1. Securing RabbitMQ credentials with Vault's secret backend

    To secure RabbitMQ credentials, we'll use HashiCorp Vault with Pulumi's Vault provider. The main goal is to create a secret in Vault for RabbitMQ credentials that can be retrieved and used by applications without them being exposed in plain text.

    Here are the steps we will follow to achieve this:

    1. We'll first set up a Vault SecretBackend specific to RabbitMQ. This backend will provide a secure location for the RabbitMQ credentials.
    2. Next, we'll define a SecretBackendRole which specifies the permissions associated with the credentials managed under this backend.
    3. We will then create an actual Secret which will store the RabbitMQ credentials.

    The resources we'll use for this are:

    • vault.rabbitMq.SecretBackend: To enable and configure the RabbitMQ secret backend on Vault.
    • vault.rabbitMq.SecretBackendRole: To create a role that applications can use to generate dynamic credentials for RabbitMQ.
    • vault.generic.Secret: To create a secret for storing static credentials, if necessary.

    Below is a program that performs these steps:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as vault from "@pulumi/vault";

// The RabbitMQ admin credentials that Vault uses to create and delete users must not
// be hard-coded in the program; read them from Pulumi config as secrets
// (`pulumi config set --secret rabbitmqAdminPassword ...`).
const config = new pulumi.Config();
const adminUsername = config.require("rabbitmqAdminUsername");
const adminPassword = config.requireSecret("rabbitmqAdminPassword");

// Initialize the RabbitMQ secret backend. This configures Vault to manage RabbitMQ's
// credentials; Vault talks to the RabbitMQ management API at connectionUri.
const rabbitMqBackend = new vault.rabbitMq.SecretBackend("rabbitMqBackend", {
    connectionUri: "http://localhost:15672", // URI of the RabbitMQ management API.
    username: adminUsername,                // Admin username for RabbitMQ.
    password: adminPassword,                // Admin password for RabbitMQ.
});

// Define a role that will be used to generate dynamic RabbitMQ credentials.
const rabbitMqRole = new vault.rabbitMq.SecretBackendRole("rabbitMqRole", {
    backend: rabbitMqBackend.path, // Mount path of the backend (defaults to "rabbitmq").
    name: "my-role",
    vhosts: [{
        host: "/",        // Virtual host the generated user may access.
        configure: ".*",  // RabbitMQ permission regexes for this vhost.
        read: ".*",
        write: ".*",
    }],
});

// Optionally, create a static secret for RabbitMQ if dynamic secrets are not desired.
// The path must live under a KV secrets engine (assumed mounted at "secret/"; for KV v2
// the write path is "secret/data/..."), not under the rabbitmq mount above.
// dataJson must be one JSON object, stringified exactly once and marked secret so Pulumi
// keeps it encrypted in state and hidden in CLI output.
const rabbitMqCredentials = new vault.generic.Secret("rabbitMqCredentials", {
    path: "secret/rabbitmq/static-creds",
    dataJson: pulumi.secret(JSON.stringify({
        username: "static-user",
        password: "static-password",
    })),
});

// Export the path of the static credentials.
export const rabbitMqCredentialsPath = rabbitMqCredentials.path;
```

    In this program:

    • We declare a rabbitMqBackend resource, which sets up the Vault secret backend for RabbitMQ by specifying the connection parameters and admin credentials required for Vault to interface with RabbitMQ.

    • The rabbitMqRole defines the permissions that any dynamic credentials generated by Vault will have in RabbitMQ. These permissions are scoped to specific virtual hosts (vhosts) in RabbitMQ.

    • Optionally, we declare rabbitMqCredentials to store static credentials in Vault. This is useful when you don't need dynamic credential generation and you have fixed credentials that applications can use to authenticate with RabbitMQ.

    • Finally, we export the path of the static credentials so that you can reference them in your application using Vault's APIs or any Vault clients configured with your Vault server.

    When you apply this program with Pulumi, it will create the resources in Vault, and you can then use the provided credentials to connect to RabbitMQ securely, without needing to hard-code credentials in your application code.
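    An application consumes the dynamic credentials that the "my-role" role above lets Vault issue by calling the rabbitmq secrets engine's creds endpoint and tracking the lease. The following is an added example, not code from the original page: the endpoint path (GET /v1/<mount>/creds/<role>) and the response fields are Vault's rabbitmq engine API; the host, vhost, AMQP port and the sample response values are assumptions.

```typescript
// Added example: consuming dynamic RabbitMQ credentials issued by Vault for "my-role".
// Network calls are left to the caller; these helpers build the request and parse the
// response so the credentials never need to be written into application config.

export interface VaultCredsResponse {
  lease_id: string;
  lease_duration: number;            // seconds until Vault deletes the generated user
  renewable: boolean;
  data: { username: string; password: string };
}

export interface RabbitMqLease {
  amqpUrl: string;
  leaseId: string;
  renewAtMs: number;                 // when the app should renew via /v1/sys/leases/renew
}

/** Describe the Vault request for fresh credentials (token goes in a header, never the URL). */
export function vaultCredsRequest(vaultAddr: string, mount: string, role: string, token: string) {
  return {
    url: `${vaultAddr.replace(/\/+$/, "")}/v1/${mount}/creds/${encodeURIComponent(role)}`,
    headers: { "X-Vault-Token": token },
  };
}

/** Turn a creds response into an AMQP URL plus a renewal deadline. */
export function leaseFromVault(resp: VaultCredsResponse, host: string, vhost: string, nowMs: number): RabbitMqLease {
  if (!resp.data?.username || !resp.data?.password) {
    throw new Error("Vault response did not contain RabbitMQ credentials");
  }
  // Vault-generated passwords contain URL-reserved characters; encode every component.
  const user = encodeURIComponent(resp.data.username);
  const pass = encodeURIComponent(resp.data.password);
  const vh = encodeURIComponent(vhost); // the default vhost "/" must travel as %2F
  return {
    amqpUrl: `amqps://${user}:${pass}@${host}:5671/${vh}`,
    leaseId: resp.lease_id,
    // Renew at two thirds of the lease so a slow renewal cannot leave the app with a revoked user.
    renewAtMs: nowMs + Math.floor((resp.lease_duration * 1000 * 2) / 3),
  };
}

// Constructed sample (assumed values) of what Vault returns for GET /v1/rabbitmq/creds/my-role.
export const SAMPLE_RESPONSE: VaultCredsResponse = {
  lease_id: "rabbitmq/creds/my-role/EXAMPLE-LEASE-ID",
  lease_duration: 3600,
  renewable: true,
  data: { username: "token-3f9a", password: "p@ss/w:rd" },
};
```

    When the lease is renewed or expires, fetch a new response and rebuild the connection URL; the old user is removed by Vault when its lease ends.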

    Remember that this assumes you have a Vault server running and reachable from where you run the Pulumi program. Additionally, ensure that the Vault token or auth method the Pulumi provider uses has the permissions needed to mount the backend, write the role and write the static secret.