https://github.com/devopshobbies/boundary-vault-stack
Deploy Self-Hosted HCP Vault and Boundary using End-To-End Automation (Terraform, Ansible, Bash, and many more)
- Host: GitHub
- URL: https://github.com/devopshobbies/boundary-vault-stack
- Owner: devopshobbies
- License: mit
- Created: 2024-07-01T08:21:56.000Z (12 months ago)
- Default Branch: main
- Last Pushed: 2024-10-20T05:58:31.000Z (8 months ago)
- Last Synced: 2025-03-25T18:16:49.619Z (3 months ago)
- Topics: ansible, bash, boundary, devops, docker, end-to-end-automation, shell-scripting, terraform, vagrant, vault
- Language: HCL
- Homepage:
- Size: 196 KB
- Stars: 14
- Watchers: 3
- Forks: 14
- Open Issues: 40
Metadata Files:
- Readme: README.md
- Contributing: Contributing.md
README
# HashiCorp Boundary and Vault Stack
Deploy a Self-Hosted HCP Vault and Boundary stack using end-to-end automation.
## What This Project Offers
This project provides a comprehensive, hands-on experience in Infrastructure as Code (IaC) and Configuration Management. It simulates a real-world infrastructure environment with a focus on end-to-end automation, enabling DevOps engineers to collaboratively deliver a reliable, production-ready stack. Key deliverables include detailed documentation and diagrams.
> As of [the latest release](https://github.com/devopshobbies/boundary-vault-stack/releases/latest), BVSTACK covers **steps 0-3** of the [DevOpsHobbies Ultimate Roadmap](https://github.com/devopshobbies/devops-roadmap).
## 💻 Toolchain
- Terraform
- Ansible
- [Bash](https://www.gnu.org/software/bash/)
- Vagrant
- Docker
- HashiCorp Vault
- HashiCorp Boundary
## Pre-requisites
- [Vagrant](https://developer.hashicorp.com/vagrant/downloads)
- [Virtualbox](https://virtualbox.org/wiki/Linux_Downloads)
- Python >= 3.10.12
- Pip
- venv
## How to Use
1. **Read the Documentation**: Before getting started, ensure you have thoroughly reviewed the [project documentation](https://devopshobbies.github.io/boundary-vault-stack/) and the [automation workflow diagram](https://linktw.in/nWgoiO), and installed the **prerequisites**.
2. **Configure Variables**: Create your own `tfvars` file based on the samples provided in the [Boundary](./boundary/terraform/terraform.tfvars.sample) and [Vault](./vault/terraform/terraform.tfvars.sample) directories. Alternatively, you can remove the `.sample` extension from the provided sample files to use the default values.
3. **Run the Start Script**: Begin the setup by running the `start.sh` script in your desired environment:
```bash
# Run in development:
./start.sh -e development
```
> You'll be prompted by Vagrant to choose which NIC you want to bridge to.
4. **Enter Vault Password**: You will be prompted to enter the Vault password four times to decrypt the Ansible Vault-encrypted files (e.g., `inventory.ini`) until the related [issue](https://github.com/devopshobbies/boundary-vault-stack/issues/24) is resolved.
> **Note**: The default `ansible-vault-pass` is `BVSTACK`. It is only there so the sample works out of the box; use a strong password of your own for your Ansible Vault-encrypted files.
> **Note**
> The stack assumes that your host machine acts as the Ansible/Terraform controller. If you have the resources, it is recommended to spin up a separate VM as the controller: clone the project onto that VM and run it there, then export the `STACK_SERVER` environment variable and set it to `false`. This keeps your host machine clean and isolated. Otherwise, don't bother; you won't be losing much. [Learn more about STACK_SERVER](https://devopshobbies.github.io/boundary-vault-stack/#environment-variables).
For further assistance on exit/return codes and configurations, refer to the [documentation](https://devopshobbies.github.io/boundary-vault-stack/).
## To-Do List
### Terraform
- [ ] Add a **Vagrantfile** to provision a VM using the **Vagrant** provider of your choice, based on the [specifications](./provision/specs.txt).
- [ ] Provision an **EC2** instance using the **AWS** provider based on the [specifications](./provision/specs.txt) and additional required configurations.
- [ ] Provision an **Azure** VM using the **Azure** provider based on the [specifications](./provision/specs.txt) and additional required configurations.
- [ ] Provision a VM on an ESXi server using the **vSphere** provider based on the [specifications](./provision/specs.txt).
- [ ] Add a remote backend option for Boundary and Vault.
- [ ] Implement additional Vault authentication methods.
- [ ] Enhance Terraform output values for both Boundary and Vault.
- [ ] Implement Policy as Code (PaC) to validate Terraform policies.
### Packer
- [ ] Add a Packer custom image template for VMware vSphere using the [specifications](./provision/specs.txt).
### Ansible
- [ ] Install and configure Terraform on the **control node** using the `prepare_env` role.
- [ ] Install and configure Docker on **target (managed) nodes** using the `prepare_env` role.
- [ ] Template `tfvars` files to handle specific variables for both Boundary and Vault Terraform providers.
- [ ] Create a well-organized Ansible template for Vault and Boundary configurations.
- [ ] Update environment variable declarations in Ansible roles to use the `environment` attribute instead of inline definitions in the `shell` module.
- [ ] Add proper configurations to serve the stack as a reverse proxy in the `serve` directory (tool optional).
- [ ] Update `boundary.yml` to use environment variables instead of hardcoding, then manage the export of these variables with Ansible.
- [ ] Convert Docker Compose files to corresponding Ansible modules using the `community.docker.docker_container` collection as an optional deployment method.
- [ ] Implement Ansible Molecule scenarios to test different aspects of your roles.
- [ ] Choose which provider to provision based on a user-defined or environment variable when handling provisions with Ansible.
### CI/CD
- [ ] Implement automated testing using GitHub Actions for pull requests.
### Shell Scripting
- [ ] Write a custom logger function and implement it throughout all shell scripts for better error handling and logging (in the `log` directory).
- [ ] Use `case` statements instead of `if` for argument handling in `init.sh`.
- [ ] Update `start.sh` to prompt for the Ansible Vault password once and use it for all operations.
- [ ] Replace sleep commands in `start.sh` with the appropriate Ansible `wait_for` modules.
- [ ] Remove the Vault root token in the `cleanup` script.
## Contribution
All contributions are welcome! Please read the [Contributing Guidelines](./CONTRIBUTING.md) for more information.
## Credit and Maintenance
**Copyright © 2024 [Shayan Ghani](https://github.com/Shayan-Ghani) - [email protected]**