This repo contains a file storage based Vault single server in AWS.
_ THIS IS NOT FOR PRODUCTION _

• Deply Vault with Auto Uneal
• • https://www.vaultproject.io/docs/concepts/seal/
• Deploy Vault Database Secrets Engine to manage Postgres RDS instances
• • https://www.vaultproject.io/docs/secrets/databases/postgresql/
• Database Root Credential Password Rotation with Vault
• • https://learn.hashicorp.com/vault/secrets-management/db-root-rotation

1. Set this location as your working directory
2. Set your AWS credentials as environment variables: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
3. Set option variables by renaming terraform.tfvars.example to terraform.tfvars and edit the values to your needs.
4. Grab the latest version of [Terraform https://www.terraform.io/downloads.html] (https://www.terraform.io/downloads.html)

$ terraform init

$ terraform plan

$ terraform apply

• Look in the terraform output for the server ssh info
  $ ssh -i private.key ubuntu@<IP_ADDRESS>

$ vault status

$ cat /opt/vault/setup/vault.unseal.info

$ vault login <INITIAL_ROOT_TOKEN>

Run the scipt /opt/vault/nginx_demo.sh

$ vault login <INITIAL_ROOT_TOKEN>
$ vault read database/creds/admin-role
$ psql -h <YOUR_AMAZON_PUBILC_DNS> -d proddb -U

USERNAME -W
SELECT u.usename AS "Role name",
  CASE WHEN u.usesuper AND u.usecreatedb THEN CAST('superuser, create
database' AS pg_catalog.text)
       WHEN u.usesuper THEN CAST('superuser' AS pg_catalog.text)
       WHEN u.usecreatedb THEN CAST('create database' AS
pg_catalog.text)
       ELSE CAST('' AS pg_catalog.text)
  END AS "Attributes"
FROM pg_catalog.pg_user u
ORDER BY 1;

$ vault login
$ vault write transit/encrypt/orders plaintext=$(base64 <<< "4111 1111 1111 1111")
$ vault write transit/decrypt/orders ciphertext=“CIPHER"
$ base64 -d <<< <RESULTOFABOVE>

THIS IS IN THE OUTPUT OF TERRAFORM

$ sudo curl -o /etc/ssh/trusted-user-ca-keys.pem http://54.176.94.52:8200/v1/ssh-client-signer/public_key
or
$ sudo su - $ VAULT_ADDR=http://54.176.94.52:8200 vault read -field=public_key ssh-client-signer/config/ca > /etc/ssh/trusted-user-ca-keys.pem

$ sudo vi /etc/ssh/sshd_config

# ...
TrustedUserCAKeys /etc/ssh/trusted-user-ca-keys.pem

$ sudo systemctl restart sshd

$ ssh-keygen -t rsa -C "ubuntu"

$ vault login
$ vault write ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub

$ vault write -field=signed_key ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub > signed-cert.pub

$ ssh -i signed-cert.pub -i ~/.ssh/id_rsa ubuntu@13.57.195.23

Host bastion
  Hostname <BASTION_HOST>
  IdentityFile ~/.ssh/id_rsa
  CertificateFile ~/.ssh/signed-cert.pub
  User ubuntu
Host <SSH_HOST>
  IdentityFile ~/.ssh/id_rsa
  ProxyCommand ssh -F uname bastion nc %h %p
  User ubuntu

$ ssh -i signed-cert.pub -i ~/.ssh/id_rsa ubuntu@<YOUR_AWS_HOST>

$ terraform destroy -force
$ rm -rf .terraform terraform.tfstate*