TERRAFORM AUTHENTICATION

                                                         

This hands-on will solve hard coded credential in our configuration file.

For this exercise, I used terraform documentation to specify which provider is required to configure these resources (e.g. - Development-VM). All you need is AWS path to access the config file.

Terraform is an open source and it uses declarative syntax. Meaning, you do not have to define WHAT the end result you want. 

There are three ways of authentication in terraform. 
Static credentials /Hard-coded credentials: Credentials are embedded directly into the code and are difficult to change without modifying and recompiling the application. It is considered a bad practice to hard code credentials in your code , it increases security risk.

Environment Credentials : Credentials can be declared in a separate file where your secret and access keys are stored in your local. This credentials can be ran in our local using the export command.

Shared/ CLI-based credentials: You store the configuration file in your local system which can be replaced or edited.

FOR STATIC CREDENTIALS:

STEP 1:
Create a folder  for example "Static-credential"

STEP 2:
Create a "provider.tf" file : You can notice the provider shows the secret and access keys.

terraform {

required_version = "1.3.4"

required_providers {

aws = {

source = "hashicorp/aws"

version = "4.39.0"

}

}

}

provider "aws" {

# Configuration options

region = "us-east-1"

access_key = "AKIA****KJ4******"

secret_key = "9m0******1MRAlE******5VReHj******"

}

STEP 3: 

Create an "ec2.tf" file 

resource "aws_instance" "Development-VM" {

ami = "ami-0b0d******52a63"

instance_type = "t3.micro"

tags = {

Name = "Dev-VM"

}

}

FOR ENVIRONMENT CREDENTIAL:

STEP 1: 
Create a folder for example "environment-variables"

STEP 2: 
Create a "provider.tf" file : Here, you will notice the provider does not have the "secret and access keys" exposed.

terraform {

required_version = "1.3.4"

required_providers {

aws = {

source = "hashicorp/aws"

version = "4.39.0"

}

}

}

provider "aws" {

# Configuration options

}

STEP 3:

Create  a resource "ec2-instance.tf" file 

resource "aws_instance" "Development-VM" {

ami = "ami-0b0dc****052a63"

instance_type = "t3.micro"

tags = {

Name = "Dev-VM"

}

}

STEP 4: 

The export command allows you to SSH in your terminal and it makes it save because you are running it locally without exposing the keys.

Run the following commands in your terminal/gitbash

export AWS_ACCESS_KEY_ID="AXXXXXXXXXXXXXXXXXXX"

export AWS_SECRET_ACCESS_KEY="jxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

export AWS_REGION="us-east-1"

STEP 5:

Shows the value of the environment variable name. This confirms the command and display your access key in your terminal.

echo $AWS_ACCESS_KEY_ID

echo $AWS_SECRET_ACCESS_KEY

echo $AWS_REGION

STEP 6:

Run the terraform flow command 
- "init"
- "validate"
- "plan"
- "apply"
- "destroy"

FOR SHARED CREDENTIAL:

STEP 1:

Create a folder  for example "Shared-credential"

STEP  2:

Create a "provider.tf" file 

terraform {

required_version = "1.3.4"

required_providers {

aws = {

source = "hashicorp/aws"

version = "4.39.0"

}

}

}

provider "aws" {

shared_config_files = ["~/.aws/config"]

shared_credentials_files = ["~/.aws/credentials"]

profile = "default"

}

STEP 2:

Create an "ec2.tf" file. 

resource "aws_instance" "Development-VM" {

ami = "ami-0b0dcb5067f052a63"

instance_type = "t3.micro"

tags = {

Name = "Dev-VM"

}

}

STEP 3:

Now to list what you have in the file run:

- ls -al
- cd .aws
- ls

NB: You should see config and credentials. This file houses the actual region credentials  and stores it inside config file.

STEP 4:  

Run "cat config"        
You should see the region , output after the cat config

STEP 5:

Run "cd .." 

NB: Check that you are back into the shared credential folder 

Now, you provide the path: At this point you should see your credentials

STEP 6:

You can customize your provider file with the steps below:

Copy this :

provider "aws" {

shared_config_files = ["/Users/tf_user/.aws/conf"]

shared_credentials_files = ["/Users/tf_user/.aws/creds"]

profile = "customprofile”

And we’re replacing the provider with what you have in the shared credentials.

Inside your provider : Ensure the info looks like this below, you have to make this changes  or copy and paste this.                         

provider "aws" {

shared_config_files = ["~/.aws/config"]

shared_credentials_files = ["~/.aws/credentials"]

profile = "default"

}

STEP 7:

Run the terraform flow command 
- "init"
- "validate
- "plan"
- "apply"

Your resource should be creating:

aws_instance.Development-VM: Creating...

aws_instance.Development-VM: Still creating... [10s elapsed]

aws_instance.Development-VM: Creation complete after 13s [id=i-0**cf7b291***]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

NB: Do not forget to run "Terraform destroy".

Note: This is just for beginner step: In my next post, we will  explore other ways to hide the credential using sensitive. 😊

Here, all these resources can be found in terraform documentation.

               

Sensitive link : https://www.blogger.com/blog/post/edit/5428112557550405099/1475991518124058227?hl=en

References : HashiCorp Terraform - https://www.terraform.io/

                    : AWS Amazon -  https://docs.aws.amazon.com/

                    Open this link below: terraform documentation

https://registry.terraform.io/providers/hashicorp/aws/4.39.0/docs?utm_content=documentLink&utm_medium=Visual+Studio+Code&utm_source=terraform-ls