dannyjknights/transparent-sessions-secure-https-access

HashiCorp Boundary Transparent Sessions

Overview

Transparent sessions is a new workflow within Boundary that improves the end-user experience and also facilitates securing access to HTTPS targets.

This README file explains what will be deployed as part of this repo. For further information, please refer to my associated blog post: https://medium.com/hashicorp-engineering/

HCP Boundary deployment for Transparent Sessions

To demonstrate how Boundary and transparent sessions can be used to facilitate connectivity to HTTPS targets, I have built a multi-hop Boundary deployment. The HTTPS target resides in a private RFC1918 address space and, once deployed, you can access the target via Boundary without the need for a VPN solution.

The repo deploys and configures the following:

  1. Configures HCP Boundary. The HCPb cluster will already be deployed, and the code in the repo does all the logical configuration.
  2. Deploys a Boundary Ingress Worker in a public network.
  3. Deploys a Boundary Egress Worker in a private network. The Egress worker is associated with the HTTPS target and, by communicating with the Ingress worker, allows for a multi-hop deployment.
  4. Establishes a connection between the Boundary Controller and the Boundary Workers.
  5. Creates an A record in Route53 for test.transparentsessions.com.
  6. Deploys HCP Vault Dedicated and mounts two PKI secrets engines: one as the root CA and one as the intermediary CA.
  7. Deploys a server instance in a private subnet. This server will have Apache installed and will grab all the requisite keys and certificates generated by Vault.

You will need to create a domain, or have an existing domain, to test against. For this example deployment I registered the domain transparentsessions.com in Route53.

Your HCP Boundary cluster needs to be created prior to executing the Terraform code. For people new to HCP, a trial can be utilised, which gives $50 of credit, ample to test this solution.

With this setup, users can securely access the HTTPS resource in the private network without needing to connect directly to the network or expose resources publicly to the Internet.
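
The two PKI mounts from step 6 (a root CA and an intermediary CA signed by it) could be expressed in Terraform roughly as follows. This is an added example, not the repo's own code: the mount paths, CA common names, TTLs and role name are assumptions, and a configured `vault` provider pointing at the HCP Vault Dedicated cluster is assumed.

```hcl
# Added example, not the repo's code. Paths, names and TTLs are assumptions.

resource "vault_mount" "pki_root" {
  path                  = "pki-root" # assumed mount path
  type                  = "pki"
  max_lease_ttl_seconds = 315360000 # 10 years
}

resource "vault_pki_secret_backend_root_cert" "root" {
  backend     = vault_mount.pki_root.path
  type        = "internal" # root private key is generated in Vault and never exported
  common_name = "Example Root CA"
  ttl         = "87600h"
}

resource "vault_mount" "pki_int" {
  path                  = "pki-int" # assumed mount path
  type                  = "pki"
  max_lease_ttl_seconds = 157680000 # 5 years
}

# Intermediate creates its own key and CSR; the root signs it; the result is installed.
resource "vault_pki_secret_backend_intermediate_cert_request" "int" {
  backend     = vault_mount.pki_int.path
  type        = "internal"
  common_name = "Example Intermediate CA"
}

resource "vault_pki_secret_backend_root_sign_intermediate" "int" {
  # Referencing the root cert resource makes Terraform create the root first.
  backend     = vault_pki_secret_backend_root_cert.root.backend
  csr         = vault_pki_secret_backend_intermediate_cert_request.int.csr
  common_name = "Example Intermediate CA"
  ttl         = "43800h"
}

resource "vault_pki_secret_backend_intermediate_set_signed" "int" {
  backend     = vault_mount.pki_int.path
  certificate = vault_pki_secret_backend_root_sign_intermediate.int.certificate
}

# Role limited to the demo domain so this mount cannot issue for other names.
resource "vault_pki_secret_backend_role" "web" {
  backend          = vault_mount.pki_int.path
  name             = "web-server" # assumed role name
  allowed_domains  = ["transparentsessions.com"]
  allow_subdomains = true
  max_ttl          = "720h"
}
```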

tfvars Variables

The following tfvars variables have been defined in a terraform.tfvars file.

  • boundary_addr: The HCP Boundary address, e.g. "https://xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.boundary.hashicorp.cloud"
  • password_auth_method_login_name: = ""
  • password_auth_method_password: = ""
  • private_vpc_cidr: = ""
  • private_subnet_cidr: = ""
  • aws_vpc_cidr: = ""
  • aws_subnet_cidr: = ""
  • aws_access: = ""
  • aws_secret: = ""

About

A repo to demonstrate HashiCorp Boundary transparent sessions to secure remote access to private HTTPS targets
