Terraform repo containing modules for the Presentation and DEMO at HASHICONF EUROPE 2022
SLIDES: {TO BE INSERTED}
PRESENTATION: {TO BE INSERTED}
This repo contains the module to deploy 4 AWS lambda functions with their related AWS and Hashicorp Vault resources to make a sub-minute recovery in case of a disaster.
-
2 Vault clusters deployed in AWS with 2
Route53records for your hosted zone:HIGH LEVEL ARCHITECTURE:
Two Vault clusters under autoscaling groups and behind Network Load Balancers with 2 Route53 records, one for the primary cluster and one for the secondary cluster (in DR Replication). Then a higher level endpoint, pointing to both the other two endpoints with a weighted policy; max weight for the primary cluster and minimum weight for the secondary cluster.
-
Docker Container Tagged
centos:my-centosin you Jenkins instance (Jenkinsfileline 4). This container can be built from thejenkins-containerfolder (simplecentosrendition withpython3.8&gitinstalled plus other basic tools). -
Jenkins plugins:
-
CloudBees AWS Credentials https://plugins.jenkins.io/aws-credentials/
- And AWS credentials in jenkins with id
my-aws-credentials(Jenkinsfileline 27)
- And AWS credentials in jenkins with id
-
Pipeline: AWS Steps https://plugins.jenkins.io/pipeline-aws/#documentation (
Jenkinsfileline 27) -
Docker Pipeline https://plugins.jenkins.io/docker-workflow/
-
-
Place your
Hashicorp Vaultendpoints into the corresponding variables intest/example/main.tffile.
In order to test the modules locally, first, build the container:
cd jenkins-container
docker build -t centos:my-centos .After the build has completed, go back into the root folder and just enter the container mounting the file system:
cd ..
docker run -it --rm -v $(pwd):/workspace centos:my-centos /bin/bashOnce inside the container, export the necessary variables (like the AWS credentials), enter the workspace directory and issue a make install-dependencies command:
export AWS_ACCESS_KEY_ID=.....
export AWS_SECRET_ACCESS_KEY=....
cd workspace
make install-dependenciesThis command will install terraform, go and nodejs.
After that, grab a Vault Token and issue:
VAULT_TOKEN=s.123451234 make test/allThe tests are placed in test folder, in particular, there is a single main_test.go file which consume the test/example folder which itself consume the terraform/ module.
The go script simply deploy the lambda functions and the Vault resources (everything is in the terraform/ module) and then destroy everything.
Clearly more comprehensive tests
The continuous integration is done through Jenkins. The step are simply:
- Insert Vault Token
- Install Dependencies
- Run tests
Continuous delivery/deploy is not implemented.
Simple integration would be: Adding a stage in the Jenkinsfile that will be triggered only upon a merge onto master branch and tagging the commit with the next version following semantic versioning.