HashiCorp Cloud Platform: HCP Vault Cluster
This Terraform Module provisions a HashiCorp Vault Cluster.
HashiCorp Cloud Platform (HCP) Account
Terraform 1.3.0 or newer.
Note: This module requires a Service Principal for HashiCorp Cloud Platform. See the official documentation for instructions on how to provide these credentials.
For additional examples, see the ./examples directory.
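The following is an added example, not taken from the module's own ./examples directory. It calls the module with the access-control and audit-logging inputs documented below set explicitly; the `source` path, IDs, CIDR, Splunk endpoint and variable names are placeholders.

```hcl
# Added example: all IDs, CIDRs, endpoints and variable names are placeholders.
variable "hcp_project_id" {
  type = string
}

variable "splunk_hec_token" {
  type      = string
  sensitive = true # redacted in plan/apply output
}

module "hcp_vault" {
  source = "./path/to/this/module" # placeholder: replace with the module's real source

  cluster_id = "example-vault"
  hvn_id     = "example-hvn"
  project_id = var.hcp_project_id

  # audit_log_config is only applied on tiers higher than dev
  tier            = "standard_small"
  public_endpoint = false

  ip_allowlist = [
    {
      address     = "198.51.100.0/24" # documentation range (RFC 5737)
      description = "Corporate egress (constructed)"
    },
  ]

  audit_log_config = {
    enabled            = true
    splunk_hecendpoint = "https://splunk.example.com:8088"
    splunk_token       = var.splunk_hec_token
  }

  major_version_upgrade_config = {
    upgrade_type            = "SCHEDULED"
    maintenance_window_day  = "SUNDAY"
    maintenance_window_time = "WINDOW_12AM_4AM"
  }
}

output "vault_audit_logs_url" {
  value = module.hcp_vault.cluster_audit_logs_url
}
```

Marking the variable `sensitive` only redacts it from CLI output; the token is still written to Terraform state, so the state backend needs its own access controls and encryption.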
| Name | Description | Type | Default | Required |
| --- | --- | --- | --- | --- |
| cluster_id | The ID of the HCP Vault cluster. | `string` | n/a | yes |
| hvn_id | The ID of the HVN this HCP Vault cluster is associated to. | `string` | n/a | yes |
| project_id | The ID of the HCP project where the Vault cluster is located. | `string` | n/a | yes |
| audit_log_config | Complex Object for Audit Log Configuration. Only applied on Clusters that are on a tier higher than `dev`. | `object({ enabled = bool # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#cloudwatch_access_key_id cloudwatch_access_key_id = optional(string) cloudwatch_region = optional(string) cloudwatch_secret_access_key = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#datadog_api_key datadog_api_key = optional(string) datadog_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#elasticsearch_endpoint elasticsearch_endpoint = optional(string) elasticsearch_password = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#grafana_endpoint grafana_endpoint = optional(string) grafana_password = optional(string) grafana_user = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#http_basic_password http_basic_password = optional(string) http_basic_user = optional(string) http_bearer_token = optional(string) http_codec = optional(string) http_compression = optional(bool) http_headers = optional(map(string)) http_method = optional(string) http_payload_prefix = optional(string) http_payload_suffix = optional(string) http_uri = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#newrelic_account_id newrelic_account_id = optional(string) newrelic_license_key = optional(string) newrelic_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#splunk_hecendpoint splunk_hecendpoint = optional(string) splunk_token = optional(string) })` | `{ "cloudwatch_access_key_id": null, "cloudwatch_region": null, "cloudwatch_secret_access_key": null, "datadog_api_key": null, "datadog_region": "us1", "elasticsearch_endpoint": null, "elasticsearch_password": null, "enabled": false, "grafana_endpoint": null, "grafana_password": null, "grafana_user": null, "http_basic_password": null, "http_basic_user": null, "http_bearer_token": null, "http_codec": null, "http_compression": null, "http_headers": null, "http_method": null, "http_payload_prefix": null, "http_payload_suffix": null, "http_uri": null, "newrelic_account_id": null, "newrelic_license_key": null, "newrelic_region": null, "splunk_hecendpoint": null, "splunk_token": null }` | no |
| ip_allowlist | Allowed IPV4 address ranges (CIDRs) for inbound traffic. Each entry must be a unique CIDR. | `list(object({ address = string description = string }))` | `[]` | no |
| major_version_upgrade_config | The Major Version Upgrade configuration. Only applied on Clusters of tier `standard_`, or `plus_`. | `object({ upgrade_type = string maintenance_window_day = optional(string) maintenance_window_time = optional(string) })` | `null` | no |
| metrics_config | Complex Object for Metrics Configuration. Only applied on Clusters that are on a tier higher than `dev`. | `object({ enabled = bool # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#cloudwatch_access_key_id cloudwatch_access_key_id = optional(string) cloudwatch_region = optional(string) cloudwatch_secret_access_key = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#datadog_api_key datadog_api_key = optional(string) datadog_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#elasticsearch_endpoint elasticsearch_endpoint = optional(string) elasticsearch_password = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#grafana_endpoint grafana_endpoint = optional(string) grafana_password = optional(string) grafana_user = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#http_basic_password http_basic_password = optional(string) http_basic_user = optional(string) http_bearer_token = optional(string) http_codec = optional(string) http_compression = optional(bool) http_headers = optional(map(string)) http_method = optional(string) http_payload_prefix = optional(string) http_payload_suffix = optional(string) http_uri = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#newrelic_account_id newrelic_account_id = optional(string) newrelic_license_key = optional(string) newrelic_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#splunk_hecendpoint splunk_hecendpoint = optional(string) splunk_token = optional(string) })` | `{ "cloudwatch_access_key_id": null, "cloudwatch_region": null, "cloudwatch_secret_access_key": null, "datadog_api_key": null, "datadog_region": "us1", "elasticsearch_endpoint": null, "elasticsearch_password": null, "enabled": false, "grafana_endpoint": null, "grafana_password": null, "grafana_user": null, "http_basic_password": null, "http_basic_user": null, "http_bearer_token": null, "http_codec": null, "http_compression": null, "http_headers": null, "http_method": null, "http_payload_prefix": null, "http_payload_suffix": null, "http_uri": null, "newrelic_account_id": null, "newrelic_license_key": null, "newrelic_region": null, "splunk_hecendpoint": null, "splunk_token": null }` | no |
| min_vault_version | The minimum Vault version to use when creating the cluster. | `string` | `null` | no |
| paths_filter | The performance replication paths filter. | `list(string)` | `null` | no |
| primary_link | The `self_link` of the HCP Vault Plus tier cluster which is the primary in the performance replication setup. | `bool` | `null` | no |
| proxy_endpoint | Denotes that the cluster has a proxy endpoint. | `string` | `"DISABLED"` | no |
| public_endpoint | Denotes that the cluster has a public endpoint. | `bool` | `false` | no |
| tier | Tier of the HCP Vault cluster. | `string` | `"dev"` | no |
| timeouts | Amount of time (in minutes) that can elapse, before an operation is considered timed-out. | `object({ create = string default = string delete = string update = string })` | `{ "create": "35m", "default": "5m", "delete": "25m", "update": "35m" }` | no |
| Name | Description |
| --- | --- |
| cluster_audit_logs_url | HCP Vault Cluster Audit Logs URL. |
| cluster_metrics_url | HCP Vault Cluster Metrics URL. |
| cluster_overview_url | HCP Vault Cluster Overview URL. |
| cluster_replication_url | HCP Vault Cluster Replication URL. |
| cluster_snapshots_url | HCP Vault Cluster Snapshots URL. |
| hcp_vault_cluster | Exported Attributes for `hcp_vault_cluster.main` |
This module uses Terraform's `lifecycle` feature to prevent destruction of an HCP Vault Cluster when the corresponding Terraform module is removed.
To delete an HCP Vault Cluster, remove it from Terraform state, using the `state rm` command:
terraform state rm module.hcp_vault.hcp_vault_cluster.main
When done, manually carry out destructive lifecycle operations through the HCP Vault UI.
This module is maintained by the contributors listed on GitHub.
Licensed under the Apache License, Version 2.0 (the "License").
You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.
See the License for the specific language governing permissions and limitations under the License.