Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/xuwang/aws-terraform

Code examples to create CoreOS cluster on AWS with Terraform
https://github.com/xuwang/aws-terraform

Last synced: 11 days ago
JSON representation

Code examples to create CoreOS cluster on AWS with Terraform

Host: GitHub
URL: https://github.com/xuwang/aws-terraform
Owner: xuwang
License: mit
Created: 2015-03-12T01:59:25.000Z (over 9 years ago)
Default Branch: master
Last Pushed: 2017-05-28T17:40:08.000Z (over 7 years ago)
Last Synced: 2024-08-02T14:08:51.666Z (4 months ago)
Language: HCL
Homepage:
Size: 1.94 MB
Stars: 134
Watchers: 15
Forks: 54
Open Issues: 2
Metadata Files:
- Readme: README-vault.md
- Changelog: CHANGELOG.md
- License: LICENSE

Awesome Lists containing this project

README

This repo contains a vault cluster runs with etcd backend. By default, the vault and etcd are running
on the same instance. 3 instances are created.

With this setup, you can afford to lose one machine and still keep etcd healthy, so if needed, only reboot machines one at a time and
check etcd health before reboot another.

## Get ips of the vault servers

You can get ips of the vault servers by:

```
$ make get_vault_ips
```

The ssh access is open to your own machine's IP from where you built the vault.

## Initialize and unseal the vault

You need to run Vault initialization on one of the vault servers. The master key and 5 unsealing keys will be stored in etcd K/V store.
You need to run unseal process on all vault servers after its reboot.

* Copy scripts/setup_vault.sh to all vault servers:

```
$ scp scripts/setup_vault.sh core@:/tmp
```

* Initialize and unseal the vault servers

Run this on all vault servers - note it is okay to run setup_vault.multiple times. It will skip initialization if the vault is already
initialized.
```
$ ssh core@
$ cd /tmp
$ ./setup_vault.sh
```

## Validate vault setup

This doesn't need vault authentication

```
$ vault status
core@ip-10-10-6-72-vault /tmp $vault status
Sealed: false
Key Shares: 5
Key Threshold: 3
Unseal Progress: 0
Version: 0.6.4
Cluster Name: vault-cluster-4932646e
Cluster ID: b47b8de3-b609-e730-d2f2-c894d1c77ec8
```
Authenticate to vault and check mounts:

```
$ vault auth $(etcdctl get /service/vault/root-token)
Successfully authenticated! You are now logged in.
token: xxxxxx-ea73-1063-02bf-070f2ab60123
token_duration: 0
token_policies: [root]

$ core@ip-10-10-6-72-vault /etc/profile.d $vault mounts
Path Type Default TTL Max TTL Description
cubbyhole/ cubbyhole n/a n/a per-token private secret storage
secret/ generic system system generic secret storage
sys/ system n/a n/a system endpoints used for control, policy and debugging
```
## Validate vault elb health

You can check on AWS EC2/Loadbalancer console, or run:

```
$ aws elb --profile describe-instance-health --load-balancer-name=vault --region
```