Secrets are hard, especially for local development. This is why I took two of my favorite products (Cloudflare For Teams and HashiCorp Vault) and used them together to come up with a Zero-Trust Vault deployment that is easy to use from any of my workstations.
The focus was to achieve fast deployment and easy maintenance. Terraform takes care of the full deployment, and the full stack is deployed with two terraform apply commands, everything is configured and ready to go within minutes.
- Terraform putting everything together ❤️
- Cloudflare for Teams
- Cloudflare Tunnel (exposing Vault, SSH to internet)
- Cloudflare Access
- Vault UI (generic Cloudflare Access app)
- SSH Web Terminal (SSH access to GCE instance)
- JWT Auth backend (Vault auth)
- Cloudflare WARP to private network (through Tunnel)
- Google Cloud Platform
- GCE Instance (with deny-all incoming traffic)
- GCS Bucket (Vault storage)
- Secret Manager (Cloudflare Tunnel credentials store)
- (optional) KMS (for Vault auto-unseal)
Free. (for up to 50 users)
I cannot tell the exact GCP costs of this stack yet, but there is a Free Tier for the default machine type.
If you want to change the region, just note that only some regions are eligible for the GCP Free Tier.
The deployment process consists of two steps. The first one (Infra) is to deploy the Zero-Trust stack and the second one is configuring the Vault itself.
In order to deploy this stack, make sure you have:
-
Terraform version 1.0+
-
Google Cloud SDK setup and authenticated to a GCP project
- Its recommended creating a new GCP project, with following APIs enabled
- https://console.developers.google.com/apis/api/compute.googleapis.com/overview
- https://console.developers.google.com/apis/api/secretmanager.googleapis.com/overview
- (optional - if auto-unseal is desired - additional costs!) https://console.developers.google.com/apis/api/cloudkms.googleapis.com/overview
- Its recommended creating a new GCP project, with following APIs enabled
-
Google Storage Bucket for Terraform state
- Manually create a GCS bucket in your GCP project, name it e.g.
tf-state-vault-my-project-id
- Manually create a GCS bucket in your GCP project, name it e.g.
-
Cloudflare Account with Cloudflare for Teams enabled
Please refer to infra folder
Please refer to vault-config folder
- Cloudflare Teams tunnels IP routes are Terraformed using REST provider, this will be changed to official cloudflare provider once supported.
- OIDC auth flow or automatic WARP auth to get the JWT token would be better, this will be implemented if and once supported.
- Why? You may ask. The next step is to configure my local development to load ENV variables based on the project directory.