{"id":19490805,"url":"https://github.com/n3tuk/infra-vault","last_synced_at":"2025-08-09T19:55:00.438Z","repository":{"id":225546880,"uuid":"765160599","full_name":"n3tuk/infra-vault","owner":"n3tuk","description":"The general, high-level configuration for Vault, including the bootstrapping of the Cluster configuration, and common service integrations and mounts.","archived":false,"fork":false,"pushed_at":"2024-03-04T00:30:22.000Z","size":149,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-01-08T08:45:42.496Z","etag":null,"topics":["github-deployment","github-workflows","hashicorp-vault","terraform","terraform-configuration","vault"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/n3tuk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":".github/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-02-29T11:52:19.000Z","updated_at":"2024-03-28T23:34:49.000Z","dependencies_parsed_at":"2024-03-02T20:29:07.859Z","dependency_job_id":"dcc4c902-826e-419e-8b39-8409022fb62b","html_url":"https://github.com/n3tuk/infra-vault","commit_stats":null,"previous_names":["n3tuk/infra-vault"],"tags_count":0,"template":false,"template_full_name":"n3tuk/template-terraform-configuration","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3tuk%2Finfra-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3tuk%2Finfra-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/Git
Hub/repositories/n3tuk%2Finfra-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/n3tuk%2Finfra-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/n3tuk","download_url":"https://codeload.github.com/n3tuk/infra-vault/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240738078,"owners_count":19849545,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-deployment","github-workflows","hashicorp-vault","terraform","terraform-configuration","vault"],"created_at":"2024-11-10T21:14:24.625Z","updated_at":"2025-02-25T19:43:06.956Z","avatar_url":"https://github.com/n3tuk.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# n3t.uk Terraform Configurations for Hashicorp Vault\n\n[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)\n\nThis is a [Terraform][terraform] repository for the management of multiple\n[Hashicorp Vault][vault] Clusters; deployments are (currently) run locally from\ninternal systems, as this service is not publicly accessible.\n\n[terraform]: https://terraform.io/\n[vault]: https://www.vaultproject.io\n\nThis provides standardised configurations for services, such as:\n\n- Establishing an OIDC connection with Auth0 for user-based authentication and\n  authorisation (normally via the User Interface);\n- Creating and signing the n3t.uk Certificate Authority configuration with an\n  Intermediate Certificate for this Cluster, allowing it to create server and\n  client certificates on demand (including using [`certbot`][certbot] and\n  [`cert-manager`][cert-manager]); and\n- Creating the default key/value stores which should be available in each of the\n  Vault Clusters.\n\n[certbot]: https://certbot.eff.org/\n[cert-manager]: https://cert-manager.io/\n\n
## Network\n\n![Network Diagram for Vault Cluster Networking](https://github.com/n3tuk/infra-vault/blob/main/docs/vault-networking.svg?raw=true)\n\n[Vault][vault] is currently an internal-only service and is hosted outside of\nthe Kubernetes Clusters (as it is required to provision those clusters with\ncertificates and secrets).\n\n1. Each Vault Cluster is fronted by between one and three [HAProxy][haproxy]\n   Nodes, which forward the encrypted traffic unterminated onto the backend\n   using the `PROXY` protocol (which carries the original client address\n   through to Vault).\n1. Each HAProxy node listens on a dummy interface called `lb01` sharing the same\n   IPv4 and IPv6 address across all nodes in the same Cluster, and is\n   responsible for monitoring and checking the Vault backend service for\n   availability.\n1. Each HAProxy node runs `bird` to provide BGP support back to the core router,\n   which routes traffic for the shared address to one of the HAProxy nodes,\n   while also using the BFD protocol to provide rapid failover of routes if the\n   primary node restarts or connectivity is otherwise lost.\n\n[haproxy]: https://www.haproxy.org/\n\nWhen a User or Service makes a request to a Vault Cluster, the request is first\nsent via the Router (the address does not exist on a network within a\nbroadcast domain, so there can be no ARP), which forwards the traffic onto an\navailable HAProxy node. The HAProxy service on that node then forwards the\nrequest onto an available Vault backend node which, if it is a standby, forwards\nthe request internally to the current active node.