This Terraform folder is dedicated to GitLab CI (your pipeline). You should run Terraform only from GitLab CI for this project.
It deploys a website that uses Vault to obtain dynamic secrets for authenticating to a database.
Refer to the README to set up your Vault first.
Then check the `.gitlab-ci.yml` file. It runs your CI inside GitLab CI and also deploys your project by executing your Terraform.
The gitlab-ci file has 3 stages:
- `test`: this stage has 1 job, which checks whether your pipeline can authenticate to your Vault through the JWT auth backend.
- `plan`: this stage has 1 job, which authenticates to your Vault through the JWT auth backend and runs a `terraform plan`. It also tests whether you can access the AWS secret engine and generate AWS secrets.
- `deploy`: this stage has 2 jobs. The `apply` job runs `terraform apply` based on the previous `terraform plan`. The `destroy` job runs `terraform destroy` and destroys your project infrastructure. Both must be executed manually through GitLab CI.
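Added example (not part of this project's code): how a Vault JWT auth role decides whether a GitLab job token may log in, which is why the role used by the `test` and `plan` stages should be bound to your project and ref rather than accepting any token from the GitLab instance. The claim names mirror GitLab's `CI_JOB_JWT`; the sample claims, role and token are constructed, and the signature check Vault performs against GitLab's JWKS is left out.

```python
import base64
import fnmatch
import json

# Constructed sample: the claims GitLab puts in a job JWT (CI_JOB_JWT). Values are made up.
SAMPLE_CLAIMS = {
    "iss": "gitlab.example.com", "iat": 1700000000, "nbf": 1700000000, "exp": 1700000300,
    "sub": "job_1234", "namespace_path": "example-org", "project_path": "example-org/web",
    "project_id": "42", "user_login": "ci-user", "pipeline_id": "77", "job_id": "1234",
    "ref": "main", "ref_type": "branch", "ref_protected": "true",
}

# Constructed role mirroring the fields a Vault JWT auth role exposes (example values).
STRICT_ROLE = {
    "user_claim": "project_path",
    "bound_claims_type": "string",
    "bound_claims": {"project_path": "example-org/web", "ref_type": "branch", "ref": "main"},
}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_jwt(claims: dict) -> str:
    """Build header.payload.signature with a placeholder signature (constructed test input)."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.sig-placeholder"

def decode_claims(token: str) -> dict:
    """Decode the payload only; signature verification is Vault's job against GitLab's JWKS."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def claim_matches(expected, actual, glob: bool) -> bool:
    allowed = expected if isinstance(expected, list) else [expected]
    return any(fnmatch.fnmatchcase(str(actual), str(v)) if glob else str(actual) == str(v)
               for v in allowed)

def evaluate_role(token: str, role: dict, now: int):
    """Return (allowed, identity_or_reason) the way a Vault JWT role gates a login."""
    claims = decode_claims(token)
    if now >= claims.get("exp", 0):
        return False, "token expired"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    glob = role.get("bound_claims_type", "string") == "glob"
    for name, expected in role.get("bound_claims", {}).items():
        if name not in claims:
            return False, f"missing claim {name}"
        if not claim_matches(expected, claims[name], glob):
            return False, f"claim {name}={claims[name]!r} not permitted by role"
    return True, str(claims[role["user_claim"]])
```

A role with an empty `bound_claims` would accept a job token from any project on the same GitLab instance, so the check above is what limits Vault access to this pipeline.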
There is also a `before_script` in which your GitLab CI job installs the Vault and Terraform binaries.
In your GitLab project, under Settings > CI/CD, add a variable:
- `VAULT_ADDR`: the value should be the address of your Vault server.
On the AWS side, it creates an RDS database with MySQL as the database engine and an EC2 instance hosting your website.
On the Vault side:
- The RDS secrets are stored in the Database secret engine in Vault.
- The EC2 instance has a Vault role created in the AWS auth backend, based on the EC2 metadata (e.g. account ID, subnet ID, etc.).
Your website will be able to authenticate to Vault with the AWS auth backend and then use Vault Database secrets to authenticate to the RDS database through the Database secret engine.
WIP
| Name | Version |
|---|---|
| aws | ~>3.23 |
| vault | ~>2.14.0 |
| Name | Version |
|---|---|
| aws | ~>3.23 |
| random | n/a |
| template | n/a |
| vault | ~>2.14.0 |
No Modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_db_instance_class | The RDS instance class (default: db.t3.micro) | string | "db.t3.micro" | no |
| aws_instance_type | The AWS EC2 instance type (default: t3.micro) | string | "t3.micro" | no |
| db_admin_username | The admin username of the database (default: admin) | string | "admin" | no |
| db_secret_ttl | The database secret TTL in seconds (default: 1min) | number | 60 | no |
| project_name | Project name (default: web) | string | "web" | no |
| project_token_max_ttl | The Vault token max TTL in seconds (default: 2min) | number | 120 | no |
| project_token_ttl | The Vault token default TTL in seconds (default: 1min) | number | 60 | no |
| region | AWS region | string | "eu-west-1" | no |
| secret_id_num_uses | The number of uses for the secret ID (default: 0) | number | 0 | no |
| secret_id_ttl | The secret ID TTL in seconds (default: 10min) | number | 600 | no |
| token_max_ttl | The token max TTL in seconds (default: 10min) | number | 600 | no |
| token_num_uses | The number of uses for the token (default: 0) | number | 0 | no |
| token_ttl | The token TTL in seconds (default: 1min) | number | 60 | no |
| vault_addr | The Vault address (endpoint). | any | n/a | yes |
| vault_agent_parameters | The parameters to pass as environment variables to your Vault Agent (ex: VAULT_NAMESPACE='test') | string | "" | no |
| vault_agent_version | The Vault Agent version used (default: 1.6.2) | string | "1.6.2" | no |
| vault_backend | Vault auth backend path to authenticate with. | any | n/a | yes |
| vault_role | Vault role name to authenticate with. | any | n/a | yes |
| Name | Description |
|---|---|
| db_endpoint | The endpoint of the RDS database |
| db_engine | The database engine used by your RDS database |
| db_name | The database name created on your RDS database |
| db_user | The admin username of your database |
| vault_path_db_rotate | The Vault database secret path to rotate the root user password |
| web_endpoint | The endpoint of your website. Copy/paste the endpoint into a web browser to test it. |
| web_instance_public_ip | The AWS EC2 instance public IPv4 address |