This folder contains a Terraform module that can be used to deploy an Elastic Load
Balancer (ELB) in front of the Vault cluster
from the vault-cluster module. This is useful if you need to access Vault from the public
Internet. Note that for most users, we recommend NOT making Vault accessible from the public Internet and using
DNS to access your Vault cluster instead (see the install-dnsmasq
module or setup-systemd-resolved
in the case of Ubuntu 18.04 for details).
How do you use this module?
This folder defines a Terraform module, which you can use in your
code by adding a module configuration and setting its source parameter to the URL of this folder:
module "vault_elb" {
  # Use version v0.0.1 of the vault-elb module
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-elb?ref=v0.0.1"

  vault_asg_name = "${module.vault_cluster.asg_name}"

  # ... See variables.tf for the other parameters you must define for the vault-elb module
}

# Configure the Vault cluster to use the ELB
module "vault_cluster" {
  # Use version v0.0.1 of the vault-cluster module
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=v0.0.1"

  # ... (other params omitted) ...
}
Note the following parameters:
source: Use this parameter to specify the URL of the vault-elb module. The double slash (//) is intentional
and required. Terraform uses it to specify subfolders within a Git repo (see module
sources). The ref parameter specifies a specific Git tag in
this repo. That way, instead of using the latest version of this module from the master branch, which
will change every time you run Terraform, you're using a fixed version of the repo.
vault_asg_name: Setting this parameter to the name of the Autoscaling group created by the
vault-cluster module
tells it to register each server with the ELB when it is booting.
You can find the other parameters in variables.tf.
Check out the root example for working sample code.
How is the ELB configured?
The ELB in this module is configured as follows:
TCP Passthrough: The ELB does NOT attempt to terminate SSL, as your Vault servers should do that themselves.
This ensures that all Vault information is encrypted end-to-end, with no middle man (including AWS) able to read
the contents. It also allows your Vault servers to do mutual TLS
authentication so that Vault clients verify the server's
certificate and the Vault server verifies the client's certificate.
Listeners: The ELB only listens on one port (default: 443) and forwards the requests to Vault's API port
(default: 8200).
Health Check: The ELB uses the /sys/health endpoint on
your Vault servers, with the standbyok flag set to true, as a health check endpoint. This way, the ELB will see
any primary or standby Vault node that is unsealed as healthy and route traffic to it.
DNS: If you set the create_dns_entry variable to true, this module will create a DNS A Record in Route
53 that points your specified domain_name at the ELB. This allows you to use
this domain name to access the ELB. Note that the TLS certificate you use with Vault should be configured with this
same domain name!
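The four points above, expressed as plain Terraform resources. This is an added sketch in Terraform 0.12+ syntax, not the module's own main.tf. The resource names, every variable except vault_asg_name and domain_name, the health-check timings, and the use of aws_autoscaling_attachment to register the servers are all assumptions made for illustration.

```hcl
# Illustrative sketch only; names and timings are assumptions, not the module's code.
variable "vault_asg_name" { type = string }
variable "subnet_ids" { type = list(string) }
variable "elb_security_group_id" { type = string }
variable "hosted_zone_id" { type = string }
variable "domain_name" { type = string } # e.g. vault.example.com (placeholder)

resource "aws_elb" "vault" {
  name            = "vault-example"
  subnets         = var.subnet_ids
  security_groups = [var.elb_security_group_id]

  # TCP passthrough: bytes arriving on 443 are forwarded unmodified to Vault's
  # API port, so the TLS session is between the client and Vault itself.
  listener {
    lb_port           = 443
    lb_protocol       = "tcp"
    instance_port     = 8200
    instance_protocol = "tcp"
  }

  # The setting this design avoids: terminating TLS on the ELB. With a listener
  # like the one below, the ELB decrypts the traffic and Vault never receives
  # the client certificate, so mutual TLS at Vault stops working.
  #
  # listener {
  #   lb_port            = 443
  #   lb_protocol        = "https"
  #   ssl_certificate_id = "<certificate ARN placeholder>"
  #   instance_port      = 8200
  #   instance_protocol  = "https"
  # }

  health_check {
    # A Classic ELB treats only HTTP 200 as healthy. Without standbyok=true an
    # unsealed standby answers 429 and would be taken out of service; a sealed
    # node answers 503 and an uninitialized node 501 either way.
    target              = "HTTPS:8200/v1/sys/health?standbyok=true"
    interval            = 15
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}

# Register every instance of the Vault Auto Scaling group with the ELB.
resource "aws_autoscaling_attachment" "vault" {
  autoscaling_group_name = var.vault_asg_name
  elb                    = aws_elb.vault.id
}

# Alias A record pointing domain_name at the ELB. Because TLS is passed
# through, clients validate Vault's own certificate against this name, so the
# certificate must list it as a subject alternative name.
resource "aws_route53_record" "vault" {
  zone_id = var.hosted_zone_id
  name    = var.domain_name
  type    = "A"

  alias {
    name                   = aws_elb.vault.dns_name
    zone_id                = aws_elb.vault.zone_id
    evaluate_target_health = true
  }
}
```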