From 6fe5a627df93178c6d1cd7c0254803553187c207 Mon Sep 17 00:00:00 2001 From: Shayan Ghani Date: Sun, 1 Sep 2024 16:32:41 +0330 Subject: [PATCH] closes #50 : conditioned ssh credential library based on SSH_INJECTION variable --- boundary/terraform/main.tf | 61 ++++++++++++++--------------- boundary/terraform/terraform.tfvars | 3 +- boundary/terraform/variables.tf | 27 ++++++++++--- 3 files changed, 54 insertions(+), 37 deletions(-) diff --git a/boundary/terraform/main.tf b/boundary/terraform/main.tf index 24dc30c..2edb1cd 100644 --- a/boundary/terraform/main.tf +++ b/boundary/terraform/main.tf @@ -165,25 +165,6 @@ resource "boundary_credential_store_static" "main_cred_store" { scope_id = boundary_scope.core_infra.id } -## Uncomment the following lines if you have vault paid plan -# resource "boundary_credential_store_vault" "vault_cert_store" { -# name = "vault-cred-store" -# address = var.vault_address -# token = var.vault_cred_store_token -# scope_id = boundary_scope.core_infra.id -# } - -# resource "boundary_credential_library_vault_ssh_certificate" "vault_cred_lib_ssh" { -# name = "certificates-library" -# credential_store_id = boundary_credential_store_vault.vault_cert_store.id -# path = var.vault_sign_path -# username = var.vault_username -# key_type = "ecdsa" -# key_bits = 521 -# } - -### end of vault ### - resource "boundary_credential_ssh_private_key" "main_server_keys" { for_each = { for host in var.hosts_info : host.name => host } name = each.value.ssh_key_name 
@@ -207,21 +188,39 @@ resource "boundary_target" "main_servers_ssh" { ] } +#### Start of Vault ssh credential store +# The following resources are only applied if SSH_INJECTION is set to True. -#### uncomment the following block if you have pain boundary plan to use cred injection -# resource "boundary_target" "test_server_ssh" { -# type = "tcp" -# name = "${var.test_server_name}_ssh_server" -# description = "test servers SSH target" -# scope_id = boundary_scope.core_infra.id -# default_port = var.ssh_port +resource "boundary_credential_store_vault" "vault_cert_store" { + count = var.SSH_INJECTION ? 1 : 0 + name = "vault-cred-store" + address = var.vault_address + token = var.vault_cred_store_token + scope_id = boundary_scope.core_infra.id +} -# injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id] +resource "boundary_credential_library_vault_ssh_certificate" "vault_cred_lib_ssh" { + count = var.SSH_INJECTION ? 1 : 0 + name = "certificates-library" + credential_store_id = boundary_credential_store_vault.vault_cert_store.id + path = var.vault_sign_path + username = var.vault_username + key_type = "ecdsa" + key_bits = 521 +} -# host_source_ids = [ -# boundary_host_set_static.main_servers_ssh.id -# ] -# } +resource "boundary_target" "test_server_ssh" { + count = var.SSH_INJECTION ? 1 : 0 + type = "tcp" + name = "${var.test_server_name}_ssh_server" + description = "test servers SSH target" + scope_id = boundary_scope.core_infra.id + default_port = var.test_ssh_port + injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id] + host_source_ids = [ + boundary_host_set_static.main_servers_ssh.id + ] +} ### End of cred injection # TODO: break resources into seperate tf files \ No newline at end of file diff --git a/boundary/terraform/terraform.tfvars b/boundary/terraform/terraform.tfvars index 77ae69f..467872a 100644 
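Review bot: The counted resources in the new Vault block are referenced without an instance key: `credential_store_id = boundary_credential_store_vault.vault_cert_store.id` in vault_cred_lib_ssh and `injected_application_credential_source_ids = [boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh.id]` in test_server_ssh. Once `count` is set Terraform exposes the resource as a list, so these need to become `boundary_credential_store_vault.vault_cert_store[0].id` and `[boundary_credential_library_vault_ssh_certificate.vault_cred_lib_ssh[0].id]`, otherwise plan fails as soon as SSH_INJECTION is enabled. Separately, as far as I recall Boundary only honours injected credential sources on targets of `type = "ssh"`, so with `type = "tcp"` the injection would not take effect; worth confirming against the provider docs before relying on it. The header comment says SSH_INJECTION is set to `True` while the HCL literal is `true`, and the block opens with "Start of Vault ssh credential store" but closes with the pre-existing "### End of cred injection", so the two markers should be made to match.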
--- a/boundary/terraform/terraform.tfvars +++ b/boundary/terraform/terraform.tfvars @@ -34,6 +34,7 @@ main_server_names = [ ] test_server_name = "testing" +test_ssh_port = 22 # provider variables boundary_address = "https://boundary.dvh.tech" @@ -80,4 +81,4 @@ session_recording_read_list = "id=*;type=session-recording;actions=list,read" # vault cred store vault_sign_path = "ssh-signer/issue/boundary-client" vault_username = "admin" -vault_address = "http://vault:8200" +vault_address = "http://vault:8200" \ No newline at end of file diff --git a/boundary/terraform/variables.tf b/boundary/terraform/variables.tf index 9d90e08..4737374 100644 --- a/boundary/terraform/variables.tf +++ b/boundary/terraform/variables.tf @@ -69,24 +69,41 @@ variable "main_cred_store_name" { description = "main servers credential store name" } +## start of SSH_INJECTION +variable "SSH_INJECTION" { + type = bool + default = false + description = "wehter to use ssh credential library" +} + +variable "test_ssh_port" { + type = string + description = "ssh port for the test target" +} variable "vault_address" { type = string sensitive = true description = "address to vault server" } -# variable "vault_cred_store_token" { -# type = string -# sensitive = true -# description = "vault token for credential store" -# } +variable "vault_cred_store_token" { + type = string + sensitive = true + default = "hvs.test" + description = "vault token for credential store" +} variable "vault_sign_path" { type = string + description = "Path to the Vault key to sign boundary client" } variable "vault_username" { type = string } + +## end of SSH_INJECTION + + # permissions and roles ## all grants
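Review bot: `vault_cred_store_token` now carries `default = "hvs.test"`; a sensitive Vault token should not have a plausible-looking default, because a deployment that enables SSH_INJECTION but forgets to supply the token plans cleanly and only fails at apply, and a default on a secret variable is where a real token tends to get pasted and committed later. Use `default = null` instead: the variable stays optional for the SSH_INJECTION=false case since the Vault resources are not created, and a missing token surfaces as an explicit error when they are. `test_ssh_port` is declared `type = string` while terraform.tfvars assigns `test_ssh_port = 22` and the value feeds `default_port`, so `type = number` matches both uses. The description "wehter to use ssh credential library" has a typo, "whether". Note also that `vault_address`, `vault_sign_path` and `vault_username` sit inside the `## start of SSH_INJECTION` section but have no default, so they remain required inputs even when SSH_INJECTION is false.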