HashiCorp Vault

Deploy a Vault cluster. Supports automatic bootstrapping, Consul and S3 backends, self-signed TLS certificates, and auto healing.

Vault and Consul AMI

This folder shows an example of how to use the install-vault module from this Module, together with the install-consul module and either the install-dnsmasq or the setup-systemd-resolved module from the Consul AWS Module, with Packer to create Amazon Machine Images (AMIs) that have Vault and Consul installed on top of:

  1. Ubuntu 18.04
  2. Ubuntu 16.04
  3. Amazon Linux 2

You can use this AMI to deploy a Vault cluster by using the vault-cluster module. This Vault cluster will use Consul as its storage backend, so you can also use the same AMI to deploy a separate Consul server cluster by using the consul-cluster module.

Check out the vault-cluster-private and root-example examples for working sample code. For more info on Vault installation and configuration, check out the install-vault documentation.

Quick start

To build the Vault and Consul AMI:

  1. git clone this repo to your computer.

  2. Install Packer.

  3. Configure your AWS credentials using one of the options supported by the AWS SDK. Usually, the easiest option is to set the AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY environment variables.

  4. Use the private-tls-cert module to generate a CA certificate and a public/private key pair for a TLS certificate:

    1. Set the dns_names parameter to vault.service.consul. If you're using the root example and want a public domain name (e.g. vault.example.com), add that domain name here too.
    2. Set the ip_addresses to 127.0.0.1.
    3. For production usage, you should take care to protect the private key by encrypting it (see Using TLS certs for more info).

  5. Update the variables section of the vault-consul.json Packer template to specify the AWS region, the Vault version, the Consul version, and the paths to the TLS cert files you just generated. If you want to install Consul Enterprise or Vault Enterprise, skip the version variables and instead set consul_download_url and vault_download_url to the full URLs of the respective Enterprise zip packages.

  6. Run packer build vault-consul.json.

When the build finishes, it will output the IDs of the new AMIs. To see how to deploy one of these AMIs, check out the vault-cluster-private and root-example examples.

NOTE: This Packer template will build two versions of the AMI: an Ubuntu version and an Amazon Linux 2 version. You can restrict Packer to building only one of them with the -only CLI flag. For example, to build only the Amazon Linux 2 AMI, run packer build -only amazon-linux-2-ami vault-consul.json. Use ubuntu16-ami as the parameter for the Ubuntu AMI.

Creating your own Packer template for production usage

When creating your own Packer template for production usage, you can copy the example in this folder more or less exactly, except for one change: we recommend replacing the file provisioner with a call to git clone in the shell provisioner. Instead of:

{
  "provisioners": [{
    "type": "file",
    "source": "{{template_dir}}/../../../terraform-aws-vault",
    "destination": "/tmp"
  },{
    "type": "shell",
    "inline": [
      "/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}"
    ],
    "pause_before": "30s"
  }]
}

Your code should look more like this:

{
  "provisioners": [{
    "type": "shell",
    "inline": [
      "git clone --branch <MODULE_VERSION> https://github.com/hashicorp/terraform-aws-vault.git /tmp/terraform-aws-vault",
      "/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}"
    ],
    "pause_before": "30s"
  }]
}

Replace <MODULE_VERSION> in the code above with the version of this Module that you want to use (see the Releases Page for all available versions). For production usage you should always use a fixed, known version of this Module, downloaded from the official Git repo; a local checkout uploaded from your own computer is fine only while you are experimenting with the Module.
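As an added example (not part of this Module's code or the original README), a Python check that enforces the production guidance above on a vault-consul.json template, the file you edit in step 5 of the quick start: it flags a file provisioner that uploads a local checkout via {{template_dir}}, a clone from anywhere other than the official repo, and a clone not pinned to a vMAJOR.MINOR.PATCH tag (so an unreplaced <MODULE_VERSION> fails). The sample templates and the v0.0.1 tag are constructed for this example and are not real releases.

```python
import json
import re
import shlex

# README guidance: production templates clone a fixed, known version of the module from the
# official repo instead of uploading a local checkout with a file provisioner.
OFFICIAL_REPO = "https://github.com/hashicorp/terraform-aws-vault.git"
RELEASE_TAG = re.compile(r"^v\d+\.\d+\.\d+$")  # e.g. v1.2.3; "<MODULE_VERSION>" does not match


def check_clone(cmd: str) -> list:
    """Findings for one inline shell command that runs git clone."""
    argv = shlex.split(cmd)
    findings = []
    repo = next((a for a in argv if a.endswith(".git")), None)
    if repo != OFFICIAL_REPO:
        findings.append(f"clone is not from the official repo: {repo}")
    if "--branch" in argv:
        idx = argv.index("--branch") + 1
        ref = argv[idx] if idx < len(argv) else ""
        if not RELEASE_TAG.match(ref):
            findings.append(f"clone is not pinned to a release tag: {ref}")
    else:
        findings.append("clone has no --branch, so it tracks the default branch")
    return findings


def check_provisioners(template: dict) -> list:
    """Findings for a parsed Packer JSON template; an empty list means it follows the guidance."""
    findings = []
    for i, prov in enumerate(template.get("provisioners", [])):
        if prov.get("type") == "file" and "{{template_dir}}" in prov.get("source", ""):
            findings.append(f"provisioner {i}: uploads a local checkout from {prov['source']}")
        if prov.get("type") == "shell":
            for cmd in prov.get("inline", []):
                if "git clone" in cmd:
                    findings += [f"provisioner {i}: {f}" for f in check_clone(cmd)]
    return findings


# Constructed sample: the README's "before" template, which uploads a local checkout.
LOCAL_CHECKOUT = json.loads('{"provisioners": [{"type": "file", "source": "{{template_dir}}/../../../terraform-aws-vault",'
                            ' "destination": "/tmp"}, {"type": "shell", "inline": ["/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}"]}]}')
# Constructed sample: the "after" template with the <MODULE_VERSION> placeholder left unreplaced.
UNPINNED = {"provisioners": [{"type": "shell", "inline": [
    "git clone --branch <MODULE_VERSION> https://github.com/hashicorp/terraform-aws-vault.git /tmp/terraform-aws-vault"]}]}
# Constructed sample: pinned to a release tag (v0.0.1 is a placeholder tag, not a real release).
PINNED = {"provisioners": [{"type": "shell", "inline": [
    "git clone --branch v0.0.1 https://github.com/hashicorp/terraform-aws-vault.git /tmp/terraform-aws-vault"]}]}

if __name__ == "__main__":
    for name, tpl in [("local checkout", LOCAL_CHECKOUT), ("unpinned", UNPINNED), ("pinned", PINNED)]:
        print(f"{name}: {check_provisioners(tpl) or 'OK'}")
```

To check a real template, load it with json.load from the vault-consul.json path and pass the result to check_provisioners.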
