npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
HashiCorp Boundary is an identity-aware proxy that provides secure, zero trust access to infrastructure resources without traditional VPNs or direct network access. Boundary operates on a default-deny model -- users start with no access and must be explicitly granted permissions for specific resources. When integrated with HashiCorp Vault, Boundary can dynamically broker credentials, ensuring users never see or manage underlying secrets. This eliminates credential sprawl and enables just-in-time access with automatic credential revocation when sessions end. Boundary supports session recording for audit compliance, OIDC/LDAP authentication, and manages access through a hierarchical scope model of organizations and projects.
When to Use
- When deploying or configuring implementing zero trust with hashicorp boundary capabilities in your environment
- When establishing security controls aligned to compliance requirements
- When building or improving security architecture for this domain
- When conducting security assessments that require this implementation
Prerequisites
- HashiCorp Boundary server (self-hosted or HCP Boundary)
- HashiCorp Vault (for credential brokering)
- Identity provider supporting OIDC (Okta, Azure AD, Auth0)
- PostgreSQL database for Boundary's backend
- TLS certificates for secure communication
- Understanding of PKI and X.509 certificate management
Architecture
Identity Provider (OIDC)
|
Authentication
|
+--------+--------+
| Boundary |
| Controller |
| (Control Plane)|
+--------+--------+
|
+------------+------------+
| |
+--------+--------+ +--------+--------+
| Boundary Worker | | Boundary Worker |
| (Data Plane) | | (Data Plane) |
+--------+--------+ +--------+--------+
| |
+--------+--------+ +--------+--------+
| Target Hosts | | Target Hosts |
| (SSH, RDP, | | (Databases, |
| K8s, HTTP) | | APIs) |
+-----------------+ +-----------------+
Vault (Credential Brokering)
- Dynamic database credentials
- SSH certificate signing
- Credential librariesInstallation and Configuration
Boundary Server Setup
# Install Boundary
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install boundary
# Initialize the database
boundary database init \
-config=/etc/boundary/controller.hcl
# Start the controller
boundary server -config=/etc/boundary/controller.hclController Configuration
# /etc/boundary/controller.hcl
controller {
name = "boundary-controller-1"
description = "Primary Boundary Controller"
database {
url = "postgresql://boundary:password@localhost:5432/boundary?sslmode=require"
}
public_cluster_addr = "boundary.example.com"
}
listener "tcp" {
address = "0.0.0.0:9200"
purpose = "api"
tls_cert_file = "/etc/boundary/tls/cert.pem"
tls_key_file = "/etc/boundary/tls/key.pem"
}
listener "tcp" {
address = "0.0.0.0:9201"
purpose = "cluster"
tls_cert_file = "/etc/boundary/tls/cert.pem"
tls_key_file = "/etc/boundary/tls/key.pem"
}
kms "aead" {
purpose = "root"
aead_type = "aes-gcm"
key = "sP1fnF5Xz85RrXM..." # Use Vault Transit in production
key_id = "global_root"
}
kms "aead" {
purpose = "worker-auth"
aead_type = "aes-gcm"
key = "8fZBjCUfN0TzjEG..."
key_id = "global_worker-auth"
}
kms "aead" {
purpose = "recovery"
aead_type = "aes-gcm"
key = "8fZBjCUfN0TzjEG..."
key_id = "global_recovery"
}Worker Configuration
# /etc/boundary/worker.hcl
worker {
name = "boundary-worker-1"
description = "Worker in production VPC"
public_addr = "worker1.example.com"
controllers = [
"boundary.example.com:9201"
]
tags {
type = ["production"]
region = ["us-east-1"]
}
}
listener "tcp" {
address = "0.0.0.0:9202"
purpose = "proxy"
}
kms "aead" {
purpose = "worker-auth"
aead_type = "aes-gcm"
key = "8fZBjCUfN0TzjEG..."
