Gemini ‐ Packer and HashiCorp Vault - sathishkpr/ptactions GitHub Wiki

You can automate instance auto-scaling on AWS using HashiCorp Packer, GitHub Actions, and HashiCorp Vault for secure AWS key management. This setup allows you to build and deploy updated machine images automatically, triggered by code changes, while keeping your AWS credentials secure.

Here's a breakdown of how to achieve this, combining the tools you mentioned:

1. HashiCorp Packer for Image Building

  • Purpose: Packer is used to create consistent machine images for various platforms, including AWS. In this context, Packer will build the base AMI (Amazon Machine Image) that your auto-scaling group will use.
  • Key Features for Auto-Scaling:
    • Automation: Packer automates the image creation process, ensuring consistency and repeatability.
    • Customization: You can define provisioners in your Packer template to install software, configure settings, and bake in your application code directly into the AMI. This speeds up instance launch times in your auto-scaling group.
    • Version Control: Packer templates are code, allowing you to version control your infrastructure and track changes to your base images.

2. HashiCorp Vault for Secure AWS Credentials

  • Purpose: Vault acts as a secure secrets management system. Instead of hardcoding AWS access keys directly into your Packer templates or GitHub Actions workflows, you'll retrieve them dynamically from Vault.
  • Key Features for Security:
    • Dynamic Credentials: Vault can generate short-lived AWS credentials on demand, reducing the risk of long-term keys being compromised.
    • Centralized Secret Management: Vault provides a central place to manage and audit access to all your secrets, including AWS keys.
    • Auditing: Vault logs all access to secrets, providing an audit trail for security and compliance.

3. GitHub Actions for Workflow Automation

  • Purpose: GitHub Actions will orchestrate the entire auto-scaling update process. It will be triggered by events in your repository (e.g., code commits, pull requests) and will:
    1. Retrieve AWS credentials from Vault.
    2. Run Packer to build a new AMI.
    3. Update the AWS Auto Scaling Group to use the new AMI.
  • Key Features for Automation:
    • Event-Driven: GitHub Actions workflows are triggered by repository events, enabling automated pipelines.
    • Workflow Orchestration: Actions can define complex workflows with multiple steps, including interacting with Vault, Packer, and AWS.
    • Integration: GitHub Actions integrates seamlessly with GitHub repositories and various cloud providers, including AWS.

Workflow Steps:

Here's a step-by-step workflow to implement this auto-scaling setup:

  1. Set up HashiCorp Vault:

    • Deploy and configure a Vault server.
    • Enable the AWS secrets engine in Vault.
    • Configure an AWS IAM role or user that Vault can assume to generate dynamic credentials.
    • Create a Vault policy that grants access to AWS credentials for your Packer and GitHub Actions workflows.

  2. Create a Packer Template:

    • Define a Packer template (.pkr.hcl or .json) for building your base AMI.

    • Use provisioners (e.g., shell, Ansible, Chef, Puppet) to configure the instance with your application and dependencies.

    • Authentication with Vault in Packer:

      • Use the Vault Packer plugin or the vault provisioner within your Packer template to authenticate with Vault and retrieve AWS credentials dynamically.
      • Set environment variables or use the Vault agent to provide authentication details to Packer.
      • Example using the Vault provisioner:
      provisioner "vault" {
  name = "vault-aws-creds"
  namespace = "admin" # Vault namespace if applicable
  address = "https://your-vault-address:8200" # Vault address
  auth_method = "github" # Example: GitHub authentication
  github_token = "{{ env `GITHUB_TOKEN` }}" # GitHub token for auth
  secrets = [
    {
      path = "aws/creds/your-aws-role" # Path to your AWS role in Vault
      env = ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"]
    }
  ]
}

builder "amazon-ebs" {
  access_key    = "{{ env `AWS_ACCESS_KEY_ID` }}" # Credentials from Vault
  secret_key    = "{{ env `AWS_SECRET_ACCESS_KEY` }}" # Credentials from Vault
  session_token = "{{ env `AWS_SESSION_TOKEN` }}" # Credentials from Vault
  region          = "your-aws-region"
  source_ami_filter {
    filters = {
      name                = "amzn2-ami-hvm-*-x86_64-gp2"
      owners              = ["amazon"]
      root-device-type    = "ebs"
      virtualization-type = "hvm"
    }
    most_recent = true
  }
  instance_type   = "t2.micro"
  ssh_username    = "ec2-user"
  ami_name        = "your-ami-name-{{timestamp}}"
  tags = {
    Name = "Your AMi Name"
  }
}

  3. Create a GitHub Actions Workflow:

    • Define a GitHub Actions workflow file (e.g., .github/workflows/packer-autoscaling.yml) in your repository.

