/infrastructure-pipeline

An example pipeline for executing HashiCorp Terraform with ephemeral cloud provider credentials managed by HashiCorp Vault

An Example Infrastructure Pipeline

This example uses:

  • Amazon Web Services
  • GitHub Actions
  • Terraform 0.14+
  • Vault 1.5+
  • HashiCorp Cloud Platform Vault (managed Vault offering)
  • Terraform Cloud (for configuring Vault, uses vault/ directory)

The infrastructure pipeline runs Terraform to create a PostgreSQL database in AWS. It securely retrieves secrets from HashiCorp Vault.

[Diagram: HCP Vault, AWS, and the peered connection between them]

Usage

  1. In your CLI, set the Vault address, token, and namespace.

    $ export VAULT_ADDR=
    $ export VAULT_TOKEN=
    $ export VAULT_NAMESPACE=
  2. Get the Vault secret ID.

    $ make get-secret
  3. Go to the GitHub repository's Secrets settings.

  4. Set the following repository secrets:

    1. VAULT_ADDR: address of Vault
    2. VAULT_NAMESPACE: admin
    3. VAULT_ROLE_ID: infrastructure-pipeline
    4. VAULT_SECRET_ID: the secret ID returned by `make get-secret` in the CLI
  5. Make changes to this repository to execute Terraform.
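On the consuming side, the Terraform that creates the database can obtain its AWS credentials from Vault's AWS secrets engine at plan and apply time instead of storing long-lived AWS keys as GitHub secrets. The following is an added example, not this repository's own code; the `aws` mount path, the `infrastructure-pipeline` secrets-engine role, the provider version constraints and the database settings are assumptions.

```hcl
# Added example, not this repository's code. Assumed: AWS secrets engine
# mounted at "aws" with an assumed_role-type role "infrastructure-pipeline".
terraform {
  required_version = ">= 0.14"
  required_providers {
    aws   = { source = "hashicorp/aws", version = ">= 4.0" }
    vault = { source = "hashicorp/vault", version = ">= 3.0" }
  }
}

# Address, token and namespace come from VAULT_ADDR, VAULT_TOKEN, VAULT_NAMESPACE.
provider "vault" {}

# Each plan/apply asks Vault for a fresh STS session that expires on its own,
# so no long-lived AWS key is stored in GitHub or on the runner.
data "vault_aws_access_credentials" "pipeline" {
  backend = "aws"                      # assumed mount path
  role    = "infrastructure-pipeline"  # assumed secrets-engine role name
  type    = "sts"                      # STS creds carry a session token
  ttl     = "15m"
}

provider "aws" {
  region     = var.region
  access_key = data.vault_aws_access_credentials.pipeline.access_key
  secret_key = data.vault_aws_access_credentials.pipeline.secret_key
  token      = data.vault_aws_access_credentials.pipeline.security_token
}

variable "region" {
  default = "us-east-1"
}

# Marked sensitive so the value is redacted from plan output and CI logs.
variable "db_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "postgres" {
  identifier          = "infrastructure-pipeline-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  db_name             = "pipeline"
  username            = "postgres"
  password            = var.db_password
  publicly_accessible = false  # Vault reaches it over the peered private connection
  skip_final_snapshot = true
}
```

Because the STS credentials are requested by the Vault provider each run, the only durable secret the workflow holds is the AppRole secret ID set in step 4.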

Notes

  1. The GitHub Actions workflow accesses Vault over the public internet. To access Vault over a private connection, you will want to deploy a self-hosted runner or GitHub Enterprise. Vault configures the PostgreSQL database over a private connection.

  2. The demo uses HashiCorp Cloud Platform. You can substitute the Vault endpoint with your own Vault instance, as long as it can connect to AWS.

Requirements