key_id = "global_worker-auth"
}Terraform Configuration
Scope and Auth Configuration
# main.tf - Boundary resources via Terraform
terraform {
required_providers {
boundary = {
source = "hashicorp/boundary"
version = "~> 1.1"
}
}
}
provider "boundary" {
addr = "https://boundary.example.com:9200"
recovery_kms_hcl = file("recovery_kms.hcl")
}
# Organization scope
resource "boundary_scope" "org" {
scope_id = "global"
name = "production-org"
description = "Production organization scope"
auto_create_admin_role = true
auto_create_default_role = true
}
# Project scope
resource "boundary_scope" "production" {
name = "production"
description = "Production infrastructure project"
scope_id = boundary_scope.org.id
auto_create_admin_role = true
auto_create_default_role = true
}
# OIDC Auth Method (Okta example)
resource "boundary_auth_method_oidc" "okta" {
scope_id = boundary_scope.org.id
name = "okta"
description = "Okta OIDC authentication"
issuer = "https://company.okta.com/oauth2/default"
client_id = var.okta_client_id
client_secret = var.okta_client_secret
signing_algorithms = ["RS256"]
api_url_prefix = "https://boundary.example.com:9200"
claims_scopes = ["groups"]
account_claim_maps = ["oid=sub"]
is_primary_for_scope = true
}
# Managed group for auto-assignment
resource "boundary_managed_group" "sre_team" {
auth_method_id = boundary_auth_method_oidc.okta.id
name = "sre-team"
description = "SRE team members from Okta"
filter = "\"sre-team\" in \"/token/groups\""
}
resource "boundary_managed_group" "dev_team" {
auth_method_id = boundary_auth_method_oidc.okta.id
name = "dev-team"
description = "Development team from Okta"
filter = "\"dev-team\" in \"/token/groups\""
}Host Catalogs and Targets
# Static host catalog for known infrastructure
resource "boundary_host_catalog_static" "production_servers" {
name = "production-servers"
scope_id = boundary_scope.production.id
}
resource "boundary_host_static" "web_server" {
name = "web-server-1"
host_catalog_id = boundary_host_catalog_static.production_servers.id
address = "10.0.1.10"
}
resource "boundary_host_static" "db_server" {
name = "db-server-1"
host_catalog_id = boundary_host_catalog_static.production_servers.id
address = "10.0.2.20"
}
# Host set grouping
resource "boundary_host_set_static" "web_servers" {
name = "web-servers"
host_catalog_id = boundary_host_catalog_static.production_servers.id
host_ids = [boundary_host_static.web_server.id]
}
resource "boundary_host_set_static" "db_servers" {
name = "database-servers"
host_catalog_id = boundary_host_catalog_static.production_servers.id
host_ids = [boundary_host_static.db_server.id]
}
# SSH target
resource "boundary_target" "ssh_production" {
name = "ssh-production-servers"
description = "SSH access to production servers"
type = "ssh"
scope_id = boundary_scope.production.id
default_port = 22
host_source_ids = [
boundary_host_set_static.web_servers.id
]
session_max_seconds = 3600 # 1 hour max session
session_connection_limit = 1
enable_session_recording = true
storage_bucket_id = boundary_storage_bucket.sessions.id
injected_application_credential_source_ids = [
boundary_credential_library_vault_ssh_certificate.ssh_cert.id
]
}
# Database target with Vault credential brokering
resource "boundary_target" "postgres_production" {
name = "postgres-production"
description = "PostgreSQL production database"
type = "tcp"
scope_id = boundary_scope.production.id
default_port = 5432
host_source_ids = [
boundary_host_set_static.db_servers.id
]
session_max_seconds = 1800 # 30 min max
session_connection_limit = 5
brokered_credential_source_ids = [
boundary_credential_library_vault.postgres_creds.id
]
}Vault Integration for Credential Brokering
# Vault credential store
resource "boundary_credential_store_vault" "vault" {
name = "vault-store"
scope_id = boundary_scope.production.id
address = "https://vault.example.com:8200"
token = var.vault_token
namespace = "production"
}
# Dynamic database credentials from Vault
resource "boundary_credential_library_vault" "postgres_creds" {
name = "postgres-dynamic-creds"
credential_store_id = boundary_credential_store_vault.vault.id
path = "database/creds/readonly"
http_method = "GET"
credential_type = "username_password"
}
# SSH certificate signing via Vault
resource "boundary_credential_library_vault_ssh_certificate" "ssh_cert" {
name = "ssh-certificate"
credential_store_id = boundary_credential_store_vault.vault.id
path = "ssh-client-signer/sign/production"
username = "admin"
key_type = "ed25519"
key_bits = 256
extensions = {
"permit-pty" = ""
}
}
# Session recording storage
resource "boundary_storage_bucket" "sessions" {
name = "session-recordings"
scope_id = "global"
plugin_name = "aws"
bucket_name = "boundary-session-recordings"
attributes_json = jsonencode({
"region" = "us-east-1"
"disable_credential_rotation" = true
})
secrets_json = jsonencode({
"access_key_id" = var.aws_access_key
"secret_access_key" = var.aws_secret_key
})
}Role-Based Access Control
