F0otsh0T/hcp-learn-boundary-azure

title: HCP LEARN BOUNDARY - AZURE
description: HashiCorp Boundary on Azure

HCP LEARN BOUNDARY - AZURE

PREREQS

  • HCP Boundary
    • Org Level Service Principal
  • Boundary CLI Client
  • Azure
  • Terraform

OVERVIEW

HCP Boundary in Azure Overview

INPUTS

Environment Variables
# // HCP CLOUD SERVICE PRINCIPAL
export HCP_CLIENT_ID=
export HCP_CLIENT_SECRET=
# // BOUNDARY
export BOUNDARY_ADDR=
export BOUNDARY_AUTH_METHOD_ID=
# // BOUNDARY PROVIDER INPUT VARIABLES
export TF_VAR_boundary_addr=
export TF_VAR_auth_method_id=
export TF_VAR_auth_method_login_name=
export TF_VAR_auth_method_password=
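
A preflight check to run before `terraform plan`, added here as an example (it is not part of the repository). It assumes every Terraform input is supplied as a `TF_VAR_*` environment variable; `boundary_preflight` and its message prefixes are hypothetical names, and the required inputs and default password it checks are the ones documented under Inputs.

```sh
#!/bin/sh
# Added example (not from the repository): preflight for the variables above.
# Assumption: every Terraform input is supplied as a TF_VAR_* environment
# variable rather than through a .tfvars file.

# Prints one line per problem; exit status is 0 only when nothing was found.
boundary_preflight() (
  problems=0
  report() { echo "$1"; problems=$((problems + 1)); }

  # Variables from the page's list, plus friendly_name_prefix, which the
  # Inputs table marks as required with no default.
  for name in HCP_CLIENT_ID HCP_CLIENT_SECRET BOUNDARY_ADDR \
              BOUNDARY_AUTH_METHOD_ID TF_VAR_boundary_addr \
              TF_VAR_auth_method_id TF_VAR_friendly_name_prefix; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || report "missing: $name"
  done

  # boundary authenticate sends the login name and password to this address.
  case "${BOUNDARY_ADDR:-}" in
    "" | https://*) ;;
    *) report "insecure: BOUNDARY_ADDR is not an https:// URL" ;;
  esac

  # Assumption: the CLI and the Terraform provider target the same cluster
  # and auth method, so each pair should carry the same value.
  same() {
    eval "a=\${$1:-} b=\${$2:-}"
    if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
      report "mismatch: $1 and $2 differ"
    fi
  }
  same BOUNDARY_ADDR TF_VAR_boundary_addr
  same BOUNDARY_AUTH_METHOD_ID TF_VAR_auth_method_id

  # The Inputs table documents "boundary-pass" as the default password.
  case "${TF_VAR_auth_method_password:-boundary-pass}" in
    boundary-pass) report "default-password: TF_VAR_auth_method_password is unset or still the documented default" ;;
  esac

  [ "$problems" -eq 0 ]
)

# Usage: boundary_preflight && terraform plan
```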

STEPS

Terraform

terraform init
terraform plan
terraform apply

Connect to Target

boundary authenticate
boundary connect ssh -target-id=$TARGET_ID -host-id=$HOST_ID -- -v
boundary connect ssh -target-id=tssh_1234567890 -host-id=hst_1234567890

TERRAFORM

Requirements

| Name | Version |
|------|---------|
| terraform | >=0.12 |
| azapi | ~>1.5 |
| azurerm | ~>2.0 |
| boundary | 1.1.9 |
| hcp | 0.69.0 |
| random | ~>3.0 |

Providers

| Name | Version |
|------|---------|
| azapi | 1.10.0 |
| azurerm | 2.99.0 |
| boundary | 1.1.9 |
| hcp | 0.69.0 |
| random | 3.5.1 |

Modules

No modules.

Resources

Name Type
azapi_resource.ssh_public_key resource
azapi_resource_action.ssh_public_key_gen resource
azurerm_linux_virtual_machine.my_terraform_vm resource
azurerm_linux_virtual_machine.vm_boundary_target_remote resource
azurerm_linux_virtual_machine.vm_boundary_worker_egress resource
azurerm_linux_virtual_machine.vm_boundary_worker_ingress resource
azurerm_network_interface.my_terraform_nic resource
azurerm_network_interface.nic_boundary_target_remote resource
azurerm_network_interface.nic_boundary_worker_egress resource
azurerm_network_interface.nic_boundary_worker_ingress resource
azurerm_network_interface_security_group_association.example resource
azurerm_network_interface_security_group_association.vm_boundary_target_remote_assoc resource
azurerm_network_interface_security_group_association.vm_boundary_worker_egress_assoc resource
azurerm_network_interface_security_group_association.vm_boundary_worker_ingress_assoc resource
azurerm_network_security_group.my_terraform_nsg resource
azurerm_network_security_group.nsg_boundary_private resource
azurerm_public_ip.public_ip_target resource
azurerm_public_ip.public_ip_target_remote resource
azurerm_public_ip.public_ip_worker_egress resource
azurerm_public_ip.public_ip_worker_ingress resource
azurerm_resource_group.rg resource
azurerm_storage_account.my_storage_account resource
azurerm_subnet.boundary_private_subnet resource
azurerm_subnet.my_terraform_subnet resource
azurerm_virtual_network.boundary_private_network resource
azurerm_virtual_network.my_terraform_network resource
boundary_account_password.test_account resource
boundary_auth_method.password resource
boundary_credential_ssh_private_key.az_vm_01 resource
boundary_credential_store_static.boundary_demo_credential_store resource
boundary_group.group01 resource
boundary_host_catalog_static.boundary_demo resource
boundary_host_set_static.host_set_net10_connected resource
boundary_host_set_static.host_set_net10_direct resource
boundary_host_set_static.host_set_net172_connected resource
boundary_host_static.net10_target_connected resource
boundary_host_static.net10_target_direct resource
boundary_host_static.net10_worker_ingress resource
boundary_host_static.net172_target_remote resource
boundary_host_static.net172_worker_egress resource
boundary_role.read_only resource
boundary_scope.org resource
boundary_scope.project resource
boundary_target.net10_target_connected_ssh resource
boundary_target.net10_target_direct_ssh resource
boundary_target.net10_target_direct_tcp_22 resource
boundary_target.net10_worker_ingress_direct_ssh resource
boundary_target.net10_worker_ingress_direct_tcp_22 resource
boundary_target.net172_target_remote_connected_ssh resource
boundary_target.net172_worker_egress_connected_ssh resource
boundary_user.tester01 resource
boundary_worker.vm_boundary_target_remote resource
boundary_worker.vm_boundary_worker_egress resource
boundary_worker.vm_boundary_worker_ingress resource
hcp_boundary_cluster.example resource
random_id.random_id resource
random_pet.example resource
random_pet.ssh_key_name resource

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| auth_method_id | n/a | string | n/a | yes |
| auth_method_login_name | HCP Boundary Cluster User. | string | "boundary-user" | no |
| auth_method_password | HCP Boundary Cluster Password. | string | "boundary-pass" | no |
| boundary_addr | n/a | string | n/a | yes |
| boundary_cluster_id | n/a | string | "boundary_cluster_id_default" | no |
| common_tags | Map of common tags for taggable Azure resources. | map(string) | {} | no |
| friendly_name_prefix | Friendly name prefix for unique Azure resource naming across deployments. | string | n/a | yes |
| hcp_boundary_cluster_tier | HCP Boundary Cluster Tier | string | "Standard" | no |
| location | Location of the resource group. | string | "westus3" | no |
| resource_group_location | Location of the resource group. | string | "westus3" | no |
| resource_group_name | Name of Resource Group to create. | string | "boundary-learn" | no |
| resource_group_name_prefix | Prefix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | string | "rg" | no |
| resource_group_name_suffix | Suffix of the resource group name that's combined with a random ID so name is unique in your Azure subscription. | string | "rg" | no |
| username | The username for the local account that will be created on the new VM. | string | "azureadmin" | no |

Outputs

Name Description
boundary_target_public_url n/a
boundary_target_remote_public_url n/a
boundary_worker_egress_activation_key n/a
boundary_worker_egress_public_url n/a
boundary_worker_ingress_activation_key n/a
boundary_worker_inress_public_url n/a
group_id-id n/a
group_id-scope_id n/a
hcp_boundary_cluster_cluster_id n/a
hcp_boundary_cluster_id n/a
hcp_boundary_cluster_project_id n/a
hcp_boundary_cluster_tier n/a
hcp_boundary_cluster_url n/a
host_catalog_id n/a
host_static_net10_target_connected_id n/a
host_static_net10_target_connected_name n/a
host_static_net10_worker_ingress_id n/a
host_static_net10_worker_ingress_name n/a
host_static_net172_target_remote_id n/a
host_static_net172_target_remote_name n/a
host_static_net172_worker_egress_id n/a
host_static_net172_worker_egress_name n/a
resource_group_name n/a
scope_project-id n/a
ssh_public_key n/a
target_net10_target_connected_ssh_id n/a
target_net10_target_connected_ssh_name n/a
target_net10_worker_ingress_direct_ssh_id n/a
target_net10_worker_ingress_direct_ssh_name n/a
target_net172_target_remote_connected_ssh_id n/a
target_net172_target_remote_connected_ssh_name n/a
target_net172_worker_egress_connected_ssh_id n/a
target_net172_worker_egress_connected_ssh_name n/a
target_private_ip_address n/a
target_public_ip_address n/a

APPENDIX

APPENDIX A: Azure VM Metadata

curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" | jq

ACKNOWLEDGEMENTS

Thanks for your help @markchristopherwest
