terraform-aws-vault-starter

A Terraform Module for provisioning an OSS Vault cluster (using integrated storage) as described by HashiCorp reference architecture.


Vault AWS Module

This is a Terraform module for provisioning Vault with integrated storage on AWS. By default it sets up a cluster with 5 Vault nodes (as recommended by the Vault with Integrated Storage Reference Architecture).

About This Module

This module implements the Vault with Integrated Storage Reference Architecture on AWS using the Open Source version of Vault.

This module automatically initializes the Vault cluster and places the initial root token and recovery keys in AWS Secrets Manager.

For practitioners requiring Consul as a storage backend and/or a wider variety of configurable options out of the box, please see the Terraform AWS Vault Module.

How to Use This Module

Create a Terraform configuration (main.tf) that pulls in the module and specifies values of the required variables:

provider "aws" {
  region = "<your AWS region>"
}

module "vault-oss" {
  source                = "hashicorp/vault-oss/aws"
  version               = "<module version>"
  allowed_inbound_cidrs = ["<list of inbound CIDRs>"]
  vpc_id                = "<your VPC id>"
  vault_version         = "<vault version (ex: 1.5.2)>"
  owner                 = "<owner name/tag>"
  name_prefix           = "<name prefix you would like attached to your environment>"
  key_name              = "<your SSH key name>"
  elb_internal          = false
}

  • version: The Vault AWS module version to pull (e.g. 0.2.1) during the initialization
  • allowed_inbound_cidrs: Allowed CIDR blocks for SSH and API/UI access
  • vpc_id: ID of the VPC where the cloud resources are to be provisioned (see the Notes)
  • vault_version: Desired Vault version to install
  • key_name: The name of the SSH key pairs to use. This must exist in the specified AWS region
  • elb_internal: To connect to Vault via a load balancer from outside the VPC, set this to false

Run terraform init and terraform apply to provision a Vault cluster.
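The two network-facing variables above, allowed_inbound_cidrs and elb_internal, decide who can reach SSH and the Vault API/UI, so it is worth checking them before terraform apply. The script below is an added example, not part of this module: it parses a small terraform.tfvars (the sample values are constructed and the parser only handles single-line assignments and one-line lists, which is an assumption) and flags CIDR blocks that are invalid, world-open, or broader than a configurable prefix length, and notes when the load balancer is external so the CIDR list is the only network boundary on it.

```python
"""Audit the exposure-related variables of a vault-oss terraform.tfvars."""
import ipaddress
import re

# Constructed sample input; the IDs and ranges are illustrative only.
SAMPLE_TFVARS = """
allowed_inbound_cidrs = ["0.0.0.0/0", "10.0.0.0/8", "203.0.113.0/24"]
vpc_id                = "vpc-0123456789abcdef0"
vault_version         = "1.5.2"
owner                 = "platform-team"
name_prefix           = "vault-demo"
key_name              = "vault-demo-key"
elb_internal          = false
"""

_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.+?)\s*$')
_STRING = re.compile(r'"([^"]*)"')
_SEMVER = re.compile(r'^\d+\.\d+\.\d+$')


def parse_tfvars(text):
    """Parse single-line `key = value` assignments: strings, bools, numbers
    and one-line string lists. Multi-line lists and `#` inside strings are
    not supported (assumption made to keep the parser small)."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value.startswith("["):
            result[key] = _STRING.findall(value)
        elif value in ("true", "false"):
            result[key] = value == "true"
        elif value.startswith('"'):
            result[key] = value.strip('"')
        else:
            result[key] = value
    return result


def audit_exposure(variables, min_prefix_len=16):
    """Return (severity, message) findings for the inbound CIDR list,
    load balancer placement and version string. An empty list means
    nothing was flagged."""
    findings = []
    cidrs = variables.get("allowed_inbound_cidrs", [])
    for cidr in cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            findings.append(("error", f"{cidr}: not a valid CIDR block"))
            continue
        if net.prefixlen == 0:
            findings.append(("critical",
                             f"{cidr}: SSH and Vault API/UI open to every address"))
        elif net.prefixlen < min_prefix_len:
            findings.append(("warning",
                             f"{cidr}: broader than /{min_prefix_len}; "
                             "narrow it to operator and client ranges"))
    if variables.get("elb_internal", True) is False:
        findings.append(("info",
                         "elb_internal = false: the load balancer is reachable "
                         "from outside the VPC, so allowed_inbound_cidrs is the "
                         "network boundary for the API/UI"))
    if not _SEMVER.match(str(variables.get("vault_version", ""))):
        findings.append(("error",
                         "vault_version should be an explicit release such as 1.5.2"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_exposure(parse_tfvars(SAMPLE_TFVARS)):
        print(f"[{severity}] {message}")
```

Run it against your own tfvars by replacing SAMPLE_TFVARS with the file contents; the sample above produces one critical, one warning and one info finding.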

License

This code is released under the MPL 2.0 License. Please see LICENSE for more details.

Notes

  • This module assumes you are using a default VPC and provides defaults for the variables listed below. If you are not using a default VPC, change the values of these variables to match your VPC CIDR block.

    • nat_gateway_subnet_cidr
    • lambda_primary_subnet_cidr
    • lambda_secondary_subnet_cidr
  • This module creates AWS Lambda functions and places them inside the VPC. Because of this and some VPC networking changes AWS has recently deployed, it can take up to 45 minutes to successfully delete this environment. See the following documentation for more details on this issue.