\n\nThis traffic flow should allow the failover of any Vault node and any HAProxy\nnode (assuming there is more than one of each) and still be able to service\nrequests within the network.\n\n
## Bootstrapping\n\nThe [`terraform/bootstrap/`][bootstrap] directory hosts the initial Terraform\nconfiguration, which sets up the initial authentication and authorisation in\nthe Vault Cluster.\n\nThis explicitly uses the `root` token returned by Vault when the data store is\ninitialised (`vault operator init`). However, the configuration creates the\ninitial authentication methods as well as the Roles and Policies needed so the\nCluster can subsequently be managed without the `root` Token.\n\n[bootstrap]: https://github.com/n3tuk/infra-vault/tree/main/terraform/bootstrap/\n\n```console\n$ cd terraform/bootstrap/\n$ task workspace:{environment}\n[terraform:bootstrap:workspace] Switched to workspace \"vault.{e}.cym-south-1.kub3.uk\".\n[terraform:bootstrap:workspace] vault.{e}.cym-south-1.kub3.uk Active\n$ task plan\n$ task apply\n```\n\n\u003e [!IMPORTANT]\n\u003e The `root` token for the cluster should only be used for bootstrapping and\n\u003e emergencies. If something happens which prevents normal authentication to the\n\u003e Vault Cluster, then this bootstrap configuration and the `root` Token should\n\u003e be used to restore it. All other uses should be avoided. Once the bootstrap\n\u003e has been applied and the OIDC login confirmed to work, revoke the `root` token\n\u003e (`vault token revoke -self` while logged in with it); a replacement can be\n\u003e generated from the unseal or recovery keys with `vault operator generate-root`\n\u003e if it is ever needed again.\n\n### Initial Authentication\n\nOnce the Vault Cluster has been bootstrapped, there are two ways to log into\nthe system:\n\n1. Go to https://vault.{e}.cym-south-1.kub3.uk and select _OIDC_ from the\n   drop-down and enter either `administrator` or `reader` as the _Role_. The\n   button should show _Sign in with Auth0_. Click it and sign in.\n1. Open the console and log in with the `oidc` method and either the\n   `administrator` or `reader` role; the CLI launches a browser to complete the\n   login with Auth0 and waits for the token to be returned:\n\n   ```console\n   $ vault login -method=oidc role={name}\n   Complete the login via your OIDC provider. Launching browser to:\n\n       https://n3tuk.uk.auth0.com/authorize?client_id={id}\u0026...\n\n   Waiting for OIDC authentication to complete...\n   ```\n\n
## Common Configuration\n\nThe [`terraform/common/`][common] workspace hosts the configuration for the\nmanagement and configuration of Hashicorp Vault resources. See the\n[`README.md`][readme] therein for further information on the supported\n`variables` and `outputs`, as well as what is managed by the workspace.\n\n[common]: https://github.com/n3tuk/infra-vault/tree/main/terraform/common/\n[readme]: https://github.com/n3tuk/infra-vault/blob/main/terraform/common/README.md\n\n\u003e [!TIP]\n\u003e Ensure that you have authenticated against the Vault Cluster with your `vault`\n\u003e CLI application before running the `plan` or `apply` tasks, or Terraform may\n\u003e not be able to connect to the Cluster to review, create, or delete resources.\n\u003e The Terraform Vault provider takes its token from the `VAULT_TOKEN` environment\n\u003e variable or, failing that, from the `~/.vault-token` file written by\n\u003e `vault login`.\n\n```console\n$ cd terraform/common/\n$ task workspace:{environment}\n[terraform:common:workspace] Switched to workspace \"vault.{e}.cym-south-1.kub3.uk\".\n[terraform:common:workspace] vault.{e}.cym-south-1.kub3.uk Active\n$ task plan\n$ task apply\n```\n\n
## License\n\nCopyright (c) 2024 Jonathan Wright\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of\nthis software and associated documentation files (the \"Software\"), to deal in\nthe Software without restriction, including without limitation the rights to\nuse, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of\nthe Software, and to permit persons to whom the Software is furnished to do so,\nsubject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS\nFOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR\nCOPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER\nIN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN\nCONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.\n\n## Authors\n\n- Jonathan Wright (\u003cjon@than.io\u003e)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn3tuk%2Finfra-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fn3tuk%2Finfra-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fn3tuk%2Finfra-vault/lists"}