This step uses HashiCorp Vault dynamic secrets with a database.
Each time you visit the website, the application uses a new user/password pair for database access.
It also uses Encryption as a Service (EaaS): each time you visit the website, the application encrypts a value and stores the encrypted data in the database.
First, initialise your Terraform folder:
$ docker run --rm -v $(pwd)/terraform:/app/ -w /app/ hashicorp/terraform:light init
Or, if you can use the Makefile: make init
As Ops, you need to deploy the infrastructure:
$ docker-compose up
Or, if you can use the Makefile: make infra
- Vault address: http://127.0.0.1:8200
As a Dev, you need to deploy the application. In this case, using Vault, your application authenticates with AppRole and needs a Role_ID and a Secret_ID.
Here is how to retrieve the Role_ID and Secret_ID:
$ role_id=$(docker run --rm -v $(pwd)/terraform:/app/ -w /app/ hashicorp/terraform:light output -raw approle_role_id)
$ secret_id=$(docker run --rm -v $(pwd)/terraform:/app/ -w /app/ hashicorp/terraform:light output -raw approle_secret_id)
And launch your application:
$ docker-compose -f app.yml run -e VLT_ROLE_ID=$role_id -e VLT_SECRET_ID=$secret_id --service-ports web
Or, if you can use the Makefile: make app
- Application address: http://127.0.0.1:8080
Opening the website, you will find a value encrypted by Vault. We will decrypt this value to test whether EaaS is working. Your application can only encrypt and cannot decrypt (check web.hcl).
Vault web UI access:
- Connect with your web browser to the Vault URL
- Use token authentication and enter the token: root
- Go to the transit path and select: web
- In key actions, select: Decrypt
- Paste your encrypted value and decrypt it
- Decode the result from base64; the decrypted value should equal the server name
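The application flow above (AppRole login, a dynamic database credential lease, a transit encrypt call) and the decrypt check done in the UI, as an added Python example that is not part of this project's code. It uses Vault's HTTP API at the README's address; the database role path `database/creds/web` is an assumption (check the terraform folder), and `send` is a hook that lets a fake Vault stand in for the network.

```python
import base64
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"    # Vault address from the README
TRANSIT_KEY = "web"                      # transit key named in the README
DB_CREDS_PATH = "database/creds/web"     # ASSUMED role name; check terraform/ for the real one

def vault_request(method, path, body=None, token=None, send=None):
    """One JSON call to Vault's HTTP API. `send` is a test hook that stands in
    for the network (a fake Vault), so the flow can be exercised offline."""
    if send is not None:
        return send(method, path, body, token)
    headers = {"Content-Type": "application/json"}
    if token:
        headers["X-Vault-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data,
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def approle_login(role_id, secret_id, send=None):
    """Trade Role_ID + Secret_ID for a client token (auth/approle/login)."""
    resp = vault_request("POST", "auth/approle/login",
                         {"role_id": role_id, "secret_id": secret_id}, send=send)
    return resp["auth"]["client_token"]

def dynamic_db_credentials(token, send=None):
    """Lease a fresh user/password pair from the database secrets engine;
    each call yields a new pair that Vault revokes when the lease expires."""
    resp = vault_request("GET", DB_CREDS_PATH, token=token, send=send)
    return resp["data"]["username"], resp["data"]["password"], resp["lease_duration"]

def transit_encrypt(token, plaintext, send=None):
    """Encrypt via transit: base64 in, 'vault:v<N>:<blob>' out."""
    b64 = base64.b64encode(plaintext.encode()).decode()
    resp = vault_request("POST", f"transit/encrypt/{TRANSIT_KEY}",
                         {"plaintext": b64}, token=token, send=send)
    return resp["data"]["ciphertext"]

def transit_decrypt(token, ciphertext, send=None):
    """Decrypt via transit and base64-decode, the step the README does in the UI.
    With the app's token this is denied: web.hcl grants encrypt only."""
    resp = vault_request("POST", f"transit/decrypt/{TRANSIT_KEY}",
                         {"ciphertext": ciphertext}, token=token, send=send)
    return base64.b64decode(resp["data"]["plaintext"]).decode()
```

Against the running stack, call `approle_login` with the VLT_ROLE_ID and VLT_SECRET_ID values from the terraform outputs and leave `send` unset so the real HTTP API is used.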
To clean up, run the following commands:
$ docker-compose down
$ docker-compose -f app.yml down
$ rm terraform/terraform.tfstate
Or, if you can use the Makefile: make clean