Jeremy Cooper [AFS MBP] 50c459706b Updates tfsec & checkov ignores + syntax updates		3 jaren geleden
..
cloud-init	5a768b977f Improves consistency in static grains during cloud-init	4 jaren geleden
README.md	ea15a2cb82 Adds Secrets for Vault Auth	3 jaren geleden
amis.tf	2cf5b83c20 Adds Vault	4 jaren geleden
certificate.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 jaren geleden
constants.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 jaren geleden
dynamodb.tf	67c98b7677 Updates IMDS & ECR encryption syntax \| tfsec/chekov ignores \|	3 jaren geleden
elb.tf	50c459706b Updates tfsec & checkov ignores + syntax updates	3 jaren geleden
globals.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 jaren geleden
instance_profile.tf	50c459706b Updates tfsec & checkov ignores + syntax updates	3 jaren geleden
kms.tf	baa1f43824 Applied `terraform fmt` to all modules	3 jaren geleden
main.tf	50c459706b Updates tfsec & checkov ignores + syntax updates	3 jaren geleden
outputs.tf	baa1f43824 Applied `terraform fmt` to all modules	3 jaren geleden
vars.tf	7a08ba10cf Migrated most variables out of xdr-terraform-live and into xdr-terraform-modules	3 jaren geleden

Vault Setup Steps

Run the 090-instance-vault module first
- terragrunt apply
Run these salt states on the Vault instances
- salt vault*com saltutil.sync_all
- salt vault*com saltutil.refresh_pillar
- salt vault*com state.sls os_modifications test=true --state-output=changes
- salt vault*com state.highstate test=true --state-output=changes
- salt vault*com state.sls salt_minion.salt_minion_proxy test=true --state-output=changes
- salt vault*com state.sls vault test=true --state-output=changes
- salt vault*com state.sls vault pillar='{"kms_key_id": "<new-kms-key>"}' test=true --state-output=changes
Ensure Vault is running and unseal the Vault via CLI on ONE of the Vault servers
- export VAULT_ADDR=https://127.0.0.1
- export VAULT_SKIP_VERIFY=1
- vault status
- vault operator init -recovery-shares=5 -recovery-threshold=2
- Copy root token and 5 recovery shares to safe place
On your Laptop, use the root Vault token to run the Terraform 099-vault-configuration module
- vim ~/.vault-token
- The DNS in the Terraform Vault provider will be used. To test connectivity be sure to run this command: export VAULT_ADDR=https://internal-vault-alb-test-778772793.us-gov-east-1.elb.amazonaws.com. Replace the ALB address with the current ALB DNS address. This is due to Golang DNS not updating when connected to XDR over VPN. Vault binary is written in Go.
- Why not use the accenturefederal address? This is due to golang DNS issues.
- Download the Vault binary ( might not be needed? Is the binary in the TF provider? )
- terragrunt apply
- Might need this command as well. See main.tf in module for more information.
- vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-east-1.amazonaws.com sts_region=us-gov-east-1
- The Terraform Vault provider will look at ~/.vault-token for the token and the bash variables for the address to connect to. You can also add it to the command line (see below).
Revoke the root token
- vault token revoke <root-token>
Distribute Vault shareds to the appriopriate individuals.
Export/Import secrets
- https://github.com/adamdecaf/vault-backend-migrator
This module is dependent on AWS Secrets Manager for creds to authenticate to OKTA via OIDC and OKTA auth. For additional Vault documentation see these locations:

https://github.mdr.defpoint.com/mdr-engineering/infrastructure-notes/blob/master/Vault%20Notes.md

https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/blob/develop/salt/fileroots/vault/README.md

To apply Terraform Changes without putting credentials in the terragrunt.hcl

VAULT_TOKEN: Login to vault, and click your name dropdown, then copy token. You'll need it more than once.

Then apply:

VAULT_TOKEN=<fromvault> terragrunt apply