zero trust architecture

Implementing Zero Trust with HashiCorp Boundary

Implement HashiCorp Boundary for identity-aware zero trust infrastructure access management with dynamic credential brokering, session recording, and Vault integration.

boundaryhashicorpidentity-aware-proxyjust-in-time-accessprivileged-accesssession-recordingvaultzero-trust
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

Overview

HashiCorp Boundary is an identity-aware proxy that provides secure, zero trust access to infrastructure resources without traditional VPNs or direct network access. Boundary operates on a default-deny model -- users start with no access and must be explicitly granted permissions for specific resources. When integrated with HashiCorp Vault, Boundary can dynamically broker credentials, ensuring users never see or manage underlying secrets. This eliminates credential sprawl and enables just-in-time access with automatic credential revocation when sessions end. Boundary supports session recording for audit compliance, OIDC/LDAP authentication, and manages access through a hierarchical scope model of organizations and projects.

When to Use

  • When deploying or configuring implementing zero trust with hashicorp boundary capabilities in your environment
  • When establishing security controls aligned to compliance requirements
  • When building or improving security architecture for this domain
  • When conducting security assessments that require this implementation

Prerequisites

  • HashiCorp Boundary server (self-hosted or HCP Boundary)
  • HashiCorp Vault (for credential brokering)
  • Identity provider supporting OIDC (Okta, Azure AD, Auth0)
  • PostgreSQL database for Boundary's backend
  • TLS certificates for secure communication
  • Understanding of PKI and X.509 certificate management

Architecture

                    Identity Provider (OIDC)
                           |
                    Authentication
                           |
                  +--------+--------+
                  |   Boundary      |
                  |   Controller    |
                  |  (Control Plane)|
                  +--------+--------+
                           |
              +------------+------------+
              |                         |
     +--------+--------+      +--------+--------+
     | Boundary Worker |      | Boundary Worker |
     | (Data Plane)    |      | (Data Plane)    |
     +--------+--------+      +--------+--------+
              |                         |
     +--------+--------+      +--------+--------+
     |  Target Hosts   |      |  Target Hosts   |
     |  (SSH, RDP,     |      |  (Databases,    |
     |   K8s, HTTP)    |      |   APIs)         |
     +-----------------+      +-----------------+
 
     Vault (Credential Brokering)
     - Dynamic database credentials
     - SSH certificate signing
     - Credential libraries

Installation and Configuration

Boundary Server Setup

# Install Boundary
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update && sudo apt-get install boundary
 
# Initialize the database
boundary database init \
  -config=/etc/boundary/controller.hcl
 
# Start the controller
boundary server -config=/etc/boundary/controller.hcl

Controller Configuration

# /etc/boundary/controller.hcl
controller {
  name = "boundary-controller-1"
  description = "Primary Boundary Controller"
  database {
    url = "postgresql://boundary:password@localhost:5432/boundary?sslmode=require"
  }
  public_cluster_addr = "boundary.example.com"
}
 
listener "tcp" {
  address = "0.0.0.0:9200"
  purpose = "api"
  tls_cert_file = "/etc/boundary/tls/cert.pem"
  tls_key_file  = "/etc/boundary/tls/key.pem"
}
 
listener "tcp" {
  address = "0.0.0.0:9201"
  purpose = "cluster"
  tls_cert_file = "/etc/boundary/tls/cert.pem"
  tls_key_file  = "/etc/boundary/tls/key.pem"
}
 
kms "aead" {
  purpose = "root"
  aead_type = "aes-gcm"
  key = "sP1fnF5Xz85RrXM..."  # Use Vault Transit in production
  key_id = "global_root"
}
 
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEG..."
  key_id = "global_worker-auth"
}
 
kms "aead" {
  purpose = "recovery"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEG..."
  key_id = "global_recovery"
}

Worker Configuration

# /etc/boundary/worker.hcl
worker {
  name = "boundary-worker-1"
  description = "Worker in production VPC"
  public_addr = "worker1.example.com"
 
  controllers = [
    "boundary.example.com:9201"
  ]
 
  tags {
    type = ["production"]
    region = ["us-east-1"]
  }
}
 
listener "tcp" {
  address = "0.0.0.0:9202"
  purpose = "proxy"
}
 
kms "aead" {
  purpose = "worker-auth"
  aead_type = "aes-gcm"
  key = "8fZBjCUfN0TzjEG..."
  key_id = "global_worker-auth"
}

Terraform Configuration

Scope and Auth Configuration

# main.tf - Boundary resources via Terraform
terraform {
  required_providers {
    boundary = {
      source  = "hashicorp/boundary"
      version = "~> 1.1"
    }
  }
}
 
provider "boundary" {
  addr             = "https://boundary.example.com:9200"
  recovery_kms_hcl = file("recovery_kms.hcl")
}
 
