Deploying Boundary Enterprise using Terraform
HashiCorp provides a set of official HVD modules to make it easier to deploy a Boundary Enterprise environment that adheres to the requirements and standards laid out in this HashiCorp Validated Design.
Platform-specific guidance
Deployment on AWS EC2
HashiCorp provides official HVD modules to deploy Boundary Enterprise controllers and workers on AWS EC2.
Before deployment, deploy the prerequisite infrastructure in AWS as below.
- A functional VPC with the required subnets.
- A Boundary Enterprise license stored in AWS Secrets Manager.
- A TLS private key and certificate, valid for the fully qualified domain name you plan to use with Boundary, that have been base64-encoded and uploaded to AWS Secrets Manager.
- The ARN of the Boundary database password secret in AWS Secrets Manager.
Use these modules with Terraform to deploy a complete, end-to-end Boundary Enterprise deployment inside of your own cloud account.
While we have made efforts throughout this document to provide prescriptive best practices, we recognize that each organization has its own unique requirements and constraints when it comes to deploying infrastructure. Where possible, we have included the considerations that apply when deploying Boundary in your cloud environment with this Terraform module. The module contains additional capabilities that you may wish to review if the variables covered here do not suit your specific needs.
Deployment sequence overview
- Deploy the prerequisite resources.
- Obtain the license file.
- Download the Boundary command-line tool (or the Boundary desktop client).
- Download the Terraform command-line tool.
- Obtain the HashiCorp Validated Design Terraform module for deploying Boundary Enterprise controllers and workers using the links for your CSP in the preceding tab.
- Configure your cloud credentials.
- Initialize your Terraform workspace.
- Input your variables, including the values from your prerequisite deployment, in the module for deployment.
- Create a Terraform plan for the controller.
- Apply the plan.
- Bootstrap the Boundary controller.
- Create a Terraform plan for the worker(s).
- Apply the plan.
- Begin creating targets and using Boundary Enterprise.
Preparation
Create the certificate files
Create a standard X.509 certificate to install on the Boundary servers. Refer to your organization's process for creating a new certificate that matches the DNS record you intend to direct users to when accessing Boundary.
Ensure the following files are available.
- The TLS certificate (tls-cert-secret.pub).
- The TLS private key (tls-cert-private.key).
- The CA bundle file from the certificate authority used to vend the certificate (tls-ca-bundle.pub).
Keep these files to hand, as you need them later in the installation process.
Obtain the Boundary enterprise license file
Obtain the Boundary Enterprise license file from your HashiCorp account team. This file contains a license key unique to your environment. Name the file something like boundary.hclic.
Keep this file to hand also, as you need it later in the installation process.
Download and install the Boundary command-line tool
- Download the appropriate package for your operating system from the HashiCorp Releases site.
- Unzip the package.
- Move the boundary binary (boundary.exe for Windows) to a directory in your system's PATH.
- Optional: Install Boundary Desktop client
Download and install the Terraform command-line tool
- Download the appropriate package for your operating system from the HashiCorp Releases site.
- Unzip the package.
- Move the Terraform binary (terraform.exe for Windows) to a directory in your system's PATH.
Download the Terraform module(s)
For an automated deployment, use these Terraform modules, customizing where necessary.
Once you have downloaded the module, navigate to the examples/default/ directory. Use this as the base working directory during the installation process.
Configure cloud credentials
Use the tabs below to configure cloud credentials.
Ensure the correct AWS credentials are in place and accessible to Terraform. Terraform can read credentials from:
- Credentials file: typically located at $HOME/.aws/credentials (%UserProfile%\.aws\credentials on Windows).
- Environment variables as follows.
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY
- AWS_SESSION_TOKEN (if using an IAM role or other expiring credentials)
- AWS_DEFAULT_REGION
For complete details on how to configure AWS credentials for Terraform, see the HashiCorp Terraform AWS provider documentation.
Ensure that the credentials have sufficient permissions to allow Terraform to perform the necessary actions.
Installation
Initialize Terraform
Run terraform init to initialize your Terraform workspace and ensure there are no outstanding errors before continuing.
Configure variables for deployment
Warning
You can only configure variables for the installation module's terraform.tfvars file after all the prerequisite resources are available. You need to supply values from the prerequisites to the Vault module.
Review the terraform.tfvars.example file HashiCorp maintains in the examples/default/ directory for explanations of each relevant variable. There is a terraform.tfvars.example file in the respective module for each public cloud provider. Copy this file to a file called terraform.tfvars, and then fill in the values for each declared variable with the applicable values for your environment.
Create and apply Terraform plan
From the examples/default/ directory, generate a Terraform plan with the following command:
terraform plan -out=tfplan
Review the plan output, then apply the changes with this command:
terraform apply tfplan
Confirm the changes by typing yes when prompted.
Validate installation
After your terraform apply finishes, you can monitor the installation progress by connecting to your Boundary controller VM instance shell via SSH, AWS SSM, or Google IAP and observing the cloud-init (user_data) logs using the commands below in separate terminal windows.
tail -f /var/log/boundary-cloud-init.log
journalctl -xu cloud-final -f
Note
The -f argument follows the logs as they append in real time, and is optional. You may remove the -f for a static view.
The log files should display the following message after the cloud-init (user_data) script finishes.
[INFO] boundary_custom_data script finished successfully!
Once the cloud-init script finishes, while still connected to the VM via SSH or equivalent, you can check the status of the Boundary service (for example with systemctl status) before moving on.
From the terminal where you performed the terraform apply, run the following command.
terraform output
Using the Terraform output that references the load balancer name or IP address, create a new DNS entry that matches your TLS certificate and points to the load balancer for the Vault cluster. Set the following environment variable.
export BOUNDARY_ADDR="https://boundary.example.com"
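The validation steps above can be scripted so that a pipeline waits for cloud-init to finish and refuses a BOUNDARY_ADDR that is not HTTPS (a plain http:// address would send Boundary auth tokens in clear text). This is an added example, not part of the HVD module; the log path and success marker are the ones quoted on this page, and the sample log it writes is constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the HVD module): post-deploy checks that mirror the
# manual validation steps. The log path and marker text are the ones the page
# quotes; the sample log at the bottom is constructed so this runs offline.

CLOUD_INIT_LOG="${CLOUD_INIT_LOG:-/var/log/boundary-cloud-init.log}"
DONE_MARKER='[INFO] boundary_custom_data script finished successfully!'

# Returns 0 once the cloud-init log contains the success marker, 1 otherwise.
# -F treats the marker as a literal string so the brackets are not a regex.
cloud_init_finished() {
  log="$1"
  [ -r "$log" ] || return 1
  grep -Fq -- "$DONE_MARKER" "$log"
}

# Polls the log until the marker appears or the timeout (seconds) expires.
wait_for_cloud_init() {
  log="$1"; timeout="${2:-600}"; waited=0
  until cloud_init_finished "$log"; do
    [ "$waited" -ge "$timeout" ] && return 1
    sleep 5; waited=$((waited + 5))
  done
  return 0
}

# Returns 0 if BOUNDARY_ADDR is an https:// URL with a hostname, 1 otherwise.
# Anything else (http://, an empty value, a bare host) is rejected.
boundary_addr_ok() {
  case "$1" in
    https://[A-Za-z0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Constructed sample log so the checks can be demonstrated without a VM.
sample_log="$(mktemp)"
printf '%s\n' '[INFO] installing boundary' "$DONE_MARKER" > "$sample_log"
wait_for_cloud_init "$sample_log" 0 && echo "cloud-init finished"
boundary_addr_ok "${BOUNDARY_ADDR:-https://boundary.example.com}" \
  && echo "BOUNDARY_ADDR uses https"
rm -f "$sample_log"
```

On a real controller, run it with CLOUD_INIT_LOG left at its default and pass "$CLOUD_INIT_LOG" to wait_for_cloud_init with a timeout that suits your instance type.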
Bootstrapping Boundary Enterprise
After deploying a Boundary Enterprise controller, the system is in a partially initialized state. To complete initialization and configure initial authentication, use the bootstrapping module.
Repeat the steps starting from the preceding Initialize Terraform section.
After bootstrapping is complete you should now be able to authenticate to the Boundary cluster via command-line tool or administrator UI.
Install Boundary workers
Note
Boundary workers in all instances require access to either the controller or the upstream workers. See the Network Connectivity page for more information.
Utilize the Boundary Enterprise worker HVD module for AWS, Azure, or GCP and repeat the steps starting from Initialize Terraform for this new module.
After your terraform apply finishes, monitor the installation progress by connecting to your Boundary worker VM instance shell via SSH, AWS SSM, or Google IAP and observing the cloud-init (user_data) logs using the commands below in different terminal windows.
tail -f /var/log/boundary-cloud-init.log
journalctl -xu cloud-final -f
Note
The -f argument follows the logs as they append in real time, and is optional. You may remove the -f for a static view.
The log files should display the following message after the cloud-init (user_data) script finishes.
[INFO] boundary_custom_data script finished successfully!
Once the cloud-init script finishes, while still connected to the VM via SSH, you can check the status of the Boundary service using the command below.
sudo systemctl status boundary
After the Boundary worker has deployed, it is visible in the Boundary cluster's workers list.