https://github.com/flaconi/terraform-aws-vault
Terraform module to deploy HashiCorp Vault behind an ELB in a provided VPC
Topics: aws, terraform, terraform-module, vault

- Host: GitHub
- Owner: Flaconi
- License: apache-2.0
- Created: 2018-10-25T07:00:06.000Z
- Default Branch: master
- Last Pushed: 2024-05-31T09:17:23.000Z
- Last Synced: 2024-06-01T01:34:40.630Z
- Language: HCL
- Size: 149 KB
- Stars: 3
- Watchers: 24
- Forks: 2
- Open Issues: 0

Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
README
# Terraform Module: HashiCorp Vault
* [lint workflow](https://github.com/flaconi/terraform-aws-vault/actions?query=workflow%3Alint)
* [test workflow](https://github.com/flaconi/terraform-aws-vault/actions?query=workflow%3Atest)
* [releases](https://github.com/flaconi/terraform-aws-vault/releases)
* [license: Apache 2.0](https://opensource.org/licenses/Apache-2.0)
This Terraform module provisions HashiCorp Vault with a Consul storage backend into an existing VPC, including
an ELB fronting the Vault cluster and, optionally, a public and/or private Route53 DNS name pointing at that ELB.
## Usage example
```hcl
module "aws_vault" {
  source = "github.com/Flaconi/terraform-aws-vault?ref=v2.1.0"

  # Placement
  vpc_id             = "vpc-1234"
  public_subnet_ids  = ["subnet-4321", "subnet-9876"]
  private_subnet_ids = ["subnet-1234", "subnet-5678"]

  # Resource Naming/Tagging
  name                = "vault"
  consul_cluster_name = "my-consul"
  vault_cluster_name  = "my-vault"

  # Security
  # ARN of the ACM/IAM certificate terminating TLS on the ELB (required input; placeholder value)
  ssl_certificate_id    = "arn:aws:acm:eu-central-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
  ssh_keys              = ["ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey"]
  ssh_security_group_id = "sg-0c12345678"
  # Single CIDR (string) allowed to reach Vault over HTTPS; 0.0.0.0/0 exposes the
  # Vault API to the whole internet, so narrow this for anything but a lab.
  vault_ingress_cidr = "0.0.0.0/0"
}
```
## Examples
* [Custom VPC with HashiCorp Vault](examples/custom-vpc-with-vault)
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5 |
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 5 |
## Required Inputs
The following input variables are required:
### [vpc\_id](#input\_vpc\_id)
Description: The VPC ID into which you want to provision Vault.
Type: `string`
### [public\_subnet\_ids](#input\_public\_subnet\_ids)
Description: A list of public subnet IDs into which the Vault ELB will be provisioned.
Type: `list(string)`
### [private\_subnet\_ids](#input\_private\_subnet\_ids)
Description: A list of private subnet IDs into which Vault and Consul will be provisioned.
Type: `list(string)`
### [ssh\_security\_group\_id](#input\_ssh\_security\_group\_id)
Description: Security group ID of a bastion (or other EC2 instance) from which you will be allowed to ssh into Vault and Consul.
Type: `string`
### [ssl\_certificate\_id](#input\_ssl\_certificate\_id)
Description: ARN of the certificate to be used for the Vault endpoint ELB
Type: `string`
## Optional Inputs
The following input variables are optional (have default values):
### [name](#input\_name)
Description: The name(-prefix) tag to apply to all AWS resources
Type: `string`
Default: `"vault"`
Description: A map of additional tags to apply to all AWS resources
Type: `map(string)`
Default: `{}`
### [consul\_cluster\_name](#input\_consul\_cluster\_name)
Description: What to name the Consul server cluster and all of its associated resources
Type: `string`
Default: `"vault-consul"`
### [vault\_cluster\_name](#input\_vault\_cluster\_name)
Description: What to name the Vault server cluster and all of its associated resources
Type: `string`
Default: `"vault-vault"`
### [vault\_route53\_public\_dns\_name](#input\_vault\_route53\_public\_dns\_name)
Description: The Route53 public DNS name for the vault ELB. If not set, no Route53 record will be created.
Type: `string`
Default: `""`
### [vault\_route53\_private\_dns\_name](#input\_vault\_route53\_private\_dns\_name)
Description: The Route53 private DNS name for the vault ELB. If not set, no Route53 record will be created.
Type: `string`
Default: `""`
### [ssh\_user](#input\_ssh\_user)
Description: User name used for SSH-connections.
Type: `string`
Default: `"ubuntu"`
### [ssh\_keys](#input\_ssh\_keys)
Description: A list of public ssh keys to add to authorized\_keys files.
Type: `list(string)`
Default: `[]`
### [pushgateway\_urls](#input\_pushgateway\_urls)
Description: A list of Prometheus Pushgateway URLs
Type: `list(string)`
Default: `[]`
### [consul\_instance\_type](#input\_consul\_instance\_type)
Description: The type of EC2 Instance to run in the Consul ASG
Type: `string`
Default: `"t3.micro"`
### [vault\_instance\_type](#input\_vault\_instance\_type)
Description: The type of EC2 Instance to run in the Vault ASG
Type: `string`
Default: `"t3.micro"`
### [consul\_cluster\_size](#input\_consul\_cluster\_size)
Description: The number of Consul server nodes to deploy. We strongly recommend using 3 or 5.
Type: `number`
Default: `3`
### [vault\_cluster\_size](#input\_vault\_cluster\_size)
Description: The number of Vault server nodes to deploy. We strongly recommend using 3 or 5.
Type: `number`
Default: `3`
### [vault\_ingress\_cidr](#input\_vault\_ingress\_cidr)
Description: A CIDR range from which HTTPS access to the Vault cluster is allowed. The default permits access from any address on the internet; restrict it to the networks your Vault clients actually use.
Type: `string`
Default: `"0.0.0.0/0"`
### [security\_group\_names](#input\_security\_group\_names)
Description: List of one or more security groups to be added to the load balancer
Type: `list(string)`
Default: `[]`
### [enable\_s3\_backend](#input\_enable\_s3\_backend)
Description: Whether to configure an S3 storage backend in the same region in addition to Consul.
Type: `bool`
Default: `false`
### [s3\_bucket\_name](#input\_s3\_bucket\_name)
Description: The name of the S3 bucket in the same region to use as a storage backend. Only used if 'enable\_s3\_backend' is set to true.
Type: `string`
Default: `""`
### [enable\_s3\_backend\_encryption](#input\_enable\_s3\_backend\_encryption)
Description: Whether to configure the S3 storage backend to be encrypted with a KMS key.
Type: `bool`
Default: `false`
### [kms\_alias\_name](#input\_kms\_alias\_name)
Description: The alias name of the KMS key used for S3 storage backend encryption. Only used if 'enable\_s3\_backend\_encryption' is set to true.
Type: `string`
Default: `""`
### [ami\_id](#input\_ami\_id)
Description: ID of the AMI to be used for the Consul and Vault instances.
Type: `string`
Default: `null`
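The quick-start example above takes the permissive defaults (HTTPS from `0.0.0.0/0`, no S3 backend, no backend encryption). The following is an added example, not code from the module's README or repository, showing how the same inputs documented above can be set for a locked-down deployment: TLS from an ACM certificate, SSH reachable only from a dedicated bastion security group, HTTPS limited to one client range, an internal-only Route53 name, and the optional S3 backend encrypted with a customer-managed KMS key. The VPC and subnet IDs, certificate domain, CIDR ranges, bucket name and SSH key are placeholders, and whether `kms_alias_name` expects the `alias/` prefix is not stated in this README, so check it against the module's `variables.tf` before applying.

```hcl
# Added example, not part of the flaconi/terraform-aws-vault module itself.
# All IDs, domains, CIDRs and names below are placeholders.

# Certificate that will terminate TLS on the Vault ELB (required input ssl_certificate_id).
data "aws_acm_certificate" "vault" {
  domain      = "vault.example.com" # placeholder
  statuses    = ["ISSUED"]
  most_recent = true
}

# Bastion security group: the only source permitted to SSH to Vault and Consul nodes.
resource "aws_security_group" "bastion" {
  name        = "vault-bastion"
  description = "Bastion hosts permitted to SSH into Vault and Consul"
  vpc_id      = "vpc-1234" # placeholder

  ingress {
    description = "SSH from the corporate VPN range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["203.0.113.0/24"] # placeholder (RFC 5737 documentation range)
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Customer-managed KMS key for the optional S3 storage backend, with rotation enabled.
resource "aws_kms_key" "vault_s3" {
  description         = "Vault S3 storage backend encryption"
  enable_key_rotation = true
}

resource "aws_kms_alias" "vault_s3" {
  name          = "alias/vault-s3"
  target_key_id = aws_kms_key.vault_s3.key_id
}

module "aws_vault" {
  source = "github.com/Flaconi/terraform-aws-vault?ref=v2.1.0"

  # Placement
  vpc_id             = "vpc-1234"                      # placeholder
  public_subnet_ids  = ["subnet-4321", "subnet-9876"]  # placeholder
  private_subnet_ids = ["subnet-1234", "subnet-5678"]  # placeholder

  name = "vault"

  # TLS on the ELB: a required input that the quick-start example leaves out.
  ssl_certificate_id = data.aws_acm_certificate.vault.arn

  # SSH only from the bastion security group, with a single operator key.
  ssh_security_group_id = aws_security_group.bastion.id
  ssh_keys              = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial000000000000000 ops@example.com"] # placeholder

  # HTTPS to Vault from the corporate range only, instead of the default 0.0.0.0/0.
  vault_ingress_cidr = "203.0.113.0/24"

  # Resolve the ELB via a private zone only; no public Route53 record is created.
  vault_route53_private_dns_name = "vault.internal.example.com"

  # Optional S3 storage backend, encrypted with the customer-managed key above.
  # Assumption: the module takes the alias name as created here; the README does
  # not say whether it expects the "alias/" prefix.
  enable_s3_backend            = true
  s3_bucket_name               = "example-vault-storage" # placeholder, same region as the VPC
  enable_s3_backend_encryption = true
  kms_alias_name               = aws_kms_alias.vault_s3.name

  # Odd cluster sizes, as the input descriptions recommend.
  consul_cluster_size = 3
  vault_cluster_size  = 3
}
```

Keeping the bastion and KMS key as separate resources in the same root module means the Vault nodes never accept SSH from an arbitrary CIDR, and the backend key's policy and rotation are under your control rather than the default AWS-managed S3 key.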
## Outputs
| Name | Description |
|------|-------------|
| [alb\_fqdn\_vault](#output\_alb\_fqdn\_vault) | The AWS provided CNAME of the Vault ALB. |
| [alb\_route53\_public\_dns\_name\_vault](#output\_alb\_route53\_public\_dns\_name\_vault) | The Route53 name attached to the Vault ALB, if specified in variables. |
| [asg\_name\_consul\_cluster](#output\_asg\_name\_consul\_cluster) | Autoscaling group name of the Consul cluster. |
| [asg\_name\_vault\_cluster](#output\_asg\_name\_vault\_cluster) | Autoscaling group name of the Vault cluster. |
| [aws\_region](#output\_aws\_region) | Used AWS region. |
| [iam\_role\_arn\_consul\_cluster](#output\_iam\_role\_arn\_consul\_cluster) | IAM role ARN attached to the Consul cluster. |
| [iam\_role\_arn\_vault\_cluster](#output\_iam\_role\_arn\_vault\_cluster) | IAM role ARN attached to the Vault cluster. |
| [iam\_role\_id\_consul\_cluster](#output\_iam\_role\_id\_consul\_cluster) | IAM role ID attached to the Consul cluster. |
| [iam\_role\_id\_vault\_cluster](#output\_iam\_role\_id\_vault\_cluster) | IAM role ID attached to the Vault cluster. |
| [launch\_template\_name\_consul\_cluster](#output\_launch\_template\_name\_consul\_cluster) | Launch template name of the Consul cluster. |
| [launch\_template\_name\_vault\_cluster](#output\_launch\_template\_name\_vault\_cluster) | Launch template name of the Vault cluster. |
| [security\_group\_id\_consul\_cluster](#output\_security\_group\_id\_consul\_cluster) | Security group ID of the Consul cluster to attach to other security group rules. |
| [security\_group\_id\_vault\_cluster](#output\_security\_group\_id\_vault\_cluster) | Security group ID of the Vault cluster to attach to other security group rules. |
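The `security_group_id_*` and `iam_role_*` outputs exist so that other resources can be scoped to the cluster rather than to CIDR ranges or wildcard principals. The following added example (not part of the module) consumes them for two least-privilege rules. It assumes a module instance named `aws_vault`, an application security group `aws_security_group.app` and a KMS key `aws_kms_key.vault_s3` defined elsewhere in the root module, that the Vault nodes listen on Vault's default API port 8200 (the README does not state the port), and that `iam_role_id_vault_cluster` is the role name as exported by `aws_iam_role.id`.

```hcl
# Added example, not part of the flaconi/terraform-aws-vault module itself.
# Assumes module.aws_vault, aws_security_group.app and aws_kms_key.vault_s3
# are declared elsewhere in the same configuration.

# Let the application tier reach the Vault node security group directly,
# keyed on the app security group instead of a CIDR block.
# Port 8200 is Vault's default API port; that the nodes use it is an assumption.
resource "aws_security_group_rule" "app_to_vault" {
  type                     = "ingress"
  description              = "Vault API from the application security group"
  from_port                = 8200
  to_port                  = 8200
  protocol                 = "tcp"
  security_group_id        = module.aws_vault.security_group_id_vault_cluster
  source_security_group_id = aws_security_group.app.id
}

# Scope the Vault nodes' use of the S3-backend KMS key to that single key ARN.
# Add this only if the module's own role policy does not already grant it.
data "aws_iam_policy_document" "vault_kms" {
  statement {
    sid       = "VaultS3BackendKey"
    effect    = "Allow"
    actions   = ["kms:Decrypt", "kms:GenerateDataKey", "kms:DescribeKey"]
    resources = [aws_kms_key.vault_s3.arn]
  }
}

resource "aws_iam_role_policy" "vault_kms" {
  name   = "vault-s3-backend-kms"
  role   = module.aws_vault.iam_role_id_vault_cluster
  policy = data.aws_iam_policy_document.vault_kms.json
}
```

Attaching the inline policy to the module's role ARN/ID output, rather than editing the role inside the module, keeps the module pinned at `ref=v2.1.0` while the consuming configuration owns the extra grants; `terraform plan` will show the new rule and policy as additions only, with no changes to the module-managed resources.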
## License
[Apache 2.0](LICENSE)
Copyright (c) 2018-2021 [Flaconi GmbH](https://github.com/Flaconi)