Terraform Module: HashiCorp Vault

This Terraform module provisions HashiCorp Vault with Consul Backend into an existing VPC including an ELB with optionally a public Route53 DNS name fronting the Vault cluster.

Usage example

module "aws_vault" {
  source  = "github.com/Flaconi/terraform-aws-vault?ref=v2.1.0"

  # Placement
  vpc_id             = "vpc-1234"
  public_subnet_ids  = ["subnet-4321", "subnet-9876"]
  private_subnet_ids = ["subnet-1234", "subnet-5678"]

  # Resource Naming/Tagging
  name                = "vault"
  consul_cluster_name = "my-consul"
  vault_cluster_name  = "my-vault"

  # Security
  ssh_keys                 = ["ssh-ed25519 AAAAC3Nznte5aaCdi1a1Lzaai/tX6Mc2E+S6g3lrClL09iBZ5cW2OZdSIqomcMko 2 mysshkey"]
  ssh_security_group_id    = "sg-0c12345678"
  vault_ingress_cidr_https = ["0.0.0.0/0"]
}

Examples

• Custom VPC with HashiCorp Vault

Providers

Name	Version
aws	>= 5

Requirements

Name	Version
terraform	>= 1.0
aws	>= 5

Required Inputs

The following input variables are required:

vpc_id

Description: The VPC ID into which you want to provision Vault.

Type: string

public_subnet_ids

Description: A list of public subnet IDs into which the Vault ELB will be provisioned.

Type: list(string)

private_subnet_ids

Description: A list of private subnet IDs into which Vault and Consul will be provisioned.

Type: list(string)

ssh_security_group_id

Description: Security group ID of a bastion (or other EC2 instance) from which you will be allowed to ssh into Vault and Consul.

Type: string

ssl_certificate_id

Description: ARN of the certificate to be used for the Vault endpoint ELB

Type: string

Optional Inputs

The following input variables are optional (have default values):

name

Description: The name(-prefix) tag to apply to all AWS resources

Type: string

Default: "vault"

tags

Description: A map of additional tags to apply to all AWS resources

Type: map(string)

Default: {}

consul_cluster_name

Description: What to name the Consul server cluster and all of its associated resources

Type: string

Default: "vault-consul"

vault_cluster_name

Description: What to name the Vault server cluster and all of its associated resources

Type: string

Default: "vault-vault"

vault_route53_public_dns_name

Description: The Route53 public DNS name for the vault ELB. If not set, no Route53 record will be created.

Type: string

Default: ""

vault_route53_private_dns_name

Description: The Route53 private DNS name for the vault ELB. If not set, no Route53 record will be created.

Type: string

Default: ""

ssh_user

Description: User name used for SSH-connections.

Type: string

Default: "ubuntu"

ssh_keys

Description: A list of public ssh keys to add to authorized_keys files.

Type: list(string)

Default: []

consul_instance_type

Description: The type of EC2 Instance to run in the Consul ASG

Type: string

Default: "t3.micro"

vault_instance_type

Description: The type of EC2 Instance to run in the Vault ASG

Type: string

Default: "t3.micro"

consul_cluster_size

Description: The number of Consul server nodes to deploy. We strongly recommend using 3 or 5.

Type: number

Default: 3

vault_cluster_size

Description: The number of Vault server nodes to deploy. We strongly recommend using 3 or 5.

Type: number

Default: 3

vault_ingress_cidr

Description: CIDR's from which you are allowed to https access the vault cluster.

Type: string

Default: "0.0.0.0/0"

security_group_names

Description: List of one or more security groups to be added to the load balancer

Type: list(string)

Default: []

enable_s3_backend

Description: Whether to configure an S3 storage backend in the same region in addition to Consul.

Type: bool

Default: false

s3_bucket_name

Description: The name of the S3 bucket in the same region to use as a storage backend. Only used if 'enable_s3_backend' is set to true.

Type: string

Default: ""

enable_s3_backend_encryption

Description: Whether to configure the S3 storage backend to be encrypted with a KMS key.

Type: bool

Default: false

kms_alias_name

Description: The name of the KMS key that is used for S3 storage backend encryption.

Type: string

Default: ""

ami_id

Description: ID of the AMI to be used for the Consul and Vault instances.

Type: string

Default: null

Outputs

Name	Description
alb_fqdn_vault	The AWS provided CNAME of the Vault ALB.
alb_route53_public_dns_name_vault	The Route53 name attached to the Vault ALB, if specified in variables.
asg_name_consul_cluster	Autoscaling group name of the Consul cluster.
asg_name_vault_cluster	Autoscaling group name of the Vault cluster.
aws_region	Used AWS region.
iam_role_arn_consul_cluster	IAM role ARN attached to the Consul cluster.
iam_role_arn_vault_cluster	IAM role ARN attached to the Vault cluster.
iam_role_id_consul_cluster	IAM role ID attached to the Consul cluster.
iam_role_id_vault_cluster	IAM role ID attached to the Vault cluster.
launch_template_name_consul_cluster	Launch template name of the Consul cluster.
launch_template_name_vault_cluster	Launch template name of the Vault cluster.
security_group_id_consul_cluster	Security group ID of the Consul cluster to attach to other security group rules.
security_group_id_vault_cluster	Security group ID of the Vault cluster to attach to other security group rules.

License

Apache 2.0

Copyright (c) 2018-2021 Flaconi GmbH