# Organization scope
resource "boundary_scope" "org" {
  scope_id                 = "global"
  name                     = "production-org"
  description              = "Production organization scope"
  auto_create_admin_role   = true
  auto_create_default_role = true
}
 
# Project scope
resource "boundary_scope" "production" {
  name                     = "production"
  description              = "Production infrastructure project"
  scope_id                 = boundary_scope.org.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}
 
# OIDC Auth Method (Okta example)
resource "boundary_auth_method_oidc" "okta" {
  scope_id               = boundary_scope.org.id
  name                   = "okta"
  description            = "Okta OIDC authentication"
  issuer                 = "https://company.okta.com/oauth2/default"
  client_id              = var.okta_client_id
  client_secret          = var.okta_client_secret
  signing_algorithms     = ["RS256"]
  api_url_prefix         = "https://boundary.example.com:9200"
  claims_scopes          = ["groups"]
  account_claim_maps     = ["oid=sub"]
  is_primary_for_scope   = true
}
 
# Managed group for auto-assignment
resource "boundary_managed_group" "sre_team" {
  auth_method_id = boundary_auth_method_oidc.okta.id
  name           = "sre-team"
  description    = "SRE team members from Okta"
  filter         = "\"sre-team\" in \"/token/groups\""
}
 
resource "boundary_managed_group" "dev_team" {
  auth_method_id = boundary_auth_method_oidc.okta.id
  name           = "dev-team"
  description    = "Development team from Okta"
  filter         = "\"dev-team\" in \"/token/groups\""
}

Host Catalogs and Targets

# Static host catalog for known infrastructure
resource "boundary_host_catalog_static" "production_servers" {
  name     = "production-servers"
  scope_id = boundary_scope.production.id
}
 
resource "boundary_host_static" "web_server" {
  name            = "web-server-1"
  host_catalog_id = boundary_host_catalog_static.production_servers.id
  address         = "10.0.1.10"
}
 
resource "boundary_host_static" "db_server" {
  name            = "db-server-1"
  host_catalog_id = boundary_host_catalog_static.production_servers.id
  address         = "10.0.2.20"
}
 
# Host set grouping
resource "boundary_host_set_static" "web_servers" {
  name            = "web-servers"
  host_catalog_id = boundary_host_catalog_static.production_servers.id
  host_ids        = [boundary_host_static.web_server.id]
}
 
resource "boundary_host_set_static" "db_servers" {
  name            = "database-servers"
  host_catalog_id = boundary_host_catalog_static.production_servers.id
  host_ids        = [boundary_host_static.db_server.id]
}
 
# SSH target
resource "boundary_target" "ssh_production" {
  name         = "ssh-production-servers"
  description  = "SSH access to production servers"
  type         = "ssh"
  scope_id     = boundary_scope.production.id
  default_port = 22
 
  host_source_ids = [
    boundary_host_set_static.web_servers.id
  ]
 
  session_max_seconds          = 3600  # 1 hour max session
  session_connection_limit     = 1
  enable_session_recording     = true
  storage_bucket_id            = boundary_storage_bucket.sessions.id
 
  injected_application_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.ssh_cert.id
  ]
}
 
# Database target with Vault credential brokering
resource "boundary_target" "postgres_production" {
  name         = "postgres-production"
  description  = "PostgreSQL production database"
  type         = "tcp"
  scope_id     = boundary_scope.production.id
  default_port = 5432
 
  host_source_ids = [
    boundary_host_set_static.db_servers.id
  ]
 
  session_max_seconds      = 1800  # 30 min max
  session_connection_limit = 5
 
  brokered_credential_source_ids = [
    boundary_credential_library_vault.postgres_creds.id
  ]
}

Vault Integration for Credential Brokering

# Vault credential store
resource "boundary_credential_store_vault" "vault" {
  name        = "vault-store"
  scope_id    = boundary_scope.production.id
  address     = "https://vault.example.com:8200"
  token       = var.vault_token
  namespace   = "production"
}
 
# Dynamic database credentials from Vault
resource "boundary_credential_library_vault" "postgres_creds" {
  name                = "postgres-dynamic-creds"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "database/creds/readonly"
  http_method         = "GET"
  credential_type     = "username_password"
}
 
# SSH certificate signing via Vault
resource "boundary_credential_library_vault_ssh_certificate" "ssh_cert" {
  name                = "ssh-certificate"
  credential_store_id = boundary_credential_store_vault.vault.id
  path                = "ssh-client-signer/sign/production"
  username            = "admin"
  key_type            = "ed25519"
  key_bits            = 256
  extensions = {
    "permit-pty" = ""
  }
}
 