# SRE team role - full production access
resource "boundary_role" "sre_production" {
name = "sre-production-access"
scope_id = boundary_scope.production.id
grant_strings = [
"ids=*;type=target;actions=list,read,authorize-session",
"ids=*;type=session;actions=list,read,cancel",
"ids=*;type=host;actions=list,read",
]
principal_ids = [
boundary_managed_group.sre_team.id
]
}
# Dev team role - limited access
resource "boundary_role" "dev_staging" {
name = "dev-staging-access"
scope_id = boundary_scope.production.id
grant_strings = [
"ids=${boundary_target.ssh_production.id};type=target;actions=read,authorize-session",
]
principal_ids = [
boundary_managed_group.dev_team.id
]
}Connecting to Targets
# Authenticate via OIDC
boundary authenticate oidc \
-auth-method-id amoidc_xxxxx
# List available targets
boundary targets list -scope-id p_xxxxx
# Connect to SSH target (credentials injected by Vault)
boundary connect ssh \
-target-id ttcp_xxxxx
# Connect to database (credentials brokered by Vault)
boundary connect postgres \
-target-id ttcp_xxxxx \
-dbname production
# Use Boundary Desktop client for GUI access
# Download from: https://developer.hashicorp.com/boundary/installSession Recording and Auditing
# List session recordings
boundary session-recordings list \
-scope-id p_xxxxx
# Download session recording for review
boundary session-recordings download \
-id sr_xxxxx \
-output recording.cast
# Play back with asciinema
asciinema play recording.castDynamic Host Catalogs
# AWS dynamic host catalog - auto-discovers EC2 instances
resource "boundary_host_catalog_plugin" "aws_catalog" {
scope_id = boundary_scope.production.id
name = "aws-production"
plugin_name = "aws"
attributes_json = jsonencode({
"region" = "us-east-1"
"disable_credential_rotation" = true
})
secrets_json = jsonencode({
"access_key_id" = var.aws_access_key
"secret_access_key" = var.aws_secret_key
})
}
resource "boundary_host_set_plugin" "web_tier" {
host_catalog_id = boundary_host_catalog_plugin.aws_catalog.id
name = "web-tier"
attributes_json = jsonencode({
"filters" = [
"tag:Environment=production",
"tag:Tier=web"
]
})
}Security Best Practices
- Use Vault KMS for key management instead of static AEAD keys in production
- Enable session recording for all privileged access targets
- Set session time limits appropriate to the resource sensitivity
- Use OIDC managed groups for automatic role assignment from IdP
- Deploy multi-hop workers for accessing resources across network boundaries
- Rotate Vault tokens used by credential stores regularly
- Enable audit logging on both controllers and workers
- Use credential injection (SSH certificates) over brokering when possible
- Implement least-privilege grants -- avoid wildcard permissions
- Review session recordings regularly for compliance and incident response
References
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md1.6 KB
API Reference: HashiCorp Boundary
Boundary CLI (JSON output)
Core Commands
boundary scopes list -scope-id=global -format=json
boundary targets list -scope-id=<id> -format=json
boundary host-catalogs list -scope-id=<id> -format=json
boundary credential-stores list -scope-id=<id> -format=json
boundary sessions list -scope-id=<id> -format=json
boundary auth-methods list -scope-id=global -format=jsonEnvironment Variables
| Variable | Description |
|---|---|
BOUNDARY_ADDR |
Controller address (e.g., http://127.0.0.1:9200) |
BOUNDARY_TOKEN |
Authentication token |
Target Fields
| Field | Description |
|---|---|
name |
Target display name |
type |
tcp or ssh |
session_max_seconds |
Maximum session duration |
session_connection_limit |
Max concurrent connections (-1 = unlimited) |
Credential Store Types
| Type | Description |
|---|---|
vault |
Vault-brokered dynamic credentials (recommended) |
static |
Static credentials stored in Boundary |
Auth Method Types
| Type | Zero Trust Suitability |
|---|---|
oidc |
Recommended (SSO, MFA support) |
ldap |
Acceptable with MFA |
password |
Not recommended for zero trust |
Session Recording
boundary targets update tcp -id=<id> -enable-session-recording=true \
-storage-bucket-id=<bucket-id>References
- Boundary docs: https://developer.hashicorp.com/boundary/docs
- Boundary CLI: https://developer.hashicorp.com/boundary/docs/commands
- Boundary API: https://developer.hashicorp.com/boundary/api-docs
standards.md2.2 KB
Standards Reference: HashiCorp Boundary Zero Trust
Core Standards
NIST SP 800-207: Zero Trust Architecture
- Boundary implements identity-aware proxy architecture (Section 3.2.2)
- Default-deny access model aligns with ZTA core principle
- Dynamic credential brokering eliminates standing privileges
- Session-level authorization satisfies continuous verification
NIST SP 800-53: Security Controls
- AC-2: Account Management (identity lifecycle via OIDC)
- AC-3: Access Enforcement (role-based grants)
- AC-6: Least Privilege (fine-grained permissions)
- AU-2: Audit Events (session recording and logging)
- AU-3: Content of Audit Records (session playback)
