https://github.com/flaconi/terraform-aws-vault

Terraform module to deploy HashiCorp Vault behind an ELB in a provided VPC
aws terraform terraform-module vault


# Terraform Module: HashiCorp Vault

[![lint](https://github.com/flaconi/terraform-aws-vault/workflows/lint/badge.svg)](https://github.com/flaconi/terraform-aws-vault/actions?query=workflow%3Alint)
[![test](https://github.com/flaconi/terraform-aws-vault/workflows/test/badge.svg)](https://github.com/flaconi/terraform-aws-vault/actions?query=workflow%3Atest)
[![Tag](https://img.shields.io/github/tag/flaconi/terraform-aws-vault.svg)](https://github.com/flaconi/terraform-aws-vault/releases)
[![License](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)

This Terraform module provisions HashiCorp Vault with a Consul storage backend into an existing VPC,
including an ELB that fronts the Vault cluster and, optionally, a public Route53 DNS name for that ELB.

## Usage example

```hcl
module "aws_vault" {
  source = "github.com/Flaconi/terraform-aws-vault?ref=v2.1.0"

  # Placement
  vpc_id             = "vpc-1234"
  public_subnet_ids  = ["subnet-4321", "subnet-9876"]
  private_subnet_ids = ["subnet-1234", "subnet-5678"]

  # Resource Naming/Tagging
  name                = "vault"
  consul_cluster_name = "my-consul"
  vault_cluster_name  = "my-vault"

  # TLS: ARN of the certificate terminated on the Vault ELB (required input; placeholder ARN)
  ssl_certificate_id = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"

  # Security
  ssh_keys              = ["ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey"]
  ssh_security_group_id = "sg-0c12345678"
  # HTTPS ingress to the Vault ELB. "0.0.0.0/0" exposes the Vault API to the whole
  # internet; narrow it to the address ranges that actually need access.
  vault_ingress_cidr = "0.0.0.0/0"
}
```

## Examples

* [Custom VPC with HashiCorp Vault](examples/custom-vpc-with-vault)

## Providers

| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 5 |

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |
| [aws](#requirement\_aws) | >= 5 |

## Required Inputs

The following input variables are required:

### [vpc\_id](#input\_vpc\_id)

Description: The VPC ID into which you want to provision Vault.

Type: `string`

### [public\_subnet\_ids](#input\_public\_subnet\_ids)

Description: A list of public subnet IDs into which the Vault ELB will be provisioned.

Type: `list(string)`

### [private\_subnet\_ids](#input\_private\_subnet\_ids)

Description: A list of private subnet IDs into which Vault and Consul will be provisioned.

Type: `list(string)`

### [ssh\_security\_group\_id](#input\_ssh\_security\_group\_id)

Description: Security group ID of a bastion (or other EC2 instance) from which you will be allowed to ssh into Vault and Consul.

Type: `string`

### [ssl\_certificate\_id](#input\_ssl\_certificate\_id)

Description: ARN of the certificate to be used for the Vault endpoint ELB

Type: `string`

## Optional Inputs

The following input variables are optional (have default values):

### [name](#input\_name)

Description: The name(-prefix) tag to apply to all AWS resources

Type: `string`

Default: `"vault"`

### [tags](#input\_tags)

Description: A map of additional tags to apply to all AWS resources

Type: `map(string)`

Default: `{}`

### [consul\_cluster\_name](#input\_consul\_cluster\_name)

Description: What to name the Consul server cluster and all of its associated resources

Type: `string`

Default: `"vault-consul"`

### [vault\_cluster\_name](#input\_vault\_cluster\_name)

Description: What to name the Vault server cluster and all of its associated resources

Type: `string`

Default: `"vault-vault"`

### [vault\_route53\_public\_dns\_name](#input\_vault\_route53\_public\_dns\_name)

Description: The Route53 public DNS name for the Vault ELB. If not set, no public Route53 record will be created.

Type: `string`

Default: `""`

### [vault\_route53\_private\_dns\_name](#input\_vault\_route53\_private\_dns\_name)

Description: The Route53 private DNS name for the Vault ELB. If not set, no private Route53 record will be created.

Type: `string`

Default: `""`

### [ssh\_user](#input\_ssh\_user)

Description: User name used for SSH connections.

Type: `string`

Default: `"ubuntu"`

### [ssh\_keys](#input\_ssh\_keys)

Description: A list of public ssh keys to add to authorized\_keys files.

Type: `list(string)`

Default: `[]`

### [pushgateway\_urls](#input\_pushgateway\_urls)

Description: A list of Prometheus Pushgateway URLs

Type: `list(string)`

Default: `[]`

### [consul\_instance\_type](#input\_consul\_instance\_type)

Description: The type of EC2 Instance to run in the Consul ASG

Type: `string`

Default: `"t3.micro"`

### [vault\_instance\_type](#input\_vault\_instance\_type)

Description: The type of EC2 Instance to run in the Vault ASG

Type: `string`

Default: `"t3.micro"`

### [consul\_cluster\_size](#input\_consul\_cluster\_size)

Description: The number of Consul server nodes to deploy. We strongly recommend using 3 or 5.

Type: `number`

Default: `3`

### [vault\_cluster\_size](#input\_vault\_cluster\_size)

Description: The number of Vault server nodes to deploy. We strongly recommend using 3 or 5.

Type: `number`

Default: `3`

### [vault\_ingress\_cidr](#input\_vault\_ingress\_cidr)

Description: CIDR from which HTTPS access to the Vault cluster is allowed.

Type: `string`

Default: `"0.0.0.0/0"`

### [security\_group\_names](#input\_security\_group\_names)

Description: List of one or more security groups to be added to the load balancer

Type: `list(string)`

Default: `[]`

### [enable\_s3\_backend](#input\_enable\_s3\_backend)

Description: Whether to configure an S3 storage backend in the same region in addition to Consul.

Type: `bool`

Default: `false`

### [s3\_bucket\_name](#input\_s3\_bucket\_name)

Description: The name of the S3 bucket in the same region to use as a storage backend. Only used if 'enable\_s3\_backend' is set to true.

Type: `string`

Default: `""`

### [enable\_s3\_backend\_encryption](#input\_enable\_s3\_backend\_encryption)

Description: Whether to configure the S3 storage backend to be encrypted with a KMS key.

Type: `bool`

Default: `false`

### [kms\_alias\_name](#input\_kms\_alias\_name)

Description: The name of the KMS key that is used for S3 storage backend encryption.

Type: `string`

Default: `""`

### [ami\_id](#input\_ami\_id)

Description: ID of the AMI to be used for the Consul and Vault instances.

Type: `string`

Default: `null`
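As an added example (not part of the module's README), the following module call combines the optional inputs above into a more restrictive deployment: HTTPS ingress limited to one internal range instead of the default `0.0.0.0/0`, a private Route53 name only, and the KMS-encrypted S3 storage backend enabled alongside Consul. All IDs, ARNs, CIDRs, bucket and alias names are placeholders, and whether `kms_alias_name` expects the `alias/` prefix is not stated on this page.

```hcl
# Added example: hardened module call built only from the inputs documented above.
# Every ID, ARN, CIDR and name below is a placeholder to be replaced for your account.
module "aws_vault" {
  source = "github.com/Flaconi/terraform-aws-vault?ref=v2.1.0"

  # Placement (placeholder IDs)
  vpc_id             = "vpc-0123456789abcdef0"
  public_subnet_ids  = ["subnet-0aaaaaaaaaaaaaaaa", "subnet-0bbbbbbbbbbbbbbbb"]
  private_subnet_ids = ["subnet-0cccccccccccccccc", "subnet-0dddddddddddddddd"]

  # Naming and sizing: odd cluster sizes as the input descriptions recommend
  name                = "vault"
  consul_cluster_name = "prod-consul"
  vault_cluster_name  = "prod-vault"
  consul_cluster_size = 5
  vault_cluster_size  = 3

  # TLS terminated on the ELB (placeholder certificate ARN)
  ssl_certificate_id = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/CERTIFICATE_ID"

  # Administrative access: SSH only from the bastion security group, with one
  # named operator key (placeholder key material)
  ssh_security_group_id = "sg-0123456789abcdef0"
  ssh_user              = "ubuntu"
  ssh_keys              = ["ssh-ed25519 AAAA...PLACEHOLDER ops@example.com"]

  # API access: only the internal VPN/corporate range, not the default "0.0.0.0/0"
  vault_ingress_cidr = "10.0.0.0/8"

  # Name resolution: private zone record only; leaving the public name unset
  # means no public Route53 record is created
  vault_route53_private_dns_name = "vault.internal.example.com"
  vault_route53_public_dns_name  = ""

  # S3 storage backend in the same region, encrypted with a KMS key
  # (the exact alias format the module expects is a placeholder assumption)
  enable_s3_backend            = true
  s3_bucket_name               = "example-prod-vault-storage"
  enable_s3_backend_encryption = true
  kms_alias_name               = "alias/vault-storage"

  tags = {
    Environment = "prod"
    Owner       = "platform-security"
  }
}
```

The outputs `security_group_id_vault_cluster` and `security_group_id_consul_cluster` can then be referenced from other security group rules so that only the workloads that need Vault are granted access, rather than widening `vault_ingress_cidr`.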

## Outputs

| Name | Description |
|------|-------------|
| [alb\_fqdn\_vault](#output\_alb\_fqdn\_vault) | The AWS provided CNAME of the Vault ALB. |
| [alb\_route53\_public\_dns\_name\_vault](#output\_alb\_route53\_public\_dns\_name\_vault) | The Route53 name attached to the Vault ALB, if specified in variables. |
| [asg\_name\_consul\_cluster](#output\_asg\_name\_consul\_cluster) | Autoscaling group name of the Consul cluster. |
| [asg\_name\_vault\_cluster](#output\_asg\_name\_vault\_cluster) | Autoscaling group name of the Vault cluster. |
| [aws\_region](#output\_aws\_region) | Used AWS region. |
| [iam\_role\_arn\_consul\_cluster](#output\_iam\_role\_arn\_consul\_cluster) | IAM role ARN attached to the Consul cluster. |
| [iam\_role\_arn\_vault\_cluster](#output\_iam\_role\_arn\_vault\_cluster) | IAM role ARN attached to the Vault cluster. |
| [iam\_role\_id\_consul\_cluster](#output\_iam\_role\_id\_consul\_cluster) | IAM role ID attached to the Consul cluster. |
| [iam\_role\_id\_vault\_cluster](#output\_iam\_role\_id\_vault\_cluster) | IAM role ID attached to the Vault cluster. |
| [launch\_template\_name\_consul\_cluster](#output\_launch\_template\_name\_consul\_cluster) | Launch template name of the Consul cluster. |
| [launch\_template\_name\_vault\_cluster](#output\_launch\_template\_name\_vault\_cluster) | Launch template name of the Vault cluster. |
| [security\_group\_id\_consul\_cluster](#output\_security\_group\_id\_consul\_cluster) | Security group ID of the Consul cluster to attach to other security group rules. |
| [security\_group\_id\_vault\_cluster](#output\_security\_group\_id\_vault\_cluster) | Security group ID of the Vault cluster to attach to other security group rules. |

## License

[Apache 2.0](LICENSE)

Copyright (c) 2018-2021 [Flaconi GmbH](https://github.com/Flaconi)