How To Build a Hashicorp Vault Server Using Packer and Terraform on DigitalOcean [Quickstart]

Introduction

Vault, by Hashicorp, is an open-source tool for securely storing secrets and sensitive data in dynamic cloud environments. Packer and Terraform, also developed by Hashicorp, can be used together to create and deploy images of Vault.


In this tutorial, you’ll use Packer to create an immutable snapshot of the system with Vault installed, and orchestrate its deployment using Terraform.


For a more detailed version of this tutorial, please refer to How To Build a Hashicorp Vault Server Using Packer and Terraform on DigitalOcean.


Prerequisites

  • Packer installed on your local machine. For instructions, visit the official documentation.


  • Terraform installed on your local machine. Visit the official documentation for a guide.


  • A personal access token (API key) with read and write permissions for your DigitalOcean account. Visit How to Create a Personal Access Token to create one. Treat the token as a secret: it can create and destroy every resource in the account.


  • An SSH key you’ll use to authenticate with the deployed Vault Droplets, available on your local machine and added to your DigitalOcean account. You’ll also need its fingerprint, which you can copy from the Security page of your account once you’ve added it. See the DigitalOcean documentation for detailed instructions or the How To Set Up SSH Keys tutorial.


Step 1 — Creating a Packer Template

Create and move into the ~/vault-orchestration directory to store your Vault files:

  • mkdir ~/vault-orchestration
  • cd ~/vault-orchestration

Create separate directories for Packer and Terraform configuration by running:

  • mkdir packer terraform

Navigate to the Packer directory:

  • cd packer

Using Template Variables

Create a variables.json in your packer subdirectory to store your private variable data:

packer子目录中创建一个variables.json以存储您的私有变量数据:

  • nano variables.json

    纳米变量.json

Add the following lines:


~/vault-orchestration/packer/variables.json
{
  "do_token": "your_do_api_key",
  "base_system_image": "ubuntu-18-04-x64",
  "region": "nyc3",
  "size": "s-1vcpu-1gb"
}

You’ll use these variables in the template you are about to create. You can edit the base image, region, and Droplet size values according to the developer docs.


Replace your_do_api_key with your API key, then save and close the file. The token in this file can create and destroy anything in your DigitalOcean account, so keep variables.json out of version control; Packer can also take the value on the command line with -var 'do_token=...' instead of reading it from the file.


Creating Builders and Provisioners

Create your Packer template for Vault in a file named template.json:

  • nano template.json

Add the following lines:


~/vault-orchestration/packer/template.json
{
  "builders": [{
    "type": "digitalocean",
    "api_token": "{{user `do_token`}}",
    "image": "{{user `base_system_image`}}",
    "region": "{{user `region`}}",
    "size": "{{user `size`}}",
    "ssh_username": "root"
  }],
  "provisioners": [{
    "type": "shell",
    "inline": [
      "sleep 30",
      "sudo apt-get update",
      "sudo apt-get install unzip -y",
      "curl -L https://releases.hashicorp.com/vault/1.3.2/vault_1.3.2_linux_amd64.zip -o vault.zip",
      "unzip vault.zip",
      "sudo chown root:root vault",
      "mv vault /usr/local/bin/",
      "rm -f vault.zip"
    ]
  }]
}

You define a single digitalocean builder. Packer will create a temporary Droplet of the defined size, image, and region using the provided API key.


Packer will connect to that Droplet over SSH as the specified username, run all defined provisioners in order, then create a DigitalOcean snapshot from the Droplet and destroy it.


The single provisioner is of type shell, which executes the given commands on the target over that SSH session. The commands in the template wait 30 seconds for the system to finish booting, then download and unpack Vault 1.3.2 and move the binary to /usr/local/bin. Check the official Vault download page for the most up-to-date version for Linux. Note that the template fetches the archive over HTTPS but never checks its integrity: whatever arrives is baked into every snapshot built from the template, so a production template should compare the archive against the SHA256SUMS file that Hashicorp publishes next to each release before unpacking it.

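As an added example, not part of the original tutorial: the integrity check the provisioner above leaves out, written as a POSIX shell function that could be called from the inline script right after the curl line, or from a separate shell provisioner script. It looks up the archive's entry in a SHA256SUMS file of the layout Hashicorp publishes (`<sha256 hex>  <filename>`), recomputes the digest locally, and refuses to continue on a mismatch or a missing entry. The demo function builds a stand-in archive, a SUMS file derived from it, and a tampered copy in a temporary directory, so it runs without network access; in a real build the SUMS file is downloaded from the same release directory as the zip (vault_1.3.2_SHA256SUMS for this version).

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify a downloaded HashiCorp
# release archive against a SHA256SUMS file before installing it. The Packer
# provisioner above skips this check, so a modified download would be baked
# into every snapshot built from the template.

# Print the SHA-256 hex digest of a file. sha256sum comes with coreutils;
# shasum is the fallback on systems (macOS) that ship without it.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_release_checksum ARCHIVE SUMSFILE
# SUMSFILE uses the sha256sum layout HashiCorp publishes: "<hex digest>  <filename>".
# Returns 0 when the digest recorded for ARCHIVE's basename matches the file,
# 1 on a mismatch and 2 when SUMSFILE has no entry for that filename.
# The entry is looked up by name instead of running `sha256sum -c` on the
# whole file, because the published SUMS file lists every platform's archive
# and `sha256sum -c` would fail on all the ones that were not downloaded.
verify_release_checksum() {
    archive=$1
    sumsfile=$2
    name=$(basename "$archive")
    expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$sumsfile")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sumsfile" >&2
        return 2
    fi
    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    echo "$name: OK"
}

# Offline demo with constructed files: a stand-in archive, a SUMS file derived
# from it (standing in for the one downloaded from releases.hashicorp.com),
# and a tampered copy under the same name. Returns 0 only if the genuine
# archive passes and the tampered one is rejected.
demo_checksum_verification() {
    tmp=$(mktemp -d) || return 1
    rel=vault_1.3.2_linux_amd64.zip
    printf 'stand-in for the release archive\n' > "$tmp/$rel"
    printf '%s  %s\n' "$(sha256_of "$tmp/$rel")" "$rel" > "$tmp/vault_1.3.2_SHA256SUMS"
    # A real SUMS file lists every platform's archive; add a second line so
    # the lookup has to pick the right one.
    printf '%s  %s\n' 0000000000000000000000000000000000000000000000000000000000000000 \
        vault_1.3.2_linux_arm64.zip >> "$tmp/vault_1.3.2_SHA256SUMS"

    mkdir "$tmp/tampered"
    printf 'attacker-substituted bytes\n' > "$tmp/tampered/$rel"

    if verify_release_checksum "$tmp/$rel" "$tmp/vault_1.3.2_SHA256SUMS"; then genuine=0; else genuine=$?; fi
    if verify_release_checksum "$tmp/tampered/$rel" "$tmp/vault_1.3.2_SHA256SUMS"; then tampered=0; else tampered=$?; fi
    rm -rf "$tmp"
    echo "genuine archive rc=$genuine, tampered archive rc=$tampered"
    [ "$genuine" -eq 0 ] && [ "$tampered" -eq 1 ]
}
```

To use it in the template, download the SUMS file next to the zip and call `verify_release_checksum vault_1.3.2_linux_amd64.zip vault_1.3.2_SHA256SUMS || exit 1` before unzip. The archive has to keep its release filename, because that name is the key in the SUMS file; the template above renames it to vault.zip with `-o`, which would make the lookup fail. A checksum file fetched from the same server as the archive only catches corrupted or partially substituted downloads; Hashicorp also signs the SUMS file (vault_1.3.2_SHA256SUMS.sig), and verifying that signature with `gpg --verify` against Hashicorp's published key is what closes the case where an attacker can serve both a modified zip and a matching SUMS file.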

Save and close the file.


Verify the validity of your template:

  • packer validate -var-file=variables.json template.json

You’ll see the following output:

Output
Template validated successfully.

Step 2 — Building the Snapshot

Build your snapshot with the Packer build command:

  • packer build -var-file=variables.json template.json

You’ll see a lot of output, which will look like this:

Output
digitalocean: output will be in this color.

==> digitalocean: Creating temporary ssh key for droplet...
==> digitalocean: Creating droplet...
==> digitalocean: Waiting for droplet to become active...
==> digitalocean: Using ssh communicator to connect: ...
==> digitalocean: Waiting for SSH to become available...
==> digitalocean: Connected to SSH!
==> digitalocean: Provisioning with shell script: /tmp/packer-shell035430322
...
==> digitalocean:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
==> digitalocean:                                  Dload  Upload   Total   Spent    Left  Speed
    digitalocean: Archive:  vault.zip
==> digitalocean: 100 45.5M  100 45.5M    0     0   154M      0 --:--:-- --:--:-- --:--:--  153M
    digitalocean:   inflating: vault
==> digitalocean: Gracefully shutting down droplet...
==> digitalocean: Creating snapshot: packer-1581537927
==> digitalocean: Waiting for snapshot to complete...
==> digitalocean: Destroying droplet...
==> digitalocean: Deleting temporary ssh key...
Build 'digitalocean' finished.

==> Builds finished. The artifacts of successful builds are:
--> digitalocean: A snapshot was created: 'packer-1581537927' (ID: 58230938) in regions '...'

The last line contains the name of the snapshot (such as packer-1581537927) and its ID in parentheses (58230938 in the output above). Note the ID of the snapshot, because you'll need it in the next step.


If the build process fails due to API errors, wait a few minutes and then retry.


Step 3 — Writing Terraform Configuration

Navigate to the terraform subdirectory:

  • cd ~/vault-orchestration/terraform

Create a file named do-provider.tf to store the provider:

  • nano do-provider.tf

Add the following lines:


~/vault-orchestration/terraform/do-provider.tf
variable "do_token" {
}

variable "ssh_fingerprint" {
}

variable "instance_count" {
  default = "1"
}

variable "do_snapshot_id" {
}

variable "do_name" {
  default = "vault"
}

variable "do_region" {
}

variable "do_size" {
}

variable "do_private_networking" {
  default = true
}

provider "digitalocean" {
  token = var.do_token
}

This file declares the input variables the configuration needs and configures the digitalocean provider with the API key. To specify the values of these variables you'll create a variable definitions file, much like Packer's variables.json. The filename must end in either .tfvars or .tfvars.json.


Save and close the file.


Create a variable definitions file:

  • nano definitions.tfvars

Add the following lines:


~/vault-orchestration/terraform/definitions.tfvars
do_token         = "your_do_api_key"
ssh_fingerprint  = "your_ssh_key_fingerprint"
do_snapshot_id   = your_do_snapshot_id
do_name          = "vault"
do_region        = "nyc3"
do_size          = "s-1vcpu-1gb"
instance_count   = 1

Replace your_do_api_key, your_ssh_key_fingerprint, and your_do_snapshot_id with your API key, the fingerprint of your SSH key, and the snapshot ID you noted in the previous step (the ID is a number, so it is not quoted). The do_region and do_size parameters must have the same values as in the Packer variables file: the snapshot only exists in the region Packer built it in, and the Droplet's disk must be at least as large as the snapshot's. As with variables.json, this file now contains your API token; keep it out of version control, or leave do_token out of it and supply the value through the TF_VAR_do_token environment variable, which Terraform reads automatically.

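As an added example that is not part of the original tutorial, covering both the "note the snapshot ID" step at the end of Step 2 and the definitions file here: a POSIX shell script that pulls the ID out of saved packer build output and writes definitions.tfvars from it, leaving do_token out of the file. Terraform maps any environment variable named TF_VAR_<name> onto the input variable of that name, so do_token can come from TF_VAR_do_token, and Packer accepts its user variables with -var on the command line, so neither file has to hold the API key. The fingerprint, region and size are parameters; the log fed to the demo is constructed here, with its last line copied from the sample build output in Step 2.

```shell
#!/bin/sh
# Added example (not from the original tutorial): generate definitions.tfvars
# from the `packer build` output instead of copying the snapshot ID by hand,
# and keep the DigitalOcean token out of the file (supply it through the
# TF_VAR_do_token environment variable, which Terraform maps onto var.do_token).

# snapshot_id_from_packer_log LOGFILE
# Prints the numeric ID from the artifact line Packer prints at the end of a
# successful build, e.g.
#   --> digitalocean: A snapshot was created: 'packer-1581537927' (ID: 58230938) in regions '...'
# Returns 1 if the log contains no such line (the build failed or was cut off).
snapshot_id_from_packer_log() {
    id=$(grep 'A snapshot was created:' "$1" | sed -n 's/.*(ID: \([0-9][0-9]*\)).*/\1/p' | tail -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# write_definitions_tfvars OUTFILE SNAPSHOT_ID SSH_FINGERPRINT REGION SIZE [COUNT]
# Writes the same layout as Step 3's definitions.tfvars, minus do_token.
# REGION and SIZE must match packer/variables.json: the snapshot only exists
# in the region it was built in. The file is created mode 0600 because it
# still describes your infrastructure, even without the token in it.
write_definitions_tfvars() {
    out=$1; snap=$2; fp=$3; region=$4; size=$5; count=${6:-1}
    case $snap in
        ''|*[!0-9]*) echo "snapshot ID must be numeric, got '$snap'" >&2; return 1 ;;
    esac
    (
        umask 077
        cat > "$out" <<EOF
ssh_fingerprint  = "$fp"
do_snapshot_id   = $snap
do_name          = "vault"
do_region        = "$region"
do_size          = "$size"
instance_count   = $count
EOF
    )
}

# Offline demo with a constructed log whose last line is the artifact line
# from the sample output in Step 2. Returns 0 if the generated file carries
# that snapshot ID.
demo_generate_tfvars() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/packer-build.log" <<'EOF'
==> digitalocean: Destroying droplet...
==> digitalocean: Deleting temporary ssh key...
Build 'digitalocean' finished.

==> Builds finished. The artifacts of successful builds are:
--> digitalocean: A snapshot was created: 'packer-1581537927' (ID: 58230938) in regions '...'
EOF
    snap=$(snapshot_id_from_packer_log "$tmp/packer-build.log") || { rm -rf "$tmp"; return 1; }
    # Constructed fingerprint; use the one shown on your account's Security page.
    write_definitions_tfvars "$tmp/definitions.tfvars" "$snap" \
        "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99" nyc3 s-1vcpu-1gb
    cat "$tmp/definitions.tfvars"
    if grep -q '^do_snapshot_id   = 58230938$' "$tmp/definitions.tfvars"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Wired into the procedure, with do_token removed from both files: `packer build -var "do_token=$DO_TOKEN" -var-file=variables.json template.json | tee packer-build.log`, then `write_definitions_tfvars definitions.tfvars "$(snapshot_id_from_packer_log packer-build.log)" <your fingerprint> nyc3 s-1vcpu-1gb`, and `export TF_VAR_do_token=$DO_TOKEN` before running terraform plan and apply. Add variables.json and definitions.tfvars to .gitignore regardless; the token is the only credential in this setup and it is account-wide.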

Save and close the file.


Create the following file to store the Vault snapshot deployment configuration:

  • nano deployment.tf

Add the following lines:


~/vault-orchestration/terraform/deployment.tf
resource "digitalocean_droplet" "vault" {
  count              = var.instance_count
  image              = var.do_snapshot_id
  name               = var.do_name
  region             = var.do_region
  size               = var.do_size
  private_networking = var.do_private_networking
  ssh_keys = [
    var.ssh_fingerprint
  ]
}

output "instance_ip_addr" {
  value = {
    for instance in digitalocean_droplet.vault :
    instance.id => instance.ipv4_address
  }
  description = "The IP addresses of the deployed instances, paired with their IDs."
}

You define a single resource of type digitalocean_droplet named vault. Its parameters come from the variables, and count makes the number of instances configurable. The ssh_keys argument adds the SSH key from your DigitalOcean account, identified by its fingerprint, to each Droplet; that key is how you will log in as root in Step 5. The output block prints the IP addresses of all newly deployed instances, keyed by Droplet ID, to the console.


Save and close the file.


Initialize the directory as a Terraform project:

  • terraform init

You’ll see the following output:

Output
Initializing the backend...

Initializing provider plugins...

The following providers do not have any version constraints in configuration,
so the latest version was installed.

To prevent automatic upgrades to new major versions that may contain breaking
changes, it is recommended to add version = "..." constraints to the
corresponding provider blocks in configuration, with the constraint strings
suggested below.

* provider.digitalocean: version = "~> 1.14"

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

The warning in the middle is worth acting on: without a constraint, a later terraform init on another machine may pull a newer major version of the provider with breaking changes. Adding the suggested version = "~> 1.14" line to the digitalocean provider block in do-provider.tf pins it.

Step 4 — Deploying Vault Using Terraform

Test the validity of your configuration:

  • terraform validate

You’ll see the following output:

Output
Success! The configuration is valid.

Run the plan command to see what Terraform will do when it provisions the infrastructure:

  • terraform plan -var-file="definitions.tfvars"

The output will look similar to:

Output
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

------------------------------------------------------------------------

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # digitalocean_droplet.vault[0] will be created
  + resource "digitalocean_droplet" "vault" {
      ...
    }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

Execute the plan:

  • terraform apply -var-file="definitions.tfvars"

Terraform shows the plan again and asks you to confirm with yes. The Droplet will then finish provisioning and you'll see output similar to this:

Output
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  + digitalocean_droplet.vault[0]
  ...

Plan: 1 to add, 0 to change, 0 to destroy.

...

digitalocean_droplet.vault[0]: Creating...
...

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

instance_ip_addr = {
  "181254240" = "your_new_server_ip"
}

Step 5 — Verifying Your Deployed Droplet

Run the following to connect to your new Droplet:

  • ssh root@your_server_ip

Once you are logged in, run Vault with:

  • vault

You’ll see its “help” output:

Output
Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    debug          Runs the debug command
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    print          Prints runtime configurations
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens

Conclusion

You now have an automated system for deploying Hashicorp Vault on DigitalOcean Droplets using Terraform and Packer. The snapshot contains only the Vault binary: there is no server configuration, storage backend, or service unit yet, so nothing is listening on the network. To start using Vault, you'll need to write a server configuration, start the server, and then initialize and unseal it. For instructions on how to do that, visit the official docs.


For more tutorials using Terraform, check out our Terraform content page.


Translated from: https://www.digitalocean.com/community/tutorials/how-to-build-a-hashicorp-vault-server-using-packer-and-terraform-on-digitalocean-quickstart
