Repo Browser: HashiCorp Vault
HashiCorp Vault Deploy a Vault cluster. Supports automatic bootstrapping, Consul and S3 backends, self-signed TLS certificates, and auto healing.
Vault AWS Module
This repo contains a set of modules in the modules folder for deploying a Vault cluster on AWS using Terraform. Vault is an open source tool for managing secrets. By default, this Module uses Consul as a storage backend. You can optionally add an S3 backend for durability.
This Module includes:
install-vault: This module can be used to install Vault. It can be used in a Packer template to create a Vault Amazon Machine Image (AMI).
run-vault: This module can be used to configure and run Vault. It can be used in a User Data script to fire up Vault while the server is booting.
vault-cluster: Terraform code to deploy a cluster of Vault servers using an Auto Scaling Group.
vault-elb: Configures an Elastic Load Balancer (ELB) in front of Vault if you need to access it from the public Internet.
private-tls-cert: Generate a private TLS certificate for use with a private Vault cluster.
update-certificate-store: Add a trusted CA public key to an OS's certificate store. This allows you to establish TLS connections to services that use TLS certs signed by this CA without getting x509 certificate errors.
How do you use this Module?
This repo has the following structure:
modules: This folder contains several standalone, reusable, production-grade modules that you can use to deploy Vault.
examples: This folder shows examples of different ways to combine the modules in the modules folder to deploy Vault.
test: Automated tests for the modules and examples.
root folder: The root folder is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. The Terraform Registry requires the root of every repo to contain Terraform code, so we've put one of the examples there. This example is great for learning and experimenting, but for production use, please use the underlying modules in the modules folder directly.
To deploy Vault to production with this repo, you will need to deploy two separate clusters: one to run Consul servers (which Vault uses as a storage backend) and one to run Vault servers.
To deploy the Consul server cluster, use the Consul AWS Module.
To deploy the Vault cluster:
1. Create an AMI that has Vault installed (using the install-vault module) and the Consul agent installed (using the install-consul module). Here is an example Packer template.
If you are just experimenting with this Module, you may find it more convenient to use one of our official public AMIs:
Latest Ubuntu 16 AMIs.
Latest Amazon Linux 2 AMIs.
WARNING! Do NOT use these AMIs in your production setup. In production, you should build your own AMIs in your own AWS account.
2. Deploy that AMI across an Auto Scaling Group in a private subnet using the Terraform vault-cluster module.
3. Execute the run-consul script with the --client flag during boot on each Instance to have the Consul agent connect to the Consul server cluster.
4. Execute the run-vault script during boot on each Instance to create the Vault cluster.
5. If you only need to access Vault from inside your AWS account (recommended), run the install-dnsmasq module on each server, or setup-systemd-resolved in the case of Ubuntu 18.04, and that server will be able to reach Vault using the Consul Server cluster as the DNS resolver (e.g. using an address like vault.service.consul). See the vault-cluster-private example for working sample code.
6. If you need to access Vault from the public Internet, deploy the vault-elb module in a public subnet and have all requests to Vault go through the ELB. See the main.tf in the root folder of this repo for working sample code.
7. Head over to the How do you use the Vault cluster? guide to learn how to initialize, unseal, and use Vault.
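The procedure above wired together as one Terraform configuration, added here as an example and not taken from this README or the repo's own main.tf: a private Vault cluster built from your own AMI (step 1), deployed with the vault-cluster module (step 2), with a User Data script that runs run-consul --client and then run-vault (steps 3 and 4). The module source path, the module input names (cluster_name, ami_id, user_data, subnet_ids, allowed_inbound_cidr_blocks and the rest), the run-consul and run-vault flags, the Consul cluster tag and the TLS file paths inside the AMI are assumptions to check against the modules' variables.tf and scripts.

```hcl
# Added example, not the repo's own main.tf. Input names, flags and paths are
# assumptions; verify them against modules/vault-cluster/variables.tf and the
# run-consul / run-vault scripts before use.

terraform {
  required_version = ">= 0.12"
}

provider "aws" {
  region = var.aws_region
}

variable "aws_region" {
  type    = string
  default = "us-east-1"
}

# Step 1: an AMI you built yourself with the example Packer template.
# Never point this at one of the public "experimenting" AMIs in production.
variable "vault_ami_id" {
  description = "ID of an AMI built from examples/vault-consul-ami"
  type        = string
}

variable "vpc_id" {
  type = string
}

# Private subnets only: the Vault nodes get no public IP and are reached from
# inside the VPC through Consul DNS (vault.service.consul).
variable "private_subnet_ids" {
  type = list(string)
}

variable "vpc_cidr" {
  type = string
}

# The Consul server cluster is deployed separately with the Consul AWS Module;
# Consul agents discover it through this EC2 tag (assumed key and value).
variable "consul_cluster_tag_key" {
  type    = string
  default = "consul-servers"
}

variable "consul_cluster_tag_value" {
  type    = string
  default = "consul-prod"
}

# Steps 3 and 4: boot script that joins the Consul cluster as a client and
# then starts Vault with the TLS cert and key baked into the AMI (assumed paths).
locals {
  vault_user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    /opt/consul/bin/run-consul --client \
      --cluster-tag-key "${var.consul_cluster_tag_key}" \
      --cluster-tag-value "${var.consul_cluster_tag_value}"
    /opt/vault/bin/run-vault \
      --tls-cert-file /opt/vault/tls/vault.crt.pem \
      --tls-key-file /opt/vault/tls/vault.key.pem
  EOF
}

# Step 2: an Auto Scaling Group of Vault servers in the private subnets.
module "vault_cluster" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=v0.13.10"

  cluster_name  = "vault-prod"
  cluster_size  = 3
  instance_type = "t3.small"
  ami_id        = var.vault_ami_id
  user_data     = local.vault_user_data

  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  # Only hosts inside the VPC may reach the Vault API and cluster ports, and no
  # CIDR at all is allowed to SSH in; reach the nodes through your bastion or
  # session tooling instead.
  allowed_inbound_cidr_blocks = [var.vpc_cidr]
  allowed_ssh_cidr_blocks     = []

  # The optional S3 durability backend from the README stays off here.
  enable_s3_backend = false
}

output "vault_asg_name" {
  value = module.vault_cluster.asg_name
}
```

Step 5 (install-dnsmasq or setup-systemd-resolved) belongs in the Packer build of the AMI, not in User Data, which is why it does not appear in the boot script.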
What's a Module?
A Module is a canonical, reusable, best-practices definition for how to run a single piece of infrastructure, such as a database or server cluster. Each Module is created primarily using Terraform, includes automated tests, examples, and documentation, and is maintained both by the open source community and companies that provide commercial support.
Instead of having to figure out the details of how to run a piece of infrastructure from scratch, you can reuse existing code that has been proven in production. And instead of maintaining all that infrastructure code yourself, you can leverage the work of the Module community and maintainers, and pick up infrastructure improvements through a version number bump.
Who maintains this Module?
This Module is maintained by Gruntwork. If you're looking for help or commercial support, send an email to modules@gruntwork.io.
Gruntwork can help with:
Setup, customization, and support for this Module.
Modules for other types of infrastructure, such as VPCs, Docker clusters, databases, and continuous integration.
Modules that meet compliance requirements, such as HIPAA.
Consulting & Training on AWS, Terraform, and DevOps.
How do I contribute to this Module?
Contributions are very welcome! Check out the Contribution Guidelines for instructions.
How is this Module versioned?
This Module follows the principles of Semantic Versioning. You can find each new release, along with the changelog, in the Releases Page.
During initial development, the major version will be 0 (e.g., 0.x.y), which indicates the code does not yet have a stable API. Once we hit 1.0.0, we will make every effort to maintain a backwards compatible API and use the MAJOR, MINOR, and PATCH versions on each release to indicate any incompatibilities.
License
This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.
Copyright © 2020 Gruntwork, Inc.