I cannot make certificate injection work either, so I tried certificate brokering.
While trying to set up SSH Certificates as a Brokered Credential Source with Terraform, the following error is triggered:
module.my_project.boundary_host_catalog_static.servers: Refreshing state... [id=hcst_M0SoS1sEC2]
module.my_project.boundary_credential_store_vault.foo: Refreshing state... [id=csvlt_HJ7VFn0jsm]
module.my_project.boundary_host_static.my_project: Refreshing state... [id=hst_e1TNApyv4v]
module.my_project.boundary_host_set_static.my_project: Refreshing state... [id=hsst_ZF5vWrXgBr]
module.my_project.boundary_target.ssh: Refreshing state... [id=ttcp_6L5Cr0OUss]
module.my_project.boundary_credential_library_vault_ssh_certificate.foo: Refreshing state... [id=clvsclt_nV8DMWuBcg]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.my_project.boundary_target.ssh will be updated in-place
  ~ resource "boundary_target" "ssh" {
      ~ brokered_credential_source_ids = [
          + "clvsclt_nV8DMWuBcg",
        ]
        id                             = "ttcp_6L5Cr0OUss"
        name                           = "ssh"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
module.my_project.boundary_target.ssh: Modifying... [id=ttcp_6L5Cr0OUss]
╷
│ Error: error updating credential sources in target: {"kind":"InvalidArgument","message":"Errors in provided fields.","details":{"request_fields":[{"name":"brokered_credential_source_ids","description":"Incorrectly formatted credential source identifier \"clvsclt_nV8DMWuBcg\"."}]}}
│
│   with module.my_project.boundary_target.ssh,
│   on example_project_my_project/main.tf line 57, in resource "boundary_target" "ssh":
│   57: resource "boundary_target" "ssh" {
│
A (similar?) error occurs when trying to achieve the same thing using the UI.
Here is the Terraform code:
variable "organization_id" {
}

resource "boundary_scope" "project" {
  name        = "project"
  description = "Projet project"
  # This parameter is the parent scope. It can be either the global scope, an
  # org-level scope, or a project-level scope.
  scope_id = var.organization_id
  # Using the auto_create_x_role flags can help you get set up faster
  # because you won't have to explicitly define these roles.
  auto_create_admin_role   = true
  auto_create_default_role = true
}

resource "boundary_host_catalog_static" "servers" {
  scope_id = boundary_scope.project.id
}

resource "boundary_host_static" "project" {
  type            = "static"
  name            = "project"
  description     = "Machine project"
  address         = "192.168.0.10"
  host_catalog_id = boundary_host_catalog_static.servers.id
}

resource "boundary_host_set_static" "project" {
  type            = "static"
  name            = "project"
  description     = "Host set for project servers"
  host_catalog_id = boundary_host_catalog_static.servers.id
  host_ids        = [boundary_host_static.project.id]
}

resource "boundary_credential_store_vault" "foo" {
  name        = "foo"
  description = "My first Vault credential store!"
  address     = "http://vault:8200" # change to Vault address
  token       = "CENSORED"          # change to valid Vault token
  scope_id    = boundary_scope.project.id
}

resource "boundary_credential_library_vault_ssh_certificate" "foo" {
  name                = "foo"
  description         = "My first Vault SSH certificate credential library!"
  key_type            = "rsa"
  key_bits            = 4096
  credential_store_id = boundary_credential_store_vault.foo.id
  path                = "ssh/sign/boundary-client" # change to correct Vault endpoint and role
  username            = "root"                     # change to valid username
}

resource "boundary_target" "ssh" {
  type                     = "tcp"
  name                     = "ssh"
  description              = "SSH server"
  enable_session_recording = false
  scope_id                 = boundary_scope.project.id
  session_connection_limit = -1
  session_max_seconds      = 3600
  default_port             = 22
  host_source_ids = [
    boundary_host_set_static.project.id
  ]
  brokered_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.foo.id
  ]
  # injected_application_credential_source_ids = [
  #   boundary_credential_library_vault_ssh_certificate.foo.id
  # ]
}
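As an added triage helper (not part of this post, nor of Boundary or the Terraform provider), the script below joins the two pieces of output shown above: it indexes the Boundary IDs from the "Refreshing state" lines by resource type, parses the JSON body the Boundary API returned inside the provider error, and reports which resource the rejected credential-source ID belongs to. The sample strings are copied from the output above.

```python
import json
import re

# Sample input copied from the report above (constructed fixture, not live output).
REFRESH_OUTPUT = """\
module.my_project.boundary_credential_store_vault.foo: Refreshing state... [id=csvlt_HJ7VFn0jsm]
module.my_project.boundary_target.ssh: Refreshing state... [id=ttcp_6L5Cr0OUss]
module.my_project.boundary_credential_library_vault_ssh_certificate.foo: Refreshing state... [id=clvsclt_nV8DMWuBcg]
"""

PROVIDER_ERROR = (
    'error updating credential sources in target: '
    '{"kind":"InvalidArgument","message":"Errors in provided fields.",'
    '"details":{"request_fields":[{"name":"brokered_credential_source_ids",'
    '"description":"Incorrectly formatted credential source identifier \\"clvsclt_nV8DMWuBcg\\"."}]}}'
)

REFRESH_RE = re.compile(r"^(?P<addr>\S+): Refreshing state\.\.\. \[id=(?P<id>[^\]]+)\]$")


def index_resource_ids(refresh_output):
    """Map each Boundary ID printed during refresh to its Terraform resource type."""
    ids = {}
    for line in refresh_output.splitlines():
        m = REFRESH_RE.match(line.strip())
        if m:
            # Address is module.<name>.<resource_type>.<resource_name>; take the type.
            ids[m.group("id")] = m.group("addr").split(".")[-2]
    return ids


def parse_provider_error(message):
    """Extract the JSON error body and return (field, quoted id or None, description) per field."""
    body = json.loads(message[message.index("{"):])
    findings = []
    for field in body.get("details", {}).get("request_fields", []):
        quoted = re.findall(r'"([^"]+)"', field["description"])
        findings.append((field["name"], quoted[0] if quoted else None, field["description"]))
    return findings


def triage(refresh_output, message):
    """For each rejected ID, say which resource type produced it ('unknown' if not refreshed)."""
    ids = index_resource_ids(refresh_output)
    return [(field, ident, ids.get(ident, "unknown"))
            for field, ident, _ in parse_provider_error(message)]


if __name__ == "__main__":
    for field, ident, rtype in triage(REFRESH_OUTPUT, PROVIDER_ERROR):
        print(f"{field}: rejected {ident} (from {rtype})")
```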