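#!/bin/bash
# User-data bootstrap: install the tools the later provisioning steps need.
# Everything this script prints (stdout and stderr) is mirrored to
# /var/log/user-data.log, to syslog (tag "user-data") and to the console,
# so anything that runs under this redirection must not print secrets.
set -euo pipefail

# Send the log output from this script to user-data.log, syslog, and the console
# From: https://alestic.com/2010/12/ec2-user-data-output/
exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1

# apt-get has a stable command-line interface for scripts (apt itself warns
# that its CLI is not). Two separate statements rather than `a && b` so that
# `set -e` also stops the script when the package index update fails.
sudo apt-get update
sudo apt-get install -y unzip jq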
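#!/bin/bash
# Install the Vault binary. The `$${...}` spelling suggests this file is
# rendered by a Terraform-style template: `$$` is the escape that becomes a
# plain `$` in the rendered script, so `$${VAULT_ZIP}` is a shell expansion.
set -euo pipefail

sudo apt-get update
sudo apt-get install -y unzip

VAULT_ZIP="vault.zip"
VAULT_URL="https://releases.hashicorp.com/vault/1.4.3+ent/vault_1.4.3+ent_linux_amd64.zip"

# --fail makes curl exit non-zero on an HTTP error instead of saving the error
# page as the "archive" (which unzip would then reject with a confusing message);
# --show-error still reports the failure even though --silent hides progress.
curl --fail --silent --show-error --location \
  --output "/tmp/$${VAULT_ZIP}" "$${VAULT_URL}"

# TODO(review): verify the archive against HashiCorp's published SHA256SUMS for
# this release before extracting; the download is over TLS but not otherwise
# pinned, and the binary is installed on the PATH for every user.
unzip -o "/tmp/$${VAULT_ZIP}" -d /usr/local/bin/
chmod 0755 /usr/local/bin/vault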
#!/bin/sh
# Enable and configure Vault's Azure auth method. The ${...} placeholders are
# filled in by the template renderer before this runs, so the rendered script
# carries the service-principal secret in clear text: keep its file mode
# restrictive and do not leave it on disk once it has run.

# Mount the Azure auth method at its default path, auth/azure.
vault auth enable azure

# Point the auth method at the Azure tenant and the service-principal
# credentials it uses, plus the resource URI tokens must be issued for.
vault write auth/azure/config \
  tenant_id="${tenant_id}" \
  client_id="${client_id}" \
  client_secret="${client_secret}" \
  resource="https://management.azure.com/"
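#!/bin/sh
# Write the "webapp" policy into Vault: read-only access to the dynamic
# database credentials at data_protection/database/creds/vault-demo-app.
set -eu

# The original wrote the policy with `sudo cat <<EOF > /tmp/...`. The `>`
# redirection is performed by the calling shell, not by sudo, so the sudo
# bought nothing. A mktemp file also avoids a fixed, predictable name in /tmp
# and is removed again on every exit path.
policy_file=$(mktemp) || exit 1
trap 'rm -f -- "$policy_file"' EXIT

# Quoted delimiter: the HCL is written literally, nothing is expanded.
cat > "$policy_file" <<'EOF'
path "data_protection/database/creds/vault-demo-app" {
  capabilities = ["read"]
}
EOF

vault policy write webapp "$policy_file"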
#!/bin/sh | |
vault secrets enable -path=data_protection/database database | |
# Configure the database secrets engine to talk to MySQL | |
vault write data_protection/database/config/wsmysqldatabase \ | |
plugin_name=mysql-database-plugin \ | |
connection_url="{{username}}:{{password}}@tcp(mydemoserver.mysql.database.azure.com)/" \ | |
allowed_roles="vault-demo-app","vault-demo-app-long" \ | |
username="myadmin@mydemoserve" \ |
# Vault ACL policy fragment: a token carrying this policy may only read the
# dynamic-credentials endpoint of the database secrets engine (the same path
# the agent template reads with `secret "data_protection/database/creds/..."`).
# No list/update/delete capability is granted, so the holder cannot change
# the engine's configuration or roles.
path "data_protection/database/creds/vault-demo-app" {
capabilities = ["read"]
}
{{/* Agent template source: renders the [DATABASE] section of the app config
     with a dynamic MySQL credential fetched from Vault. The "@mydemoserver"
     suffix on User is presumably the user@servername login form required by
     the Azure-hosted MySQL server named in Address. The rendered file holds
     the password in clear text, so keep its file mode restrictive.
     This comment is consumed by the template engine and is not emitted. */ -}}
[DATABASE]
Address=mydemoserver.mysql.database.azure.com
Port=3306
{{ with secret "data_protection/database/creds/vault-demo-app" -}}
User={{ .Data.username }}@mydemoserver
Password={{ .Data.password }}
{{- end }}
Database=my_app
vault { | |
address = "https://10.10.10.1:8200 | |
} | |
auto_auth { | |
method "azure" { | |
mount_path = "auth/azure" | |
namespace = "dev" | |
config = { | |
resource = "https://management.azure.com/" | |
role = "dev-role" |
vault { | |
address = "https://10.10.10.1:8200 | |
} | |
auto_auth { | |
method "azure" { | |
mount_path = "auth/azure" | |
namespace = "dev" | |
config = { | |
resource = "https://management.azure.com/" | |
role = "dev-role" |
#!/bin/sh
# Masking demo: mount the Transform secrets engine and declare the "ccn" role.
mount_path=/data-protection/masking/transform

# Mount the transform engine at the masking path.
vault secrets enable -path="$mount_path" transform

# Role "ccn" is allowed to apply the "ccn" transformation (defined in a later step).
vault write "$mount_path/role/ccn" transformations=ccn
#create a transformation of type masking using a template (defined in the next step)
#and assign role ccn to it that we created earlier |