AWS dynamic host catalogs

Boundary uses dynamic host catalogs to automatically discover AWS EC2 instances and add them as hosts.

Create a host catalog to connect with AWS

Boundary uses plugins to integrate with a variety of providers. To use a dynamic host catalog to integrate with AWS, you create a host catalog of the plugin type and set the plugin-name value to aws. You must also provide the specific fields needed for Boundary to authenticate with AWS.

Complete the following steps to create a dynamic host catalog for AWS:

Log in to Boundary.
Select the org, and then select the project you want to create a host catalog for.
Select Host Catalogs.
Select New Host Catalog.
Complete the following fields:
- Name: (Optional) An optional name for identification purposes. If you enter a name, it must be unique.
- Description: (Optional) An optional description of the host catalog for identification purposes.
- Type: (Required) Select Dynamic to create a dynamic host catalog.
- Provider: (Required) Select AWS to create a dynamic host catalog for your AWS resources.
- AWS Region: (Required) Enter the AWS region of the hosts you want to add to the host catalog.
- Credential type: (Required) Select the type of credential you want to use to authenticate to the host catalog. The required fields for configuring the host catalog vary depending on whether you configure static or dynamic credentials:
  - Use an access key (Static Credentials): Authenticates to the host catalog using an access key that you generate in AWS.
  - Use Assume Role (Dynamic Credentials): Authenticates to the host catalog using credentials that AWS AssumeRole generates.
- Access Key ID: (Required) The access key ID for the IAM user to use with this host catalog.
- Secret Access Key: (Required) The secret access key for the IAM user to use with this host catalog.
- Worker Filter: (Optional) An optional filter to route requests to a designated worker.
- Role ARN: (Required) - The AWS role ARN to use for AssumeRole authentication. If you provide a role_arn value, you must also set disable_credential_rotation to true.
- Role external ID: (Optional) - The external ID for the AssumeRole provider.
- Role session name: (Optional) - The session name for the AssumeRole provider.
- Role tags: (Optional) - The key-value pair tags for the AssumeRole provider.
- Worker Filter: (Optional) - An optional filter to route requests to a designated worker.
- Disable credential rotation: - When enabled, Boundary does not rotate the credentials with AWS automatically. Credential rotation is automatically disabled when you use dynamic credentials.
Select Save.

The required fields for creating a dynamic host catalog depend on whether you configure static or dynamic credentials.

Log in to Boundary.
Use the following command to create a dynamic host catalog for AWS using static credentials:
```
$ boundary host-catalogs create plugin \
  -scope-id $BOUNDARY_PROJECT_ID \
  -plugin-name aws \
  -attr disable_credential_rotation=true \
  -attr region=us-east-1 \
  -secret access_key_id=env://AWS_ACCESS_KEY_ID \
  -secret secret_access_key=env://AWS_SECRET_ACCESS_KEY
```
The scope-id and plugin-name fields are required when you create a dynamic host catalog.
The fields following the attr and secret flags are specific to AWS and are required by Boundary for authentication. Replace the values in the command with the following required AWS secrets and any attributes you want to associate with the host catalog:
- disable_credential_rotation: When set to true, Boundary does not rotate the credentials with AWS automatically.
- region: The region to configure the host catalog for. All host sets in this catalog are configured for this region.
- access_key_id: The access key ID for the IAM user to use with this host catalog.
- secret_access_key: The secret access key for the IAM user to use with this host catalog.
Refer to the domain model documentation for additional fields that you can use when you create host catalogs.

Log in to Boundary.
Use the following command to create a dynamic host catalog using dynamic credentials:
```
$ boundary host-catalogs create plugin \
  -scope-id $BOUNDARY_PROJECT_ID \
  -plugin-name aws \
  -attr disable_credential_rotation=true \
  -attr region=us-east-1 \
  -role_arn \
  -role_external_id \
  -role_session_name \
  -role_tags
```
The scope-id and plugin-name fields are required when you create a dynamic host catalog.
Replace the values in the command with the following required AWS secrets and any attributes you want to associate with the host catalog:
- disable_credential_rotation: When set to true, Boundary does not rotate the credentials with AWS automatically. You must disable credential rotation to use dynamic credentials.
- region: The region to configure the host catalog for. All host sets in this catalog will be configured for this region.
- role_arn: The AWS role ARN used for AssumeRole authentication. If you provide a role_arn value, you must also set disable_credential_rotation to true.
- role_external_id: The external ID that you configured for the AssumeRole provider.
- role_session_name: The session name that you configured for the AssumeRole provider.
- role_tags: The key-value pair tags that you configured for the AssumeRole provider.
Refer to the domain model documentation for additional fields that you can use when you create host catalogs.

The required fields for creating a dynamic host catalog depend on whether you configure static or dynamic credentials.