- IA-2: Identification and Authentication (OIDC/LDAP)
- SC-7: Boundary Protection (identity-aware proxy)
SOC 2 Compliance
- CC6.1: Logical and Physical Access Controls
- CC6.2: Prior to Access, Identity is Established
- CC6.3: Role-Based Access Controls
- CC7.2: Monitoring of System Components
- CC8.1: Change Management
Boundary Security Model
Identity-Aware Access
- Authentication via OIDC, LDAP, or password auth methods
- Managed groups for automatic role assignment from IdP claims
- Session tokens with configurable expiry
- No direct network access to targets without Boundary session
Credential Management
- Brokered credentials: Vault generates and returns credentials to user
- Injected credentials: Boundary injects credentials directly (user never sees them)
- SSH certificate signing: Vault CA issues short-lived SSH certificates
- Dynamic database credentials: just-in-time access with automatic revocation
Session Controls
- Maximum session duration enforcement
- Connection limits per session
- Session recording for privileged access audit
- Automatic credential revocation on session end
Integration Standards
HashiCorp Vault Integration
- Transit KMS for Boundary encryption keys
- Database secrets engine for dynamic credentials
- SSH secrets engine for certificate-based access
- PKI secrets engine for TLS certificate management
Terraform Infrastructure as Code
- Boundary Terraform provider for declarative configuration
- Version-controlled access policies
- Automated deployment and updates
- Drift detection for access control changes
workflows.md3.4 KB
Workflows: HashiCorp Boundary Zero Trust Implementation
Workflow 1: Initial Boundary Deployment
Step 1: Infrastructure Preparation
- Provision PostgreSQL database for Boundary backend
- Generate TLS certificates for controller and workers
- Configure KMS (Vault Transit or AEAD for dev)
- Set up network connectivity between components
Step 2: Controller Deployment
- Install Boundary binary on controller hosts
- Configure controller with database, KMS, and listeners
- Initialize database schema
- Verify controller health and API accessibility
Step 3: Worker Deployment
- Install Boundary on worker hosts in each network zone
- Configure worker with controller address and KMS
- Register workers with tags for routing decisions
- Verify worker registration and health
Step 4: Identity Provider Integration
- Configure OIDC auth method with organizational IdP
- Map IdP groups to Boundary managed groups
- Test authentication flow end-to-end
- Configure token and session expiry policiesWorkflow 2: Target Onboarding
Step 1: Create Scope Hierarchy
- Define organization scope for each business unit
- Create project scopes for environment isolation
- Assign admin roles to scope owners
Step 2: Configure Host Catalogs
- Static catalogs for fixed infrastructure
- Dynamic catalogs for cloud resources (AWS, Azure, GCP)
- Plugin-based catalogs for auto-discovery
Step 3: Define Targets
- Map each target to host sets
- Configure default ports and session limits
- Enable session recording for privileged targets
- Link credential sources (Vault libraries)
Step 4: Create Access Policies
- Define roles with minimum necessary grants
- Assign roles to managed groups from IdP
- Test access with each role
- Document access patterns and justificationsWorkflow 3: Vault Credential Integration
Step 1: Configure Vault Secrets Engines
- Enable database secrets engine for dynamic credentials
- Configure SSH secrets engine for certificate signing
- Set up PKI engine for TLS certificates
- Define roles with appropriate TTL and permissions
Step 2: Create Boundary Credential Stores
- Create Vault credential store in Boundary
- Provide Vault token with appropriate policies
- Configure namespace if using Vault Enterprise
Step 3: Create Credential Libraries
- Map Vault paths to Boundary credential libraries
- Configure credential type (username_password, ssh_certificate)
- Link libraries to targets as brokered or injected sources
Step 4: Test and Validate
- Connect to target with dynamic credentials
- Verify credentials are revoked after session end
- Confirm session recording captures access
- Validate audit logs contain credential eventsWorkflow 4: Access Review and Audit
Step 1: Regular Access Review
- Export role assignments and grant strings
- Review with resource owners quarterly
- Remove stale or unnecessary access
- Update managed group filters if IdP groups change
Step 2: Session Recording Review
- Review session recordings for privileged targets
- Investigate anomalous session patterns
- Export recordings for compliance evidence
- Archive recordings per retention policy
Step 3: Compliance Reporting
- Generate access control matrix from Boundary
- Map controls to compliance framework requirements
- Document exceptions and compensating controls
- Present findings to audit and compliance teamsScripts 2
agent.py6.7 KB
#!/usr/bin/env python3
"""Agent for auditing HashiCorp Boundary zero trust access configuration."""
