{"id":20656315,"url":"https://github.com/flaconi/terraform-aws-vault","last_synced_at":"2025-04-19T12:21:47.018Z","repository":{"id":38241434,"uuid":"154624725","full_name":"Flaconi/terraform-aws-vault","owner":"Flaconi","description":"Terraform module to deploy HashiCorp Vault behind an ELB in a provided VPC","archived":false,"fork":false,"pushed_at":"2024-05-31T09:17:23.000Z","size":153,"stargazers_count":3,"open_issues_count":0,"forks_count":2,"subscribers_count":24,"default_branch":"master","last_synced_at":"2024-06-01T01:34:40.630Z","etag":null,"topics":["aws","terraform","terraform-module","vault"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Flaconi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-25T07:00:06.000Z","updated_at":"2024-06-01T01:34:40.631Z","dependencies_parsed_at":"2024-05-02T14:38:18.796Z","dependency_job_id":"6254afe5-83a1-4e16-9f36-70140e1e9ac1","html_url":"https://github.com/Flaconi/terraform-aws-vault","commit_stats":null,"previous_names":[],"tags_count":20,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fterraform-aws-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fterraform-aws-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fterraform-aws-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Flaconi%2Fterraform-
aws-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Flaconi","download_url":"https://codeload.github.com/Flaconi/terraform-aws-vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":224951615,"owners_count":17397425,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","terraform","terraform-module","vault"],"created_at":"2024-11-16T18:14:46.670Z","updated_at":"2025-04-19T12:21:47.006Z","avatar_url":"https://github.com/Flaconi.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Terraform Module: HashiCorp Vault\n\n[![lint](https://github.com/flaconi/terraform-aws-vault/workflows/lint/badge.svg)](https://github.com/flaconi/terraform-aws-vault/actions?query=workflow%3Alint)\n[![test](https://github.com/flaconi/terraform-aws-vault/workflows/test/badge.svg)](https://github.com/flaconi/terraform-aws-vault/actions?query=workflow%3Atest)\n[![Tag](https://img.shields.io/github/tag/flaconi/terraform-aws-vault.svg)](https://github.com/flaconi/terraform-aws-vault/releases)\n[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)\n\nThis Terraform module provisions HashiCorp Vault with Consul Backend into an existing VPC including\nan ELB with optionally a public Route53 DNS name fronting the Vault cluster.\n\n## Usage example\n\n```hcl\nmodule \"aws_vault\" {\n  source  = \"github.com/Flaconi/terraform-aws-vault?ref=v2.1.0\"\n\n  # Placement\n  vpc_id             = \"vpc-1234\"\n  public_subnet_ids  = 
[\"subnet-4321\", \"subnet-9876\"]\n  private_subnet_ids = [\"subnet-1234\", \"subnet-5678\"]\n\n  # Resource Naming/Tagging\n  name                = \"vault\"\n  consul_cluster_name = \"my-consul\"\n  vault_cluster_name  = \"my-vault\"\n\n  # Security\n  ssh_keys                 = [\"ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey\"]\n  ssh_security_group_id    = \"sg-0c12345678\"\n  vault_ingress_cidr_https = [\"0.0.0.0/0\"]\n}\n```\n\n## Examples\n\n* [Custom VPC with HashiCorp Vault](examples/custom-vpc-with-vault)\n\n\u003c!-- TFDOCS_HEADER_START --\u003e\n\n\n\u003c!