Upgrade to Pro — share decks privately, control downloads, hide ads and more …

HashiConf EU 2016: Building secure environments...

HashiConf EU 2016: Building secure environments in clouds using HashiCorp tools

Talk given at HashiConf EU 2016 (Amsterdam). Associated video can be found here: https://www.youtube.com/watch?v=tbrQnrLExow

Nicki Watt

June 14, 2016
Tweet

More Decks by Nicki Watt

Other Decks in Technology

Transcript

  1. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 46 ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "ovpn"

    { name = "${var.env-prefix}-ovpn" image_name = "${var.image_name}" flavor_name = "${var.openvpn-flavour-name}" floating_ip = “${openstack_compute_floatingip_v2. openvpn.address}" ... } ## OpenVPN Public IP resource "openstack_compute_floatingip_v2" "openvpn" { region = "" pool = "${var.public-ip-pool}" ... } terraform.tf Declarative DSL (AWS) ## AWS Compute instance resource "aws_instance" "ovpn" { ami = “${var.ovpn-ami}" instance_type = “${var.m-openvpn-instance-type}" vpc_security_group_ids = [ "${aws_security_group.ovpn.id}"] subnet_id = “${aws_subnet.dmz.id}" ... } ## DMZ network exposing Public IP resource "aws_subnet" "dmz" { vpc_id = "${aws_vpc.core.id}" cidr_block = “${var.m-dmz-net-cidr}" map_public_ip_on_launch = 1 ... } terraform.tf
  2. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 48 ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "ovpn"

    { name = “${var.m-env-prefix}-ovpn" image_name = “${var.m-ovpn-imgname}” flavor_name = “${var.m-ovpn-flavour-name}" floating_ip = “${openstack_compute_floatingip_v2. openvpn.address}" ... } variable “m-env-prefix" { default = "team1" } variable “m-ovpn-imgname” { default = "centos7-001"} variable “m-ovpn-flavour-name"{ default = "x1.medium" } terraform.tf inputs.tf Variables
  3. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 69 Accesses user supplied data for VM it

    is running on cloud provider metadat a service #cloud-config hostname: ${env-prefix}-jm fqdn: ${env-prefix}-jm.${domain} manage_etc_hosts: true puppet: conf: agent: server: "${env-prefix}-ipa.$ {domain}" runcmd: - until curl -ksf https://${env- prefix}-ipa.${domain}:443/ca/admin/ ca/getStatus ; do sleep 30 ; done ; ipa-client-install —domain=${domain} ... --unattended --force-join - export COUNT=0 ; until puppet agent -t ; do echo "`date` - Attempting to run puppet agent for $COUNT time" ; if [[ $COUNT -eq 3 ]] ; then break ; fi ; sleep 30 ; ((COUNT++)) ; done
  4. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "km" {

    name = "${var.env-prefix}-km" image_name = "${var.image_name}" flavor_name = "${var.km-flavour-name}" user_data = "${template_file.clientconfig.rendered}" ... } ## UserData as input to cloud-init resource "template_file" "clientconfig" { filename = "${path.module}/clientconfig.template" vars { domain = "${var.domain}" env-prefix = "${var.env-prefix}" ... } } 72 Passing user-data via terraform
  5. ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 73 ## OpenVPN Compute instance resource "openstack_compute_instance_v2" "km"

    { name = "${var.env-prefix}-km" image_name = "${var.image_name}" flavor_name = "${var.km-flavour-name}" user_data = "${template_file.clientconfig.rendered}" ... } ## UserData as input to cloud-init resource "template_file" "clientconfig" { filename = "${path.module}/clientconfig.template" vars { domain = "${var.domain}" env-prefix = "${var.env-prefix}" ... } } Passing user-data via terraform