import os
import subprocess
import json
import argparse
from datetime import datetime, timezone
def run_boundary_cmd(args_list, addr, token):
"""Execute a boundary CLI command and return parsed JSON."""
env_vars = {"BOUNDARY_ADDR": addr, "BOUNDARY_TOKEN": token}
cmd = ["boundary"] + args_list + ["-format=json"]
result = subprocess.run(cmd, capture_output=True, text=True, env={**dict(os.environ), **env_vars}, timeout=30)
if result.returncode != 0:
print(f" [-] Error: {result.stderr.strip()[:200]}")
return {}
return json.loads(result.stdout) if result.stdout else {}
def list_scopes(addr, token):
"""List organization and project scopes."""
data = run_boundary_cmd(["scopes", "list", "-scope-id=global"], addr, token)
scopes = data.get("items", [])
print(f"[*] Scopes: {len(scopes)}")
for s in scopes:
print(f" {s.get('id')}: {s.get('name', 'unnamed')} (type={s.get('type')})")
return scopes
def list_targets(addr, token, scope_id):
"""List targets (resources users can connect to) in a scope."""
data = run_boundary_cmd(["targets", "list", f"-scope-id={scope_id}"], addr, token)
targets = data.get("items", [])
findings = []
print(f"\n[*] Targets in scope {scope_id}: {len(targets)}")
for t in targets:
session_max = t.get("session_max_seconds", 0)
conn_limit = t.get("session_connection_limit", -1)
print(f" {t.get('name')}: type={t.get('type')}, "
f"max_sec={session_max}, conn_limit={conn_limit}")
if conn_limit == -1:
findings.append({"target": t.get("name"), "issue": "Unlimited connections",
"severity": "MEDIUM"})
if session_max == 0 or session_max > 28800:
findings.append({"target": t.get("name"),
"issue": f"Long session timeout ({session_max}s)", "severity": "HIGH"})
return targets, findings
def list_host_catalogs(addr, token, scope_id):
"""List host catalogs (static or dynamic)."""
data = run_boundary_cmd(["host-catalogs", "list", f"-scope-id={scope_id}"], addr, token)
catalogs = data.get("items", [])
print(f"\n[*] Host Catalogs in scope {scope_id}: {len(catalogs)}")
for c in catalogs:
print(f" {c.get('id')}: {c.get('name', 'unnamed')} (type={c.get('type')})")
return catalogs
def list_credential_stores(addr, token, scope_id):
"""List credential stores (Vault integration check)."""
data = run_boundary_cmd(["credential-stores", "list", f"-scope-id={scope_id}"], addr, token)
stores = data.get("items", [])
print(f"\n[*] Credential Stores in scope {scope_id}: {len(stores)}")
vault_stores = [s for s in stores if s.get("type") == "vault"]
static_stores = [s for s in stores if s.get("type") == "static"]
print(f" Vault-backed: {len(vault_stores)}, Static: {len(static_stores)}")
findings = []
if static_stores:
for s in static_stores:
findings.append({"store": s.get("name"), "type": "static",
"issue": "Static credentials (not Vault-brokered)", "severity": "MEDIUM"})
return stores, findings
def list_sessions(addr, token, scope_id):
"""List active sessions for audit."""
