- Microsoft Azure account
- Terraform installed and ready to use
- A Self Signed SSL Cert or a Vaild SSL Cert for the DNS name of your vault server and the localhost ip 127.0.0.1.
Terraform Azure Provider Prerequisites
A service principal is an application within Azure Active Directory which can be used to authenticate. Service principals are preferable to running an app using your own credentials. Follow the instruction in the Terraform documentation to create a service principal and then configure in Terraform.
Tips:
-
Subscription ID: Navigate to the Subscriptions blade within the Azure Portal and copy the Subscription ID
-
Tenant ID: Navigate to the Azure Active Directory > Properties in the Azure Portal, and copy the Directory ID which is your tenant ID
-
Client ID: Same as the Application ID
-
Client secret: The password (credential) set on your application
IMPORTANT: Ensure that your Service Principal has appropriate permissions to provision virtual machines, networks, as well as Azure Key Vault. Refer to the Azure documentation.
-
Clone this repo
$ git clone https://github.com/stoffee/vault-autounseal-azurerm-poc.git
-
Provide Azure credentials in the
terraform.tfvars.exampleand save it asterraform.tfvarsNOTE: Overwrite the Azure
locationorenvironmentname in theterraform.tfvarsas desired. -
Add the SSL Certs to the setup.tpl
-
Run the Terraform commands:
# Pull necessary plugins $ terraform init $ terraform plan # Output provides the SSH instruction $ terraform apply -auto-approve ... Apply complete! Resources: 12 added, 0 changed, 0 destroyed. Outputs: ip = 52.151.16.65 key_vault_name = poc-vault-90ad5386 ssh-addr = Connect to your virtual machine via SSH: $ ssh -i ssh/private/key/location azureuser@52.151.16.65
-
SSH into the virtual machine:
$ ssh -i ssh/private/key/location azureuser@52.151.16.65
-
Find your Root Token and Recovery Key
$ cat /opt/vault/setup/vault.unseal.info
Run terraform destroy when you are done exploring:
$ terraform destroy -auto-approve
$ rm -rf .terraform terraform.tfstate*