Backups as Code: Manage Veeam S3 credentials with Terraform



Among the many new features in V12 are new methods available in the REST APIs. I want to highlight a few use cases this new functionality affords and share some small examples with the Veeam community as an extension of the Backups as Code blog series on Veeam.com. For those interested: see here for the post announcing our partnership with HashiCorp, and here for another post detailing a solution that automates common operations in Veeam Backup for AWS with native AWS services.

One of the new methods in V12 I want to focus on today is for managing cloud provider credentials, located at the /api/v1/cloudCredentials endpoint. A common operation in security best practices is the regular rotation of account passwords and credentials that provide access to your environment. In AWS, long-term credentials are often associated with IAM user accounts in the form of access keys, and to no surprise, AWS security best practices include rotating your access keys.

A challenge with rotating credentials regularly is updating all your downstream applications and services that use those credentials. If you do not have a regimented change process or solution in place that tracks where those credentials are used, following this best practice could result in broken applications or outages.

If you follow Veeam, you’ve probably heard of the 3-2-1-1-0 rule. That last 0 is for zero errors, and that includes when Veeam is storing or restoring data from Amazon S3. So, let’s see how we can use Veeam and Terraform together to make rotating our credentials in both AWS and Veeam as easy as running one command.

Meet your friend, the restapi provider

Terraform has a dedicated registry with thousands of providers, which are plugins that allow Terraform to interact with various platforms. For APIs that don’t have a Terraform provider, you can use a generic REST API provider published in the registry by Mastercard to make API calls for CRUD operations. Using this provider, we can call Veeam’s API from Terraform. Let me show you one example.

Earlier today I pushed a small commit to VeeamHub in the veeam-terraform repo that uses Terraform’s AWS provider and Mastercard’s REST API provider to:

  1. Create an S3 bucket in AWS
  2. Create an IAM user with scoped permissions for this S3 bucket
  3. Create an access key for this IAM user
  4. Add this IAM access key to your VBR server in the Cloud Credentials Manager

The direct link to the example project is: https://github.com/VeeamHub/veeam-terraform/tree/master/veeam-backup-and-replication/aws/s3-credentials.

This sample project allows you to easily set up the necessary resources to begin storing backup data in Amazon S3. Additionally, if you were to rotate your AWS IAM user’s access key using Terraform’s replace option, Terraform would detect that this update affects the resource which defines your Veeam server’s cloud credential for this IAM user. So when the key is updated in AWS, Terraform also updates the credential in VBR using the restapi provider.
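To make that dependency concrete, here is an added example (my own illustration, not the VeeamHub project's code) of the four resources described above wired together so that replacing the access key also updates the VBR credential. It assumes a `required_providers` block pinning hashicorp/aws and Mastercard/restapi, input variables `vbr_url` and `vbr_token`, and that the VBR cloud credential object uses the field names `type`, `accessKey`, `secretKey` and `description`, is returned on POST, and accepts PUT on `/api/v1/cloudCredentials/{id}`.

```hcl
# Assumed inputs: var.vbr_url (https://vbr.example.com:9419) and var.vbr_token,
# a bearer token obtained earlier from the VBR /api/oauth2/token endpoint.
provider "restapi" {
  uri                  = var.vbr_url
  write_returns_object = true # POST/PUT replies carry the object and its id
  headers = {
    Authorization   = "Bearer ${var.vbr_token}"
    "x-api-version" = "1.1-rev0"
    "Content-Type"  = "application/json"
  }
}
resource "aws_s3_bucket" "backups" {
  bucket = "example-veeam-backups" # placeholder name
}
resource "aws_iam_user" "veeam" {
  name = "veeam-s3-backups"
}
# Least privilege: this bucket only. The action list is illustrative; use the
# permission set from Veeam's S3 repository documentation.
resource "aws_iam_user_policy" "bucket_only" {
  name = "veeam-s3-bucket-only"
  user = aws_iam_user.veeam.name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
      Resource = [aws_s3_bucket.backups.arn, "${aws_s3_bucket.backups.arn}/*"]
    }]
  })
}
# On `terraform apply -replace=aws_iam_access_key.veeam` the new key is created
# (IAM allows two per user) and pushed to VBR before the old one is deleted.
resource "aws_iam_access_key" "veeam" {
  user = aws_iam_user.veeam.name
  lifecycle { create_before_destroy = true }
}

# data references the key, so a replaced key forces a PUT of the new pair
# to /api/v1/cloudCredentials/{id}. Field names are assumed from the VBR API.
resource "restapi_object" "vbr_s3_credential" {
  path         = "/api/v1/cloudCredentials"
  id_attribute = "id"
  data = jsonencode({
    type        = "Amazon"
    description = "Terraform-managed key for ${aws_iam_user.veeam.name}"
    accessKey   = aws_iam_access_key.veeam.id
    secretKey   = aws_iam_access_key.veeam.secret
  })
}
```

Both the IAM secret key and the VBR bearer token end up in Terraform state and plan output, so the state backend needs the same protection as the credentials themselves.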

More details and instructions are available on the project page, located here: https://github.com/VeeamHub/veeam-terraform/tree/master/veeam-backup-and-replication/aws/s3-credentials

Try it out and let me know what you think.


4 comments


Sweet!!!! Nice work Eric.  


Really great work!  Thanks for sharing this.


Great write up @ericeberg. Yet to dive in the world of Terraform. We have automated this process in the past via scripts.


Really nice, Eric! Thanks for sharing.
