This is a simple script that installs and configures a single Vault instance together with SoftHSM2 on an Ubuntu VM.
A successful run of the script leaves you with a Vault instance that auto-unseals using keys stored in a SoftHSM2 slot.
Please do not use this for production deployments. It is for lab/testing/demonstration purposes only.
- An x86_64 Ubuntu VM (VirtualBox, AWS, gcloud, etc.); testing was done on Jammy Jellyfish. See the `tf` folder for a sandbox.
- Bash shell
- Vault Enterprise license (HSM support is only available in Vault Enterprise)
```shell
git clone https://github.com/florintp-onboarding/Vault_SoftHSM2.git
cd Vault_SoftHSM2
```
- Populate `vault_license.hclic` with your license.
```hcl
variable "region" {
  type        = string
  description = "Default Region"
  sensitive   = false
  default     = "us-east-2"
}
...
instance_type               = "t3.micro"
key_name                    = "<your_keypair>"
user_data_replace_on_change = true
...
```
```shell
terraform init
terraform apply -auto-approve
```
```text
...
Outputs:
configuration = <<EOT
###
ID of the EC2 instance: aws_instance.vault-debug.id
Public IP address of the EC2 instance: 3.136.58.221
###
export VAULT_ADDR=http://3.136.58.221:8200
# or
export VAULT_ADDR=http://ec2-3-136-58-221.us-east-2.compute.amazonaws.com:8200
vault status
###
# Bypass fingerprint verification
SSH to the EC2 instance: ssh -o "StrictHostKeyChecking=no" -i "mykey.pem" ec2-user@ec2-3-136-58-221.us-east-2.compute.amazonaws.com
GET the ROOT TOKEN: export VAULT_TOKEN=$(cat keys.json |jq -r '.root_token')
###
EOT
```
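As an added post-deploy check (example code written here, not part of the repository's script), the following Python snippet queries Vault's unauthenticated `/v1/sys/seal-status` endpoint at `VAULT_ADDR` and reports whether the node really auto-unsealed through the `pkcs11` seal that SoftHSM2 provides; the function names and the expected seal type are assumptions about what a correct lab run looks like.

```python
"""Check that the lab Vault instance initialized and auto-unsealed via the
pkcs11 (SoftHSM2) seal. Added example, not the repository's own code."""
import json
import os
import urllib.request
from urllib.parse import urlparse


def fetch_seal_status(vault_addr: str) -> dict:
    """GET $VAULT_ADDR/v1/sys/seal-status; this endpoint needs no token."""
    url = f"{vault_addr.rstrip('/')}/v1/sys/seal-status"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)


def seal_findings(status: dict, vault_addr: str) -> list[str]:
    """Return findings about the seal state; an empty list means the lab looks right."""
    findings = []
    if not status.get("initialized", False):
        findings.append("vault is not initialized; the install script should have done this")
    # With a SoftHSM2-backed seal the reported seal type is 'pkcs11', not 'shamir'.
    if status.get("type") != "pkcs11":
        findings.append(f"seal type is {status.get('type')!r}, expected 'pkcs11' (SoftHSM2 auto-unseal)")
    if status.get("sealed", True):
        findings.append("vault is still sealed: auto-unseal through SoftHSM2 did not complete")
    # The sandbox outputs use plain http://; fine for a lab, but tokens then cross the wire in clear.
    if urlparse(vault_addr).scheme != "https":
        findings.append("VAULT_ADDR uses plaintext HTTP; acceptable for this lab only")
    return findings


if __name__ == "__main__":
    addr = os.environ["VAULT_ADDR"]
    for finding in seal_findings(fetch_seal_status(addr), addr):
        print("FINDING:", finding)
```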
```shell
ssh -o "StrictHostKeyChecking=no" -i "mykey.pem" ec2-user@ec2-3-136-58-221.us-east-2.compute.amazonaws.com
```
```shell
terraform destroy -auto-approve
```