Forem: Thiago Laurito

Lab HashStack - Part 2

Thiago Laurito — Wed, 05 Feb 2020 20:11:49 +0000

Let's prepare our environment with Vault and RabbitMQ.

The Vault will do the Vault function and also provide Dynamic Secrets for both our RabbitMQ stack and our Cassandra DB stack.

We will add the generated token in Consul to the Vault in 3 files:

modules/vault/vault.tf -> Add token in "CONSUL_HTTP_TOKEN"

Later add some token in:

data/vault-server-01/config/vault-config.json

data/vault-server-02/config/vault-config.json

Both "Parameter Token".

After that we will execute the module called vault cluster.

terraform apply -target=module.vault_cluster

See that it already appears registered at the Consul but with "Sealed" status.

Let's go to the Unseal process on Vault Server 1:

docker exec -it vault-server-1 /bin/sh

vault operator init

vault operator unseal

vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    5
Threshold       3
Version         1.3.2
Cluster Name    vault-cluster-9be77481
Cluster ID      684b9232-19b4-9fb9-1b2e-8fd1ad08fdb7
HA Enabled      true
HA Cluster      https://10.5.0.2:8201
HA Mode         active

Now let's run the Unseal process on Vault Server 2

docker exec -it vault-server-2 /bin/sh

vault operator unseal

vault status
Key                    Value
---                    -----
Seal Type              shamir
Initialized            true
Sealed                 false
Total Shares           5
Threshold              3
Version                1.3.2
Cluster Name           vault-cluster-9be77481
Cluster ID             684b9232-19b4-9fb9-1b2e-8fd1ad08fdb7
HA Enabled             true
HA Cluster             https://10.5.0.2:8201
HA Mode                standby
Active Node Address    http://10.5.0.2:8200

Now we will prepare the image of rabbitmq in the docker with the acl generated in the Consul and then execute the build.

cd /redstack_terraform_public/docker-images/rabbitmq

vim config/rabbitmq.conf 

docker build -t rabbimq .

cd ../../redstack

vim modules/rabbitmq/rabbitmq.tf

Add ACL Token "CONSUL_HTTP_TOKEN"

After completing the build of the Docker image we will run the rabbitmq_cluster module.

terraform apply -target=module.rabbitmq_cluster

We can already see the Rabbitmq stack, our Queue manager at Consul.

The rabbitmq_runtime module has the function of creating an example queue called "hello" an administrator user to access RabbitMQ's Web management.

It should be executed after deploying the rabbitmq_cluster module

terraform apply -target=module.rabbitmq_runtime

Now let's run the vault_rabbitmq_runtime module.

The function of this module is to create on the Vault Server the feature Dynamic Secrets for random user on Rabbitmq.

terraform apply -target=module.vault_rabbitmq_runtime

After applying the vault_rabbitmq_runtime module we will test the feature.

docker exec -it vault-server-1 /bin/sh

vault read rabbitmq/creds/rabbitmq_access_role
Key                Value
---                -----
lease_id           rabbitmq/creds/rabbitmq_access_role/Ff0fZcIj1SRAWeoQNHX21RzF
lease_duration     768h
lease_renewable    true
password           ea070a9f-9306-9f82-9cad-c42ab7553d02
username           root-bd54ff95-eec1-d07c-c966-6ad02ee725b4

See that the vault creates a username and password so that you can authenticate with Rabbitmq.

And it has an expiration time that can be set according to your business.

In the next Post we will deploy the Cassandra DB Stack with dynamic Secret active in the Vault and using the Consul as a Discovery service :)

Multiple Terraform Versions

Thiago Laurito — Thu, 16 Jan 2020 11:26:59 +0000

When targeting IAC (Infrastructure as Code) with terraform we can find designs that use different versions of terraform.

For scenarios like this we can use a tool written in GO called tfswitch.

https://warrensbox.github.io/terraform-switcher/

Lab HashStack - Part 1

Thiago Laurito — Tue, 14 Jan 2020 19:52:50 +0000

In this post the idea would be to set up a Lab for studies using Hashicorp solutions, such as Terraform, Vault and Consul in the construction of Stack.
We will use Consul with the Service Discovery feature and will also strengthen the security of our stack by using Acl's by restricting any attempts to access services below it without a valid token.
The vault's role is to provide the login security of our Cassandra DB and Rabbitmq with the dynamic secrets feature.
Traefik we will use to do load balancing between servers.
The terraform remote state will be using Terraform Cloud.

Requirements:

Terraform 11.4
Vault
Consul
Docker

Step 1:

Create Account Terraform Cloud.
https://www.terraform.io/docs/cloud/free/index.html

Generate your Token:
https://app.terraform.io/app/settings/tokens

Add on the home directory a file terraformrc with credentials:

cat <<EOF >~/.terraformrc
credentials "app.terraform.io" {
  token = "REPLACE_ME WITH TOKEN GENERATE"
}
EOF

Step 2

Download the repository on github
https://github.com/laund/redstack_terraform_public

Step 3 - Deploy Stack

terraform apply -target=module.network

terraform apply -target=module.traefik

Access url http://traefik.redstack.local:8081 in your browser for validate.

After validation we follow with the deployment of Consul.

terraform apply -target=module.consul_cluster

docker exec -it consul-server-1 /bin/sh

consul acl bootstrap

export CONSUL_HTTP_TOKEN=<SecretID>

exit

In the file variables.tf add your "SecretID".

variable "consul_token" {
  default     = "<SecretID>"
  description = "Secret ID"
}

In the next step, configure Acl's for the services that will be part of Consul Server.

terraform apply -target=module.consul_runtime

Access url http://consul.redstack.local:8500 in your browser and insert SecretID.

In the ACL menu you can view the Acl's created with terraform.

Access the container again and run the following command:

docker exec -it consul-server-1 /bin/sh

export CONSUL_HTTP_TOKEN=<SecretID>

consul acl set-agent-token default "<Agent Consul Token>"

First part completed, in the next article we will continue to deploy the rest of the services :)