outputs.tf
150 lines (115 loc) · 5.82 KB
output "zREADME" {
  value = <<README
# ------------------------------------------------------------------------------
# ${var.name} Vault Dev Guide Setup
# ------------------------------------------------------------------------------

If you're following the "Dev Guide" with the provided defaults, Vault is
running in -dev mode and using the in-memory storage backend.

The Root token for your Vault -dev instance has been set to "root" and placed in
`/srv/vault/.vault-token`; the `VAULT_TOKEN` environment variable has already
been set by default.

  $ echo $${VAULT_TOKEN} # Vault Token being used to authenticate to Vault
  $ sudo cat /srv/vault/.vault-token # Vault Token has also been placed here

If you're using a storage backend other than in-mem (-dev mode), you will need
to initialize Vault using steps 2 & 3 below.

# ------------------------------------------------------------------------------
# ${var.name} Vault Quick Start/Best Practices Guide Setup
# ------------------------------------------------------------------------------

If you're following the "Quick Start Guide" or "Best Practices" guide, you won't
be able to start interacting with Vault from the Bastion host yet, as the Vault
server has not been initialized & unsealed. Follow the below steps to set this
up.

1.) SSH into one of the Vault servers registered with Consul; you can use the
below command to accomplish this automatically (we'll use Consul DNS moving
forward once Vault is unsealed).

  $ ssh -A ${lookup(var.users, var.os)}@$(curl http://127.0.0.1:8500/v1/agent/members | jq -M -r \
    '[.[] | select(.Name | contains ("${var.name}-vault")) | .Addr][0]')

2.) Initialize Vault

  $ vault operator init

3.) Unseal Vault using the "Unseal Keys" output from the `vault operator init`
command and check the seal status.

  $ vault operator unseal <UNSEAL_KEY_1>
  $ vault operator unseal <UNSEAL_KEY_2>
  $ vault operator unseal <UNSEAL_KEY_3>
  $ vault status

Repeat steps 1.) and 3.) to unseal the other "standby" Vault servers as well to
achieve high availability.

4.) Log out of the Vault server (ctrl+d) and check Vault's seal status from the
Bastion host to verify you can interact with the Vault cluster from the Bastion
host Vault CLI.

  $ vault status

# ------------------------------------------------------------------------------
# ${var.name} Vault Getting Started Instructions
# ------------------------------------------------------------------------------

You can interact with Vault using any of the
CLI (https://www.vaultproject.io/docs/commands/index.html) or
API (https://www.vaultproject.io/api/index.html) commands.
${__builtin_StringToFloat(replace(replace(var.vault_version, "-ent", ""), ".", "")) >= 0100 || replace(var.vault_version, "-ent", "") != var.vault_version ? format("\nVault UI: %s%s %s\n\n%s", var.use_lb_cert ? "https://" : "http://", module.vault_lb_aws.vault_lb_dns, var.public ? "(Public)" : "(Internal)", var.public ? "The Vault nodes are in a public subnet with UI & SSH access open from the\ninternet. WARNING - DO NOT DO THIS IN PRODUCTION!\n" : "The Vault node(s) are in a private subnet, UI access can only be achieved inside\nthe network through a VPN.\n") : ""}
To start interacting with Vault, set your Vault token to authenticate requests.
If using the "Vault Dev Guide", Vault is running in -dev mode & this has been set
to "root" for you. Otherwise we will use the "Initial Root Token" that was output
from the `vault operator init` command.

  $ echo $${VAULT_ADDR} # Address you will be using to interact with Vault
  $ echo $${VAULT_TOKEN} # Vault Token being used to authenticate to Vault
  $ export VAULT_TOKEN=<ROOT_TOKEN> # If Vault token has not been set

Use the CLI to write and read a generic secret.

  $ vault kv put secret/cli foo=bar
  $ vault kv get secret/cli

Use the HTTP API with Consul DNS to write and read a generic secret with
Vault's KV secret engine.
${!var.use_lb_cert ?
"If you're making HTTP API requests to Vault from the Bastion host,
the below env var has been set for you.

  $ export VAULT_ADDR=http://vault.service.vault:8200
  $ curl \\
      -H \"X-Vault-Token: $${VAULT_TOKEN}\" \\
      -X POST \\
      -d '{\"data\": {\"foo\":\"bar\"}}' \\
      $${VAULT_ADDR}/v1/secret/data/api | jq '.' # Write a KV secret
  $ curl \\
      -H \"X-Vault-Token: $${VAULT_TOKEN}\" \\
      $${VAULT_ADDR}/v1/secret/data/api | jq '.' # Read a KV secret"
:
"If you're making HTTPS API requests to Vault from the Bastion host,
the below env vars have been set for you.

  $ export VAULT_ADDR=https://vault.service.vault:8200
  $ export VAULT_CACERT=/opt/vault/tls/vault-ca.crt
  $ export VAULT_CLIENT_CERT=/opt/vault/tls/vault.crt
  $ export VAULT_CLIENT_KEY=/opt/vault/tls/vault.key
  $ curl \\
      -H \"X-Vault-Token: $VAULT_TOKEN\" \\
      -X POST \\
      -d '{\"data\": {\"foo\":\"bar\"}}' \\
      -k --cacert $${VAULT_CACERT} --cert $${VAULT_CLIENT_CERT} --key $${VAULT_CLIENT_KEY} \\
      $${VAULT_ADDR}/v1/secret/data/api | jq '.' # Write a KV secret
  $ curl \\
      -H \"X-Vault-Token: $VAULT_TOKEN\" \\
      -k --cacert $${VAULT_CACERT} --cert $${VAULT_CLIENT_CERT} --key $${VAULT_CLIENT_KEY} \\
      $${VAULT_ADDR}/v1/secret/data/api | jq '.' # Read a KV secret"
}
README
}
output "consul_sg_id" {
  value = "${module.consul_client_sg.consul_client_sg_id}"
}

output "vault_sg_id" {
  value = "${module.vault_server_sg.vault_server_sg_id}"
}

output "vault_lb_sg_id" {
  value = "${module.vault_lb_aws.vault_lb_sg_id}"
}

output "vault_tg_http_8200_arn" {
  value = "${module.vault_lb_aws.vault_tg_http_8200_arn}"
}

output "vault_tg_https_8200_arn" {
  value = "${module.vault_lb_aws.vault_tg_https_8200_arn}"
}

output "vault_lb_dns" {
  value = "${module.vault_lb_aws.vault_lb_dns}"
}

# The ASG is created conditionally; concat with an empty-string list so that
# element() still has an item to return when no ASG exists (Terraform 0.11 idiom).
output "vault_asg_id" {
  value = "${element(concat(aws_autoscaling_group.vault.*.id, list("")), 0)}"
}

# SSH username for the chosen OS image, looked up from the users map variable.
output "vault_username" {
  value = "${lookup(var.users, var.os)}"
}
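The zREADME text above walks an operator through checking seal status, entering unseal keys until the Shamir threshold is met, and then writing and reading a KV v2 secret over the HTTP API with the token in the `X-Vault-Token` header. The following Python is an added example and is not part of this Terraform module or of HashiCorp's code: it encodes the same three decisions as plain functions so they can be checked without a live cluster. The `sys/seal-status` field names (`initialized`, `sealed`, `t`, `progress`) are the ones Vault returns; the JSON samples are constructed here, not captured from a real node. The TLS helper mirrors `VAULT_CACERT`/`VAULT_CLIENT_CERT`/`VAULT_CLIENT_KEY` but deliberately has no equivalent of curl's `-k`, which the README's HTTPS lines also pass: `-k` turns certificate verification off, so with it the CA bundle given to `--cacert` is never actually checked.

```python
import json
import ssl
from typing import Any, Dict, Optional

# Constructed sample of GET /v1/sys/seal-status for a node that has accepted
# one of the three unseal keys it needs (field names as Vault returns them).
SAMPLE_SEAL_STATUS_PARTIAL = json.dumps({
    "type": "shamir", "initialized": True, "sealed": True,
    "t": 3, "n": 5, "progress": 1, "version": "1.0.0",
})

# Constructed sample for a node that is already unsealed; 'progress' is back at 0.
SAMPLE_SEAL_STATUS_UNSEALED = json.dumps({
    "type": "shamir", "initialized": True, "sealed": False,
    "t": 3, "n": 5, "progress": 0, "version": "1.0.0",
})

# Constructed sample for a node that has never seen 'vault operator init'.
SAMPLE_SEAL_STATUS_UNINITIALIZED = json.dumps({
    "type": "shamir", "initialized": False, "sealed": True,
    "t": 0, "n": 0, "progress": 0, "version": "1.0.0",
})


def unseal_keys_remaining(seal_status_json: str) -> int:
    """Return how many more unseal keys this node needs (0 if already unsealed).

    't' is the Shamir threshold chosen at 'vault operator init'; 'progress' is
    the number of keys accepted so far in the current unseal attempt.  A node
    that was never initialized cannot be unsealed at all, so that case is an
    error: step 2 of the guide ('vault operator init') has to run first.
    """
    status = json.loads(seal_status_json)
    if not status.get("initialized", False):
        raise RuntimeError("node not initialized; run 'vault operator init' first")
    if not status.get("sealed", True):
        return 0
    return max(int(status["t"]) - int(status["progress"]), 0)


def build_kv_request(vault_addr: str, token: str, path: str,
                     data: Optional[Dict[str, Any]] = None,
                     mount: str = "secret") -> Dict[str, Any]:
    """Describe the HTTP request for a KV v2 write (POST) or read (GET).

    KV v2 wraps the secret in a top-level "data" object and serves it from
    <mount>/data/<path>, which is exactly what the README's curl lines do.
    The token travels only in the X-Vault-Token header, never in the URL,
    so it does not end up in access logs or shell history via the URL.
    """
    url = f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"
    headers = {"X-Vault-Token": token}
    if data is None:
        return {"method": "GET", "url": url, "headers": headers, "body": None}
    headers["Content-Type"] = "application/json"
    return {"method": "POST", "url": url, "headers": headers,
            "body": json.dumps({"data": data})}


def tls_context(cacert: Optional[str] = None, client_cert: Optional[str] = None,
                client_key: Optional[str] = None) -> ssl.SSLContext:
    """Build an SSL context equivalent to curl's --cacert/--cert/--key.

    create_default_context() keeps CERT_REQUIRED and hostname checking on;
    there is intentionally no switch to disable verification.
    """
    ctx = ssl.create_default_context(cafile=cacert)
    if client_cert:
        # Client certificate for mutual TLS, as VAULT_CLIENT_CERT/KEY configure.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def tls_verification_enabled(ctx: ssl.SSLContext) -> bool:
    """True when the context will reject an unverifiable server certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("keys still needed:", unseal_keys_remaining(SAMPLE_SEAL_STATUS_PARTIAL))
    print(build_kv_request("http://vault.service.vault:8200", "root", "api", {"foo": "bar"}))
    print("verification on:", tls_verification_enabled(tls_context()))
```

To use it against a real cluster, fetch `GET $VAULT_ADDR/v1/sys/seal-status` (no token required), feed the body to `unseal_keys_remaining`, and loop `vault operator unseal` on each standby node until it returns 0, which is the automated form of steps 3 and 4 above.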