Feature/ddb backend #77
Conversation
| @@ -35,7 +35,10 @@ function print_usage { | |||
| echo -e " --skip-vault-config\tIf this flag is set, don't generate a Vault configuration file. Optional. Default is false." | |||
| echo -e " --enable-s3-backend\tIf this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. Default is false." | |||
| echo -e " --s3-bucket\tSpecifies the S3 bucket to use to store Vault data. Only used if '--enable-s3-backend' is set." | |||
| echo -e " --s3-bucket-region\tSpecifies the AWS region where `--s3-bucket` lives. Only used if `--enable-s3-backend` is set." | |||
There was a problem hiding this comment.
backticks were previously used causing this function to behave unexpectedly. Replaced with single quotes per all other items in the list.
There was a problem hiding this comment.
Whoops! Good fix, thanks!
| local readonly config_path="$config_dir/$VAULT_CONFIG_FILE" | ||
|
|
||
| local instance_ip_address | ||
| instance_ip_address=$(get_instance_ip_address) | ||
|
|
||
| log_info "Creating default Vault config file in $config_path" | ||
| local readonly listener_config=$(cat <<EOF | ||
| ui = true |
There was a problem hiding this comment.
Thx! We should probably make this configurable though with a --disable-ui flag for those that want to leave it off.
| @@ -194,15 +194,46 @@ resource "aws_s3_bucket" "vault_storage" { | |||
| } | |||
| } | |||
|
|
|||
| resource "aws_dynamodb_table" "vault_dynamo" { | |||
There was a problem hiding this comment.
Default dynamo table with small read/write capacity. Anything beyond (autoscaled, global tables) would need to be added or used in client code.
There was a problem hiding this comment.
This is a fantastic PR, thank you! We were just talking about adding DynamoDB as a backend, so this is great timing.
I've made some detailed code comments below. One high level comment: we should add an automated test for this and make sure all existing tests pass. See the test folder for details.
| This example creates a Vault cluster spread across the subnets in the default VPC of the AWS account. For an example of a Vault cluster | ||
| that is publicly accessible, see [vault-cluster-public](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-public). | ||
|
|
||
| ![Vault architecture]() |
There was a problem hiding this comment.
I'm not 100% certain where to get a documentation template for Cloudcraft that includes the Hashicorp custom images. If you could point me in the right direction that would be great.
There was a problem hiding this comment.
@brikis98 Do you have a template used for previous diagrams?
There was a problem hiding this comment.
Yes, I do. I created the diagrams with CloudCraft. Let me know if these shared links work for you:
https://cloudcraft.co/view/9cf13b28-3c9b-47a6-b8f5-79b4f4be97e6?key=H-BXpuoP1I7hyjLm4LcO-Q
https://cloudcraft.co/view/8607afd0-2993-4dd9-87b4-1ada2790b3d6?key=Xlcx8IEgf9A_jBiCBf0sFA
examples/vault-ddb-backend/README.md
Outdated
| To deploy a Vault Cluster: | ||
|
|
||
| 1. `git clone` this repo to your computer. | ||
| 1. Optional: build a Vault and Consul AMI. See the [vault-consul-ami |
There was a problem hiding this comment.
Optional: build a Vault AMI. See the [vault-consul-ami example](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami) documentation for instructions on how to build an AMI that has both Vault and Consul installed (note that for this example, you'll only need Vault, but having both won't hurt anything).
examples/vault-ddb-backend/main.tf
Outdated
| # --------------------------------------------------------------------------------------------------------------------- | ||
| # DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS | ||
| # This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul, | ||
| # running in a separate cluster, as its storage backend. |
| user_data = "${data.template_file.user_data_vault_cluster.rendered}" | ||
|
|
||
| enable_dynamo_backend = true | ||
| dynamo_table_name = "${var.dynamo_table_name}" |
examples/vault-ddb-backend/main.tf
Outdated
| aws_region = "${data.aws_region.current.name}" | ||
| s3_bucket_name = "${var.s3_bucket_name}" | ||
| consul_cluster_tag_key = "${var.consul_cluster_tag_key}" | ||
| consul_cluster_tag_value = "${var.consul_cluster_name}" |
There was a problem hiding this comment.
I assume these Consul and S3 params are no longer necessary, either as input variables, or to pass to User Data?
There was a problem hiding this comment.
Ahh yes. Removing these and adding the Dynamo table variable.
modules/run-vault/run-vault
Outdated
| local readonly consul_storage=$(cat <<EOF | ||
|
|
||
| if [[ "$enable_dynamo" == "true" ]]; then | ||
| consul_storage="" |
There was a problem hiding this comment.
Please declare local consul_storage and local vault_storage up above this if/else block. That way, both default to empty strings, and only one gets set to a proper value.
modules/run-vault/run-vault
Outdated
| local readonly enable_s3_backend="" | ||
| local readonly s3_bucket="" | ||
| local readonly s3_bucket_region="" | ||
| fi |
There was a problem hiding this comment.