# Session recording storage
resource "boundary_storage_bucket" "sessions" {
  name        = "session-recordings"
  scope_id    = "global"
  plugin_name = "aws"
  bucket_name = "boundary-session-recordings"
  attributes_json = jsonencode({
    "region"                      = "us-east-1"
    "disable_credential_rotation" = true
  })
  secrets_json = jsonencode({
    "access_key_id"     = var.aws_access_key
    "secret_access_key" = var.aws_secret_key
  })
}

Role-Based Access Control

# SRE team role - full production access
resource "boundary_role" "sre_production" {
  name          = "sre-production-access"
  scope_id      = boundary_scope.production.id
  grant_strings = [
    "ids=*;type=target;actions=list,read,authorize-session",
    "ids=*;type=session;actions=list,read,cancel",
    "ids=*;type=host;actions=list,read",
  ]
  principal_ids = [
    boundary_managed_group.sre_team.id
  ]
}
 
# Dev team role - limited access
resource "boundary_role" "dev_staging" {
  name          = "dev-staging-access"
  scope_id      = boundary_scope.production.id
  grant_strings = [
    "ids=${boundary_target.ssh_production.id};type=target;actions=read,authorize-session",
  ]
  principal_ids = [
    boundary_managed_group.dev_team.id
  ]
}

Connecting to Targets

# Authenticate via OIDC
boundary authenticate oidc \
  -auth-method-id amoidc_xxxxx
 
# List available targets
boundary targets list -scope-id p_xxxxx
 
# Connect to SSH target (credentials injected by Vault)
boundary connect ssh \
  -target-id ttcp_xxxxx
 
# Connect to database (credentials brokered by Vault)
boundary connect postgres \
  -target-id ttcp_xxxxx \
  -dbname production
 
# Use Boundary Desktop client for GUI access
# Download from: https://developer.hashicorp.com/boundary/install

Session Recording and Auditing

# List session recordings
boundary session-recordings list \
  -scope-id p_xxxxx
 
# Download session recording for review
boundary session-recordings download \
  -id sr_xxxxx \
  -output recording.cast
 
# Play back with asciinema
asciinema play recording.cast

Dynamic Host Catalogs

# AWS dynamic host catalog - auto-discovers EC2 instances
resource "boundary_host_catalog_plugin" "aws_catalog" {
  scope_id    = boundary_scope.production.id
  name        = "aws-production"
  plugin_name = "aws"
 
  attributes_json = jsonencode({
    "region"                      = "us-east-1"
    "disable_credential_rotation" = true
  })
 
  secrets_json = jsonencode({
    "access_key_id"     = var.aws_access_key
    "secret_access_key" = var.aws_secret_key
  })
}
 
resource "boundary_host_set_plugin" "web_tier" {
  host_catalog_id = boundary_host_catalog_plugin.aws_catalog.id
  name            = "web-tier"
  attributes_json = jsonencode({
    "filters" = [
      "tag:Environment=production",
      "tag:Tier=web"
    ]
  })
}

Security Best Practices

  1. Use Vault KMS for key management instead of static AEAD keys in production
  2. Enable session recording for all privileged access targets
  3. Set session time limits appropriate to the resource sensitivity
  4. Use OIDC managed groups for automatic role assignment from IdP
  5. Deploy multi-hop workers for accessing resources across network boundaries
  6. Rotate Vault tokens used by credential stores regularly
  7. Enable audit logging on both controllers and workers
  8. Use credential injection (SSH certificates) over brokering when possible
  9. Implement least-privilege grants -- avoid wildcard permissions
  10. Review session recordings regularly for compliance and incident response

References

Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 3

api-reference.md1.6 KB

API Reference: HashiCorp Boundary

Boundary CLI (JSON output)

Core Commands

boundary scopes list -scope-id=global -format=json
boundary targets list -scope-id=<id> -format=json
boundary host-catalogs list -scope-id=<id> -format=json
boundary credential-stores list -scope-id=<id> -format=json
boundary sessions list -scope-id=<id> -format=json
boundary auth-methods list -scope-id=global -format=json

Environment Variables

Variable Description
BOUNDARY_ADDR Controller address (e.g., http://127.0.0.1:9200)
BOUNDARY_TOKEN Authentication token

Target Fields

Field Description
name Target display name
type tcp or ssh
session_max_seconds Maximum session duration
session_connection_limit Max concurrent connections (-1 = unlimited)

Credential Store Types

Type Description
vault Vault-brokered dynamic credentials (recommended)
static Static credentials stored in Boundary

Auth Method Types

Type Zero Trust Suitability
oidc Recommended (SSO, MFA support)
ldap Acceptable with MFA
password Not recommended for zero trust

