21) is packed with sessions designed for platform teams. Here’s a preview of the relevant HashiConf talks grouped into popular cloud architecture pillars: Operational Excellence, Security, and Reliability.

»Operational Excellence

»Tide’s Self-Service Service Mesh With Consul

Wednesday, October 20, 12:30 p.m. ET

Tide Business Bank — a leading UK FinTech firm — tells its HashiCorp Consul adoption story. This talk is especially relevant for platform owners using Amazon Web Services (AWS). Jez Halford, Tide’s Head of Cloud Engineering, explains how Tide uses HCP Consul to wire up Amazon ECS and EC2, as well as ECS and AWS Fargate. Interestingly, the move to Consul came without downtime or a painful “big bang” migration. If you want greater networking automation across different AWS runtimes — and want to upgrade from your status quo — here’s your playbook.

»A Journey to Improving SLOs With HashiCorp Vault

Wednesday, October 20, 2:00 pm ET

Experienced cloud engineers tend to have a story or two about the expired certificate everyone forgot about. Good secrets management hygiene is essential to application — and platform — uptime and reliability. In this session, George Hantzaras, a cloud engineering leader at Citrix, explains how HashiCorp Vault improved service level objectives (SLOs) in the company’s observability infrastructure.

»Redeploying Stateless Systems in Lieu of Patching

Tuesday, October 19, 1:00 pm ET

Seasoned operators know that patching is a way of life. But does it have to be? Chris Manfre, a Senior DevOps Engineer at Petco, says “no.” In this talk, he describes a better approach to vulnerability mitigation: replace unpatched instances with new instances that feature updated templates. He explains how HashiCorp Packer and HashiCorp Terraform Enterprise can help you adopt this immutable infrastructure best practice.

»Security

»Vault for Secrets Management in Consul K8s

Tuesday, October 19, 12:30 pm ET

We’re all hearing a lot about zero trust security these days, and for good reason. It’s the modern approach to protecting critical systems and customer data. But what does implementing zero trust security really entail?

Here’s a starting point: modernize your infrastructure around the new control point for security: identity. This is what the most secure organizations have done in recent years. From there, platform teams can authenticate and authorize access for services and users alike. That sounds great, but how do you actually do that in the real world? This talk will give you a big part of the answer, especially if you’re a Kubernetes shop.

Kyle Schochenmaier, HashiCorp Senior Engineer on the Consul Ecosystem, and HashiCorp Senior Product Manager David Yu explain how to use Vault as the secrets management backend for Consul atop Kubernetes. They also explain how to rotate secrets in Consul on Kubernetes. Attend this talk, and you’ll be in a much stronger position to combine the protections from Vault (machine authN and authZ) with those from Consul (machine-to-machine access).

»Managing Target’s Secrets Platform

Tuesday, October 19, 1:30 p.m. ET

Every vertical industry has its own unique security challenges. Retailers around the world use HashiCorp’s tech to improve their security posture. This is a big job, and it requires constant vigilance from platform teams in this sector. Target — one of the largest retailers in the US with more than 1,900 locations — has an extraordinarily large attack surface to protect. Shane Petrich, a Target Lead Engineer, details how Target keeps its HashiCorp Vault deployment humming.

»Vault Roadmap

Tuesday, October 19, 2:00 p.m. PT

There’s a reason why Vault is the dominant secrets management solution for platform teams: it’s incredibly powerful and it continues to get even better. So what innovations do we have planned for Vault in the near future? Attend this session and hear the specifics from Darshant Bhagat, Product Head for Vault, and Naaman Newbold, Vault Director of Engineering.

»Reliability

»Consul Use Cases At Stripe: Service Mesh and More

Tuesday, October 19, 1:30 p.m. PT

Interest in the service mesh pattern is surging. According to the HashiCorp State of Strategy Cloud survey, service mesh adoption is expected to grow 250% in the year ahead. If this is on your roadmap, who better to learn from than Stripe? After all, even a few seconds of downtime could cost the fintech giant millions. This company is on the cutting edge of modern networking, and there’s a lot to learn from its experience with Consul and Kubernetes.

Mark Guan and Ruoran Wang, Software Engineers at Stripe, reveal the details of their multi-region service networking tech stack. If this sounds like an impressive feat of engineering, it is. This duo gives you an inside look at their overall topology across various AWS accounts and regions, and how they federated multi-region clusters together.

»The Future of HCP Packer

Tuesday, October 20, 12:30 p.m. ET

Platform teams use Packer to create identical machine images for multiple clouds from a single source configuration. Meanwhile, these same teams use Terraform to deploy images. What if there was a way to bring these two technologies closer together? That’s the vision behind HCP Packer: bridge the image-management workflows between Packer and Terraform. This service was first announced at HashiConf Europe in June.

Megan Marsh, Packer’s Engineering Lead, will demonstrate the product and unveil exciting roadmap details. And don’t miss the hands-on lab for HCP Packer at 1:30 p.m. ET on Wednesday, October 20.

»Network Automation on Terraform Cloud With CTS

Wednesday, October 20, 1:30 p.m. PT

Ticketing systems are the enemy of the modern platform team. They served their purpose in years past; now we’re in the era of automation and self-service. Yet even the most determined enterprise likely has a few workflows that still depend on tickets. One stubborn scenario: requests for network configuration changes. Here, dev teams are ready to release new code to production, but the new code requires firewall policy updates or changes to the load balancer member pool.

This session focuses on Consul-Terraform-Sync (CTS), a new capability that automates this gap in your workflow. HashiCorp Senior Engineers Melissa Kam and Kim Ngo show you how CTS introduces network infrastructure automation to Consul and integrates directly with Terraform Cloud. Attend this session and learn how CTS monitors changes to the L7 network layer, and subsequently uses Terraform to dynamically update infrastructure.

»Workday’s Multi-Cloud Network Fabric With Consul & Vault

Wednesday, October 20, 1:00 p.m. ET

The hallmark of a reliable distributed system is that it continues to behave as expected even as it changes rapidly. Workday’s platform team has supported rapid growth and innovation over the last few years. To handle this growth, it uses Consul and Vault as part of its critical infrastructure. Workday Principal Engineer Daniele Vazzola explains how his company uses HashiCorp’s tools to support deployments across multiple cloud providers and on-premises datacenters. He even digs into how this multi-cloud fabric empowers service teams to autonomously set up secure connections across datacenters between workloads running on heterogeneous platforms. Don’t miss it!

»Join Us for the Livestreams

These fantastic talks are only a small part of what you’ll experience at HashiConf Global, happening online Tuesday – Wednesday, October 19 – 20 (and rebroadcast for the Asia/Pacific time zones on Wednesday – Thursday, October 20 – 21). This year, in addition to the visionary keynote sessions and dozens of useful practitioner talks, we’ve added free hands-on labs. For platform teams, we recommend the labs: Vault as a Certificate Authority (CA) for Consul Connect and Create a Custom Provider With the Terraform Plugin Framework.

Register for HashiConf Global today — it’s fast and free.


Source: HashiCorp Blog