Deploys infrastructure for testing HashiCorp Boundary targets and self-managed workers with HCP Boundary.

This repo is designed to quickly create a self-managed worker in Azure, along with up to three target types of your choosing (SSH, RDP, and a PostgreSQL database), and register them in your HCP Boundary cluster. Use it when you need to quickly test or demo these connections in Azure.

You need the following in order to use this repo:
- An existing HCP Boundary cluster
- An Organization and a Project inside of that organization
- An Azure subscription with the ability to create VNets, VMs, and PostgreSQL Flexible Servers.
Configure the Boundary provider credentials as environment variables on your system or in your Terraform Cloud Workspace. Password auth is used in this example for easy testing.
```hcl
provider "boundary" {
  addr                            = var.boundary_addr
  auth_method_id                  = var.boundary_auth_method_id
  password_auth_method_login_name = var.boundary_password_auth_method_login_name
  password_auth_method_password   = var.boundary_password_auth_method_password
}
```
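The provider block above reads its credentials from Terraform variables, so the simplest way to keep the password out of a committed `.tfvars` file is to pass each one as a `TF_VAR_<name>` environment variable (Terraform maps `TF_VAR_boundary_addr` to `var.boundary_addr`, and so on). The script below is an added example, not code from this repository: it exports constructed placeholder values, then refuses to run a plan until every required variable is present. The cluster address, auth method ID and password are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example (not part of this repository): supply the Boundary provider's
# variables through TF_VAR_* environment variables, which Terraform maps to
# var.<name>, so the password never lands in a committed .tfvars file.
# All values below are constructed placeholders.

# Required TF_VAR_* names, one per line, matching what the provider block reads.
REQUIRED_TF_VARS="TF_VAR_boundary_addr
TF_VAR_boundary_auth_method_id
TF_VAR_boundary_password_auth_method_login_name
TF_VAR_boundary_password_auth_method_password"

# Returns 0 when every required variable is set and non-empty; otherwise
# prints the first missing name to stderr and returns 1.
check_boundary_vars() {
  for name in $REQUIRED_TF_VARS; do
    eval "value=\${$name:-}"      # POSIX indirect lookup of the variable named in $name
    if [ -z "$value" ]; then
      echo "missing: $name" >&2
      return 1
    fi
  done
  return 0
}

# Runs terraform only once the credentials are complete, so a plan is never
# attempted with a half-configured provider.
guarded_plan() {
  check_boundary_vars || return 1
  terraform plan "$@"
}

export TF_VAR_boundary_addr="https://example-cluster.boundary.hashicorp.cloud"  # constructed
export TF_VAR_boundary_auth_method_id="ampw_placeholder0"                        # constructed
export TF_VAR_boundary_password_auth_method_login_name="admin"
# In real use read the password from a prompt or a secret store rather than a literal:
#   stty -echo; printf 'Boundary password: '; read -r pw; stty echo; echo
#   export TF_VAR_boundary_password_auth_method_password="$pw"
export TF_VAR_boundary_password_auth_method_password="${BOUNDARY_PASSWORD:-constructed-placeholder}"
```

Source the script (or copy the exports into your shell) and call `guarded_plan` instead of `terraform plan`; in Terraform Cloud the same four names are set as sensitive workspace variables rather than exported here.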
The following variables can be defined to deploy different targets for testing:

The `deploy_ssh_target` variable is a bool. Setting it to true creates an Azure Linux Ubuntu VM with SSH configured and registers it to the `boundary_scope_project_id` you define. You can initiate a connection via the Boundary desktop app and then use `ssh 127.0.0.1 -p<PORT#>` to connect to the SSH target, or use the `boundary connect ssh -target-id tssh_Bnj6y7sVG5` command.

This will create:
- A Linux VM that is put into a separate subnet from the worker and allows traffic from `boundary_ingress_cidr_allow` on port 22 as a break glass solution, but only allows port 22 from the Boundary worker public IP for Boundary connections.
- Boundary credentials and targets
The `deploy_rdp_target` variable is a bool. Setting it to true creates a Windows VM with RDP configured and registers it to the `boundary_scope_project_id` you define. You can then initiate a session via the Boundary desktop app and use your RDP software of choice to connect, or run `boundary connect rdp -target-id ttcp_QqwiESZwHj`; if you have an RDP program installed, Boundary will automatically launch it.

This will create:
- A Windows Server VM that is put into a separate subnet from the worker and allows traffic from `boundary_ingress_cidr_allow` on port 22 as a break glass solution, but only allows port 3389 from the Boundary worker public IP for Boundary connections.
- Boundary credentials and targets
The `deploy_database_target` variable is a bool. Setting it to true creates a PostgreSQL Flexible Server in Azure (not a VM). You will see an output `azurerm_postgresql_flexible_server_database_name = "database-name"` when the apply finishes. You will then be able to run `boundary connect postgres -target-id ttcp_oEwOMuMpfg -dbname database-name` to connect to the database.

This will create:
- A PostgreSQL Flexible Server that is put into a separate subnet from the worker and allows traffic on port 5432 from the Boundary worker public IP for Boundary connections.
- Boundary credentials and targets
Set `deploy_self_managed_worker = true` if you want this code to deploy a self-managed worker for connection to HCP Boundary and the infrastructure to support it. It is true by default. If set to true, the following will be created:
- A separate subnet for the worker
- A Network Security Group allowing traffic from anywhere on 9202 and SSH from `boundary_ingress_cidr_allow` on port 22 to the worker. 9202 is the default port for connecting the worker to the HCP Boundary Control Plane. 22 is enabled to allow you to SSH in and retrieve the worker auth request token. Since `boundary_ingress_cidr_allow` defaults to `[]`, you only need to add your own address to it for that step and can set it back to `[]` and re-apply once the worker is registered.
- A Linux Ubuntu VM that installs the Boundary worker binary and configures it.
Once you have configured all of the inputs, run an apply and wait for the resources to come up.

You must then SSH into the worker VM and retrieve the `auth_request_token`:

```shell
ssh -i boundary.pem [email protected]
sudo cat /opt/boundary/azure-worker/auth_request_token
```

Then go back to your HCP Boundary and add the worker.
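The post-apply steps (fetch the worker's `auth_request_token` over the break-glass SSH rule, hand it to HCP Boundary, then connect to the database target) can be scripted. The block below is an added example and not part of this repository. It assumes the worker's public IP is read with `terraform output -raw worker_public_ip_addr` (an output listed in this README), that `boundary.pem` is the private key named by `ssh_private_key`, and that `WORKER_SSH_USER` holds the worker VM's admin user, which the README elides; the sample `terraform output` text in the test is constructed, and the target ID is the README's own example and will differ in your deployment.

```shell
#!/bin/sh
# Added example (not part of this repository): the post-apply steps as a script.
# Assumptions: worker IP and database name come from `terraform output`,
# boundary.pem is the key uploaded via ssh_private_key, and WORKER_SSH_USER
# is the worker VM admin user (constructed; the README elides it).

TOKEN_PATH=/opt/boundary/azure-worker/auth_request_token

# Extract one output's quoted value from the text that `terraform output` prints.
# $1 = output name, $2 = the captured output text. Prints nothing if absent.
tf_output_value() {
  printf '%s\n' "$2" | sed -n "s/^$1 = \"\(.*\)\"\$/\1/p"
}

# Accept only a non-empty, single-token value with no whitespace, so a garbled
# copy/paste (prompt text, MOTD lines) is never registered as the worker token.
valid_token() {
  [ -n "$1" ] && [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ]
}

# Fetch the token from the worker over the break-glass SSH rule (not run in tests).
fetch_worker_token() {
  ip=$(terraform output -raw worker_public_ip_addr)
  ssh -i boundary.pem "${WORKER_SSH_USER:?set to the worker VM admin user}@$ip" \
    sudo cat "$TOKEN_PATH"
}

# Build the README's postgres connect command for a target id and database name.
pg_connect_cmd() {
  printf 'boundary connect postgres -target-id %s -dbname %s\n' "$1" "$2"
}

if [ "${1:-}" = "run" ]; then
  token=$(fetch_worker_token)
  valid_token "$token" || { echo "unexpected token contents" >&2; exit 1; }
  printf 'Register this token in HCP Boundary as the new worker:\n%s\n' "$token"
  # Once the worker is registered, set boundary_ingress_cidr_allow back to []
  # and re-apply so port 22 on the worker is no longer reachable from your CIDR.
  db_name=$(tf_output_value azurerm_postgresql_flexible_server_database_name "$(terraform output)")
  pg_connect_cmd ttcp_oEwOMuMpfg "$db_name"
fi
```

Run it as `sh post-apply.sh run` from the Terraform working directory; without the `run` argument it only defines the functions, which is what the checks below exercise.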
Requirements:

Name | Version |
---|---|
azurerm | 3.58.0 |
boundary | 1.1.7 |

Providers:

Name | Version |
---|---|
azurerm | 3.58.0 |
boundary | 1.1.7 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
boundary_addr | The Boundary address to authenticate against. | string | n/a | yes |
boundary_auth_method_id | The Boundary auth method ID. | string | n/a | yes |
boundary_ingress_cidr_allow | List of CIDRs allowed inbound to boundary related servers via SSH (port 22) on vnet. | list(string) | [] | no |
boundary_password_auth_method_login_name | The Boundary password auth method username. | string | n/a | yes |
boundary_password_auth_method_password | The Boundary password auth method password. | string | n/a | yes |
boundary_rg | The Boundary resource group name. | string | "boundary-rg" | no |
boundary_rg_location | The location of the Boundary resource group. | string | "East US" | no |
boundary_scope_project_id | The project scope ID to create a static host catalog inside of for SSH targets. | string | n/a | yes |
boundary_subnet_cidr | CIDR block for boundary subnet1. | string | "10.0.1.0/24" | no |
boundary_worker_subnet_cidr | CIDR block for boundary worker subnet. | string | "10.0.2.0/24" | no |
boundary_worker_version | The boundary-worker version to download to the self-managed-worker. | string | "0.12.3+hcp-1" | no |
common_tags | Map of common tags for taggable Azure resources. | map(string) | {} | no |
create_nat_gateway | Boolean to create a NAT Gateway. Useful when Azure Load Balancer is internal but VM(s) require outbound Internet access. | bool | false | no |
database_subnet_cidr | CIDR block for the database subnet. | string | "10.0.3.0/24" | no |
database_target_password | The password of the database_target_username user that will be created. | string | "B0uNdairyP@ss" | no |
database_target_username | The username of the PostgreSQL user that will be created. | string | "boundaryadmin" | no |
deploy_database_target | True or False. Deploy an Azure PostgreSQL Flexible server. | bool | n/a | yes |
deploy_rdp_target | True or False. Deploy an RDP Azure Windows VM. | bool | n/a | yes |
deploy_self_managed_worker | True or False. Deploy a self-managed Boundary worker. | bool | true | no |
deploy_ssh_target | True or False. Deploy an SSH target Azure Linux VM. | bool | n/a | yes |
friendly_name_prefix | A prefix appended to the name of azure resources. | string | n/a | yes |
hcp_boundary_cluster_id | The HCP cluster ID to connect to. | string | n/a | yes |
rdp_target_password | The password of the rdp_target_username user that will be created on the VM. Will also be used to RDP. | string | "B0uNdairyP@ss" | no |
rdp_target_username | The username of the admin user that will be created on the VM. Will also be used to RDP. | string | "boundaryadmin" | no |
sa_ingress_cidr_allow | List of CIDRs allowed to interact with Azure Blob Storage Account. | list(string) | [] | no |
ssh_private_key | The name of the ssh private key that will be uploaded to boundary credential store. Must be placed relative to the working directory. | string | n/a | yes |
ssh_public_key | The name of the ssh public key that will be put on the SSH target VMs. Must be placed relative to the working directory. | string | n/a | yes |
ssh_target_username | The username of the admin user that will be created on the VM. Will also be set to the SSH username. | string | "boundaryadmin" | no |
vnet_cidr | CIDR block address space for VNet. | list(string) | [ | no |
Outputs:

Name | Description |
---|---|
azurerm_postgresql_flexible_server_database_name | Name of Azurerm PostgreSQL Flexible database to connect to. |
azurerm_postgresql_flexible_server_fqdn | FQDN of Azurerm PostgreSQL Flexible server. |
rdp_target_private_ip_addr | n/a |
rdp_target_public_ip_addr | n/a |
ssh_target_private_ip_addr | n/a |
ssh_target_public_ip_addr | n/a |
worker_private_ip_addr | n/a |
worker_public_ip_addr | n/a |