Session Recording

boundary targets update tcp -id=<id> -enable-session-recording=true \
  -storage-bucket-id=<bucket-id>

References

standards.md2.2 KB

Standards Reference: HashiCorp Boundary Zero Trust

Core Standards

NIST SP 800-207: Zero Trust Architecture

  • Boundary implements identity-aware proxy architecture (Section 3.2.2)
  • Default-deny access model aligns with ZTA core principle
  • Dynamic credential brokering eliminates standing privileges
  • Session-level authorization satisfies continuous verification

NIST SP 800-53: Security Controls

  • AC-2: Account Management (identity lifecycle via OIDC)
  • AC-3: Access Enforcement (role-based grants)
  • AC-6: Least Privilege (fine-grained permissions)
  • AU-2: Audit Events (session recording and logging)
  • AU-3: Content of Audit Records (session playback)
  • IA-2: Identification and Authentication (OIDC/LDAP)
  • SC-7: Boundary Protection (identity-aware proxy)

SOC 2 Compliance

  • CC6.1: Logical and Physical Access Controls
  • CC6.2: Prior to Access, Identity is Established
  • CC6.3: Role-Based Access Controls
  • CC7.2: Monitoring of System Components
  • CC8.1: Change Management

Boundary Security Model

Identity-Aware Access

  • Authentication via OIDC, LDAP, or password auth methods
  • Managed groups for automatic role assignment from IdP claims
  • Session tokens with configurable expiry
  • No direct network access to targets without Boundary session

Credential Management

  • Brokered credentials: Vault generates and returns credentials to user
  • Injected credentials: Boundary injects credentials directly (user never sees them)
  • SSH certificate signing: Vault CA issues short-lived SSH certificates
  • Dynamic database credentials: just-in-time access with automatic revocation

Session Controls

  • Maximum session duration enforcement
  • Connection limits per session
  • Session recording for privileged access audit
  • Automatic credential revocation on session end

Integration Standards

HashiCorp Vault Integration

  • Transit KMS for Boundary encryption keys
  • Database secrets engine for dynamic credentials
  • SSH secrets engine for certificate-based access
  • PKI secrets engine for TLS certificate management

Terraform Infrastructure as Code

  • Boundary Terraform provider for declarative configuration
  • Version-controlled access policies
  • Automated deployment and updates
  • Drift detection for access control changes
workflows.md3.4 KB

Workflows: HashiCorp Boundary Zero Trust Implementation

Workflow 1: Initial Boundary Deployment

Step 1: Infrastructure Preparation
  - Provision PostgreSQL database for Boundary backend
  - Generate TLS certificates for controller and workers
  - Configure KMS (Vault Transit or AEAD for dev)
  - Set up network connectivity between components
 
Step 2: Controller Deployment
  - Install Boundary binary on controller hosts
  - Configure controller with database, KMS, and listeners
  - Initialize database schema
  - Verify controller health and API accessibility
 
Step 3: Worker Deployment
  - Install Boundary on worker hosts in each network zone
  - Configure worker with controller address and KMS
  - Register workers with tags for routing decisions
  - Verify worker registration and health
 
Step 4: Identity Provider Integration
  - Configure OIDC auth method with organizational IdP
  - Map IdP groups to Boundary managed groups
  - Test authentication flow end-to-end
  - Configure token and session expiry policies

Workflow 2: Target Onboarding

Step 1: Create Scope Hierarchy
  - Define organization scope for each business unit
  - Create project scopes for environment isolation
  - Assign admin roles to scope owners
 
Step 2: Configure Host Catalogs
  - Static catalogs for fixed infrastructure
  - Dynamic catalogs for cloud resources (AWS, Azure, GCP)
  - Plugin-based catalogs for auto-discovery
 
Step 3: Define Targets
  - Map each target to host sets
  - Configure default ports and session limits
  - Enable session recording for privileged targets
  - Link credential sources (Vault libraries)
 
Step 4: Create Access Policies
  - Define roles with minimum necessary grants
  - Assign roles to managed groups from IdP
  - Test access with each role
  - Document access patterns and justifications

Workflow 3: Vault Credential Integration

Step 1: Configure Vault Secrets Engines
  - Enable database secrets engine for dynamic credentials
  - Configure SSH secrets engine for certificate signing
  - Set up PKI engine for TLS certificates
  - Define roles with appropriate TTL and permissions
 
Step 2: Create Boundary Credential Stores
  - Create Vault credential store in Boundary
  - Provide Vault token with appropriate policies
  - Configure namespace if using Vault Enterprise
 
