Enable Vault servers to access Kubernetes

database/setup.sql

@@ -0,0 +1,12 @@
+set time zone 'UTC';
+create extension pgcrypto;
+
+CREATE TABLE products (
+    id VARCHAR(255) PRIMARY KEY NOT NULL,
+    name VARCHAR(255) NOT NULL,
+    description VARCHAR(255) NOT NULL
+);
+
+INSERT INTO products (id, name, description) VALUES ('2310d6be-0e80-11ed-861d-0242ac120002', 'Vault', 'Secrets management');
+INSERT INTO products (id, name, description) VALUES ('b3bdc008-be8d-4e52-bd0e-73053b397322', 'Boundary', 'Modern privileged access management');
+INSERT INTO products (id, name, description) VALUES ('ed7d5231-55cd-4691-920d-34a8004bcb9f', 'Terraform', 'Infrastructure as code');

eks.tf

@@ -0,0 +1,44 @@
+data "aws_caller_identity" "current" {}
+
+data "aws_iam_session_context" "current" {
+  arn = data.aws_caller_identity.current.arn
+}
+
+data "aws_eks_node_groups" "cluster" {
+  cluster_name = data.terraform_remote_state.setup.outputs.kubernetes.id
+}
+
+data "aws_eks_node_group" "cluster" {
+  for_each = data.aws_eks_node_groups.cluster.names
+
+  cluster_name    = data.terraform_remote_state.setup.outputs.kubernetes.id
+  node_group_name = each.value
+}
+
+locals {
+  node_groups = [for group in data.aws_eks_node_group.cluster : {
+    rolearn  = group.node_role_arn
+    username = "system:node:{{EC2PrivateDNSName}}"
+    groups   = ["system:bootstrappers", "system:nodes"]
+  }]
+}
+
+module "eks_auth_configmap" {
+  source  = "terraform-aws-modules/eks/aws//modules/aws-auth"
+  version = "20.3.0"
+
+  manage_aws_auth_configmap = true
+
+  aws_auth_roles = concat(local.node_groups, [
+    {
+      rolearn  = data.aws_iam_session_context.current.issuer_arn
+      username = "admin-dev"
+      groups   = ["system:masters"]
+    },
+    {
+      rolearn  = aws_iam_role.vault_server.arn
+      username = "admin-vault"
+      groups   = ["system:masters"]
+    },
+  ])
+}

outputs.tf

@@ -0,0 +1,3 @@
+output "vault_endpoint" {
+  value = "https://${aws_lb.vault_server.dns_name}:8200"
+}

providers.tf

@@ -14,6 +14,10 @@ terraform {
       source  = "hashicorp/tls"
       version = "~> 4.0.5"
     }
+    kubernetes = {
+      source  = "hashicorp/kubernetes"
+      version = "~> 2.27.0"
+    }
   }
 }
 
@@ -36,4 +40,20 @@ provider "boundary" {
   addr                   = data.terraform_remote_state.setup.outputs.boundary.public_endpoint
   auth_method_login_name = data.terraform_remote_state.setup.outputs.boundary.username
   auth_method_password   = data.terraform_remote_state.setup.outputs.boundary.password
+}
+
+data "aws_eks_cluster" "cluster" {
+  name = data.terraform_remote_state.setup.outputs.kubernetes.id
+}
+data "aws_eks_cluster_auth" "cluster" {
+  name = data.terraform_remote_state.setup.outputs.kubernetes.id
+}
+provider "kubernetes" {
+  host                   = data.aws_eks_cluster.cluster.endpoint
+  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    args        = ["eks", "get-token", "--cluster-name", data.terraform_remote_state.setup.outputs.kubernetes.id]
+    command     = "aws"
+  }
 }

scripts/server.sh

@@ -2,10 +2,26 @@
 
 instance_id=$( curl -Ss -H "X-aws-ec2-metadata-token: $imds_token" 169.254.169.254/latest/meta-data/instance-id )
 
+apt update && apt -y install apt-transport-https ca-certificates curl jq unzip
+
 wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
 echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
 
-apt update && sudo apt -y install vault jq consul
+apt update && sudo apt -y install vault
+
+curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
+echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
+
+apt update && sudo apt -y install kubectl
+
+curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | sudo tee /usr/share/keyrings/helm.gpg > /dev/null
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | sudo tee /etc/apt/sources.list.d/helm-stable-debian.list
+
+apt update && sudo apt -y install helm
+
+curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+unzip awscliv2.zip
+sudo ./aws/install
 
 mkdir -p /opt/vault.d
 chown vault:vault -R /opt/vault.d

setup/eks.tf

@@ -29,4 +29,15 @@ module "eks" {
       instance_types = ["m5.large"]
     }
   }
+
+  cluster_security_group_additional_rules = {
+    vault_servers = {
+      description = "Allow Vault servers to access Kubernetes cluster"
+      protocol    = "tcp"
+      from_port   = 443
+      to_port     = 443
+      type        = "ingress"
+      cidr_blocks = [module.vpc.vpc_cidr_block]
+    }
+  }
 }

vault-server-iam.tf

@@ -77,6 +77,18 @@ data "aws_iam_policy_document" "instance_permissions_policy" {
       aws_iam_role.vault_server.arn
     ]
   }
+
+  statement {
+    sid    = "VaultEC2toAWSEKS"
+    effect = "Allow"
+    actions = [
+      "eks:DescribeCluster",
+      "eks:ListClusters"
+    ]
+    resources = [
+      "*"
+    ]
+  }
 }
 
 resource "aws_iam_role_policy" "vault_server" {