diff --git a/deployment/gcp/boundary/principals.tf b/deployment/gcp/boundary/principals.tf
deleted file mode 100644
index a0c0948..0000000
--- a/deployment/gcp/boundary/principals.tf
+++ /dev/null
@@ -1,79 +0,0 @@
-# Copyright (c) HashiCorp, Inc.
-# SPDX-License-Identifier: MPL-2.0
-
-resource "boundary_user" "backend" {
- for_each = var.backend_team
- name = each.key
- description = "Backend user: ${each.key}"
- account_ids = [boundary_account.backend_user_acct[each.value].id]
- scope_id = boundary_scope.org.id
-}
-
-resource "boundary_user" "frontend" {
- for_each = var.frontend_team
- name = each.key
- description = "Frontend user: ${each.key}"
- account_ids = [boundary_account.frontend_user_acct[each.value].id]
- scope_id = boundary_scope.org.id
-}
-
-resource "boundary_user" "leadership" {
- for_each = var.leadership_team
- name = each.key
- description = "WARNING: Managers should be read-only"
- account_ids = [boundary_account.leadership_user_acct[each.value].id]
- scope_id = boundary_scope.org.id
-}
-
-resource "boundary_account" "backend_user_acct" {
- for_each = var.backend_team
- name = each.key
- description = "User account for ${each.key}"
- type = "password"
- login_name = lower(each.key)
- password = "foofoofoo"
- auth_method_id = boundary_auth_method.password.id
-}
-
-resource "boundary_account" "frontend_user_acct" {
- for_each = var.frontend_team
- name = each.key
- description = "User account for ${each.key}"
- type = "password"
- login_name = lower(each.key)
- password = "foofoofoo"
- auth_method_id = boundary_auth_method.password.id
-}
-
-resource "boundary_account" "leadership_user_acct" {
- for_each = var.leadership_team
- name = each.key
- description = "User account for ${each.key}"
- type = "password"
- login_name = lower(each.key)
- password = "foofoofoo"
- auth_method_id = boundary_auth_method.password.id
-}
-
-// organiation level group for the leadership team
-resource "boundary_group" "leadership" {
- name = "leadership_team"
- description = "Organization group for leadership team"
- member_ids = [for user in boundary_user.leadership : user.id]
- scope_id = boundary_scope.org.id
-}
-
-// project level group for backend and frontend management of core infra
-resource "boundary_group" "backend_core_infra" {
- name = "backend"
- description = "Backend team group"
- member_ids = [for user in boundary_user.backend : user.id]
- scope_id = boundary_scope.core_infra.id
-}
-
-resource "boundary_group" "frontend_core_infra" {
- name = "frontend"
- description = "Frontend team group"
- member_ids = [for user in boundary_user.frontend : user.id]
- scope_id = boundary_scope.core_infra.id
-}
diff --git a/deployment/gcp/gcp/compute.tf b/deployment/gcp/gcp/compute.tf
index e126daa..1509c0f 100644
--- a/deployment/gcp/gcp/compute.tf
+++ b/deployment/gcp/gcp/compute.tf
@@ -35,6 +35,7 @@ resource "google_compute_instance_template" "controller" {
 }
 metadata_startup_script = templatefile("${path.module}/templates/controller.hcl.tpl", {
 boundary_version = var.boundary_version
+ ca_pool = var.tls_disabled == true ? null : google_privateca_ca_pool.default.name
 ca_name = var.tls_disabled == true ? null : google_privateca_certificate_authority.this[0].certificate_authority_id
 ca_issuer_location = var.tls_disabled == true ? null : var.ca_issuer_location
 controller_api_listener_ip = google_compute_address.public_controller_api.address
@@ -135,6 +136,7 @@ resource "google_compute_instance_template" "worker" {
 }
 metadata_startup_script = templatefile("${path.module}/templates/worker.hcl.tpl", {
 boundary_version = var.boundary_version
+ ca_pool = var.tls_disabled == true ? null : google_privateca_ca_pool.default.name
 ca_name = var.tls_disabled == true ? null : google_privateca_certificate_authority.this[0].certificate_authority_id
 ca_issuer_location = var.tls_disabled == true ? null : var.ca_issuer_location
 worker_listener_ip = google_compute_address.public_worker.address
@@ -175,4 +177,4 @@ resource "google_compute_firewall" "ssh" {
 
 target_tags = concat(var.boundary_controller_tags, var.boundary_worker_tags)
 direction = "INGRESS"
-}
\ No newline at end of file
+}
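Review bot: `ca_name` is still passed to both templatefile() maps, but after the template hunks on this page drop every `--issuer ${ca_name}` line, no visible template references it any more; either remove `ca_name = …` from the controller (@@ -35) and worker (@@ -135) maps or add a comment naming what still consumes it. The new `ca_pool` line references `google_privateca_ca_pool.default.name` without `[0]`, which only works because the pool in pki.tf is created regardless of `tls_disabled`; if the pool is ever gated like the certificate authority, this line will need the same indexing as `ca_name`. Both instance-template resources start outside the hunks.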
diff --git a/deployment/gcp/gcp/db.tf b/deployment/gcp/gcp/db.tf
index 90557bb..8ca7b4e 100644
--- a/deployment/gcp/gcp/db.tf
+++ b/deployment/gcp/gcp/db.tf
@@ -16,7 +16,6 @@ resource "google_sql_database_instance" "this" {
 ip_configuration {
 ipv4_enabled = true
 private_network = google_compute_network.this.id
- require_ssl = false
 }
 }
 }
diff --git a/deployment/gcp/gcp/iam.tf b/deployment/gcp/gcp/iam.tf
index 0e7afb9..488c18c 100644
--- a/deployment/gcp/gcp/iam.tf
+++ b/deployment/gcp/gcp/iam.tf
@@ -5,14 +5,14 @@ resource "random_string" "boundary_controller" {
 upper = false
 special = false
- number = false
+ numeric = false
 length = 16
 }
 
 resource "random_string" "boundary_worker" {
 upper = false
 special = false
- number = false
+ numeric = false
 length = 16
 }
@@ -38,6 +38,15 @@ data "google_iam_policy" "kms" {
 "serviceAccount:${google_service_account.boundary_worker.email}"
 ]
 }
+ binding {
+ role = "roles/cloudkms.viewer"
+
+ members = [
+ "serviceAccount:${google_service_account.boundary_controller.email}",
+ "serviceAccount:${google_service_account.boundary_worker.email}"
+ ]
+ }
+
 }
 
 resource "google_kms_crypto_key_iam_policy" "root" {
@@ -59,7 +68,6 @@ resource "google_kms_crypto_key_iam_policy" "recovery" {
 ### IAM policy for certificate generation
 data "google_iam_policy" "cas" {
 count = var.tls_disabled == true ? 0 : 1
- provider = google-beta
 binding {
 role = "roles/privateca.certificateManager"
 members = [
@@ -69,9 +77,18 @@ data "google_iam_policy" "cas" {
 }
 }
 
-resource "google_privateca_certificate_authority_iam_policy" "cas" {
- count = var.tls_disabled == true ? 0 : 1
- provider = google-beta
- certificate_authority = google_privateca_certificate_authority.this[0].id
- policy_data = data.google_iam_policy.cas[0].policy_data
-}
\ No newline at end of file
+
+data "google_iam_policy" "admin" {
+ binding {
+ role = "roles/privateca.certificateManager"
+ members = [
+ "serviceAccount:${google_service_account.boundary_controller.email}",
+ "serviceAccount:${google_service_account.boundary_worker.email}"
+ ]
+ }
+}
+
+resource "google_privateca_ca_pool_iam_policy" "policy" {
+ ca_pool = google_privateca_ca_pool.default.id
+ policy_data = data.google_iam_policy.admin.policy_data
+}
diff --git a/deployment/gcp/gcp/pki.tf b/deployment/gcp/gcp/pki.tf
index a19c17d..2fb0526 100644
--- a/deployment/gcp/gcp/pki.tf
+++ b/deployment/gcp/gcp/pki.tf
@@ -1,9 +1,25 @@
 # Copyright (c) HashiCorp, Inc.
 # SPDX-License-Identifier: MPL-2.0
 
+resource "google_privateca_ca_pool" "default" {
+ name = "boundary-ca-pool"
+ location = var.ca_issuer_location
+ tier = "ENTERPRISE"
+ publishing_options {
+ publish_ca_cert = true
+ publish_crl = true
+ }
+ labels = {
+ project = "boundary"
+ }
+}
+
+data "google_privateca_ca_pool_iam_policy" "policy" {
+ ca_pool = google_privateca_ca_pool.default.id
+}
 resource "google_privateca_certificate_authority" "this" {
+ pool = google_privateca_ca_pool.default.name
 count = var.tls_disabled == true ? 0 : 1
- provider = google-beta
 location = var.ca_issuer_location
 project = var.project
 certificate_authority_id = local.boundary_name
@@ -11,8 +27,8 @@ resource "google_privateca_certificate_authority" "this" {
 subject_config {
 subject {
 organization = var.ca_organization
+ common_name = var.ca_common_name
 }
- common_name = var.ca_common_name
 dynamic "subject_alt_name" {
 for_each = var.ca_subject_alternate_names
 content {
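Review bot: The new `data "google_iam_policy" "admin"` and `google_privateca_ca_pool_iam_policy.policy` are not gated on `var.tls_disabled`, whereas `data "google_iam_policy" "cas"` (whose closing braces are the context at the top of this hunk; its body is outside it) keeps its `count` but, with the `certificate_authority_iam_policy` resource removed here, has no consumer anywhere visible on this page. Either add `count = var.tls_disabled == true ? 0 : 1` to both new blocks and reference `data.google_iam_policy.admin[0].policy_data`, or delete the orphaned `cas` data source so the file has one policy definition per pool. The name `admin` also overstates what is granted: the only binding is `roles/privateca.certificateManager` for the two runtime service accounts, so a name like `ca_pool_requesters` would read accurately. Note that `google_privateca_ca_pool_iam_policy` is authoritative and will overwrite any binding added to the pool outside Terraform, which is worth a one-line comment above the resource.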
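Review bot: `google_privateca_ca_pool.default` has no `count`, while `google_privateca_certificate_authority.this` directly below it keeps `count = var.tls_disabled == true ? 0 : 1`, so a `tls_disabled = true` deployment now provisions an ENTERPRISE-tier pool (plus its IAM policy from iam.tf) that nothing uses; giving the pool the same `count` and referencing `google_privateca_ca_pool.default[0]` from the CA, compute.tf and iam.tf would keep the toggle meaningful. `data "google_privateca_ca_pool_iam_policy" "policy"` reads the pool's policy but is not referenced by anything on this page, and it shares the label `policy` with the `google_privateca_ca_pool_iam_policy` resource in iam.tf; if it is intentional, a comment such as `# read-only: exposes the effective pool policy; not consumed by other resources` would say so, otherwise remove it. The `publishing_options` block would also benefit from a short comment on why CA-cert and CRL publishing are enabled, since consumers of that CRL are not visible in this change.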
@@ -20,8 +36,19 @@ resource "google_privateca_certificate_authority" "this" {
 }
 }
 }
- reusable_config {
- reusable_config = "root-unconstrained"
+ x509_config {
+ ca_options {
+ is_ca = true
+ }
+ key_usage {
+ base_key_usage {
+ cert_sign = true
+ crl_sign = true
+ }
+ extended_key_usage {
+ server_auth = false
+ }
+ }
 }
 }
 key_spec {
@@ -29,4 +56,4 @@ resource "google_privateca_certificate_authority" "this" {
 }
 }
 
-## Check iam.tf for IAM priveleges related to certificate generation
\ No newline at end of file
+## Check iam.tf for IAM priveleges related to certificate generation
diff --git a/deployment/gcp/gcp/templates/boundary.hcl.tpl b/deployment/gcp/gcp/templates/boundary.hcl.tpl
index e6d3ea9..296668a 100644
--- a/deployment/gcp/gcp/templates/boundary.hcl.tpl
+++ b/deployment/gcp/gcp/templates/boundary.hcl.tpl
@@ -18,9 +18,9 @@ mkdir /etc/boundary.d
 mkdir /etc/boundary.d/tls
 
 # Install cryptography module so we can request auto-generated certs from Google CAS
-sudo apt-get install python-pip -y
+sudo apt-get install python3 python3-pip -y
 pip install --user "cryptography>=2.2.0"
-export CLOUDSDK_PYTHON=python
+export CLOUDSDK_PYTHON=python3
 export CLOUDSDK_PYTHON_SITEPACKAGES=1
 
 # Add the boundary system user and group to ensure we have a no-login
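Review bot: `ca_options { is_ca = true }` leaves the issuer path length unconstrained, so this root may sign subordinate CAs even though every certificate request on this page is a leaf server certificate; if the provider version in use exposes it, adding `zero_max_issuer_path_length = true` (the provider's way to express a path length of 0) restricts the root to leaf issuance, which is the least privilege the deployment needs. `extended_key_usage { server_auth = false }` grants nothing and appears to be present only to satisfy the required block; a comment such as `# required block; no EKU is asserted on the CA certificate itself` would stop a later reader from flipping it to true. The enclosing resource starts and ends outside this hunk.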
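Review bot: `pip install --user "cryptography>=2.2.0"` (the context line between the two changed lines) now runs under python3 but remains an unpinned, lower-bounded download from PyPI at every instance boot, so the TLS bootstrap depends on whatever version PyPI serves that day. Since the apt line is being rewritten anyway, `sudo apt-get install python3 python3-pip python3-cryptography -y` with the pip line dropped keeps the dependency inside the image's package channel, or failing that pin an exact version with `--require-hashes`. If the startup script runs as root, `--user` installs under `/root/.local`, which is presumably what `CLOUDSDK_PYTHON_SITEPACKAGES=1` is meant to expose; a comment on that export saying so would help. The same three lines recur in controller.hcl.tpl (@@ -23,29) and worker.hcl.tpl (@@ -23,20).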
@@ -29,23 +29,21 @@ sudo adduser --system --group boundary || true
 sudo chown boundary:boundary /usr/bin/boundary
 
 %{ if type == "controller" }
-gcloud beta privateca certificates create \
- --issuer ${ca_name} \
- --issuer-location ${ca_issuer_location} \
+gcloud privateca certificates create \
+ --issuer-pool ${ca_pool} \
+ --issuer-location ${ca_issuer_location} \
 --generate-key \
 --key-output-file ${tls_key_path}/api.key \
 --cert-output-file ${tls_cert_path}/api.crt \
 --ip-san ${controller_api_listener_ip} \
- --reusable-config "leaf-server-tls"
-gcloud beta privateca certificates create \
- --issuer ${ca_name} \
- --issuer-location ${ca_issuer_location} \
+gcloud privateca certificates create \
+ --issuer-pool ${ca_pool} \
+ --issuer-location ${ca_issuer_location} \
 --generate-key \
 --key-output-file ${tls_key_path}/controller.key \
 --cert-output-file ${tls_cert_path}/controller.crt \
 --ip-san ${controller_cluster_listener_ip} \
- --reusable-config "leaf-server-tls"
 export CLOUDSDK_PYTHON_SITEPACKAGES=0
 
 # Take ownership of certificates
@@ -125,14 +123,13 @@ EOF
 %{ endif }
 %{ if type == "worker" }
-gcloud beta privateca certificates create \
- --issuer ${ca_name} \
- --issuer-location ${ca_issuer_location} \
+gcloud privateca certificates create \
+ --issuer-pool ${ca_pool} \
+ --issuer-location ${ca_issuer_location} \
 --generate-key \
 --key-output-file ${tls_key_path}/worker.key \
 --cert-output-file ${tls_cert_path}/worker.crt \
 --ip-san ${worker_listener_ip} \
- --reusable-config "leaf-server-tls"
 export CLOUDSDK_PYTHON_SITEPACKAGES=0
 
 # Take ownership of certificates
diff --git a/deployment/gcp/gcp/templates/controller.hcl.tpl b/deployment/gcp/gcp/templates/controller.hcl.tpl
index 5a52790..7021b00 100644
--- a/deployment/gcp/gcp/templates/controller.hcl.tpl
+++ b/deployment/gcp/gcp/templates/controller.hcl.tpl
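Review bot: Removing the `--reusable-config "leaf-server-tls"` lines leaves the preceding context line `--ip-san ${controller_api_listener_ip} \` with its trailing backslash, so the shell now joins the following line onto the same command: the first `gcloud privateca certificates create` absorbs the whole second invocation as extra arguments, and for the last invocation in each block `export CLOUDSDK_PYTHON_SITEPACKAGES=0` is handed to gcloud instead of being executed. gcloud will most likely reject the unrecognised arguments, no key or certificate is written, and the script carries on to the "Take ownership of certificates" step with nothing to own, which leaves the listeners without TLS material. The fix is to end the last option of each invocation without the continuation, i.e. ` --ip-san ${controller_api_listener_ip}` and ` --ip-san ${controller_cluster_listener_ip}` here and ` --ip-san ${worker_listener_ip}` in the @@ -125 hunk. The same defect is present in controller.hcl.tpl (@@ -23,29) and worker.hcl.tpl (@@ -23,20).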
@@ -23,29 +23,27 @@ sudo chown boundary:boundary /usr/bin/boundary
 
 %{ if tls_disabled == false }
 # Install cryptography module so we can request auto-generated certs from Google CAS
-sudo apt-get install python-pip -y
+sudo apt-get install python3 python3-pip -y
 mkdir /etc/boundary.d/tls
 pip install --user "cryptography>=2.2.0"
-export CLOUDSDK_PYTHON=python
+export CLOUDSDK_PYTHON=python3
 export CLOUDSDK_PYTHON_SITEPACKAGES=1
-gcloud beta privateca certificates create \
- --issuer ${ca_name} \
- --issuer-location ${ca_issuer_location} \
+gcloud privateca certificates create \
+ --issuer-pool ${ca_pool} \
+ --issuer-location ${ca_issuer_location} \
 --generate-key \
 --key-output-file ${tls_key_path}/api.key \
 --cert-output-file ${tls_cert_path}/api.crt \
 --ip-san ${controller_api_listener_ip} \
- --reusable-config "leaf-server-tls"
-gcloud beta privateca certificates create \
- --issuer ${ca_name} \
- --issuer-location ${ca_issuer_location} \
+gcloud privateca certificates create \
+ --issuer-pool ${ca_pool} \
+ --issuer-location ${ca_issuer_location} \
 --generate-key \
 --key-output-file ${tls_key_path}/controller.key \
 --cert-output-file ${tls_cert_path}/controller.crt \
 --ip-san ${controller_cluster_listener_ip} \
- --reusable-config "leaf-server-tls"
 export CLOUDSDK_PYTHON_SITEPACKAGES=0
 
 # Take ownership of certificates
diff --git a/deployment/gcp/gcp/templates/worker.hcl.tpl b/deployment/gcp/gcp/templates/worker.hcl.tpl
index 9f5982a..ad65204 100644
--- a/deployment/gcp/gcp/templates/worker.hcl.tpl
+++ b/deployment/gcp/gcp/templates/worker.hcl.tpl
@@ -23,20 +23,19 @@ sudo chown boundary:boundary /usr/bin/boundary
 
 %{ if tls_disabled == false }
 # Install cryptography module so we can request auto-generated certs from Google CAS
-sudo apt-get install python-pip -y
+sudo apt-get install python3 python3-pip -y
 mkdir /etc/boundary.d/tls
 pip install --user "cryptography>=2.2.0"
-export CLOUDSDK_PYTHON=python
+export CLOUDSDK_PYTHON=python3
 export CLOUDSDK_PYTHON_SITEPACKAGES=1
 gcloud beta privateca certificates create \
- --issuer ${ca_name} \
- --issuer-location ${ca_issuer_location} \
+ --issuer-pool ${ca_pool} \
+ --issuer-location ${ca_issuer_location} \
 --generate-key \
 --key-output-file ${tls_key_path}/worker.key \
 --cert-output-file ${tls_cert_path}/worker.crt \
 --ip-san ${worker_listener_ip} \
- --reusable-config "leaf-server-tls"
 export CLOUDSDK_PYTHON_SITEPACKAGES=0
 
 # Take ownership of certificates
diff --git a/deployment/gcp/gcp/variables.tf b/deployment/gcp/gcp/variables.tf
index 64fad68..666f4f4 100644
--- a/deployment/gcp/gcp/variables.tf
+++ b/deployment/gcp/gcp/variables.tf
@@ -93,7 +93,7 @@ variable "database_tier" {
 variable "compute_image_family" {
 type = string
 description = "The name of the family which you source your image from. This module leverages apt for software installation, so your choice should be a debian based distro."
- default = "ubuntu-1804-lts"
+ default = "ubuntu-2204-lts"
 }
 
 variable "compute_image_project" {
@@ -205,7 +205,7 @@ variable "tls_key_path" {
 variable "ca_issuer_location" {
 type = string
 description = ""
- default = "asia-east1"
+ default = "us-central1"
 }
 
 # Debugging variables
@@ -234,4 +234,4 @@ variable "enable_target" {
 type = bool
 description = "Use to toggle creating a compute instance that can be used as a target for Boundary. Note that to connect you will also need to configure the ssh_key_path variable."
 default = true
-}
\ No newline at end of file
+}
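Review bot: `gcloud beta privateca certificates create \` stays a context line here, so the worker template still calls the beta surface while boundary.hcl.tpl and controller.hcl.tpl on this page were moved to `gcloud privateca certificates create \`; the worker should make the same change, since the GA command already supports the `--issuer-pool` flag this hunk introduces and keeping one template on beta invites drift when the beta flag set moves. The trailing backslash on `--ip-san ${worker_listener_ip} \` has the same problem as the other templates: with `--reusable-config` removed, `export CLOUDSDK_PYTHON_SITEPACKAGES=0` becomes an argument to gcloud, so that line should end as ` --ip-san ${worker_listener_ip}` with no continuation.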
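Review bot: `variable "ca_issuer_location"` keeps `description = ""` while its default moves to `us-central1`, and with this commit the value now also places the new CA pool (`google_privateca_ca_pool.default.location`) and is passed to every `gcloud privateca certificates create --issuer-location` call, so it deserves a description such as `"Region of the Google CAS pool and CA that issue the Boundary TLS certificates; must be a region where Certificate Authority Service is available."`. The `compute_image_family` bump to `ubuntu-2204-lts` (@@ -93) matches the python3 changes in the templates; its description could add that the startup scripts assume `python3` and `python3-pip` are installable from apt on the chosen image.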