Step 3: Create Credential Libraries
  - Map Vault paths to Boundary credential libraries
  - Configure credential type (username_password, ssh_certificate)
  - Link libraries to targets as brokered or injected sources
 
Step 4: Test and Validate
  - Connect to target with dynamic credentials
  - Verify credentials are revoked after session end
  - Confirm session recording captures access
  - Validate audit logs contain credential events

Workflow 4: Access Review and Audit

Step 1: Regular Access Review
  - Export role assignments and grant strings
  - Review with resource owners quarterly
  - Remove stale or unnecessary access
  - Update managed group filters if IdP groups change
 
Step 2: Session Recording Review
  - Review session recordings for privileged targets
  - Investigate anomalous session patterns
  - Export recordings for compliance evidence
  - Archive recordings per retention policy
 
Step 3: Compliance Reporting
  - Generate access control matrix from Boundary
  - Map controls to compliance framework requirements
  - Document exceptions and compensating controls
  - Present findings to audit and compliance teams

Scripts 2

agent.py6.7 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for auditing HashiCorp Boundary zero trust access configuration."""

import os
import subprocess
import json
import argparse
from datetime import datetime, timezone


def run_boundary_cmd(args_list, addr, token):
    """Execute a boundary CLI command and return parsed JSON."""
    env_vars = {"BOUNDARY_ADDR": addr, "BOUNDARY_TOKEN": token}
    cmd = ["boundary"] + args_list + ["-format=json"]
    result = subprocess.run(cmd, capture_output=True, text=True, env={**dict(os.environ), **env_vars}, timeout=30)
    if result.returncode != 0:
        print(f"  [-] Error: {result.stderr.strip()[:200]}")
        return {}
    return json.loads(result.stdout) if result.stdout else {}


def list_scopes(addr, token):
    """List organization and project scopes."""
    data = run_boundary_cmd(["scopes", "list", "-scope-id=global"], addr, token)
    scopes = data.get("items", [])
    print(f"[*] Scopes: {len(scopes)}")
    for s in scopes:
        print(f"  {s.get('id')}: {s.get('name', 'unnamed')} (type={s.get('type')})")
    return scopes


def list_targets(addr, token, scope_id):
    """List targets (resources users can connect to) in a scope."""
    data = run_boundary_cmd(["targets", "list", f"-scope-id={scope_id}"], addr, token)
    targets = data.get("items", [])
    findings = []
    print(f"\n[*] Targets in scope {scope_id}: {len(targets)}")
    for t in targets:
        session_max = t.get("session_max_seconds", 0)
        conn_limit = t.get("session_connection_limit", -1)
        print(f"  {t.get('name')}: type={t.get('type')}, "
              f"max_sec={session_max}, conn_limit={conn_limit}")
        if conn_limit == -1:
            findings.append({"target": t.get("name"), "issue": "Unlimited connections",
                             "severity": "MEDIUM"})
        if session_max == 0 or session_max > 28800:
            findings.append({"target": t.get("name"),
                             "issue": f"Long session timeout ({session_max}s)", "severity": "HIGH"})
    return targets, findings


def list_host_catalogs(addr, token, scope_id):
    """List host catalogs (static or dynamic)."""
    data = run_boundary_cmd(["host-catalogs", "list", f"-scope-id={scope_id}"], addr, token)
    catalogs = data.get("items", [])
    print(f"\n[*] Host Catalogs in scope {scope_id}: {len(catalogs)}")
    for c in catalogs:
        print(f"  {c.get('id')}: {c.get('name', 'unnamed')} (type={c.get('type')})")
    return catalogs


def list_credential_stores(addr, token, scope_id):
    """List credential stores (Vault integration check)."""
    data = run_boundary_cmd(["credential-stores", "list", f"-scope-id={scope_id}"], addr, token)
    stores = data.get("items", [])
    print(f"\n[*] Credential Stores in scope {scope_id}: {len(stores)}")
    vault_stores = [s for s in stores if s.get("type") == "vault"]
    static_stores = [s for s in stores if s.get("type") == "static"]
    print(f"  Vault-backed: {len(vault_stores)}, Static: {len(static_stores)}")
    findings = []
    if static_stores:
        for s in static_stores:
            findings.append({"store": s.get("name"), "type": "static",
                             "issue": "Static credentials (not Vault-brokered)", "severity": "MEDIUM"})
    return stores, findings


def list_sessions(addr, token, scope_id):
    """List active sessions for audit."""
    data = run_boundary_cmd(["sessions", "list", f"-scope-id={scope_id}"], addr, token)
    sessions = data.get("items", [])
    print(f"\n[*] Active Sessions in scope {scope_id}: {len(sessions)}")
    for s in sessions[:10]:
        print(f"  {s.get('id')[:12]}... user={s.get('user_id', 'N/A')} "
              f"target={s.get('target_id', 'N/A')} status={s.get('status')}")
    return sessions