-- TFDOCS_HEADER_END --\u003e\n\n\u003c!-- TFDOCS_PROVIDER_START --\u003e\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 5 |\n\n\u003c!-- TFDOCS_PROVIDER_END --\u003e\n\n\u003c!-- TFDOCS_REQUIREMENTS_START --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.0 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 5 |\n\n\u003c!-- TFDOCS_REQUIREMENTS_END --\u003e\n\n\u003c!-- TFDOCS_INPUTS_START --\u003e\n## Required Inputs\n\nThe following input variables are required:\n\n### \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id)\n\nDescription: The VPC ID into which you want to provision Vault.\n\nType: `string`\n\n### \u003ca name=\"input_public_subnet_ids\"\u003e\u003c/a\u003e [public\\_subnet\\_ids](#input\\_public\\_subnet\\_ids)\n\nDescription: A list of public subnet IDs into which the Vault ELB will be provisioned.\n\nType: `list(string)`\n\n### \u003ca name=\"input_private_subnet_ids\"\u003e\u003c/a\u003e [private\\_subnet\\_ids](#input\\_private\\_subnet\\_ids)\n\nDescription: A list of private subnet IDs into which Vault and Consul will be provisioned.\n\nType: 
`list(string)`\n\n### \u003ca name=\"input_ssh_security_group_id\"\u003e\u003c/a\u003e [ssh\\_security\\_group\\_id](#input\\_ssh\\_security\\_group\\_id)\n\nDescription: Security group ID of a bastion (or other EC2 instance) from which you will be allowed to ssh into Vault and Consul.\n\nType: `string`\n\n### \u003ca name=\"input_ssl_certificate_id\"\u003e\u003c/a\u003e [ssl\\_certificate\\_id](#input\\_ssl\\_certificate\\_id)\n\nDescription: ARN of the certificate to be used for the Vault endpoint ELB\n\nType: `string`\n\n## Optional Inputs\n\nThe following input variables are optional (have default values):\n\n### \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name)\n\nDescription: The name(-prefix) tag to apply to all AWS resources\n\nType: `string`\n\nDefault: `\"vault\"`\n\n### \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags)\n\nDescription: A map of additional tags to apply to all AWS resources\n\nType: `map(string)`\n\nDefault: `{}`\n\n### \u003ca name=\"input_consul_cluster_name\"\u003e\u003c/a\u003e [consul\\_cluster\\_name](#input\\_consul\\_cluster\\_name)\n\nDescription: What to name the Consul server cluster and all of its associated resources\n\nType: `string`\n\nDefault: `\"vault-consul\"`\n\n### \u003ca name=\"input_vault_cluster_name\"\u003e\u003c/a\u003e [vault\\_cluster\\_name](#input\\_vault\\_cluster\\_name)\n\nDescription: What to name the Vault server cluster and all of its associated resources\n\nType: `string`\n\nDefault: `\"vault-vault\"`\n\n### \u003ca name=\"input_vault_route53_public_dns_name\"\u003e\u003c/a\u003e [vault\\_route53\\_public\\_dns\\_name](#input\\_vault\\_route53\\_public\\_dns\\_name)\n\nDescription: The Route53 public DNS name for the vault ELB. 