Refer to the Boundary Terraform provider documentation to learn about the requirements for the following example attributes.

Apply the following Terraform policy:

resource "boundary_host_catalog_plugin" "aws_host_catalog" {
  name        = "AWS Catalog"
  description = "AWS Host Catalog"
  scope_id    = boundary_scope.project.id
  plugin_name = "aws"

  attributes_json = jsonencode({
    "region" = "eu-west-2",
    "disable_credential_rotation" = true })
  secrets_json = jsonencode({
    "access_key_id" = var.aws_access,
    "secret_access_key" = var.aws_secret})
}

The scope-id and plugin-name fields are required when you create a dynamic host catalog.

Replace the values in the configuration with the following required AWS secrets and any attributes you want to associate with the host catalog:

disable_credential_rotation: When set to true, Boundary does not rotate the credentials with AWS automatically.
region: The region to configure the host catalog for. All host sets in this catalog are configured for this region.
access_key_id: The access key ID for the IAM user to use with this host catalog.
secret_access_key: The secret access key for the IAM user to use with this host catalog.

Refer to the domain model documentation for additional fields that you can use when you create host catalogs.

Apply the following Terraform policy:

resource "boundary_host_catalog_plugin" "aws_host_catalog" {
  name        = "AWS Catalog"
  description = "AWS Host Catalog"
  scope_id    = boundary_scope.project.id
  plugin_name = "aws"

  attributes_json = jsonencode({
    "region" = "eu-west-2",
    "disable_credential_rotation" = true })
  secrets_json = jsonencode({
    "role_arn" = var.aws_access,
    "role_external_id" = var.aws_secret,
    "role_session_name" = var.aws_secret,
    "role_tags" = var.aws_secret})
}

The scope-id and plugin-name fields are required when you create a dynamic host catalog.

Replace the values in the configuration with the following required AWS secrets and any attributes you want to associate with the host catalog:

disable_credential_rotation: When set to true, Boundary does not rotate the credentials with AWS automatically. You must disable credential rotation to use dynamic credentials.
region: The region to configure the host catalog for. All host sets in this catalog are configured for this region.
role_arn: The AWS role ARN used for AssumeRole authentication. If you provide a role_arn value, you must also set disable_credential_rotation to true.
role_external_id: The external ID that you configured for the AssumeRole provider.
role_session_name: The session name that you configured for the AssumeRole provider.
role_tags: The key-value pair tags that you configured for the AssumeRole provider.

Refer to the domain model documentation for additional fields that you can use when you create host catalogs.

Create a host set to connect with AWS

Host sets specify which AWS filters should be used to identify the discovered hosts that should be added as members.

Complete the following steps to create a host set:

Log in to Boundary.
Select the org, and then select the project you want to create a host set for.
Select Host Catalogs.
Select the dynamic host catalog to which you want add a host set.
Click the Host Sets tab, and then click New.
Complete the following fields:
- Name: (Optional) An optional name for identification purposes. If you enter a name, it must be unique.
- Description: (Optional) An optional description of the host catalog for identification purposes.
Click Save.

Log in to Boundary.
Use the following command to create a host set:
```
$ boundary host-sets create plugin \
  -host-catalog-id $BOUNDARY_HOST_CATALOG_ID \
  -attr filters=tag-key=foo,bar \
  -attr filters=tag-key=baz
```
The host-catalog-id value is a required field that specifies in which host catalog to create this host set.
Like with the host catalog, the fields passed in after the attr flag are specific to AWS.
The filters field contains string filters in the format key=val1,val2. The key corresponds to a filter option, and the value(s) are a comma-separated list. For a list of filter options, refer to the describe-instances in the AWS CLI reference.
When the values in a single filters field are separated by a comma, either can be true for the host to match. When multiple filters fields are provided, they must all match for a host to match. In the example above, an instance must have either tags foo or bar, and must have the tag baz.
For more fields that you can use when creating host sets, refer to the domain model documentation.

Apply the following Terraform policy:

resource "boundary_host_set_plugin" "aws_host_set" {
  name        = "AWS Host Set"
  description = "AWS Host Set"
  host_catalog_id  = boundary_scope.aws_host_catalog.id
  attributes_json = jsonencode({
  "filters" = ["tag-key=foo,bar", "tag-key=baz"] })
}

The host-catalog-id value is a required field that specifies in which host catalog to create this host set.

The filters field contains string filters in the format key=val1,val2. The key corresponds to a filter option, and the value(s) are a comma-separated list. For a list of filter options, refer to the describe-instances in the AWS CLI reference.

When the values in a single filters field are separated by a comma, either can be true for the host to match. When multiple filters fields are provided, they must all match for a host to match. In the example above, an instance must have either tags foo or bar, and must have the tag baz.

For more fields that you can use when creating host sets, refer to the domain model documentation.