    • Workflow Steps:

      • Checkout Code: Checkout your repository code.

      • Authenticate with Vault:

        • Use a GitHub Action (e.g., HashiCorp Vault Secrets Action) to authenticate with Vault.
        • Provide Vault authentication credentials (e.g., GitHub token, AppRole credentials).
        • Retrieve AWS credentials from Vault using the configured path.
        • Set AWS credentials as environment variables for subsequent steps.

      • Run Packer Build:

        • Use a GitHub Action to run Packer.
        • Pass the Packer template file as input.
        • Environment variables for AWS credentials should be automatically available if set correctly in the previous step.

      • Update Auto Scaling Group:

        • Use the AWS CLI or AWS SDK (within a GitHub Action) to update your Auto Scaling Group.
        • Retrieve the AMI ID of the newly built AMI from the Packer output.
        • Update the Launch Template or Launch Configuration of your Auto Scaling Group to use the new AMI ID.

      • Example GitHub Actions workflow:

      name: Packer Auto-Scale AMI Build

on:
  push: # Trigger on code push to main branch (adjust as needed)
    branches: [ main ]

jobs:
  build-ami-and-update-asg:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Authenticate with Vault and Get AWS Credentials
        uses: hashicorp/vault-secrets-action@v2
        with:
          url: 'https://your-vault-address:8200'
          namespace: 'admin' # Vault namespace if applicable
          auth_method: 'github'
          secrets: |
            aws/creds/your-aws-role aws_creds # Retrieve AWS creds

      - name: Setup Packer
        uses: hashicorp/setup-packer@v2

      - name: Build AMI with Packer
        run: packer build your-packer-template.pkr.hcl
        env:
          AWS_ACCESS_KEY_ID: ${{ env.AWS_CREDS_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_CREDS_AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ env.AWS_CREDS_AWS_SESSION_TOKEN }}

      - name: Update Auto Scaling Group
        run: |
          AMI_ID=$(grep "amazon-ebs: *ami_id" packer-result.txt | awk '{print $3}') # Extract AMI ID from Packer output
          aws autoscaling update-auto-scaling-group \
            --auto-scaling-group-name your-auto-scaling-group-name \
            --launch-configuration-name new-launch-configuration-name-{{ github.run_id }} \
            --launch-template LaunchTemplateName=your-launch-template-name,Version='$Latest' # Or update launch template
        env:
          AWS_ACCESS_KEY_ID: ${{ env.AWS_CREDS_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ env.AWS_CREDS_AWS_SECRET_ACCESS_KEY }}
          AWS_SESSION_TOKEN: ${{ env.AWS_CREDS_AWS_SESSION_TOKEN }}
          AWS_REGION: your-aws-region # Set your AWS region

  4. Configure AWS Auto Scaling Group:

    • Create an Auto Scaling Group in AWS.
    • Initially, configure it to use a Launch Configuration or Launch Template based on a manually created AMI or a placeholder AMI.
    • The GitHub Actions workflow will update this Auto Scaling Group to use the newly built AMIs.

Key Considerations and Best Practices:

  • Security:
    • Vault Access Control: Implement strict access control policies in Vault to limit who and what can access AWS credentials.
    • Least Privilege IAM Roles: Ensure the IAM roles used by Vault and GitHub Actions have only the necessary permissions to perform their tasks.
    • Secrets Rotation: Configure Vault to rotate AWS credentials regularly for enhanced security.
  • Error Handling and Monitoring:
    • Implement error handling in your GitHub Actions workflow to gracefully handle failures in Packer builds or AWS updates.
    • Set up monitoring for your Packer builds, GitHub Actions workflows, and Auto Scaling Groups to track the process and identify issues quickly.
  • Testing:
    • Thoroughly test your Packer templates and GitHub Actions workflows in a non-production environment before deploying to production.
    • Consider using Packer's -debug mode and GitHub Actions workflow logs for troubleshooting.
  • Versioning and Rollback:
    • Version control your Packer templates and GitHub Actions workflows.
    • Implement a rollback strategy in case a new AMI causes issues in your auto-scaling group. This might involve reverting to the previous AMI version in your Auto Scaling Group.
  • Launch Templates vs. Launch Configurations: AWS recommends using Launch Templates for Auto Scaling Groups as they offer more features and flexibility. Update the Launch Template in your workflow instead of Launch Configurations if possible.

Summary:

By combining HashiCorp Packer, Vault, and GitHub Actions, you can create a robust and secure automated pipeline for building and deploying updated machine images for your AWS Auto Scaling Groups. This approach ensures consistency, improves security by managing credentials centrally with Vault, and automates the entire process, triggered by your code changes. Remember to adapt the provided examples to your specific environment, Vault setup, and AWS configurations.