def check_auth_methods(addr, token, scope_id="global"):
    """Audit configured authentication methods."""
    data = run_boundary_cmd(["auth-methods", "list", f"-scope-id={scope_id}"], addr, token)
    methods = data.get("items", [])
    findings = []
    print(f"\n[*] Auth Methods: {len(methods)}")
    for m in methods:
        mtype = m.get("type", "unknown")
        print(f"  {m.get('name', 'unnamed')}: type={mtype}")
        if mtype == "password":
            findings.append({"method": m.get("name"), "type": mtype,
                             "issue": "Password-only auth (use OIDC for zero trust)", "severity": "HIGH"})
    return methods, findings


def generate_report(target_findings, cred_findings, auth_findings, output_path):
    """Generate Boundary audit report."""
    all_findings = target_findings + cred_findings + auth_findings
    report = {
        "audit_date": datetime.now(timezone.utc).isoformat(),
        "total_findings": len(all_findings),
        "target_findings": target_findings,
        "credential_findings": cred_findings,
        "auth_findings": auth_findings,
    }
    with open(output_path, "w") as f:
        json.dump(report, f, indent=2, default=str)
    print(f"\n[*] Report saved to {output_path}")


def main():
    parser = argparse.ArgumentParser(description="HashiCorp Boundary Zero Trust Audit Agent")
    parser.add_argument("action", choices=["scopes", "targets", "hosts", "creds",
                                           "sessions", "auth", "full-audit"])
    parser.add_argument("--addr", required=True, help="Boundary controller address")
    parser.add_argument("--token", required=True, help="Boundary auth token")
    parser.add_argument("--scope-id", default="global", help="Scope ID to audit")
    parser.add_argument("-o", "--output", default="boundary_audit.json")
    args = parser.parse_args()

    if args.action == "scopes":
        list_scopes(args.addr, args.token)
    elif args.action == "targets":
        list_targets(args.addr, args.token, args.scope_id)
    elif args.action == "hosts":
        list_host_catalogs(args.addr, args.token, args.scope_id)
    elif args.action == "creds":
        list_credential_stores(args.addr, args.token, args.scope_id)
    elif args.action == "sessions":
        list_sessions(args.addr, args.token, args.scope_id)
    elif args.action == "auth":
        check_auth_methods(args.addr, args.token)
    elif args.action == "full-audit":
        scopes = list_scopes(args.addr, args.token)
        all_tf, all_cf, all_af = [], [], []
        _, af = check_auth_methods(args.addr, args.token)
        all_af.extend(af)
        for s in scopes:
            sid = s.get("id")
            _, tf = list_targets(args.addr, args.token, sid)
            all_tf.extend(tf)
            _, cf = list_credential_stores(args.addr, args.token, sid)
            all_cf.extend(cf)
            list_sessions(args.addr, args.token, sid)
        generate_report(all_tf, all_cf, all_af, args.output)


if __name__ == "__main__":
    main()
process.py12.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""
HashiCorp Boundary Zero Trust Access Management.

Generates Boundary Terraform configurations, validates access policies,
and monitors session activity for compliance reporting.
"""

import json
import datetime
from dataclasses import dataclass, field
from pathlib import Path
from typing import Optional


@dataclass
class BoundaryScope:
    name: str
    description: str
    scope_type: str  # "org" or "project"
    parent_scope_id: str = "global"


@dataclass
class BoundaryTarget:
    name: str
    description: str
    target_type: str  # "ssh" or "tcp"
    default_port: int
    host_addresses: list = field(default_factory=list)
    session_max_seconds: int = 3600
    session_connection_limit: int = -1
    enable_recording: bool = False
    credential_type: str = "none"  # "none", "brokered", "injected"
    vault_path: str = ""


@dataclass
class BoundaryRole:
    name: str
    description: str
    scope_id: str
    grant_strings: list = field(default_factory=list)
    principal_groups: list = field(default_factory=list)


class BoundaryTerraformGenerator:
    """Generate Terraform configuration for Boundary resources."""

