How to use dynamic secrets via Vault when building a MongoDB Atlas cluster with Terraform

Published 2025-01-31 03:32:17


I'm trying to get my terraform (which manages our mongo atlas infrastructure) to use dynamic secrets (through vault, running on localhost for now) when terraform is connecting to atlas, but I can't seem to get it to work.

I can't find any examples of how to do this so I have put together a sample github repo showing the few things I've tried to do so far.

All the magic is contained in the 3 provider files. I have the standard method of connecting to atlas using static keys (even with said keys generated as temporary API keys through vault); see provider1.tf.

The problem comes when I try and use the atlas vault secret engine for terraform along with the mongo atlas provider. There are just no examples!

My question is how do I use the atlas vault secret engine to generate and use temporary keys when provisioning infrastructure with terraform?

I've tried two different ways of wiring up the providers, see files provider2.tf and provider3.tf; the code is copied here:

provider2.tf

provider "mongodbatlas" {
  public_key = vault_database_secrets_mount.db.mongodbatlas[0].public_key
  private_key  = vault_database_secrets_mount.db.mongodbatlas[0].private_key
}

provider "vault" {
  address = "http://127.0.0.1:8200"
}

resource "vault_database_secrets_mount" "db" {
  path = "db"

  mongodbatlas {
    name = "foo"
    public_key = var.mongodbatlas_org_public_key
    private_key = var.mongodbatlas_org_private_key
    project_id = var.mongodbatlas_project_id
  }
}

provider3.tf

provider "mongodbatlas" {
  public_key = vault_database_secret_backend_connection.db2.mongodbatlas[0].public_key
  private_key  = vault_database_secret_backend_connection.db2.mongodbatlas[0].private_key
}

resource "vault_mount" "db1" {
  path = "mongodbatlas01"
  type = "database"
}

resource "vault_database_secret_backend_connection" "db2" {
  backend       = vault_mount.db1.path
  name          = "mongodbatlas02"
  allowed_roles = ["dev", "prod"]

  mongodbatlas {
    public_key = var.mongodbatlas_org_public_key
    private_key = var.mongodbatlas_org_private_key
    project_id = var.mongodbatlas_project_id
  }
}

Both methods give the same sort of error:

mongodbatlas_cluster.cluster-terraform01: Creating...
╷
│ Error: error creating MongoDB Cluster: POST https://cloud.mongodb.com/api/atlas/v1.0/groups/10000000000000000000001/clusters: 401 (request "") You are not authorized for this resource.
│
│   with mongodbatlas_cluster.cluster-terraform01,
│   on main.tf line 1, in resource "mongodbatlas_cluster" "cluster-terraform01":
│    1: resource "mongodbatlas_cluster" "cluster-terraform01" {

Any pointers or examples would be greatly appreciated.

Many thanks.


Comments (1)

巨坚强 2025-02-07 03:32:17


Once you have set up and started vault, enabled mongodbatlas, and added config and roles to vault, it's actually rather easy to connect terraform to atlas using dynamic ephemeral keys created by vault.

Run these commands first to start and configure vault locally:

vault server -dev   # runs in the foreground: run the remaining commands in a second shell
export VAULT_ADDR='http://127.0.0.1:8200'
vault secrets enable mongodbatlas
# Write your master API keys into vault
vault write mongodbatlas/config public_key=org-api-public-key private_key=org-api-private-key
# Role that issues short-lived project keys: ttl/max_ttl bound the lease, cidr_blocks limits where the keys may be used from
vault write mongodbatlas/roles/test project_id=100000000000000000000001 roles=GROUP_OWNER ttl=2h max_ttl=5h cidr_blocks=123.45.67.1/24

Now add the vault provider and data source to your terraform config:

provider "vault" {
  address = "http://127.0.0.1:8200"
}

data "vault_generic_secret" "mongodbatlas" {
  path = "mongodbatlas/creds/test"
}

Finally, add the mongodbatlas provider with the keys as provided by the vault data source:

provider "mongodbatlas" {
  public_key  = data.vault_generic_secret.mongodbatlas.data["public_key"]
  private_key = data.vault_generic_secret.mongodbatlas.data["private_key"]
}

This is shown as a full example in this example GitHub repo.
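As an added example (not code from the question, the answer, or the linked repo): the vault_generic_secret data source used above persists the issued key pair and its lease metadata in Terraform state, so after an apply the state file itself holds an Atlas API key until the lease expires. The script below audits a constructed tfstate snapshot for Vault-issued Atlas credentials and reports each lease's expiry and whether the private key is in state; it assumes the data source's lease_start_time attribute is an RFC 3339 UTC timestamp.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample terraform.tfstate (v4 layout) after the answer's
# data "vault_generic_secret" "mongodbatlas" has run; keys are placeholders.
SAMPLE_STATE = json.dumps({"resources": [{
    "mode": "data", "type": "vault_generic_secret", "name": "mongodbatlas",
    "instances": [{"attributes": {
        "path": "mongodbatlas/creds/test",
        "lease_id": "mongodbatlas/creds/test/PLACEHOLDER-LEASE-ID",
        "lease_duration": 7200,  # the role's ttl=2h, in seconds
        "lease_start_time": "2025-02-07T03:32:17Z",
        "data": {"public_key": "PLACEHOLDER-PUBLIC",
                 "private_key": "PLACEHOLDER-PRIVATE"},
    }}],
}]})

def parse_rfc3339(ts: str) -> datetime:
    """Parse the UTC RFC 3339 form the data source is assumed to store."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def atlas_leases(state_json: str, now_rfc3339: str) -> list:
    """One record per Vault-issued Atlas key pair found in Terraform state."""
    now, found = parse_rfc3339(now_rfc3339), []
    for res in json.loads(state_json).get("resources", []):
        if res.get("mode") != "data" or res.get("type") != "vault_generic_secret":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes", {})
            if not attrs.get("path", "").startswith("mongodbatlas/creds/"):
                continue
            expires = parse_rfc3339(attrs["lease_start_time"]) + timedelta(
                seconds=int(attrs["lease_duration"]))
            found.append({
                "address": f"data.{res['type']}.{res['name']}",
                "lease_id": attrs.get("lease_id"),
                "expires_at": expires.isoformat(),
                "still_valid": now < expires,
                # The data source writes the whole secret, private key
                # included, into state: treat the state file as a secret.
                "private_key_in_state": "private_key" in attrs.get("data", {}),
            })
    return found

if __name__ == "__main__":
    now = datetime.now(timezone.utc).isoformat()
    for rec in atlas_leases(SAMPLE_STATE, now):
        status = "STILL VALID" if rec["still_valid"] else "expired"
        print(f"{rec['address']}: lease {status} until {rec['expires_at']}, "
              f"private key in state: {rec['private_key_in_state']}")
```

Run it against a real state file by replacing SAMPLE_STATE with the file's contents; a live lease in a shared or unencrypted state backend is the finding to act on.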