data = run_boundary_cmd(["sessions", "list", f"-scope-id={scope_id}"], addr, token)
sessions = data.get("items", [])
print(f"\n[*] Active Sessions in scope {scope_id}: {len(sessions)}")
for s in sessions[:10]:
print(f" {s.get('id')[:12]}... user={s.get('user_id', 'N/A')} "
f"target={s.get('target_id', 'N/A')} status={s.get('status')}")
return sessions
def check_auth_methods(addr, token, scope_id="global"):
"""Audit configured authentication methods."""
data = run_boundary_cmd(["auth-methods", "list", f"-scope-id={scope_id}"], addr, token)
methods = data.get("items", [])
findings = []
print(f"\n[*] Auth Methods: {len(methods)}")
for m in methods:
mtype = m.get("type", "unknown")
print(f" {m.get('name', 'unnamed')}: type={mtype}")
if mtype == "password":
findings.append({"method": m.get("name"), "type": mtype,
"issue": "Password-only auth (use OIDC for zero trust)", "severity": "HIGH"})
return methods, findings
def generate_report(target_findings, cred_findings, auth_findings, output_path):
"""Generate Boundary audit report."""
all_findings = target_findings + cred_findings + auth_findings
report = {
"audit_date": datetime.now(timezone.utc).isoformat(),
"total_findings": len(all_findings),
"target_findings": target_findings,
"credential_findings": cred_findings,
"auth_findings": auth_findings,
}
with open(output_path, "w") as f:
json.dump(report, f, indent=2, default=str)
print(f"\n[*] Report saved to {output_path}")
def main():
parser = argparse.ArgumentParser(description="HashiCorp Boundary Zero Trust Audit Agent")
parser.add_argument("action", choices=["scopes", "targets", "hosts", "creds",
"sessions", "auth", "full-audit"])
parser.add_argument("--addr", required=True, help="Boundary controller address")
parser.add_argument("--token", required=True, help="Boundary auth token")
parser.add_argument("--scope-id", default="global", help="Scope ID to audit")
parser.add_argument("-o", "--output", default="boundary_audit.json")
args = parser.parse_args()
if args.action == "scopes":
list_scopes(args.addr, args.token)
elif args.action == "targets":
list_targets(args.addr, args.token, args.scope_id)
elif args.action == "hosts":
list_host_catalogs(args.addr, args.token, args.scope_id)
elif args.action == "creds":
list_credential_stores(args.addr, args.token, args.scope_id)
elif args.action == "sessions":
list_sessions(args.addr, args.token, args.scope_id)
elif args.action == "auth":
check_auth_methods(args.addr, args.token)
elif args.action == "full-audit":
scopes = list_scopes(args.addr, args.token)
all_tf, all_cf, all_af = [], [], []
_, af = check_auth_methods(args.addr, args.token)
all_af.extend(af)
for s in scopes:
sid = s.get("id")
_, tf = list_targets(args.addr, args.token, sid)
all_tf.extend(tf)
_, cf = list_credential_stores(args.addr, args.token, sid)
all_cf.extend(cf)
list_sessions(args.addr, args.token, sid)
generate_report(all_tf, all_cf, all_af, args.output)
if __name__ == "__main__":
main()
process.py12.1 KB
#!/usr/bin/env python3
"""
HashiCorp Boundary Zero Trust Access Management.
Generates Boundary Terraform configurations, validates access policies,
and monitors session activity for compliance reporting.
"""
import json
import datetime
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional
@dataclass
class BoundaryScope:
name: str
description: str
scope_type: str # "org" or "project"
parent_scope_id: str = "global"
@dataclass
class BoundaryTarget:
name: str
description: str
target_type: str # "ssh" or "tcp"
default_port: int
host_addresses: list = field(default_factory=list)
session_max_seconds: int = 3600
session_connection_limit: int = -1
enable_recording: bool = False
credential_type: str = "none" # "none", "brokered", "injected"
vault_path: str = ""
@dataclass
class BoundaryRole:
name: str
description: str
scope_id: str
grant_strings: list = field(default_factory=list)
principal_groups: list = field(default_factory=list)
class BoundaryTerraformGenerator:
"""Generate Terraform configuration for Boundary resources."""
