Terraform code for managing required resources for a HashiCorp Vault cluster on Azure - Managed by CultClassik/iac-github-mgmt (Github)

iac-azure-vault-cluster-components

  • Manages the pre-requisite resources required by a HashiCorp Vault cluster and the accompanying AGW configuration.
  • Note that for `environment` we have "production" and "nonprod" clusters only.

Vault Cluster - order of operations

| Order | Repo Name | Description |
|-------|-----------|-------------|
| 1. | ac-azure-network | Manages virtual networks and subnets |
| 2. | iac-azure-vault-cluster-components | Manages SSH keys, identities, role assignments, Key Vault, etc. |
| 3. | iac-azure-vault-agw | Manages the Azure Application Gateway and multiple configurations |
| 4. | iac-azure-vault-cluster | Manages the VMSS for the Vault cluster |
| ? | iac-azure-dns | ? |

Running locally

  • Need some detail here on extracting values for the backend and supplying ARM_CLIENT_SECRET (or better yet, using Azure AD credentials)
```shell
export VAULT_ENV=nonprod

# ensure the env file is up to date and source it
set -o allexport &&\
source variables/$VAULT_ENV.env &&\
set +o allexport

# log in to the az cli or supply the ARM_CLIENT_SECRET env var
export ARM_CLIENT_SECRET=xxx

terraform init

terraform plan -var-file=variables/$VAULT_ENV.tfvars
```

TODO

  • Update/add descriptions for all variables and outputs
  • Add managed & encrypted storage for keyvault
  • Internal TLS certs are good for 1 year - this needs to be monitored and automated, i.e. a scheduled pipeline run to renew the certs, or use Let's Encrypt etc.
  • Migrate tfstate - use the updated method/storage account

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.2.0 |
| azurerm | ~> 3.31 |

Providers

| Name | Version |
|------|---------|
| azurerm | 3.32.0 |
| tls | 3.1.50 |

Modules

| Name | Source | Version |
|------|--------|---------|
| iam | ./modules/iam | n/a |
| keyvault | ./modules/keyvault | n/a |
| tls | ./modules/tls | n/a |

Resources

| Name | Type |
|------|------|
| azurerm_resource_group.vault | resource |
| tls_private_key.bastion | resource |
| tls_private_key.vault_nodes | resource |
| azurerm_client_config.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| az_sub_id | Azure subscription ID to create resources in | string | n/a | yes |
| dns_zone_name | The DNS zone name the Vault cluster will use | string | n/a | yes |
| environment | production or nonprod | string | n/a | yes |
| git_repo | The name of the IAC repo that manages these resources | string | n/a | yes |
| keyvault_readers | Map of object IDs to grant read access on certificates and secrets for. Ex: `{ devops = "8f2fccad-59de-4699-8e72-33adea4bcc8b" }` | map(string) | n/a | yes |
| location | n/a | string | n/a | yes |
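Two of these inputs carry constraints that the table states only in prose: `environment` must be one of the two cluster environments, and every `keyvault_readers` value must be an Azure AD object ID. The following variable declarations, added here as an example and not taken from this repo, enforce both at plan time so a typo fails fast instead of creating a Key Vault access policy for a non-existent principal (the variable names and types come from the table above; the validation blocks are an assumption about how one would declare them in this module's `variables.tf`).

```hcl
# Added example, not part of iac-azure-vault-cluster-components.
# Assumes these declarations live in the root module's variables.tf.

variable "environment" {
  description = "Deployment environment; only production and nonprod clusters exist."
  type        = string

  validation {
    # Reject anything other than the two environments the README names.
    condition     = contains(["production", "nonprod"], var.environment)
    error_message = "environment must be exactly \"production\" or \"nonprod\"."
  }
}

variable "keyvault_readers" {
  description = "Map of friendly name => Azure AD object ID granted read access on Key Vault certificates and secrets."
  type        = map(string)

  validation {
    # Every value must be a GUID so the Key Vault access policy targets a real principal
    # rather than silently granting nothing (or something unintended).
    condition = alltrue([
      for id in values(var.keyvault_readers) :
      can(regex("^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$", id))
    ])
    error_message = "Every keyvault_readers value must be an Azure AD object ID (GUID)."
  }
}
```

With these in place, `terraform plan -var-file=variables/$VAULT_ENV.tfvars` stops on a bad value before any resource is touched.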

Outputs

| Name | Description |
|------|-------------|
| akv_secret_id_root_ca_pem | Secret ID of the AKV secret for the private root CA certificate |
| akv_secret_id_vault_server_cert | Secret ID of the AKV certificate for Vault nodes |
| akv_secret_id_vault_vm_tls | Secret ID of the AKV secret for the Vault cluster nodes' TLS certificate |
| key_vault_id | Key Vault ID |
| keyvault_name | Name of the Key Vault - autogenerated if one is not specified. |
| lb_identity_id | n/a |
| resource_group | The resource group that was created for Vault cluster resources |
| root_ca_pem | n/a |
| shared_san | n/a |
| vault_server_cert_pfx | n/a |
| vm_identity_client_id | n/a |
| vm_identity_id | n/a |