    def __init__(self, boundary_addr: str, vault_addr: str = ""):
        self.boundary_addr = boundary_addr
        self.vault_addr = vault_addr
        self.scopes: list[BoundaryScope] = []
        self.targets: list[BoundaryTarget] = []
        self.roles: list[BoundaryRole] = []
        self.oidc_config: dict = {}

    def add_scope(self, name: str, description: str, scope_type: str = "project",
                  parent: str = "global") -> BoundaryScope:
        scope = BoundaryScope(name=name, description=description,
                              scope_type=scope_type, parent_scope_id=parent)
        self.scopes.append(scope)
        return scope

    def add_target(self, name: str, description: str, target_type: str,
                   port: int, hosts: list, **kwargs) -> BoundaryTarget:
        target = BoundaryTarget(
            name=name, description=description, target_type=target_type,
            default_port=port, host_addresses=hosts, **kwargs
        )
        self.targets.append(target)
        return target

    def add_role(self, name: str, description: str, scope_id: str,
                 grants: list, groups: list) -> BoundaryRole:
        role = BoundaryRole(
            name=name, description=description, scope_id=scope_id,
            grant_strings=grants, principal_groups=groups
        )
        self.roles.append(role)
        return role

    def configure_oidc(self, issuer: str, client_id: str, scopes: list = None):
        self.oidc_config = {
            "issuer": issuer,
            "client_id": client_id,
            "scopes": scopes or ["openid", "profile", "groups"],
        }

    def generate_provider_block(self) -> str:
        return f'''terraform {{
  required_providers {{
    boundary = {{
      source  = "hashicorp/boundary"
      version = "~> 1.1"
    }}
  }}
}}

provider "boundary" {{
  addr             = "{self.boundary_addr}"
  recovery_kms_hcl = file("recovery_kms.hcl")
}}
'''

    def generate_scopes(self) -> str:
        blocks = []
        for scope in self.scopes:
            resource_name = scope.name.replace("-", "_")
            if scope.scope_type == "org":
                blocks.append(f'''
resource "boundary_scope" "{resource_name}" {{
  scope_id                 = "{scope.parent_scope_id}"
  name                     = "{scope.name}"
  description              = "{scope.description}"
  auto_create_admin_role   = true
  auto_create_default_role = true
}}
''')
            else:
                parent_ref = scope.parent_scope_id.replace("-", "_")
                blocks.append(f'''
resource "boundary_scope" "{resource_name}" {{
  name                     = "{scope.name}"
  description              = "{scope.description}"
  scope_id                 = boundary_scope.{parent_ref}.id
  auto_create_admin_role   = true
  auto_create_default_role = true
}}
''')
        return "\n".join(blocks)

    def generate_targets(self) -> str:
        blocks = []
        for target in self.targets:
            resource_name = target.name.replace("-", "_")
            recording_block = ""
            if target.enable_recording:
                recording_block = """
  enable_session_recording = true
  storage_bucket_id        = boundary_storage_bucket.sessions.id"""

            credential_block = ""
            if target.credential_type == "brokered" and target.vault_path:
                credential_block = f"""
  brokered_credential_source_ids = [
    boundary_credential_library_vault.{resource_name}_creds.id
  ]"""
            elif target.credential_type == "injected" and target.vault_path:
                credential_block = f"""
  injected_application_credential_source_ids = [
    boundary_credential_library_vault_ssh_certificate.{resource_name}_cert.id
  ]"""

            blocks.append(f'''
resource "boundary_target" "{resource_name}" {{
  name         = "{target.name}"
  description  = "{target.description}"
  type         = "{target.target_type}"
  scope_id     = boundary_scope.production.id
  default_port = {target.default_port}

  session_max_seconds      = {target.session_max_seconds}
  session_connection_limit = {target.session_connection_limit}{recording_block}{credential_block}
}}
''')
        return "\n".join(blocks)

    def generate_roles(self) -> str:
        blocks = []
        for role in self.roles:
            resource_name = role.name.replace("-", "_")
            grants = ",\n    ".join(f'"{g}"' for g in role.grant_strings)
            principals = ",\n    ".join(
                f'boundary_managed_group.{g.replace("-", "_")}.id'
                for g in role.principal_groups
            )
            blocks.append(f'''
resource "boundary_role" "{resource_name}" {{
  name          = "{role.name}"
  description   = "{role.description}"
  scope_id      = {role.scope_id}
  grant_strings = [
    {grants}
  ]
  principal_ids = [
    {principals}
  ]
}}
''')
        return "\n".join(blocks)

    def generate_full_config(self) -> str:
        sections = [
            self.generate_provider_block(),
            "# Scopes",
            self.generate_scopes(),
            "# Targets",
            self.generate_targets(),
            "# Roles",
            self.generate_roles(),
        ]
        return "\n".join(sections)

    def export_config(self, output_path: str):
        config = self.generate_full_config()
        path = Path(output_path)
        path.parent.mkdir(parents=True, exist_ok=True)
        with open(path, "w") as f:
            f.write(config)
        return config


class BoundaryAccessAuditor:
    """Audit and validate Boundary access configurations."""