I find changing the list of input params a bit confusing. I'd recommend making this a single list:
local readonly enable_s3_backend="$8"
local readonly s3_bucket="$9"
local readonly s3_bucket_region="${10}"
local readonly enable_dynamo="${11}"
local readonly dynamo_region="${12}"
local readonly dynamo_table="${13}"The run method should pass all these params, setting them to true, false, empty strings, or proper values, depending on what the user passed in.
There was a problem hiding this comment.
I agree, however, by default the vault config generation just adds the S3 params at the end (no harm if they are empty). I can add extra vault config generation logic (at the bottom) if you'd rather see this as a list.
There was a problem hiding this comment.
Changed it back to a list and updated logic at the bottom (vault generation script) to match
modules/vault-cluster/main.tf
Outdated
| } | ||
|
|
||
| tags { | ||
| Description = "Used for HA storage with Vault." |
There was a problem hiding this comment.
I believe we already take in a list of custom tags; we should use it here.
There was a problem hiding this comment.
Added Name tag. Didn't see any other list of tags anywhere.
modules/vault-cluster/outputs.tf
Outdated
|
|
||
| output "dynamo_table_arn" { | ||
| value = "${aws_dynamodb_table.vault_dynamo.arn}" |
There was a problem hiding this comment.
This won't work, as aws_dynamodb_table might not be created. Instead, use:
value = "${element(concat(aws_dynamodb_table.vault_dynamo.*.arn, list("")), 0)}"
modules/vault-cluster/variables.tf
Outdated
|
|
||
| variable "dynamo_write_capacity" { | ||
| description = "Sets the DynamoDB write capacity for storage backend" | ||
| default = "5" |
There was a problem hiding this comment.
Should these be numbers (i.e., not wrapped in quotes)?
There was a problem hiding this comment.
They can be but don't have to be. Changed them for consistency. Typically as tf only has 3 types of variables, I wrap all 'string' variables in double quotes for consistency. But I see this isn't done in this module.
…ic at bottom to check for s3, dynamo, or else
|
I'm merely a novice when it comes to software development. I'll do my best to look over the tests and see what I can come up with in the meantime. |
Well, learning automated testing is a very valuable skill, and we're happy to help :) There's lots of examples already in the repo, so you should be able to follow their structure. The first step, of course, is to test everything manually and make sure it works! Once it works manually, automate those steps as shown in the existing tests in the |
modules/run-vault/run-vault
Outdated
| if [[ "$enable_dynamo" == "true" ]]; then | ||
| consul_storage="" | ||
| vault_storage=$(cat <<EOF | ||
| storage "dynamodb" { |
There was a problem hiding this comment.
In order to have both dynamodb and s3 backend we would need to be able to make that block similar to how its handled for consul. Currently what I have adjusted on my end, and is working so far with manual testing:
local consul_storage_type="storage"
local dynamodb_storage_type="storage"
local s3_config=""
local consul_storage=""
local vault_storage=""
if [[ "$enable_s3_backend" == "true" ]]; then
s3_config=$(cat <<EOF
storage "s3" {
bucket = "$s3_bucket"
region = "$s3_bucket_region"
}\n
EOF
)
consul_storage_type="ha_storage"
dynamodb_storage_type="ha_storage"
fi
if [[ "$enable_dynamo_backend" == "true" ]]; then
vault_storage=$(cat <<EOF
$dynamodb_storage_type "dynamodb" {
ha_enabled = "true"
region = "$dynamo_region"
table = "$dynamo_table"
}
# HA settings
cluster_addr = "https://$instance_ip_address:$cluster_port"
api_addr = "$api_addr"
EOF
)
|
Hello, I'm checking here and it seems to be awesome and very useful, that would be sad to have this getting stale ;) |
@jp I ended up going back a different direction (Consul) due to certain encryption specifics. This module with DynamoDB was in use and functioning, I just never wrote the testing pieces for it to be merged. I haven't really had the time to do so. You're more than welcome to update the testing functionality and/or update the functionality to resolve the conflicts into the master branch if you'd like. |
|
@brikis98 can someone at Hashicorp take a look at this to take it over the finish line? |
* Backticks causing unexpected behavior * Removes backticks in favor of single quote to match other items in the list * Credit to @BonzTM in hashicorp#77 for initially finding/fixing; isolated to get fix merged
|
It's a great PR, someone is looking at this? 😄 |
|
This PR needed rebase to resolve conflicts with master, I've made them and it's working great, do you guys want to go ahead with this? If so I can send an updated PR. Best |
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes 0 out of 2 committers have signed the CLA.
Joshua Wells seems not to be a GitHub user. Have you signed the CLA already but the status is still pending? Recheck it. |
Issue: #76
ifstatement to check if supervisor is already installed and to skip (for airgapped installations that have no outbound access).print_usagefunction causing it to bomb out.