This folder contains a script for installing Vault and its dependencies. You can use this script, along with the
run-vault script it installs, to create a Vault Amazon Machine Image (AMI) that can be deployed in AWS across an
Auto Scaling Group using the vault-cluster module.
This script has been tested on the following operating systems:
Ubuntu 16.04
Ubuntu 18.04
Amazon Linux 2
There is a good chance it will work on other flavors of Debian, CentOS, and RHEL as well.
Quick start
To install Vault, use git to clone this repository at a specific tag (see the releases page
for all available tags) and run the install-vault script:
The install-vault script will install Vault, its dependencies, and the run-vault script.
You can then run the run-vault script when the server is booting to start Vault.
Creates an OS user named vault. Creates the following folders, all owned by user vault:
/opt/vault: base directory for Vault data (configurable via the --path argument).
/opt/vault/bin: directory for Vault binaries.
/opt/vault/data: directory where the Vault agent can store state.
/opt/vault/config: directory where the Vault agent looks up configuration.
/opt/vault/log: directory where the Vault agent will store log files.
/opt/vault/tls: directory where Vault will look for TLS certs.
Installs Vault binaries and scripts
Installs the following:
vault: Either downloads the Vault zip file from the downloads page (the version number is configurable via the
--version argument), or a package hosted at a specific URL configurable with --download-url (useful for installing
Vault Enterprise, for example), and extracts the vault binary into /opt/vault/bin. Adds a symlink to the vault
binary in /usr/local/bin.
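A post-install check for the directory layout and symlink described above, as an added example that is not part of the project's scripts: it confirms each directory exists, is owned by the expected user and is not world-writable, and that the /usr/local/bin symlink resolves to the installed binary. The function names are hypothetical, the world-writable and symlink-target checks go beyond what this README states, and GNU stat and readlink are assumed.

```shell
#!/bin/sh
# Added example (not the project's code): audits the layout that install-vault
# is described as creating. Assumes GNU stat/readlink (Ubuntu, Amazon Linux 2).

# audit_vault_dirs BASE OWNER  (hypothetical helper)
# Prints one line per finding; returns the number of findings (0 = clean).
audit_vault_dirs() {
  local base="$1" owner="$2" findings=0 sub dir actual mode
  for sub in "" bin data config log tls; do
    dir="$base${sub:+/$sub}"
    if [ -L "$dir" ]; then
      echo "SYMLINK  $dir is a symlink, expected a real directory"
      findings=$((findings + 1)); continue
    fi
    if [ ! -d "$dir" ]; then
      echo "MISSING  $dir"
      findings=$((findings + 1)); continue
    fi
    actual="$(stat -c '%U' "$dir")"
    if [ "$actual" != "$owner" ]; then
      echo "OWNER    $dir is owned by $actual, expected $owner"
      findings=$((findings + 1))
    fi
    # The last octal digit is the "other" class; 2, 3, 6 and 7 include write.
    mode="$(stat -c '%a' "$dir")"
    case "$mode" in
      *[2367])
        echo "MODE     $dir is world-writable (mode $mode)"
        findings=$((findings + 1)) ;;
    esac
  done
  return "$findings"
}

# check_vault_symlink LINK BINARY  (hypothetical helper)
# Returns 0 only if LINK is a symlink that resolves to BINARY.
check_vault_symlink() {
  local link="$1" binary="$2" resolved
  if [ ! -L "$link" ]; then
    echo "LINK     $link is not a symlink"
    return 1
  fi
  resolved="$(readlink -f "$link")"
  if [ "$resolved" != "$(readlink -f "$binary")" ]; then
    echo "LINK     $link resolves to $resolved, expected $binary"
    return 1
  fi
  return 0
}

# Script use, with the defaults from this README:
#   sh audit-vault-install.sh /opt/vault vault
if [ "$#" -eq 2 ]; then
  status=0
  audit_vault_dirs "$1" "$2" || status=1
  check_vault_symlink /usr/local/bin/vault "$1/bin/vault" || status=1
  exit "$status"
fi
```

Run it as the last provisioning step of the image build so a non-zero exit stops the AMI from being published.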
Gives Vault permissions to make the mlock (memory lock) syscall. This syscall is used to prevent the OS from swapping
Vault's memory to disk. For more info, see: https://www.vaultproject.io/docs/configuration/#disable_mlock.
Follow-up tasks
After the install-vault script finishes running, you may wish to do the following:
If you have custom Vault config (.hcl) files, you may want to copy them into the config directory (default:
/opt/vault/config).
If /usr/local/bin isn't already part of PATH, you should add it so you can run the vault command without
specifying the full path.
Dependencies
The install script assumes that systemd is already installed. We use it as a cross-platform supervisor to ensure Vault is started
whenever the system boots and restarted if the Vault process crashes. Additionally, it is used to store all logs which can be accessed
using journalctl.
Why use Git to install this code?
We needed an easy way to install these scripts that satisfied a number of requirements, including working on a variety
of operating systems and supporting versioning. Our current solution is to use git, but this may change in the future.
See Package Managers for a full discussion of the requirements, trade-offs, and why we picked git.