If not set, no Route53 record will be created.\n\nType: `string`\n\nDefault: `\"\"`\n\n### \u003ca name=\"input_vault_route53_private_dns_name\"\u003e\u003c/a\u003e [vault\\_route53\\_private\\_dns\\_name](#input\\_vault\\_route53\\_private\\_dns\\_name)\n\nDescription: The Route53 private DNS name for the vault ELB. If not set, no Route53 record will be created.\n\nType: `string`\n\nDefault: `\"\"`\n\n### \u003ca name=\"input_ssh_user\"\u003e\u003c/a\u003e [ssh\\_user](#input\\_ssh\\_user)\n\nDescription: User name used for SSH-connections.\n\nType: `string`\n\nDefault: `\"ubuntu\"`\n\n### \u003ca name=\"input_ssh_keys\"\u003e\u003c/a\u003e [ssh\\_keys](#input\\_ssh\\_keys)\n\nDescription: A list of public ssh keys to add to authorized\\_keys files.\n\nType: `list(string)`\n\nDefault: `[]`\n\n### \u003ca name=\"input_pushgateway_urls\"\u003e\u003c/a\u003e [pushgateway\\_urls](#input\\_pushgateway\\_urls)\n\nDescription: A list of Prometheus Pushgateway URLs\n\nType: `list(string)`\n\nDefault: `[]`\n\n### \u003ca name=\"input_consul_instance_type\"\u003e\u003c/a\u003e [consul\\_instance\\_type](#input\\_consul\\_instance\\_type)\n\nDescription: The type of EC2 Instance to run in the Consul ASG\n\nType: `string`\n\nDefault: `\"t3.micro\"`\n\n### \u003ca name=\"input_vault_instance_type\"\u003e\u003c/a\u003e [vault\\_instance\\_type](#input\\_vault\\_instance\\_type)\n\nDescription: The type of EC2 Instance to run in the Vault ASG\n\nType: `string`\n\nDefault: `\"t3.micro\"`\n\n### \u003ca name=\"input_consul_cluster_size\"\u003e\u003c/a\u003e [consul\\_cluster\\_size](#input\\_consul\\_cluster\\_size)\n\nDescription: The number of Consul server nodes to deploy. We strongly recommend using 3 or 5.\n\nType: `number`\n\nDefault: `3`\n\n### \u003ca name=\"input_vault_cluster_size\"\u003e\u003c/a\u003e [vault\\_cluster\\_size](#input\\_vault\\_cluster\\_size)\n\nDescription: The number of Vault server nodes to deploy. 
We strongly recommend using 3 or 5.\n\nType: `number`\n\nDefault: `3`\n\n### \u003ca name=\"input_vault_ingress_cidr\"\u003e\u003c/a\u003e [vault\\_ingress\\_cidr](#input\\_vault\\_ingress\\_cidr)\n\nDescription: CIDRs from which HTTPS access to the Vault cluster is allowed.\n\nType: `string`\n\nDefault: `\"0.0.0.0/0\"`\n\n### \u003ca name=\"input_security_group_names\"\u003e\u003c/a\u003e [security\\_group\\_names](#input\\_security\\_group\\_names)\n\nDescription: List of one or more security groups to be added to the load balancer\n\nType: `list(string)`\n\nDefault: `[]`\n\n### \u003ca name=\"input_enable_s3_backend\"\u003e\u003c/a\u003e [enable\\_s3\\_backend](#input\\_enable\\_s3\\_backend)\n\nDescription: Whether to configure an S3 storage backend in the same region in addition to Consul.\n\nType: `bool`\n\nDefault: `false`\n\n### \u003ca name=\"input_s3_bucket_name\"\u003e\u003c/a\u003e [s3\\_bucket\\_name](#input\\_s3\\_bucket\\_name)\n\nDescription: The name of the S3 bucket in the same region to use as a storage backend. 
Only used if 'enable\\_s3\\_backend' is set to true.\n\nType: `string`\n\nDefault: `\"\"`\n\n### \u003ca name=\"input_enable_s3_backend_encryption\"\u003e\u003c/a\u003e [enable\\_s3\\_backend\\_encryption](#input\\_enable\\_s3\\_backend\\_encryption)\n\nDescription: Whether to configure the S3 storage backend to be encrypted with a KMS key.\n\nType: `bool`\n\nDefault: `false`\n\n### \u003ca name=\"input_kms_alias_name\"\u003e\u003c/a\u003e [kms\\_alias\\_name](#input\\_kms\\_alias\\_name)\n\nDescription: The name of the KMS key that is used for S3 storage backend encryption.\n\nType: `string`\n\nDefault: `\"\"`\n\n### \u003ca name=\"input_ami_id\"\u003e\u003c/a\u003e [ami\\_id](#input\\_ami\\_id)\n\nDescription: ID of the AMI to be used for the Consul and Vault instances.