def __init__(self, boundary_addr: str, vault_addr: str = ""):
self.boundary_addr = boundary_addr
self.vault_addr = vault_addr
self.scopes: list[BoundaryScope] = []
self.targets: list[BoundaryTarget] = []
self.roles: list[BoundaryRole] = []
self.oidc_config: dict = {}
def add_scope(self, name: str, description: str, scope_type: str = "project",
parent: str = "global") -> BoundaryScope:
scope = BoundaryScope(name=name, description=description,
scope_type=scope_type, parent_scope_id=parent)
self.scopes.append(scope)
return scope
def add_target(self, name: str, description: str, target_type: str,
port: int, hosts: list, **kwargs) -> BoundaryTarget:
target = BoundaryTarget(
name=name, description=description, target_type=target_type,
default_port=port, host_addresses=hosts, **kwargs
)
self.targets.append(target)
return target
def add_role(self, name: str, description: str, scope_id: str,
grants: list, groups: list) -> BoundaryRole:
role = BoundaryRole(
name=name, description=description, scope_id=scope_id,
grant_strings=grants, principal_groups=groups
)
self.roles.append(role)
return role
def configure_oidc(self, issuer: str, client_id: str, scopes: list = None):
self.oidc_config = {
"issuer": issuer,
"client_id": client_id,
"scopes": scopes or ["openid", "profile", "groups"],
}
def generate_provider_block(self) -> str:
return f'''terraform {{
required_providers {{
boundary = {{
source = "hashicorp/boundary"
version = "~> 1.1"
}}
}}
}}
provider "boundary" {{
addr = "{self.boundary_addr}"
recovery_kms_hcl = file("recovery_kms.hcl")
}}
'''
def generate_scopes(self) -> str:
blocks = []
for scope in self.scopes:
resource_name = scope.name.replace("-", "_")
if scope.scope_type == "org":
blocks.append(f'''
resource "boundary_scope" "{resource_name}" {{
scope_id = "{scope.parent_scope_id}"
name = "{scope.name}"
description = "{scope.description}"
auto_create_admin_role = true
auto_create_default_role = true
}}
''')
else:
parent_ref = scope.parent_scope_id.replace("-", "_")
blocks.append(f'''
resource "boundary_scope" "{resource_name}" {{
name = "{scope.name}"
description = "{scope.description}"
scope_id = boundary_scope.{parent_ref}.id
auto_create_admin_role = true
auto_create_default_role = true
}}
''')
return "\n".join(blocks)
def generate_targets(self) -> str:
blocks = []
for target in self.targets:
resource_name = target.name.replace("-", "_")
recording_block = ""
if target.enable_recording:
recording_block = """
enable_session_recording = true
storage_bucket_id = boundary_storage_bucket.sessions.id"""
credential_block = ""
if target.credential_type == "brokered" and target.vault_path:
credential_block = f"""
brokered_credential_source_ids = [
boundary_credential_library_vault.{resource_name}_creds.id
]"""
elif target.credential_type == "injected" and target.vault_path:
credential_block = f"""
injected_application_credential_source_ids = [
boundary_credential_library_vault_ssh_certificate.{resource_name}_cert.id
]"""
blocks.append(f'''
resource "boundary_target" "{resource_name}" {{
name = "{target.name}"
description = "{target.description}"
type = "{target.target_type}"
scope_id = boundary_scope.production.id
default_port = {target.default_port}
session_max_seconds = {target.session_max_seconds}
session_connection_limit = {target.session_connection_limit}{recording_block}{credential_block}
}}
''')
return "\n".join(blocks)
def generate_roles(self) -> str:
blocks = []
for role in self.roles:
resource_name = role.name.replace("-", "_")
grants = ",\n ".join(f'"{g}"' for g in role.grant_strings)
principals = ",\n ".join(
f'boundary_managed_group.{g.replace("-", "_")}.id'
for g in role.principal_groups
)
blocks.append(f'''
resource "boundary_role" "{resource_name}" {{
name = "{role.name}"
description = "{role.description}"
scope_id = {role.scope_id}
grant_strings = [
{grants}
]
principal_ids = [
{principals}
]
}}
''')
return "\n".join(blocks)
def generate_full_config(self) -> str:
sections = [
self.generate_provider_block(),
"# Scopes",
self.generate_scopes(),
"# Targets",
self.generate_targets(),
"# Roles",
self.generate_roles(),
]
return "\n".join(sections)
def export_config(self, output_path: str):
config = self.generate_full_config()
path = Path(output_path)
path.parent.mkdir(parents=True, exist_ok=True)
with open(path, "w") as f:
f.write(config)
return config
class BoundaryAccessAuditor:
"""Audit and validate Boundary access configurations."""
