
full-artist-27215

09/29/2021, 4:20 PM
I'm automating the setup of a Hashicorp Vault server, and setting up an AWS secrets backend (https://www.vaultproject.io/docs/secrets/aws). Part of that entails passing the secret key and access key of an IAM user to allow Vault to interact with AWS. I can use a `pulumi_vault.aws.SecretBackend` (https://www.pulumi.com/docs/reference/pkg/vault/aws/secretbackend/) along with a `pulumi_aws.iam.User` (https://www.pulumi.com/docs/reference/pkg/aws/iam/user/) and a `pulumi_aws.iam.AccessKey` (https://www.pulumi.com/docs/reference/pkg/aws/iam/accesskey/) to do the initial setup. The wrinkle comes in where Vault allows you to automatically rotate the credentials with `vault write -f aws/config/rotate-root` (https://www.vaultproject.io/api-docs/secret/aws#rotate-root-iam-credentials). This changes what Pulumi thinks it knows about the state of the world. Things are fine as long as you continue to `pulumi up`, but once you run `pulumi refresh`, the difference is discovered, steps are taken to remediate the situation, and things get messy. Initially, I was thinking I could use Pulumi to do the initial setup, then remove the `pulumi_aws.iam.AccessKey` resource (after I had Vault rotate it the first time), and add an `ignore_changes` (https://www.pulumi.com/docs/intro/concepts/resources/#ignorechanges) option on the `pulumi_vault.aws.SecretBackend`. However, when I run `pulumi refresh` after having Vault rotate the key, it still shows that an update needs to happen. The diff doesn't show anything, but if I compare the stack outputs before and after (using `pulumi stack export`) I see a bunch of ciphertext changes that I'm having trouble making heads or tails of. I'm curious if anyone else has had any success with a similar setup in Pulumi. Is there a better way to do this using Pulumi? Or would it be better to manually create these things outside of Pulumi, and then perhaps adopt the resources into Pulumi? Thanks.

red-fish-22980

10/06/2021, 2:57 PM
Hi, I'm mixing both AWS IAM and Hashicorp Vault in a Pulumi project
I use pulumi.ComponentResource to create some custom resources (HVault Policies, groups, appRole, and IAM roles)
The Pulumi doc is ... really light and I've struggled to make it work, but for the moment I've got something
1. I create my aws roles with Pulumi
2. I create my vault.aws.SecretBackend with my aws access keys
3. I create my appRoleBackend with vault.AuthBackend
4. I create my HVault Policy & secretBackendRole that link my HVault Role to AWS Role with "assume_role"
5. I create my AuthBackendRole for my appRole to link an app role to a token policy
6. I create my HVault Groups that link a Group to a HVault Policy
What is working so far:
I can retrieve a connection token with an appRole
With this connection token my app or CI can connect to HVault for a limited amount of time and with limited rights
When connected, my app or CI can retrieve an AWS access_key and secret_key for a limited amount of time and with limited rights fulfilled by an AWS role
Users (entities) linked to a group can also retrieve an AWS access key and secret with the same limited rights
What is not working for the moment:

full-artist-27215

10/06/2021, 3:08 PM
@red-fish-22980 Yeah, I've been able to do a similar setup with Pulumi and it works fine. My particular concern is just about the patterns of using Pulumi to manage the IAM user and key pair that back an AWS secret method in Vault while also allowing Vault to be in charge of rotating that key. It seems as though using Pulumi for that particular bit of set-up may not be great, but I'm not sure if there's something I'm missing

red-fish-22980

10/06/2021, 3:10 PM
Well we use HVault to manage our user and aws is only used through roles
So I don't think I've got the same problem as you
but again, I'm not an expert on the subject, I'm still learning

full-artist-27215

10/06/2021, 3:13 PM
So when you set up your AWS secrets backend in Vault, do you set it up with credentials of its own, or do you use ambient credentials (e.g., your Vault is running in AWS, and it just uses your EC2 instance credentials)? If the backend has its own credentials, what creates those? Pulumi, or a separate process?

red-fish-22980

10/06/2021, 3:15 PM
for the moment, I create AWS credentials with another step of my CI and I put them manually in pulumi config
and in my Pulumi code, I use the config to create the AWS Secret Backend
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// Stack config holds the IAM key created by the CI step; the secret key is a Pulumi secret.
const cfg = new pulumi.Config();

/**
 * AWS Secret backend
 */
const awsBackend = new vault.aws.SecretBackend("aws", {
    accessKey: cfg.require("aws_access_key"),
    secretKey: cfg.requireSecret("aws_secret_key"),
    region: cfg.require("aws_region"),
});

full-artist-27215

10/06/2021, 3:17 PM
OK 👍
My problem is that I'd like to be able to have Vault rotate those keys, which will then bring it into conflict with Pulumi

red-fish-22980

10/06/2021, 3:19 PM
yes I understand, I will have to do the same in the future
I have no clue of how to manage that for the moment

full-artist-27215

10/06/2021, 3:22 PM
Well, let me know if you find something that works, and I'll do the same for you 😅

red-fish-22980

10/06/2021, 3:22 PM
👍
my main problem with pulumi is the doc
on how to manage pulumi.ComponentResource

full-artist-27215

10/06/2021, 3:23 PM
what do you mean by managing a ComponentResource?

red-fish-22980

10/06/2021, 3:23 PM
the doc is spread among tons of unuseful other topics
creating my own ComponentResource like I create classes in other languages
how does dependsOn work, really, ...

full-artist-27215

10/06/2021, 3:29 PM
dependsOn is generally useful for when you have resources that logically depend on each other, but where that dependency isn't represented in the inputs for that resource. That is, A actually depends on C, but A's constructor only takes B as an argument (and B doesn't directly depend on C). I had to do this with some Vault resources when I created a Namespace, but then needed to create a number of resources inside that Namespace. Unfortunately, because of the way the underlying Terraform Vault provider is designed, you don't actually pass a Namespace as an argument; you have to use an entirely separate provider instance. Because of this, I had to explicitly wire up that dependency with a `depends_on`.
I do know that the Pulumi folks are actively soliciting feedback on the usability of the documentation, though... you might reach out to @brainy-church-78120 to share your concerns on that point.

red-fish-22980

10/06/2021, 3:30 PM
ok, I'll do