/vault-oss-cluster

Exploratory implementation of a Hashicorp Vault cluster


Janky Vault Cluster

This Terraform project creates a Vault cluster that uses Raft integrated storage. By default it spins the cluster up in your default VPC, which keeps costs down. Pretty much any other choice (e.g. spinning it up in private subnets, or in your own VPC) is untested.

Optionally, you can create a network load balancer and point a Route 53 record at it, using the Route 53 zone of your choice.

Root tokens are stored in AWS Secrets Manager, in a primary and a secondary AWS region, under the "/vault/init/cluster-name" secret. CLI commands can be run by setting the VAULT_TOKEN environment variable on one of the nodes. The VAULT_CAPATH environment variable should already be set for you (per /etc/profile.d/vault.sh). For security reasons, the Vault instances are allowed to create and update secrets in AWS Secrets Manager, but not to retrieve their values.
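The write-only grant described above is the part of the instance role most worth getting right: a node that can read "/vault/init/*" back could recover its own root token. The following Terraform policy document is an added example (not this project's own store_vault_unseal_keys policy) of how such a grant can be expressed. The secret name prefix follows the "/vault/init/" convention above; the statement IDs, the policy name, the role reference, and the explicit Deny are assumptions made for illustration.

```hcl
# Added example, not the project's own code. Lets an instance role write the
# init output into Secrets Manager without ever being able to read it back.
# Assumes an existing aws_iam_role.vault, as listed in the Resources table.
data "aws_caller_identity" "example" {}
data "aws_partition" "example" {}

data "aws_iam_policy_document" "vault_init_write_only" {
  # Create/replace the "/vault/init/<cluster>" secret and replicate it to the
  # secondary region. No Get*/Describe* actions are granted here.
  statement {
    sid    = "WriteVaultInitSecret"
    effect = "Allow"
    actions = [
      "secretsmanager:CreateSecret",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecret",
      "secretsmanager:TagResource",
      "secretsmanager:ReplicateSecretToRegions",
    ]
    # Secrets Manager appends a random suffix to the ARN, hence the wildcard.
    resources = [
      "arn:${data.aws_partition.example.partition}:secretsmanager:*:${data.aws_caller_identity.example.account_id}:secret:/vault/init/*",
    ]
  }

  # Belt and braces: even if another attached policy is too broad, the
  # instance can never read a secret value. (Assumed, not in the project.)
  statement {
    sid    = "NeverReadSecretValues"
    effect = "Deny"
    actions = [
      "secretsmanager:GetSecretValue",
      "secretsmanager:BatchGetSecretValue",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "vault_init_write_only_example" {
  name   = "vault-init-write-only"        # assumed name
  role   = aws_iam_role.vault.id          # role from the Resources table
  policy = data.aws_iam_policy_document.vault_init_write_only.json
}
```

An operator who needs the root token fetches it from Secrets Manager with their own credentials (which do carry GetSecretValue) and exports it as VAULT_TOKEN on a node; the node's instance role never needs that permission, and an explicit Deny makes a later accidental widening of the Allow harmless.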

The chief reason this project exists is to toy with the auto-unseal feature and the AWS secrets engine. Everything is in an "experimental" stage right now, and you may use this project at your own peril.
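To make the Raft storage and auto-unseal pieces concrete, here is a Vault server configuration of the shape a node in such a cluster would run. It is an added example and not a file from this repository: the data and certificate paths, the KMS key alias, the tag key used for auto-join, and the addresses are assumptions; the cluster ID "cluster3" and node ID "node0" are the defaults from the Inputs table.

```hcl
# Added example Vault server config (/etc/vault.d/vault.hcl is an assumed path).
# Integrated Raft storage: each node keeps its own copy of the data on disk.
storage "raft" {
  path    = "/opt/vault/data"   # assumed data directory
  node_id = "node0"             # vault_master_node_id default

  # Cloud auto-join: discover peers by EC2 tag instead of hard-coding IPs.
  # Tag key is an assumption; the value is the vault_cluster_id default.
  retry_join {
    auto_join           = "provider=aws region=us-east-1 tag_key=vault_cluster_id tag_value=cluster3"
    auto_join_scheme    = "https"
    leader_ca_cert_file = "/etc/vault.d/tls/ca.pem"   # the project's self-signed CA (assumed path)
  }
}

# Auto-unseal with AWS KMS: the unseal key never leaves KMS, so the instance
# role needs kms:Encrypt/Decrypt/DescribeKey on this one key and nothing more.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "alias/vault-unseal"   # assumed alias for aws_kms_key.vault
}

listener "tcp" {
  address         = "0.0.0.0:8200"
  cluster_address = "0.0.0.0:8201"
  tls_cert_file   = "/etc/vault.d/tls/node.pem"      # assumed path
  tls_key_file    = "/etc/vault.d/tls/node-key.pem"  # assumed path
  tls_min_version = "tls12"
}

# Advertised addresses; with an NLB in front, api_addr should be the name
# clients actually resolve (vault_cluster_fqdn), cluster_addr this node's own.
api_addr     = "https://vault.example.internal:8200"   # placeholder
cluster_addr = "https://node0.example.internal:8201"   # placeholder

ui            = true
disable_mlock = true   # recommended by HashiCorp when using integrated storage
```

With a KMS seal, `vault operator init` returns recovery keys rather than unseal keys; those, together with the initial root token, are what the first node pushes into the "/vault/init/cluster-name" secret, which is why the KMS key and the Secrets Manager write grant are the two IAM permissions the instance role cannot do without.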

CA Certs

Mac users: you can import the CA cert (the ca_cert_pem output) into your system keychain using Keychain Access. This lets your browser trust the CA and actually visit the Vault cluster you've stood up.

Requirements

| Name | Version |
|------|---------|
| aws | 4.8.0 |
| tls | 3.2.0 |

Providers

| Name | Version |
|------|---------|
| aws | 4.8.0 |
| tls | 3.2.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.vault_node | resource |
| aws_cloudwatch_metric_alarm.disks | resource |
| aws_cloudwatch_metric_alarm.vault_process | resource |
| aws_iam_instance_profile.vault | resource |
| aws_iam_role.vault | resource |
| aws_iam_role_policy.assume_third_party_account_role_policy | resource |
| aws_iam_role_policy.cloudwatch_config_parameter_store | resource |
| aws_iam_role_policy.store_vault_unseal_keys | resource |
| aws_iam_role_policy.vault_auto_unseal | resource |
| aws_iam_role_policy.vault_create_iam_users | resource |
| aws_iam_role_policy.vault_describe_instances | resource |
| aws_iam_role_policy_attachment.cloudwatch_agent | resource |
| aws_key_pair.vault | resource |
| aws_kms_key.vault | resource |
| aws_launch_template.vault | resource |
| aws_lb.vault | resource |
| aws_lb_listener.vault | resource |
| aws_lb_target_group.vault | resource |
| aws_route53_record.vault | resource |
| aws_security_group.vault | resource |
| aws_ssm_parameter.cloudwatch_config | resource |
| tls_private_key.ca | resource |
| tls_private_key.ssh | resource |
| tls_self_signed_cert.ca | resource |
| aws_caller_identity.current | data source |
| aws_kms_key.ebs | data source |
| aws_partition.current | data source |
| aws_route53_zone.selected | data source |
| aws_ssm_parameter.amazon_linux_ami | data source |
| aws_subnets.nlb | data source |
| aws_subnets.vault | data source |
| aws_vpc.selected | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_region | The AWS region in which to create resources | string | "us-east-1" | no |
| env | The name of the environment, for use in AWS resource tags | string | "dev" | no |
| monitor_vault_disk_usage | Set up AWS CloudWatch alarms that trigger when a filesystem is getting full | bool | true | no |
| monitor_vault_processes | Set up AWS CloudWatch alarms that trigger when a vault process is not running | bool | true | no |
| nlb_create | Create a network load balancer? | bool | true | no |
| nlb_faces_public | Create a public-facing load balancer? | bool | true | no |
| nlb_subnet_tag | An optional tag to identify subnets for NLBs (e.g. VPC:tier = private vs public) | map(string) | {} | no |
| org | The name of the organization hosting the AWS resources, for use in resource tags | string | "GregOnAWS" | no |
| project | The name of the project served by these AWS resources, for use in resource tags | string | "vaultdemo" | no |
| replica_region | The secondary AWS region (used for the Secrets Manager replica of the init secret) | string | "us-west-2" | no |
| route53_create_record | Create a Route 53 record that points to the NLB? | bool | true | no |
| route53_use_public_zone | Use a public Route 53 zone? | bool | true | no |
| security_group_allow_https_8200_cidr | A list of CIDR blocks allowed HTTPS access to Vault on port 8200 | list(string) | ["0.0.0.0/0"] | no |
| security_group_allow_ssh_cidr | A list of CIDR blocks allowed SSH access | list(string) | ["0.0.0.0/0"] | no |
| tags | A key/value map of additional resource tags to apply to AWS resources | map(string) | {} | no |
| tls_cert_country_name | The ISO-3166 country code for all TLS certs | string | "US" | no |
| tls_cert_domain | The domain name to use for certificate subject names | string | "gregonaws.net" | no |
| tls_cert_locality_name | The locality (city) name to use for all TLS certs | string | "Indianapolis" | no |
| tls_cert_org | The organization name to use for certificate subject names | string | null | no |
| tls_cert_state_province_name | The state or province to use for all TLS certs | string | "Indiana" | no |
| vault_cluster_fqdn | The fully qualified domain name of the Vault cluster | string | null | no |
| vault_cluster_id | The cluster ID used to auto-join nodes | string | "cluster3" | no |
| vault_cluster_instance_type | The EC2 instance type to launch | string | "t3.micro" | no |
| vault_cluster_node_count | The number of nodes to create | number | 3 | no |
| vault_master_node_id | The 'master' node ID (first node of the cluster) | string | "node0" | no |
| vault_root_volume_size | The amount of disk space (GiB) to allocate for each Vault node's root volume | number | 20 | no |
| vault_subnet_tag | An optional tag to identify subnets for Vault nodes (e.g. VPC:tier = private vs public) | map(string) | {} | no |
| vault_third_party_account_roles | A list of ARNs of third-party account roles that Vault can assume on behalf of customers | list(string) | [] | no |
| vpc_id | An optional ID of a VPC in which to launch Vault | string | null | no |
| vpc_use_default | Use the default VPC | bool | true | no |

Both security group inputs default to 0.0.0.0/0; restrict them to your own address ranges before standing up anything that outlives an experiment.

Outputs

| Name | Description |
|------|-------------|
| ca_cert_pem | n/a |
| ssh_private_key | n/a |
| unseal_key_arn_prefix | n/a |
| vault_url | n/a |