# Boundary provider configuration.
# Authenticates to the controller at var.boundary_address with the
# password auth method identified by var.boundary_auth_method_id.
# Provider arguments are not persisted to Terraform state, but
# var.boundary_password should be declared `sensitive = true` so it is
# redacted from plan/apply output — verify in the variables file (not shown).
provider "boundary" {
  auth_method_id = var.boundary_auth_method_id

  # Login credentials for the password auth method.
  password_auth_method_login_name = var.boundary_username
  password_auth_method_password   = var.boundary_password

  addr = var.boundary_address
}
# Application org scope, created directly under the global scope.
# Both auto_create_* flags stay enabled: the provider's own user receives an
# admin role in the new scope, and a default role is created as well.
# NOTE(review): Boundary's auto-created default role is, as far as I recall,
# aimed at the anonymous user (u_anon) for scope/auth-method listing — confirm
# the resulting grants are intended; otherwise set auto_create_default_role = false.
resource "boundary_scope" "app" {
  scope_id = "global"

  name        = var.application_name
  description = format("scope for %s", var.application_name)

  auto_create_admin_role   = true
  auto_create_default_role = true
}
# Project scope beneath the application org; the host catalog, host set,
# targets and credential store below all live here.
# The name keeps the original spelling ("infrastrcture") on purpose: changing
# it would alter the live scope's name in Boundary, so it is left as-is.
resource "boundary_scope" "app_infra" {
  scope_id = boundary_scope.app.id

  name        = join("_", [var.application_name, "infrastrcture"])
  description = format("%s project!", var.application_name)

  # Same role bootstrapping as the parent org scope.
  auto_create_admin_role   = true
  auto_create_default_role = true
}
# Static host catalog in the project scope; hosts are added explicitly
# (one per backend instance) rather than discovered by a plugin.
resource "boundary_host_catalog_static" "backend_servers" {
  scope_id = boundary_scope.app_infra.id

  name        = "backend_servers"
  description = "Backend servers host catalog"
}
# One static host per private IP reported by data.aws_instances.servers
# (declared elsewhere in the module, not shown here).
# toset() makes each.key and each.value the same IP string, so either can be
# used below. for_each keys must be known at plan time; if the instances are
# created in the same run this may need a staged apply — assumption, verify.
resource "boundary_host_static" "backend_servers" {
  for_each = toset(data.aws_instances.servers.private_ips)

  host_catalog_id = boundary_host_catalog_static.backend_servers.id
  type            = "static"

  name        = format("backend_server_service_%s", each.key)
  description = "Backend server host"
  address     = each.value
}
# Host set grouping every backend host; all targets below use this single
# set as their host source (the "_ssh" suffix is historical — the tcp
# targets share it too).
resource "boundary_host_set_static" "backend_servers_ssh" {
  host_catalog_id = boundary_host_catalog_static.backend_servers.id
  type            = "static"

  name        = "backend_servers_ssh"
  description = "Host set for backend servers"

  # Every host produced by the for_each above, in key (IP) order.
  host_ids = values(boundary_host_static.backend_servers)[*].id
}
# TCP target for the Nomad API on the backend hosts.
# No credential source is attached, so Boundary only brokers the connection;
# Nomad's own authentication still applies. session_connection_limit = -1
# means a session may open an unlimited number of connections — consider a
# finite limit if that is not required. Sessions are pinned to workers whose
# type tag includes "demostack" by the egress filter.
resource "boundary_target" "nomad" {
  scope_id = boundary_scope.app_infra.id
  type     = "tcp"

  name        = "nomad"
  description = "nomad servers"

  default_port             = 4646
  session_connection_limit = -1
  egress_worker_filter     = " \"demostack\" in \"/tags/type\" "

  host_source_ids = [boundary_host_set_static.backend_servers_ssh.id]
}
# TCP target for the Consul HTTP API on the backend hosts.
# Same shape as the nomad target: no brokered credentials, unlimited
# connections per session (-1), egress restricted to "demostack"-tagged
# workers.
resource "boundary_target" "consul" {
  scope_id = boundary_scope.app_infra.id
  type     = "tcp"

  name        = "consul"
  description = "consul servers"

  default_port             = 8500
  session_connection_limit = -1
  egress_worker_filter     = " \"demostack\" in \"/tags/type\" "

  host_source_ids = [boundary_host_set_static.backend_servers_ssh.id]
}
# TCP target for the Vault API on the backend hosts.
# Note this is distinct from var.vault_address used by the credential store
# below; this target reaches Vault through the backend host set. As with the
# other tcp targets: no credential injection, -1 = unlimited connections per
# session, egress limited to "demostack"-tagged workers.
resource "boundary_target" "vault" {
  scope_id = boundary_scope.app_infra.id
  type     = "tcp"

  name        = "vault"
  description = "vault servers"

  default_port             = 8200
  session_connection_limit = -1
  egress_worker_filter     = " \"demostack\" in \"/tags/type\" "

  host_source_ids = [boundary_host_set_static.backend_servers_ssh.id]
}
# SSH target for the backend servers on port 22.
# Credentials are injected by Boundary from the Vault SSH certificate library
# (boundary_credential_library_vault_ssh_certificate.vault_ssh_cert, declared
# elsewhere in the module), so end users never see a private key. Session
# recording is enabled and written to boundary_storage_bucket.doormat_example
# (also declared elsewhere). session_connection_limit = -1 allows unlimited
# connections per session.
resource "boundary_target" "backend_servers_ssh" {
  scope_id = boundary_scope.app_infra.id
  type     = "ssh"

  name        = "Nomad Workers SSH Injected creds"
  description = "Nomad Workers SSH target"

  default_port             = 22
  session_connection_limit = -1
  egress_worker_filter     = " \"demostack\" in \"/tags/type\" "

  host_source_ids = [boundary_host_set_static.backend_servers_ssh.id]

  # Injected (not brokered) credentials: the SSH certificate is used by the
  # worker on the user's behalf.
  injected_application_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.vault_ssh_cert.id,
  ]

  # Record sessions for audit; requires a storage bucket with a worker that
  # can reach it.
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.doormat_example.id
}
# Vault credential store in the project scope.
# The token comes from a vault_token resource declared elsewhere in the
# module; its value is stored in Terraform state, so state must be treated
# as secret (encrypted backend, restricted access). The namespace follows the
# HCP Vault "admin/<name>" layout.
resource "boundary_credential_store_vault" "app_vault" {
  scope_id = boundary_scope.app_infra.id

  name        = "appHCP_Vault"
  description = "app Vault Credential Store"

  # Earlier variants kept for reference: a fixed Consul DNS address
  # ("https://vault.service.consul:8200") and a var.vault_token input.
  address   = var.vault_address
  token     = vault_token.boundary.client_token
  namespace = "admin/${var.application_name}"
}
# Generic Vault credential library reading a secret with GET.
# The "/data/" path segment suggests a KV v2 mount — verify against the
# actual Vault backend before use (the original author also flagged the path
# as a placeholder). Not referenced by any target in this file; the SSH target
# uses the certificate library instead.
resource "boundary_credential_library_vault" "ssh" {
  credential_store_id = boundary_credential_store_vault.app_vault.id

  name        = "vault_token"
  description = "Credential Library for Vault Token"

  path        = "boundary_creds/data/ssh" # change to Vault backend path
  http_method = "GET"
}