79 changes: 0 additions & 79 deletions deployment/gcp/boundary/principals.tf

This file was deleted.

4 changes: 3 additions & 1 deletion deployment/gcp/gcp/compute.tf
Expand Up @@ -35,6 +35,7 @@ resource "google_compute_instance_template" "controller" {
}
metadata_startup_script = templatefile("${path.module}/templates/controller.hcl.tpl", {
boundary_version = var.boundary_version
ca_pool = var.tls_disabled == true ? null : google_privateca_ca_pool.default.name
ca_name = var.tls_disabled == true ? null : google_privateca_certificate_authority.this[0].certificate_authority_id
ca_issuer_location = var.tls_disabled == true ? null : var.ca_issuer_location
controller_api_listener_ip = google_compute_address.public_controller_api.address
Expand Down Expand Up @@ -135,6 +136,7 @@ resource "google_compute_instance_template" "worker" {
}
metadata_startup_script = templatefile("${path.module}/templates/worker.hcl.tpl", {
boundary_version = var.boundary_version
ca_pool = var.tls_disabled == true ? null : google_privateca_ca_pool.default.name
ca_name = var.tls_disabled == true ? null : google_privateca_certificate_authority.this[0].certificate_authority_id
ca_issuer_location = var.tls_disabled == true ? null : var.ca_issuer_location
worker_listener_ip = google_compute_address.public_worker.address
Expand Down Expand Up @@ -175,4 +177,4 @@ resource "google_compute_firewall" "ssh" {
target_tags = concat(var.boundary_controller_tags, var.boundary_worker_tags)

direction = "INGRESS"
}
}
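Review bot: `ca_name` is still passed to both templates at L33 and L41 even though the template hunks on this page drop every `${ca_name}` use in favour of `${ca_pool}`, so it is now an unused template variable; it is worth keeping, because that reference is what orders instance-template creation after `google_privateca_certificate_authority.this[0]`, and without it the startup script could race the CA and fail at `gcloud privateca certificates create`. I'd add on the `ca_name` lines: `# no longer read by the template since the move to --issuer-pool; kept so the instance template depends on the CA` (or replace the reference with an explicit `depends_on`). Style: if `tls_disabled` is declared as `bool`, `var.tls_disabled == true ? null : …` reads better as `var.tls_disabled ? null : …`. Both `google_compute_instance_template` bodies start and end outside the hunks.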
1 change: 0 additions & 1 deletion deployment/gcp/gcp/db.tf
Expand Up @@ -16,7 +16,6 @@ resource "google_sql_database_instance" "this" {
ip_configuration {
ipv4_enabled = true
private_network = google_compute_network.this.id
require_ssl = false
}
}
}
35 changes: 26 additions & 9 deletions deployment/gcp/gcp/iam.tf
Expand Up @@ -5,14 +5,14 @@
resource "random_string" "boundary_controller" {
upper = false
special = false
number = false
numeric = false
length = 16
}

resource "random_string" "boundary_worker" {
upper = false
special = false
number = false
numeric = false
length = 16
}

Expand All @@ -38,6 +38,15 @@ data "google_iam_policy" "kms" {
"serviceAccount:${google_service_account.boundary_worker.email}"
]
}
binding {
role = "roles/cloudkms.viewer"

members = [
"serviceAccount:${google_service_account.boundary_controller.email}",
"serviceAccount:${google_service_account.boundary_worker.email}"
]
}

}

resource "google_kms_crypto_key_iam_policy" "root" {
Expand All @@ -59,7 +68,6 @@ resource "google_kms_crypto_key_iam_policy" "recovery" {
### IAM policy for certificate generation
data "google_iam_policy" "cas" {
count = var.tls_disabled == true ? 0 : 1
provider = google-beta
binding {
role = "roles/privateca.certificateManager"
members = [
Expand All @@ -69,9 +77,18 @@ data "google_iam_policy" "cas" {
}
}

resource "google_privateca_certificate_authority_iam_policy" "cas" {
count = var.tls_disabled == true ? 0 : 1
provider = google-beta
certificate_authority = google_privateca_certificate_authority.this[0].id
policy_data = data.google_iam_policy.cas[0].policy_data
}

data "google_iam_policy" "admin" {
binding {
role = "roles/privateca.certificateManager"
members = [
"serviceAccount:${google_service_account.boundary_controller.email}",
"serviceAccount:${google_service_account.boundary_worker.email}"
]
}
}

resource "google_privateca_ca_pool_iam_policy" "policy" {
ca_pool = google_privateca_ca_pool.default.id
policy_data = data.google_iam_policy.admin.policy_data
}
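Review bot: `google_privateca_ca_pool_iam_policy.policy` (L125-L128) is an authoritative policy resource — it replaces every binding on the CA pool with the single `admin` policy on each apply, so any operator or admin grant made outside this module is silently removed; if that is not intended, `google_privateca_ca_pool_iam_binding` (or `_iam_member`) for the role is the additive form. The role is also broader than the instances need: they only request certificates from the pool, which `roles/privateca.certificateRequester` covers without the update/revoke permissions `roles/privateca.certificateManager` adds, and naming the data source `admin` overstates what it grants. Unlike `data.google_iam_policy.cas` (L99) the new pool policy is not gated on `var.tls_disabled`, so it is applied even when no CA exists; and with the CA-level IAM resource apparently removed in this hunk, `cas` looks orphaned — confirm whether it is still consumed anywhere.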
37 changes: 32 additions & 5 deletions deployment/gcp/gcp/pki.tf
@@ -1,32 +1,59 @@
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
resource "google_privateca_ca_pool" "default" {
name = "boundary-ca-pool"
location = var.ca_issuer_location
tier = "ENTERPRISE"
publishing_options {
publish_ca_cert = true
publish_crl = true
}
labels = {
project = "boundary"
}
}

data "google_privateca_ca_pool_iam_policy" "policy" {
ca_pool = google_privateca_ca_pool.default.id
}

resource "google_privateca_certificate_authority" "this" {
pool = google_privateca_ca_pool.default.name
count = var.tls_disabled == true ? 0 : 1
provider = google-beta
location = var.ca_issuer_location
project = var.project
certificate_authority_id = local.boundary_name
config {
subject_config {
subject {
organization = var.ca_organization
common_name = var.ca_common_name
}
common_name = var.ca_common_name
dynamic "subject_alt_name" {
for_each = var.ca_subject_alternate_names
content {
dns_names = each.value
}
}
}
reusable_config {
reusable_config = "root-unconstrained"
x509_config {
ca_options {
is_ca = true
}
key_usage {
base_key_usage {
cert_sign = true
crl_sign = true
}
extended_key_usage {
server_auth = false
}
}
}
}
key_spec {
algorithm = "RSA_PKCS1_4096_SHA256"
}
}

## Check iam.tf for IAM priveleges related to certificate generation
## Check iam.tf for IAM priveleges related to certificate generation
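Review bot: Inside `dynamic "subject_alt_name"` (L165-L170) the iterator is `subject_alt_name`, not `each` — `each.value` is only valid in a resource or module with its own `for_each`, so `dns_names = each.value` will not validate; `dns_names = subject_alt_name.value` is the minimal fix, and if `var.ca_subject_alternate_names` is already a list of host names a plain `subject_alt_name { dns_names = var.ca_subject_alternate_names }` block is simpler and avoids emitting several `subject_alt_name` blocks where the schema, as I read it, takes one. The pool is created unconditionally while the CA keeps `count = var.tls_disabled == true ? 0 : 1` (L153), so a `tls_disabled` deployment still provisions an ENTERPRISE-tier pool; gating the pool the same way, together with its references in compute.tf and iam.tf, keeps the two consistent. `data "google_privateca_ca_pool_iam_policy" "policy"` (L147-L149) is not referenced anywhere on this page — if it is on the new side, confirm it is needed now that iam.tf sets that policy with a resource of the same name. The `common_name` at both L162 and L164 is presumably one old and one new line; check the provider's `subject_config` schema so only the supported placement survives.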
25 changes: 11 additions & 14 deletions deployment/gcp/gcp/templates/boundary.hcl.tpl
Expand Up @@ -18,9 +18,9 @@ mkdir /etc/boundary.d
mkdir /etc/boundary.d/tls

# Install cryptography module so we can request auto-generated certs from Google CAS
sudo apt-get install python-pip -y
sudo apt-get install python3 python3-pip -y
pip install --user "cryptography>=2.2.0"
export CLOUDSDK_PYTHON=python
export CLOUDSDK_PYTHON=python3
export CLOUDSDK_PYTHON_SITEPACKAGES=1

# Add the boundary system user and group to ensure we have a no-login
Expand All @@ -29,23 +29,21 @@ sudo adduser --system --group boundary || true
sudo chown boundary:boundary /usr/bin/boundary

%{ if type == "controller" }
gcloud beta privateca certificates create \
--issuer ${ca_name} \
--issuer-location ${ca_issuer_location} \
gcloud privateca certificates create \
--issuer-pool ${ca_pool} \
--issuer-location ${ca_issuer_location} \
--generate-key \
--key-output-file ${tls_key_path}/api.key \
--cert-output-file ${tls_cert_path}/api.crt \
--ip-san ${controller_api_listener_ip} \
--reusable-config "leaf-server-tls"

gcloud beta privateca certificates create \
--issuer ${ca_name} \
--issuer-location ${ca_issuer_location} \
gcloud privateca certificates create \
--issuer-pool ${ca_pool} \
--issuer-location ${ca_issuer_location} \
--generate-key \
--key-output-file ${tls_key_path}/controller.key \
--cert-output-file ${tls_cert_path}/controller.crt \
--ip-san ${controller_cluster_listener_ip} \
--reusable-config "leaf-server-tls"
export CLOUDSDK_PYTHON_SITEPACKAGES=0

# Take ownership of certificates
Expand Down Expand Up @@ -125,14 +123,13 @@ EOF
%{ endif }

%{ if type == "worker" }
gcloud beta privateca certificates create \
--issuer ${ca_name} \
--issuer-location ${ca_issuer_location} \
gcloud privateca certificates create \
--issuer-pool ${ca_pool} \
--issuer-location ${ca_issuer_location} \
--generate-key \
--key-output-file ${tls_key_path}/worker.key \
--cert-output-file ${tls_cert_path}/worker.crt \
--ip-san ${worker_listener_ip} \
--reusable-config "leaf-server-tls"
export CLOUDSDK_PYTHON_SITEPACKAGES=0

# Take ownership of certificates
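Review bot: Each `gcloud privateca certificates create` invocation on the new side (L217-L224, L229-L236, L247-L254) ends with `--ip-san … \`, and from the file's diffstat (14 deletions against 11 additions) the `--reusable-config "leaf-server-tls"` lines appear to be dropped without a replacement, so the continuation backslash now runs into the following line and the leaf certificates lose their server-TLS profile (the GA CLI replaced `--reusable-config` with `--use-preset-profile`). I'd close each command with `--use-preset-profile leaf_server_tls` as the last argument, with no trailing backslash, and confirm the issued certs carry the `serverAuth` EKU before the Boundary listeners rely on them. The same pattern is in controller.hcl.tpl (L276-L283, L288-L295) and worker.hcl.tpl (L317-L323), where in the worker case the trailing `\` would join `export CLOUDSDK_PYTHON_SITEPACKAGES=0` (L324) onto the gcloud command line.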
18 changes: 8 additions & 10 deletions deployment/gcp/gcp/templates/controller.hcl.tpl
Expand Up @@ -23,29 +23,27 @@ sudo chown boundary:boundary /usr/bin/boundary

%{ if tls_disabled == false }
# Install cryptography module so we can request auto-generated certs from Google CAS
sudo apt-get install python-pip -y
sudo apt-get install python3 python3-pip -y
mkdir /etc/boundary.d/tls
pip install --user "cryptography>=2.2.0"
export CLOUDSDK_PYTHON=python
export CLOUDSDK_PYTHON=python3
export CLOUDSDK_PYTHON_SITEPACKAGES=1

gcloud beta privateca certificates create \
--issuer ${ca_name} \
--issuer-location ${ca_issuer_location} \
gcloud privateca certificates create \
--issuer-pool ${ca_pool} \
--issuer-location ${ca_issuer_location} \
--generate-key \
--key-output-file ${tls_key_path}/api.key \
--cert-output-file ${tls_cert_path}/api.crt \
--ip-san ${controller_api_listener_ip} \
--reusable-config "leaf-server-tls"

gcloud beta privateca certificates create \
--issuer ${ca_name} \
--issuer-location ${ca_issuer_location} \
gcloud privateca certificates create \
--issuer-pool ${ca_pool} \
--issuer-location ${ca_issuer_location} \
--generate-key \
--key-output-file ${tls_key_path}/controller.key \
--cert-output-file ${tls_cert_path}/controller.crt \
--ip-san ${controller_cluster_listener_ip} \
--reusable-config "leaf-server-tls"
export CLOUDSDK_PYTHON_SITEPACKAGES=0

# Take ownership of certificates
9 changes: 4 additions & 5 deletions deployment/gcp/gcp/templates/worker.hcl.tpl
Expand Up @@ -23,20 +23,19 @@ sudo chown boundary:boundary /usr/bin/boundary

%{ if tls_disabled == false }
# Install cryptography module so we can request auto-generated certs from Google CAS
sudo apt-get install python-pip -y
sudo apt-get install python3 python3-pip -y
mkdir /etc/boundary.d/tls
pip install --user "cryptography>=2.2.0"
export CLOUDSDK_PYTHON=python
export CLOUDSDK_PYTHON=python3
export CLOUDSDK_PYTHON_SITEPACKAGES=1

gcloud beta privateca certificates create \
--issuer ${ca_name} \
--issuer-location ${ca_issuer_location} \
--issuer-pool ${ca_pool} \
--issuer-location ${ca_issuer_location} \
--generate-key \
--key-output-file ${tls_key_path}/worker.key \
--cert-output-file ${tls_cert_path}/worker.crt \
--ip-san ${worker_listener_ip} \
--reusable-config "leaf-server-tls"
export CLOUDSDK_PYTHON_SITEPACKAGES=0

# Take ownership of certificates
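Review bot: The worker hunk (L314-L323) has no `gcloud privateca certificates create \` line on the new side, unlike the controller and boundary templates (L276, L217): either the old `gcloud beta privateca certificates create \` at L314 survives, leaving this template on the beta surface the others have left, or it was removed together with `--issuer ${ca_name}` and the script now starts at `--issuer-pool ${ca_pool} \`, which the shell runs as a command and fails. Either way the command line should read `gcloud privateca certificates create \` so the three templates stay in step. The `%{ if tls_disabled == false }` block opens at L304 and its `endif` is outside the hunk.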
6 changes: 3 additions & 3 deletions deployment/gcp/gcp/variables.tf
Expand Up @@ -93,7 +93,7 @@ variable "database_tier" {
variable "compute_image_family" {
type = string
description = "The name of the family which you source your image from. This module leverages apt for software installation, so your choice should be a debian based distro."
default = "ubuntu-1804-lts"
default = "ubuntu-2204-lts"
}

variable "compute_image_project" {
Expand Down Expand Up @@ -205,7 +205,7 @@ variable "tls_key_path" {
variable "ca_issuer_location" {
type = string
description = ""
default = "asia-east1"
default = "us-central1"
}

# Debugging variables
Expand Down Expand Up @@ -234,4 +234,4 @@ variable "enable_target" {
type = bool
description = "Use to toggle creating a compute instance that can be used as a target for Boundary. Note that to connect you will also need to configure the ssh_key_path variable."
default = true
}
}
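Review bot: `ca_issuer_location` (L340-L345) still carries `description = ""` while its default moves from `asia-east1` to `us-central1`; since pki.tf uses this value as the location of both the CA pool and the CA, a description such as `"Location of the Certificate Authority Service CA pool and CA; must be a CAS-supported region, and changing it is likely to recreate both — confirm before editing."` would tell operators why the default matters. The `compute_image_family` bump to `ubuntu-2204-lts` is presumably what the templates' switch to `python3`/`python3-pip` relies on, so the two changes belong together and the description's apt note remains accurate.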