def __init__(self):
self.findings: list[dict] = []
def check_session_limits(self, targets: list[BoundaryTarget]) -> list[dict]:
for target in targets:
if target.session_max_seconds > 7200:
self.findings.append({
"severity": "WARNING",
"target": target.name,
"finding": f"Session max exceeds 2 hours ({target.session_max_seconds}s)",
"recommendation": "Reduce session duration for privileged targets",
})
if target.session_connection_limit == -1:
self.findings.append({
"severity": "INFO",
"target": target.name,
"finding": "Unlimited connections per session",
"recommendation": "Consider setting connection limits for sensitive targets",
})
if target.default_port == 22 and not target.enable_recording:
self.findings.append({
"severity": "HIGH",
"target": target.name,
"finding": "SSH target without session recording",
"recommendation": "Enable session recording for SSH access",
})
if target.credential_type == "none":
self.findings.append({
"severity": "MEDIUM",
"target": target.name,
"finding": "No credential management configured",
"recommendation": "Use Vault credential brokering or injection",
})
return self.findings
def check_role_grants(self, roles: list[BoundaryRole]) -> list[dict]:
for role in roles:
for grant in role.grant_strings:
if "ids=*" in grant and "actions=*" in grant:
self.findings.append({
"severity": "CRITICAL",
"role": role.name,
"finding": "Wildcard IDs and actions grant (admin-level access)",
"recommendation": "Restrict to specific resource types and actions",
})
if "type=target" in grant and "authorize-session" in grant and "ids=*" in grant:
self.findings.append({
"severity": "HIGH",
"role": role.name,
"finding": "Role can authorize sessions to all targets",
"recommendation": "Restrict to specific target IDs or use target-level grants",
})
return self.findings
def generate_report(self) -> dict:
report = {
"audit_date": datetime.datetime.now().isoformat(),
"total_findings": len(self.findings),
"by_severity": {},
"findings": self.findings,
}
for finding in self.findings:
sev = finding["severity"]
report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
return report
def main():
"""Generate example Boundary Terraform configuration."""
gen = BoundaryTerraformGenerator(
boundary_addr="https://boundary.example.com:9200",
vault_addr="https://vault.example.com:8200"
)
# Create scopes
gen.add_scope("production-org", "Production Organization", "org")
gen.add_scope("production", "Production Infrastructure", "project", "production-org")
# Create targets
gen.add_target(
"ssh-web-servers", "SSH to production web servers", "ssh", 22,
["10.0.1.10", "10.0.1.11"],
session_max_seconds=3600, enable_recording=True,
credential_type="injected", vault_path="ssh-signer/sign/web"
)
gen.add_target(
"postgres-production", "Production PostgreSQL", "tcp", 5432,
["10.0.2.20"],
session_max_seconds=1800,
credential_type="brokered", vault_path="database/creds/readonly"
)
gen.add_target(
"redis-cache", "Production Redis cache", "tcp", 6379,
["10.0.3.30"],
session_max_seconds=900
)
# Create roles
gen.add_role(
"sre-full-access", "SRE team full production access",
"boundary_scope.production.id",
[
"ids=*;type=target;actions=list,read,authorize-session",
"ids=*;type=session;actions=list,read,cancel",
],
["sre-team"]
)
gen.add_role(
"dev-readonly", "Dev team read-only access",
"boundary_scope.production.id",
[
"ids=*;type=target;actions=list,read",
],
["dev-team"]
)
# Generate and export
config = gen.export_config("boundary_config.tf")
print("Generated Terraform configuration:")
print(config[:2000])
# Run audit
auditor = BoundaryAccessAuditor()
auditor.check_session_limits(gen.targets)
auditor.check_role_grants(gen.roles)
report = auditor.generate_report()
print("\n" + "=" * 60)
print("Access Audit Report")
print("=" * 60)
print(f"Total findings: {report['total_findings']}")
for sev, count in report["by_severity"].items():
print(f" {sev}: {count}")
for finding in report["findings"]:
target_or_role = finding.get("target", finding.get("role", "N/A"))
print(f"\n [{finding['severity']}] {target_or_role}")
print(f" Finding: {finding['finding']}")
print(f" Recommendation: {finding['recommendation']}")
if __name__ == "__main__":
main()