This folder shows an example of how to use the install-vault module from this Module and the install-consul and install-dnsmasq or the setup-systemd-resolved modules from the Consul AWS Module with Packer to create Amazon Machine Images (AMIs) that have Vault and Consul installed on top of:
- Ubuntu 18.04
- Ubuntu 16.04
- Amazon Linux 2
You can use this AMI to deploy a Vault cluster by using the vault-cluster module. This Vault cluster will use Consul as its storage backend, so you can also use the same AMI to deploy a separate Consul server cluster by using the consul-cluster module.
Check out the vault-cluster-private and the root example examples for working sample code. For more info on Vault installation and configuration, check out the install-vault documentation.
To build the Vault and Consul AMI:

1. `git clone` this repo to your computer.
2. Install Packer.
3. Configure your AWS credentials using one of the options supported by the AWS SDK. Usually, the easiest option is to set the `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` environment variables.
4. Use the private-tls-cert module to generate a CA cert and public and private keys for a TLS cert:
   - Set the `dns_names` parameter to `vault.service.consul`. If you're using the root example and want a public domain name (e.g. `vault.example.com`), add that domain name here too.
   - Set the `ip_addresses` to `127.0.0.1`.
   - For production usage, you should take care to protect the private key by encrypting it (see Using TLS certs for more info).
5. Update the `variables` section of the `vault-consul.json` Packer template to specify the AWS region, Vault version, Consul version, and the paths to the TLS cert files you just generated. If you want to install Consul Enterprise or Vault Enterprise, skip the version variables and instead set `consul_download_url` and `vault_download_url` to the full URLs that point to the respective Enterprise zipped packages.
6. Run `packer build vault-consul.json`.
When the build finishes, it will output the IDs of the new AMIs. To see how to deploy one of these AMIs, check out the vault-cluster-private and the root example examples.
NOTE: This Packer template will build two versions of the AMI: an Ubuntu version and an Amazon Linux 2 version. You can restrict Packer to building only one of them with the `-only` CLI arg. For example, to build only the Amazon Linux 2 AMI, run `packer build -only amazon-linux-2-ami vault-consul.json`. Use `ubuntu16-ami` for the Ubuntu AMI.
When creating your own Packer template for production usage, you can copy the example in this folder more or less exactly, except for one change: we recommend replacing the `file` provisioner with a call to `git clone` in the `shell` provisioner. Instead of:

```json
{
  "provisioners": [{
    "type": "file",
    "source": "{{template_dir}}/../../../terraform-aws-vault",
    "destination": "/tmp"
  },{
    "type": "shell",
    "inline": [
      "/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}"
    ],
    "pause_before": "30s"
  }]
}
```

Your code should look more like this:

```json
{
  "provisioners": [{
    "type": "shell",
    "inline": [
      "git clone --branch <MODULE_VERSION> https://github.com/hashicorp/terraform-aws-vault.git /tmp/terraform-aws-vault",
      "/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}"
    ],
    "pause_before": "30s"
  }]
}
```

You should replace `<MODULE_VERSION>` in the code above with the version of this module that you want to use (see the Releases Page for all available versions). That's because for production usage, you should always use a fixed, known version of this Module, downloaded from the official Git repo. On the other hand, when you're just experimenting with the Module, it's OK to use a local checkout of the Module, uploaded from your own computer.
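The two rules above (pin the version of Vault and Consul in `variables`, and clone a fixed release of this Module from the official repo instead of uploading a local checkout) are easy to check mechanically before a production build. The following script is an added example, not part of this repo or the Packer template; it lints a Packer JSON template for exactly those points. The variable names `consul_version` and `aws_region`, the release tag `v1.2.3` and the Vault/Consul version numbers in the sample templates are constructed for the example, while `vault_version`, `consul_download_url`, `vault_download_url` and the repo URL come from this README.

```python
import json
import re

# Official source of this Module, as given in the README's recommended provisioner.
OFFICIAL_REPO = "https://github.com/hashicorp/terraform-aws-vault"
# Refs that do not identify a fixed, known version of the Module.
UNPINNED_REFS = {"master", "main", "HEAD", "<MODULE_VERSION>"}


def lint_packer_template(template_json):
    """Return a list of findings for a Packer JSON template; empty means production-ready."""
    template = json.loads(template_json)
    findings = []

    # Either explicit versions (open source) or explicit download URLs (Enterprise)
    # must be set, so the build does not silently pick up "latest".
    variables = template.get("variables", {})
    versions_set = all(variables.get(k) for k in ("vault_version", "consul_version"))
    urls_set = all(variables.get(k) for k in ("vault_download_url", "consul_download_url"))
    if not (versions_set or urls_set):
        findings.append("variables: set vault_version and consul_version, "
                        "or both *_download_url values for Enterprise packages")

    for index, prov in enumerate(template.get("provisioners", [])):
        ptype = prov.get("type")
        # A file provisioner bakes whatever is on the build machine into the AMI;
        # the README reserves that for experimenting, not production.
        if ptype == "file":
            findings.append(f"provisioner {index}: file provisioner uploads a local "
                            f"checkout from {prov.get('source')!r}; clone a pinned release instead")
            continue
        if ptype != "shell":
            continue
        for cmd in prov.get("inline", []):
            if "git clone" not in cmd:
                continue
            match = re.search(r"(?:--branch|-b)\s+(\S+)\s+(\S+)", cmd)
            if not match:
                findings.append(f"provisioner {index}: git clone without --branch: {cmd!r}")
                continue
            ref, url = match.groups()
            if ref in UNPINNED_REFS:
                findings.append(f"provisioner {index}: git clone ref {ref!r} is not a fixed release")
            if url.removesuffix(".git") != OFFICIAL_REPO:
                findings.append(f"provisioner {index}: git clone from {url!r}, expected {OFFICIAL_REPO}")
    return findings


# Constructed sample templates in the shape of vault-consul.json described above.
PRODUCTION_TEMPLATE = json.dumps({
    "variables": {
        "aws_region": "us-east-1",          # assumed variable name
        "vault_version": "1.6.1",           # constructed sample value
        "consul_version": "1.9.2",          # assumed variable name, constructed value
        "vault_download_url": "",
        "consul_download_url": "",
    },
    "provisioners": [{
        "type": "shell",
        "inline": [
            # v1.2.3 stands in for a real tag from the Releases Page.
            "git clone --branch v1.2.3 https://github.com/hashicorp/terraform-aws-vault.git /tmp/terraform-aws-vault",
            "/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}",
        ],
        "pause_before": "30s",
    }],
})

# The experimentation layout from this README: local checkout plus the untouched placeholder.
DEV_TEMPLATE = json.dumps({
    "variables": {"vault_version": "1.6.1"},
    "provisioners": [{
        "type": "file",
        "source": "{{template_dir}}/../../../terraform-aws-vault",
        "destination": "/tmp",
    }, {
        "type": "shell",
        "inline": [
            "git clone --branch <MODULE_VERSION> https://github.com/hashicorp/terraform-aws-vault.git /tmp/terraform-aws-vault",
            "/tmp/terraform-aws-vault/modules/install-vault/install-vault --version {{user `vault_version`}}",
        ],
        "pause_before": "30s",
    }],
})

if __name__ == "__main__":
    for name, tpl in (("production", PRODUCTION_TEMPLATE), ("dev", DEV_TEMPLATE)):
        print(f"{name}: {lint_packer_template(tpl) or 'OK'}")
```

Run it against your own template with `lint_packer_template(open("vault-consul.json").read())` before `packer build`; the dev-style template produces three findings (missing Consul version, local `file` upload, unreplaced `<MODULE_VERSION>`), while the pinned template produces none.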