Automating credential rotation with Terraform
At Mixpanel, keeping your data secure is of the utmost importance. We strictly adhere to security best practices, including rotating credentials often. Anyone who has had to rotate credentials periodically knows that, without automation, it is a very time-consuming task. This article describes our approach to automating credential rotation with Terraform.
Rotation == Toil
Without any automation in place, rotating credentials is pure toil. An engineer has to go in, create a new credential, and then update everything that uses it, on a recurring schedule. If the credentials never expire, there is no strong incentive to be diligent about it. If they do expire, you are deliberately scheduling a future outage. Both of these options are obviously bad. As an engineer on the DevInfra team at Mixpanel, one of my main enemies is toil, so anything along the lines of "oh, we should manually update a dozen or more secrets with new credentials every month" is antithetical to my very role.
So let’s start working on how we can automate this process.
Terraform
Terraform is the standard way of automating anything involving cloud platforms, so it seems like an obvious choice for this. Let's verify that, though, by setting up an example for testing. We run on GCP, where service accounts are commonly used both to give our own services access to GCP resources and to let external services reach into our GCP projects on our behalf. Each service account key is a credential that has to be rotated.
We’ll create a simple service account:
resource "google_service_account" "rotation-t...
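To make the rotation concrete, here is an added example (not the page's own snippet, and not Mixpanel's configuration) of the Terraform pattern that turns a service account key into a credential that rotates itself: a `time_rotating` resource from the hashicorp/time provider ticks over every N days, its timestamp is used as a `keepers` value on the `google_service_account_key`, and any change to that value forces Terraform to replace the key. The account ID, secret name and 30-day interval are assumptions for illustration; storing the key in Secret Manager is one assumed way of getting the new key to its consumers, and the `replication { auto {} }` syntax assumes google provider 5.x.

```hcl
terraform {
  required_providers {
    google = { source = "hashicorp/google" }
    time   = { source = "hashicorp/time" }
  }
}

# Hypothetical service account; the account_id is an assumption for this example.
resource "google_service_account" "example" {
  account_id   = "rotation-example"
  display_name = "Key rotation example"
}

# Emits a new timestamp once every 30 days (assumed interval). Nothing in GCP
# changes here; it only exists so that a downstream attribute changes on schedule.
resource "time_rotating" "sa_key" {
  rotation_days = 30
}

resource "google_service_account_key" "example" {
  service_account_id = google_service_account.example.name

  # When rotation_rfc3339 changes, Terraform plans a replacement of this key.
  keepers = {
    rotation_time = time_rotating.sa_key.rotation_rfc3339
  }

  # Default replacement order is destroy-then-create, which revokes the old key
  # before the new one exists. Create the new key first so consumers that read
  # the secret below never see a window with no valid key.
  lifecycle {
    create_before_destroy = true
  }
}

# Assumed distribution point: consumers read the key from Secret Manager rather
# than having it baked into their config, so rotation needs no code change.
resource "google_secret_manager_secret" "sa_key" {
  secret_id = "rotation-example-sa-key"
  replication {
    auto {}
  }
}

# private_key is base64-encoded JSON; decode it so the secret holds the raw key file.
resource "google_secret_manager_secret_version" "sa_key" {
  secret      = google_secret_manager_secret.sa_key.id
  secret_data = base64decode(google_service_account_key.example.private_key)
}
```

The rotation only happens when `terraform apply` runs, so this has to be applied on a schedule (CI cron, a scheduled pipeline) at least as often as the rotation interval. Two checks worth doing after the first rotation: confirm with `gcloud iam service-accounts keys list` that only the new key remains, and confirm that the previous Secret Manager version has been disabled or destroyed, since adding a new version does not retire the old one and the old plaintext key would otherwise remain readable even though GCP no longer accepts it.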