# Google provider, configured from a service-account key file on disk.
# `file()` reads the key at plan/apply time, so keep that file out of version
# control; the key material itself is not written into this configuration.
provider "google" {
  project = var.gcloud-project
  region  = var.gcloud-region

  # Path to the JSON key for the account Terraform itself runs as.
  credentials = file(var.account_file_path)
}
# Identity the Vault VM runs as. It carries no project-level roles here; its
# only grant is the key-ring binding declared further down in this file.
resource "google_service_account" "vault_kms_service_account" {
  display_name = "Vault KMS for auto-unseal"
  account_id   = "vault-gcpkms"
}
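# Single Vault node, installed and initialised by its startup script, sealed
# with the Cloud KMS key managed below.
resource "google_compute_instance" "vault" {
  name         = "vault-node1"
  machine_type = "n1-standard-1"
  zone         = var.gcloud-zone

  # The startup script points the gcpckms seal at the key ring / crypto key by
  # variable name and immediately runs `vault operator init`, but nothing in it
  # references the KMS resources themselves. Without an explicit dependency the
  # VM can boot before the key or the IAM grant on it exists, and the seal
  # fails to initialise.
  depends_on = [
    google_kms_crypto_key.crypto_key,
    google_kms_key_ring_iam_binding.vault_iam_kms_binding,
  ]

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-11"
    }
  }

  # Local SSD disk
  scratch_disk {
    interface = "SCSI"
  }

  network_interface {
    network = "default"
    access_config {
      # Ephemeral IP
    }
  }

  allow_stopping_for_update = true

  # Service account with Cloud KMS roles for the Compute Instance.
  # `cloud-platform` already covers every API the account's IAM roles allow,
  # so the remaining scopes add nothing; effective access is bounded by the
  # roles bound to the service account, not by this list.
  service_account {
    email  = google_service_account.vault_kms_service_account.email
    scopes = ["cloud-platform", "compute-rw", "userinfo-email", "storage-ro"]
  }

  # `<<-` strips the common indentation, so the script is delivered unindented.
  # Terraform only expands `${...}` here; `$MAINPID` and the `\n` sequences pass
  # through untouched and are interpreted by systemd / `echo -e` respectively.
  metadata_startup_script = <<-SCRIPT
    #!/bin/bash
    # GCE runs startup scripts as root, which is the only reason the
    # `sudo echo ... > file` lines work: the redirection is performed by the
    # invoking shell, not under sudo.
    sudo apt-get update
    sudo apt-get install -y unzip libtool libltdl-dev postgresql postgresql-contrib telnet netcat
    # The archive is downloaded over TLS but its checksum is never verified;
    # pin var.vault_url to a release artifact and compare the zip against the
    # published SHA256SUMS before trusting the binary.
    curl -s -L -o ~/vault.zip ${var.vault_url}
    sudo unzip ~/vault.zip
    sudo install -c -m 0755 vault /usr/bin
    sudo mkdir -p /test/vault
    sudo echo -e '[Unit]\nDescription="HashiCorp Vault - A tool for managing secrets"\nDocumentation=https://www.vaultproject.io/docs/\nRequires=network-online.target\nAfter=network-online.target\n\n[Service]\nExecStart=/usr/bin/vault server -config=/test/vault/config.hcl\nExecReload=/bin/kill -HUP $MAINPID\nKillMode=process\nKillSignal=SIGINT\nRestart=on-failure\nRestartSec=5\n\n[Install]\nWantedBy=multi-user.target\n' > /lib/systemd/system/vault.service
    # The listener is loopback-only with TLS off and mlock disabled. That is
    # tolerable for a single-node lab box; do not widen `address` without
    # enabling TLS, and note Vault only recommends disable_mlock together with
    # Integrated Storage, not the "file" backend used here.
    sudo echo -e 'storage "file" {\n path = "/opt/vault"\n}\n\nlistener "tcp" {\n address = "127.0.0.1:8200"\n tls_disable = 1\n}\n\nseal "gcpckms" {\n project = "${var.gcloud-project}"\n region = "${var.keyring_location}"\n key_ring = "${var.key_ring}"\n crypto_key = "${var.crypto_key}"\n}\n\ndisable_mlock = true\n' > /test/vault/config.hcl
    sudo chmod 0664 /lib/systemd/system/vault.service
    sudo echo -e 'alias v="vault"\nalias vault="vault"\nexport VAULT_ADDR="http://127.0.0.1:8200"\n' > /etc/profile.d/vault.sh
    source /etc/profile.d/vault.sh
    # listen_addresses = '*' makes PostgreSQL accept connections on every
    # interface; access is then gated only by pg_hba.conf and the VPC firewall.
    # (The original line carried an unbalanced double quote after '*', which
    # swallowed the following commands into one string literal.)
    sudo echo -e "\n#Added using Terraform\nlisten_addresses = '*'\n" >> /etc/postgresql/*/main/postgresql.conf
    sudo systemctl enable vault
    sudo systemctl start vault
    sudo systemctl enable postgresql
    sudo systemctl start postgresql
    # `operator init` prints the recovery keys and the initial root token in
    # plaintext. Keep the file root-only and treat the root token as
    # bootstrap-only: revoke it once a real auth method is configured.
    sudo VAULT_ADDR="http://127.0.0.1:8200" vault operator init > /root/init_keys.txt
    sudo chmod 0600 /root/init_keys.txt
  SCRIPT
}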
# Project the Vault VM was created in.
output "project" {
  description = "GCP project hosting the Vault instance"
  value       = google_compute_instance.vault.project
}
# Instance name, as set on the resource above.
output "nodename" {
  description = "Name of the Vault compute instance"
  value       = google_compute_instance.vault.name
}
# Zone the instance landed in (from var.gcloud-zone).
output "zone" {
  description = "Zone of the Vault compute instance"
  value       = google_compute_instance.vault.zone
}
# Fully-qualified resource URL of the instance; despite the output name this is
# the self_link, not the numeric instance id.
output "vault_server_instance_id" {
  description = "self_link of the Vault compute instance"
  value       = google_compute_instance.vault.self_link
}
# Create a KMS key ring
# Key ring that holds the Vault seal key. Cloud KMS key rings cannot be
# deleted; destroying this resource only drops it from Terraform state.
# The file already uses first-class references (e.g. var.gcloud-zone), so the
# legacy "${...}" wrapping is unnecessary.
resource "google_kms_key_ring" "key_ring" {
  name     = var.key_ring
  location = var.keyring_location
  project  = var.gcloud-project
}
# Create a crypto key for the key ring
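# Symmetric key used by Vault's gcpckms seal. Rotation only adds a new primary
# version; earlier versions must stay enabled because data sealed under them
# can only be unsealed with them.
resource "google_kms_crypto_key" "crypto_key" {
  name            = var.crypto_key
  key_ring        = google_kms_key_ring.key_ring.id
  rotation_period = "100000s"

  # Destroying this resource destroys every key version, after which nothing
  # the Vault node has stored can ever be unsealed. Refuse at plan time rather
  # than find out after `terraform destroy`; remove the guard deliberately if
  # the whole lab is being torn down.
  lifecycle {
    prevent_destroy = true
  }
}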
# Add the service account to the Keyring
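# Grant the Vault service account what the gcpckms seal needs on the key ring:
# encrypt/decrypt with the key versions plus read access to the key metadata.
# `roles/owner` was far broader than that and would let a compromised node
# manage every key and IAM policy on the ring.
#
# `*_iam_binding` is authoritative for its role: any other principal holding
# this role on the key ring is removed on apply. Keep that in mind if the ring
# is shared.
resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
  key_ring_id = google_kms_key_ring.key_ring.id
  role        = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  members = [
    "serviceAccount:${google_service_account.vault_kms_service_account.email}",
  ]
}

# Read-only metadata access (cryptoKeys.get and friends) for the same account.
# Non-authoritative `_iam_member` so it coexists with other viewers.
resource "google_kms_key_ring_iam_member" "vault_iam_kms_viewer" {
  key_ring_id = google_kms_key_ring.key_ring.id
  role        = "roles/cloudkms.viewer"
  member      = "serviceAccount:${google_service_account.vault_kms_service_account.email}"
}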