Using Conjur with Terraform


What is Terraform?

Terraform is a tool for managing infrastructure as code.  You define your architecture and software setup once, then use Terraform to manage everything within it. It allows you to avoid spinning up servers by hand, copying files around, adding instances to load balancers and more.  The technology in this space has come a long way over the years; it’s no longer just configuration management or infrastructure management, it’s now environment management.

At its core, a configuration of servers and software is defined and Terraform applies that configuration.  This starts or stops servers, installs software, sets up users, sets database credentials and does anything else needed to run the services.  Terraform offers an extensibility framework called Providers which allows for components to be built that can interact with an API to get data or make infrastructure changes.

This power and flexibility goes a long way, but there are some important aspects related to security that Terraform doesn’t cover, like secrets management.  Terraform is great for infrastructure management, but you still need to get database passwords or other secrets to Terraform at runtime without exposing them to source control.  To deliver secrets and control access, the DevOps team needs to either know the secrets themselves or to use other insecure methods to store and deliver secrets.  To keep secrets safe, we developed an integration between Conjur and Terraform.

When should the Conjur Terraform Provider be used?

Conjur with Terraform works well for these use cases:

  1. You don’t currently use a secrets vault and you don’t use an infrastructure/configuration management tool yet.  There has never been a better time than now to integrate both into your process.  The earlier it’s done, the easier it is to grow as your software and infrastructure needs grow.  And, similarly, the longer you wait, the more painful it is to put in place.  This is what we call technical debt.
  2. You’re currently using Conjur (or the CyberArk PAS suite of products) and you are looking to integrate an infrastructure/configuration management tool.  Terraform is a solid, popular choice and the provider allows seamless integration with Conjur.
  3. You’re currently using Terraform, but not yet vaulting your secrets. Upgrading your security maturity level by using Conjur with Terraform can be done incrementally.  In software, all-or-nothing approaches regularly drag on and are fraught with peril.  With the Conjur Terraform Provider, the transition can be done one variable at a time, allowing a gradual transition.

Using the Conjur Terraform Provider

The Conjur Terraform Provider is designed to work as seamlessly with Terraform as possible.  Detailed usage can be found in our documentation.

There are three main steps to using the provider:

  1. Configure the provider to talk to Conjur:
    • If a user is logged into the Conjur CLI, the provider will use this data to communicate with Conjur automatically.
    • If the host is enrolled with Conjur, the connection values are set in the provider block of the manifest.
      provider "conjur" {
        # appliance_url = "http://localhost:8080"
        # account = "quick-start"
        # login = "test"
        # api_key = "test"
        # ssl_cert = "-----BEGIN CERTIFICATE-----..."
        # ssl_cert_path = "/etc/conjur.pem"
      }
    • If calling from code, Conjur can be configured via environment variables.
      export CONJUR_APPLIANCE_URL="https://localhost:8443"
      export CONJUR_ACCOUNT="quick-start"
      export CONJUR_AUTHN_LOGIN="my-authn"
      export CONJUR_AUTHN_API_KEY="4bideez40sdyai4hhbd5dxl4k3s9qrxeh44160z946zt3si3lat3b"
      export CONJUR_CERT_FILE="/etc/conjur.pem"
  2. Access secrets from Conjur in Terraform via the conjur_secret data source.
    data "conjur_secret" "dbpass" {
      name = "apps/my-app/dbpassword"
    }
  3. Stop secrets from leaking within Terraform logs or from any output variables logged to the screen.
    output "dbpass_output" {
      value = "${data.conjur_secret.dbpass.value}"
      sensitive = true  # toggle this off to view value
    }
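The three steps above, combined into one complete manifest.  This is an added example, not code from the original post or from the provider's own documentation.  It assumes Terraform 0.13+ syntax (a required_providers block with the registry source cyberark/conjur, and attribute references without the "${...}" wrapper), that the connection settings come from the CONJUR_* environment variables shown in step 1, that a Conjur variable named apps/my-app/dbpassword exists, and that the secret is consumed by an aws_db_instance whose other settings are placeholder values.

```hcl
terraform {
  required_providers {
    conjur = {
      # Registry source address for the Conjur provider; confirm against
      # the provider docs for the version you install.
      source = "cyberark/conjur"
    }
  }
}

# Step 1: the provider block is left empty on purpose. appliance_url,
# account, login, api_key and the certificate are read from the
# CONJUR_* environment variables, so no credential is committed with
# this manifest.
provider "conjur" {}

# Step 2: fetch the database password from the Conjur variable.
# The host running Terraform must hold a Conjur identity whose policy
# grants "read" and "execute" on this variable.
data "conjur_secret" "dbpass" {
  name = "apps/my-app/dbpassword"
}

# Hand the secret to the resource that needs it. aws_db_instance and its
# "password" argument are real; the remaining values are placeholders.
resource "aws_db_instance" "app" {
  identifier          = "my-app-db"
  engine              = "postgres"
  instance_class      = "db.t3.micro"
  allocated_storage   = 20
  username            = "app"
  password            = data.conjur_secret.dbpass.value
  skip_final_snapshot = true
}

# Step 3: anything that exposes the secret is marked sensitive, so
# "terraform plan", "terraform apply" and "terraform output" print
# "(sensitive value)" instead of the password.
output "dbpass_output" {
  value     = data.conjur_secret.dbpass.value
  sensitive = true
}
```

Two things to check after running terraform plan against this.  First, the plan should show (sensitive value) for the password and the output; if the cleartext appears, the sensitive flag is missing on the output.  Second, sensitive = true only governs what Terraform prints: data source results, including the value fetched from Conjur, are still written to the state file in plaintext, so the state must be kept in a protected backend (encrypted at rest, access restricted to the pipeline identity) and never committed to source control alongside the manifest.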


Key Benefits:

  • Strong authentication for secrets fetched from Conjur.
  • Simple setup in the Terraform manifest.
  • Restorable RBAC policy for non-human access.
  • Easy to access secrets from the Terraform manifest.
  • Prevent sensitive secret information from appearing in Terraform logs or on-screen.
  • Unified interface for managing non-human access (secrets) across multiple tools and platforms.


Getting Started

If you haven’t tried Conjur open source yet, you can get started with a guided tutorial hosted in Heroku here.  To learn more about the Conjur Terraform integration, read our detailed setup and installation guide here.  Be sure to keep reading our blog for interesting tutorials and practitioner content.  Also, don’t forget to join the CyberArk Commons to ask questions and chat with other community members.  This integration, as with all Conjur features, is also available in the enterprise version of Conjur, Application Access Manager.