    def __init__(self):
        self.findings: list[dict] = []

    def check_session_limits(self, targets: list[BoundaryTarget]) -> list[dict]:
        for target in targets:
            if target.session_max_seconds > 7200:
                self.findings.append({
                    "severity": "WARNING",
                    "target": target.name,
                    "finding": f"Session max exceeds 2 hours ({target.session_max_seconds}s)",
                    "recommendation": "Reduce session duration for privileged targets",
                })
            if target.session_connection_limit == -1:
                self.findings.append({
                    "severity": "INFO",
                    "target": target.name,
                    "finding": "Unlimited connections per session",
                    "recommendation": "Consider setting connection limits for sensitive targets",
                })
            if target.default_port == 22 and not target.enable_recording:
                self.findings.append({
                    "severity": "HIGH",
                    "target": target.name,
                    "finding": "SSH target without session recording",
                    "recommendation": "Enable session recording for SSH access",
                })
            if target.credential_type == "none":
                self.findings.append({
                    "severity": "MEDIUM",
                    "target": target.name,
                    "finding": "No credential management configured",
                    "recommendation": "Use Vault credential brokering or injection",
                })
        return self.findings

    def check_role_grants(self, roles: list[BoundaryRole]) -> list[dict]:
        for role in roles:
            for grant in role.grant_strings:
                if "ids=*" in grant and "actions=*" in grant:
                    self.findings.append({
                        "severity": "CRITICAL",
                        "role": role.name,
                        "finding": "Wildcard IDs and actions grant (admin-level access)",
                        "recommendation": "Restrict to specific resource types and actions",
                    })
                if "type=target" in grant and "authorize-session" in grant and "ids=*" in grant:
                    self.findings.append({
                        "severity": "HIGH",
                        "role": role.name,
                        "finding": "Role can authorize sessions to all targets",
                        "recommendation": "Restrict to specific target IDs or use target-level grants",
                    })
        return self.findings

    def generate_report(self) -> dict:
        report = {
            "audit_date": datetime.datetime.now().isoformat(),
            "total_findings": len(self.findings),
            "by_severity": {},
            "findings": self.findings,
        }
        for finding in self.findings:
            sev = finding["severity"]
            report["by_severity"][sev] = report["by_severity"].get(sev, 0) + 1
        return report


def main():
    """Generate example Boundary Terraform configuration."""
    gen = BoundaryTerraformGenerator(
        boundary_addr="https://boundary.example.com:9200",
        vault_addr="https://vault.example.com:8200"
    )

    # Create scopes
    gen.add_scope("production-org", "Production Organization", "org")
    gen.add_scope("production", "Production Infrastructure", "project", "production-org")

    # Create targets
    gen.add_target(
        "ssh-web-servers", "SSH to production web servers", "ssh", 22,
        ["10.0.1.10", "10.0.1.11"],
        session_max_seconds=3600, enable_recording=True,
        credential_type="injected", vault_path="ssh-signer/sign/web"
    )
    gen.add_target(
        "postgres-production", "Production PostgreSQL", "tcp", 5432,
        ["10.0.2.20"],
        session_max_seconds=1800,
        credential_type="brokered", vault_path="database/creds/readonly"
    )
    gen.add_target(
        "redis-cache", "Production Redis cache", "tcp", 6379,
        ["10.0.3.30"],
        session_max_seconds=900
    )

    # Create roles
    gen.add_role(
        "sre-full-access", "SRE team full production access",
        "boundary_scope.production.id",
        [
            "ids=*;type=target;actions=list,read,authorize-session",
            "ids=*;type=session;actions=list,read,cancel",
        ],
        ["sre-team"]
    )
    gen.add_role(
        "dev-readonly", "Dev team read-only access",
        "boundary_scope.production.id",
        [
            "ids=*;type=target;actions=list,read",
        ],
        ["dev-team"]
    )

    # Generate and export
    config = gen.export_config("boundary_config.tf")
    print("Generated Terraform configuration:")
    print(config[:2000])

    # Run audit
    auditor = BoundaryAccessAuditor()
    auditor.check_session_limits(gen.targets)
    auditor.check_role_grants(gen.roles)
    report = auditor.generate_report()

    print("\n" + "=" * 60)
    print("Access Audit Report")
    print("=" * 60)
    print(f"Total findings: {report['total_findings']}")
    for sev, count in report["by_severity"].items():
        print(f"  {sev}: {count}")
    for finding in report["findings"]:
        target_or_role = finding.get("target", finding.get("role", "N/A"))
        print(f"\n  [{finding['severity']}] {target_or_role}")
        print(f"    Finding: {finding['finding']}")
        print(f"    Recommendation: {finding['recommendation']}")


if __name__ == "__main__":
    main()

Assets 1

template.mdtext/markdown · 1.3 KB
Keep exploring