\n\nType: `string`\n\nDefault: `null`\n\n\u003c!-- TFDOCS_INPUTS_END --\u003e\n\n\u003c!-- TFDOCS_OUTPUTS_START --\u003e\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_alb_fqdn_vault\"\u003e\u003c/a\u003e [alb\\_fqdn\\_vault](#output\\_alb\\_fqdn\\_vault) | The AWS provided CNAME of the Vault ALB. |\n| \u003ca name=\"output_alb_route53_public_dns_name_vault\"\u003e\u003c/a\u003e [alb\\_route53\\_public\\_dns\\_name\\_vault](#output\\_alb\\_route53\\_public\\_dns\\_name\\_vault) | The Route53 name attached to the Vault ALB, if specified in variables. |\n| \u003ca name=\"output_asg_name_consul_cluster\"\u003e\u003c/a\u003e [asg\\_name\\_consul\\_cluster](#output\\_asg\\_name\\_consul\\_cluster) | Autoscaling group name of the Consul cluster. |\n| \u003ca name=\"output_asg_name_vault_cluster\"\u003e\u003c/a\u003e [asg\\_name\\_vault\\_cluster](#output\\_asg\\_name\\_vault\\_cluster) | Autoscaling group name of the Vault cluster. |\n| \u003ca name=\"output_aws_region\"\u003e\u003c/a\u003e [aws\\_region](#output\\_aws\\_region) | Used AWS region. 
|\n| \u003ca name=\"output_iam_role_arn_consul_cluster\"\u003e\u003c/a\u003e [iam\\_role\\_arn\\_consul\\_cluster](#output\\_iam\\_role\\_arn\\_consul\\_cluster) | IAM role ARN attached to the Consul cluster. |\n| \u003ca name=\"output_iam_role_arn_vault_cluster\"\u003e\u003c/a\u003e [iam\\_role\\_arn\\_vault\\_cluster](#output\\_iam\\_role\\_arn\\_vault\\_cluster) | IAM role ARN attached to the Vault cluster. |\n| \u003ca name=\"output_iam_role_id_consul_cluster\"\u003e\u003c/a\u003e [iam\\_role\\_id\\_consul\\_cluster](#output\\_iam\\_role\\_id\\_consul\\_cluster) | IAM role ID attached to the Consul cluster. |\n| \u003ca name=\"output_iam_role_id_vault_cluster\"\u003e\u003c/a\u003e [iam\\_role\\_id\\_vault\\_cluster](#output\\_iam\\_role\\_id\\_vault\\_cluster) | IAM role ID attached to the Vault cluster. |\n| \u003ca name=\"output_launch_template_name_consul_cluster\"\u003e\u003c/a\u003e [launch\\_template\\_name\\_consul\\_cluster](#output\\_launch\\_template\\_name\\_consul\\_cluster) | Launch template name of the Consul cluster. |\n| \u003ca name=\"output_launch_template_name_vault_cluster\"\u003e\u003c/a\u003e [launch\\_template\\_name\\_vault\\_cluster](#output\\_launch\\_template\\_name\\_vault\\_cluster) | Launch template name of the Vault cluster. |\n| \u003ca name=\"output_security_group_id_consul_cluster\"\u003e\u003c/a\u003e [security\\_group\\_id\\_consul\\_cluster](#output\\_security\\_group\\_id\\_consul\\_cluster) | Security group ID of the Consul cluster to attach to other security group rules. |\n| \u003ca name=\"output_security_group_id_vault_cluster\"\u003e\u003c/a\u003e [security\\_group\\_id\\_vault\\_cluster](#output\\_security\\_group\\_id\\_vault\\_cluster) | Security group ID of the Vault cluster to attach to other security group rules. 
|\n\n\u003c!-- TFDOCS_OUTPUTS_END --\u003e\n\n## License\n\n[Apache 2.0](LICENSE)\n\nCopyright (c) 2018-2021 [Flaconi GmbH](https://github.com/Flaconi)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflaconi%2Fterraform-aws-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflaconi%2Fterraform-aws-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflaconi%2Fterraform-aws-vault/lists"}