From d6f5711a27719de7e513679e7033cc80b83133e3 Mon Sep 17 00:00:00 2001 From: Joshua D Wells Date: Thu, 5 Jul 2018 09:59:56 -0400 Subject: [PATCH 01/26] added checking for supervisor existence before installing --- modules/install-vault/install-vault | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/modules/install-vault/install-vault b/modules/install-vault/install-vault index 2a05e1ae..abf34598 100755 --- a/modules/install-vault/install-vault +++ b/modules/install-vault/install-vault @@ -102,6 +102,8 @@ function two_way_symlink() { # Install steps are based on: http://stackoverflow.com/a/31576473/483528 function install_supervisord_amazon_linux { + if [[ ! $(pip list |grep supervisor) ]]; then + sudo pip install supervisor # On Amazon Linux, /usr/local/bin is not in PATH for the root user, so we add symlinks to /usr/bin, which is in PATH @@ -115,6 +117,7 @@ function install_supervisord_amazon_linux { create_supervisor_config sudo chkconfig --add supervisor sudo chkconfig supervisor on + fi } function create_supervisor_config { @@ -159,7 +162,7 @@ function create_vault_user { echo "User $username already exists. Will not create again." else log_info "Creating user named $username" - sudo useradd --system "$username" + sudo useradd "$username" fi } From 6544406c33ac3da37fefe8889e08d08d82719330 Mon Sep 17 00:00:00 2001 From: Joshua D Wells Date: Thu, 5 Jul 2018 10:00:18 -0400 Subject: [PATCH 02/26] added dynamo flags and logic to use either s3 or dynamo --- modules/run-vault/run-vault | 75 ++++++++++++++++++++++++++++++++++--- 1 file changed, 69 insertions(+), 6 deletions(-) diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault index e2097d04..4db1e664 100755 --- a/modules/run-vault/run-vault +++ b/modules/run-vault/run-vault 
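Review bot: The new guard wraps not only `sudo pip install supervisor` but also the symlink creation, `create_supervisor_config` and both `chkconfig` calls, so on an image that already ships the supervisor package none of the configuration runs and the service is never enabled; only the install step should sit inside the condition. The test itself is loose: `[[ ! $(pip list |grep supervisor) ]]` is an unquoted substring match that also fires on any package whose name merely contains the word, whereas `if ! pip show supervisor >/dev/null 2>&1; then` is exact and quiet. Separately, `sudo pip install supervisor` fetches an unpinned release from PyPI as root at install time; pinning it (`sudo pip install "supervisor==<version>"`) keeps the image build reproducible and reviewable. The function body continues outside the hunk.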
@@ -35,7 +35,10 @@ function print_usage { echo -e " --skip-vault-config\tIf this flag is set, don't generate a Vault configuration file. Optional. Default is false." echo -e " --enable-s3-backend\tIf this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. Default is false." echo -e " --s3-bucket\tSpecifies the S3 bucket to use to store Vault data. Only used if '--enable-s3-backend' is set." - echo -e " --s3-bucket-region\tSpecifies the AWS region where `--s3-bucket` lives. Only used if `--enable-s3-backend` is set." + echo -e " --s3-bucket-region\tSpecifies the AWS region where '--s3-bucket' lives. Only used if '--enable-s3-backend' is set." + echo -e " --enable-dynamo\tIf this flag is set, DynamoDB will be enabled as the backend storage (HA)" + echo -e " --dynamo-region\tSpecifies the AWS region where --dynamo-table lives. Only used if '--enable-dynamo is on'" + echo -e " --dynamo--table\tSpecifies the DynamoDB table to use for HA Storage. Only used if '--enable-dynamo is on'" echo echo "Examples:" echo @@ -112,9 +115,25 @@ function generate_vault_config { local readonly api_addr="$5" local readonly config_dir="$6" local readonly user="$7" - local readonly enable_s3_backend="$8" - local readonly s3_bucket="$9" - local readonly s3_bucket_region="${10}" + + if [[ "$enable_s3_backend" == "true" ]]; then + local readonly enable_s3_backend="$8" + local readonly s3_bucket="$9" + local readonly s3_bucket_region="${10}" + local readonly enable_dynamo="" + local readonly dynamo_region="" + local readonly dynamo_table="" + fi + + if [[ "$enable_dynamo" == "true" ]]; then + local readonly enable_dynamo="$8" + local readonly dynamo_region="$9" + local readonly dynamo_table="${10}" + local readonly enable_s3_backend="" + local readonly s3_bucket="" + local readonly s3_bucket_region="" + fi + local readonly config_path="$config_dir/$VAULT_CONFIG_FILE" local instance_ip_address 
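Review bot: The usage line `--dynamo--table` does not match the option the parser accepts (`--dynamo-table`, in the new case arm further down), so a user copying the help text gets an unrecognised-argument error; change it to `echo -e "  --dynamo-table\tSpecifies the DynamoDB table to use for HA Storage. Only used if '--enable-dynamo' is set."`. The two new dynamo lines also misplace the quotes (`'--enable-dynamo is on'`), unlike the s3 lines directly above them. In the second hunk, `generate_vault_config` tests `$enable_s3_backend` and `$enable_dynamo` before it assigns them, so it only works by reading the caller's variables through bash's dynamic scoping rather than the arguments it was handed; that function continues outside the hunk.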
@@ -122,6 +141,8 @@ function generate_vault_config { log_info "Creating default Vault config file in $config_path" local readonly listener_config=$(cat <> "$config_path" echo -e "$s3_config" >> "$config_path" echo -e "$consul_storage" >> "$config_path" + echo -e "$vault_storage" >> "$config_path" chown "$user:$user" "$config_path" } @@ -215,6 +257,9 @@ function run { local enable_s3_backend="false" local s3_bucket="" local s3_bucket_region="" + local enable_dynamo="false" + local dynamo_region="" + local dynamo_table="" local all_args=() while [[ $# > 0 ]]; do @@ -283,6 +328,17 @@ function run { s3_bucket_region="$2" shift ;; + --enable-dynamo) + enable_dynamo="true" + ;; + --dynamo-region) + dynamo_region="$2" + shift + ;; + --dynamo-table) + dynamo_table="$2" + shift + ;; --help) print_usage exit @@ -305,6 +361,11 @@ function run { assert_not_empty "--s3-bucket-region" "$s3_bucket_region" fi + if [[ "$enable_dynamo" == "true" ]]; then + assert_not_empty "--dynamo-table" "$dynamo_table" + assert_not_empty "--dynamo-region" "$dynamo_region" + fi + assert_is_installed "supervisorctl" assert_is_installed "aws" assert_is_installed "curl" @@ -336,8 +397,10 @@ function run { if [[ "$skip_vault_config" == "true" ]]; then log_info "The --skip-vault-config flag is set, so will not generate a default Vault config file." - else + elif [[ "$enable_s3_backend" == "true" ]]; then generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" + elif [[ "$enable_dynamo" == "true" ]]; then + generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_dynamo" "$dynamo_region" "$dynamo_table" fi generate_supervisor_config "$SUPERVISOR_CONFIG_PATH" "$config_dir" "$bin_dir" "$log_dir" "$log_level" "$user" From a8e6b72d1bfbee8894a3d5930a1b52e98cd6eef1 Mon Sep 17 00:00:00 2001 
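Review bot: Nothing rejects `--enable-s3-backend` and `--enable-dynamo` being passed together, even though the README change in this series describes them as mutually exclusive; with both set, the `elif` chain at the bottom silently takes whichever branch comes first and the other backend's flags are dropped. Add a check next to the new `assert_not_empty` calls, e.g. `if [[ "$enable_s3_backend" == "true" && "$enable_dynamo" == "true" ]]; then echo "ERROR: --enable-s3-backend and --enable-dynamo cannot be used together" >&2; exit 1; fi`. The `run` function starts and ends outside these hunks.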
From: Joshua D Wells
Date: Thu, 5 Jul 2018 10:05:24 -0400
Subject: [PATCH 03/26] correct useradd with --system flag

---
 modules/install-vault/install-vault | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/install-vault/install-vault b/modules/install-vault/install-vault
index abf34598..9f8bc38f 100755
--- a/modules/install-vault/install-vault
+++ b/modules/install-vault/install-vault
@@ -162,7 +162,7 @@ function create_vault_user {
     echo "User $username already exists. Will not create again."
   else
     log_info "Creating user named $username"
-    sudo useradd "$username"
+    sudo useradd --system "$username"
   fi
 }
 
From 6cd9bfaa1b9a8f321ba31dcb68616935e6142c27 Mon Sep 17 00:00:00 2001
From: Joshua D Wells
Date: Thu, 5 Jul 2018 10:09:05 -0400
Subject: [PATCH 04/26] updated dynamo checking for config generation

---
 modules/run-vault/run-vault | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault
index 4db1e664..03945ba7 100755
--- a/modules/run-vault/run-vault
+++ b/modules/run-vault/run-vault
@@ -397,10 +397,10 @@ function run { if [[ "$skip_vault_config" == "true" ]]; then log_info "The --skip-vault-config flag is set, so will not generate a default Vault config file." - elif [[ "$enable_s3_backend" == "true" ]]; then - generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" elif [[ "$enable_dynamo" == "true" ]]; then - generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_dynamo" "$dynamo_region" "$dynamo_table" + generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_dynamo" "$dynamo_region" "$dynamo_table" + else + generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" fi generate_supervisor_config "$SUPERVISOR_CONFIG_PATH" "$config_dir" "$bin_dir" "$log_dir" "$log_level" "$user" From fdc8facd825b2afd3242002d834250e81c6db8ce Mon Sep 17 00:00:00 2001 From: Joshua D Wells Date: Thu, 5 Jul 2018 10:23:31 -0400 Subject: [PATCH 05/26] add dynamo documentation --- modules/run-vault/README.md | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/modules/run-vault/README.md b/modules/run-vault/README.md index 97f03d04..3232242d 100644 --- a/modules/run-vault/README.md +++ b/modules/run-vault/README.md 
@@ -63,9 +63,12 @@ The `run-vault` script accepts the following arguments: * `user` (optional): The user to run Vault as. Default is to use the owner of `config-dir`. * `skip-vault-config` (optional): If this flag is set, don't generate a Vault configuration file. This is useful if you have a custom configuration file and don't want to use any of of the default settings from `run-vault`. -* `--enable-s3-backend` (optional): If this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. +* `--enable-s3-backend` (optional): Cannot be set with `--enable-dynamo`. If this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. * `--s3-bucket` (optional): Specifies the S3 bucket to use to store Vault data. Only used if `--enable-s3-backend` is set. * `--s3-bucket-region` (optional): Specifies the AWS region where `--s3-bucket` lives. Only used if `--enable-s3-backend` is set. +* `--enable-dynamo` (optional): Cannot be set with `--enable-s3-backend`. If this flag is set, a DynamoDB backend will be enabled. Consul will __NOT__ be enabled as a backend. +* `--dynamo-table` (optional): Specifies the DynamoDB table to use to store Vault data. Only used if `--enable-dynamo` is set. +* `--dynamo-region` (optional): Specifies the AWS region where `--dynamo-table` lives. Only used if `--enable-dynamo` is set. Example: 
@@ -73,12 +76,17 @@ Example: /opt/vault/bin/run-vault --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem ``` -Or if you want to enable an S3 backend: +If you want to enable an S3 backend: ``` /opt/vault/bin/run-vault --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem --enable-s3-backend --s3-bucket my-vault-bucket --s3-bucket-region us-east-1 ``` +OR if you want to enable DynamoDB backend: + +``` +/opt/vault/bin/run-vault --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem --enable-dynamo --dynamo-table my-dynamo-table --dynamo-region us-east-1 +``` ## Vault configuration @@ -134,6 +142,14 @@ available. * [region](https://www.vaultproject.io/docs/configuration/storage/s3.html#region): Set to the `--s3-bucket-region` parameter. +* [storage](https://www.vaultproject.io/docs/configuration/index.html#storage): Set the `--enable-dynamo` flag to + configure DynamoDB as the main (HA) storage backend for Vault: + + * [table](https://www.vaultproject.io/docs/configuration/storage/dynamodb.html#table): Set to the `--dynamo-table` + parameter. + * [region](https://www.vaultproject.io/docs/configuration/storage/dynamodb.html#region): Set to the `--dynamo-region` + parameter. + ### Overriding the configuration To override the default configuration, simply put your own configuration file in the Vault config folder (default: From 6d308d209fcaad80b01e3f16536bb2005e3f5adb Mon Sep 17 00:00:00 2001 From: Joshua D Wells Date: Thu, 5 Jul 2018 13:21:27 -0400 Subject: [PATCH 06/26] tf fmt only --- modules/vault-elb/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/vault-elb/main.tf b/modules/vault-elb/main.tf index 1d6b39aa..502acc45 100644 --- a/modules/vault-elb/main.tf +++ b/modules/vault-elb/main.tf 
@@ -19,8 +19,8 @@ resource "aws_elb" "vault" {
   connection_draining = "${var.connection_draining}"
   connection_draining_timeout = "${var.connection_draining_timeout}"
 
-  security_groups = ["${aws_security_group.vault.id}"]
-  subnets = ["${var.subnet_ids}"]
+  security_groups = ["${aws_security_group.vault.id}"]
+  subnets = ["${var.subnet_ids}"]
 
   # Run the ELB in TCP passthrough mode
   listener {

From 966df0ad3dada19041f619331d3df9a89037f31f Mon Sep 17 00:00:00 2001
From: Joshua D Wells
Date: Thu, 5 Jul 2018 13:21:57 -0400
Subject: [PATCH 07/26] adding standard dynamo table and policy to iam role

---
 modules/vault-cluster/main.tf | 46 ++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
index 2c4b698f..4c873764 100644
--- a/modules/vault-cluster/main.tf
+++ b/modules/vault-cluster/main.tf
@@ -194,6 +194,29 @@ resource "aws_s3_bucket" "vault_storage" {
   }
 }
 
+resource "aws_dynamodb_table" "vault_dynamo" {
+  count = "${var.enable_dynamo_backend ? 1 : 0}"
+  name = "${var.dynamo_table_name}"
+  hash_key = "Path"
+  range_key = "Key"
+  read_capacity = "${var.dynamo_read_capacity}" #Defaults to 5
+  write_capacity = "${var.dynamo_write_capacity}" #Defaults to 5
+
+  attribute {
+    name = "Path"
+    type = "S"
+  }
+
+  attribute {
+    name = "Key"
+    type = "S"
+  }
+
+  tags {
+    Description = "Used for HA storage with Vault."
+  }
+}
+
 resource "aws_iam_role_policy" "vault_s3" {
   count = "${var.enable_s3_backend ? 1 : 0}"
   name = "vault_s3"
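Review bot: The new `aws_dynamodb_table` has no `server_side_encryption` or `point_in_time_recovery` block, so the table backing Vault's storage is created with the provider defaults for both; Vault encrypts its barrier data before writing, but encryption at rest under a key you control and PITR are the usual baseline for a secret store's table and cost nothing here. Add `server_side_encryption { enabled = true }` and `point_in_time_recovery { enabled = true }` to the resource, assuming the AWS provider version in use supports them. The table name is also taken straight from `var.dynamo_table_name`, whose default elsewhere in this series is an empty string, with nothing asserting it is set when `enable_dynamo_backend` is true.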
@@ -201,8 +224,16 @@ resource "aws_iam_role_policy" "vault_s3" {
   policy = "${element(concat(data.aws_iam_policy_document.vault_s3.*.json, list("")), 0)}"
 }
 
+resource "aws_iam_role_policy" "vault_dynamo" {
+  count = "${var.enable_dynamo_backend ? 1 : 0}"
+  name = "vault_dynamo"
+  role = "${aws_iam_role.instance_role.id}"
+  policy = "${element(concat(data.aws_iam_policy_document.vault_dynamo.*.json, list("")), 0)}"
+}
+
 data "aws_iam_policy_document" "vault_s3" {
-  count = "${var.enable_s3_backend ? 1 : 0}"
+  count = "${var.enable_s3_backend ? 1 : 0}"
+
   statement {
     effect = "Allow"
     actions = ["s3:*"]
@@ -213,3 +244,16 @@ data "aws_iam_policy_document" "vault_s3" {
     ]
   }
 }
+
+data "aws_iam_policy_document" "vault_dynamo" {
+  count = "${var.enable_dynamo_backend ? 1 : 0}"
+
+  statement {
+    effect = "Allow"
+    actions = ["dynamodb:*"]
+
+    resources = [
+      "${aws_dynamodb_table.vault_dynamo.arn}",
+    ]
+  }
+}

From 36a74d7efb8c5fb859d54b51c2393e9f1b4ff47f Mon Sep 17 00:00:00 2001
From: Joshua D Wells
Date: Thu, 5 Jul 2018 13:22:11 -0400
Subject: [PATCH 08/26] adding dynamo arn output

---
 modules/vault-cluster/outputs.tf | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/vault-cluster/outputs.tf b/modules/vault-cluster/outputs.tf
index 1acf4b26..e4740b00 100644
--- a/modules/vault-cluster/outputs.tf
+++ b/modules/vault-cluster/outputs.tf
@@ -32,4 +32,8 @@ output "security_group_id" {
 
 output "s3_bucket_arn" {
   value = "${join(",", aws_s3_bucket.vault_storage.*.arn)}"
-}
\ No newline at end of file
+}
+
+output "dynamo_table_arn" {
+  value = "${aws_dynamodb_table.vault_dynamo.arn}"
+}

From 0761984599277f1f8f470d926cc6de3d0e754145 Mon Sep 17 00:00:00 2001
From: Joshua D Wells
Date: Thu, 5 Jul 2018 13:22:30 -0400
Subject: [PATCH 09/26] adding vault dynamo variables (read/write and name)

---
 modules/vault-cluster/variables.tf | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
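Review bot: `actions = ["dynamodb:*"]` gives the Vault instance role the full control-plane surface on its own storage table — `DeleteTable`, `UpdateTable`, `UpdateTimeToLive`, backup and tagging operations — when Vault only needs to read and write items, so a compromised node could destroy the secret store rather than merely operate inside it. Scope the statement to the item-level actions Vault's DynamoDB storage documentation lists (roughly `BatchGetItem`, `BatchWriteItem`, `GetItem`, `PutItem`, `UpdateItem`, `DeleteItem`, `Query`, `Scan`, `DescribeTable`, `ListTagsOfResource`) and keep `DeleteTable`/`UpdateTable` out of it. The existing `s3:*` statement above has the same shape, but that is not a reason to repeat it for a new backend.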
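Review bot: `output "dynamo_table_arn"` reads `aws_dynamodb_table.vault_dynamo.arn` directly, but that resource is created with `count = "${var.enable_dynamo_backend ? 1 : 0}"`, so with the backend disabled (the default) Terraform cannot resolve the attribute and the module fails to plan. Use the splat-and-join form the neighbouring `s3_bucket_arn` output already uses for exactly this situation: `value = "${join(",", aws_dynamodb_table.vault_dynamo.*.arn)}"`.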
diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
index 4533011f..d53d78b7 100644
--- a/modules/vault-cluster/variables.tf
+++ b/modules/vault-cluster/variables.tf
@@ -176,12 +176,32 @@ variable "enable_s3_backend" {
   default = false
 }
 
+variable "enable_dynamo_backend" {
+  description = "Whether to configure a DynamoDB storage backend (No Consul)"
+  default = false
+}
+
 variable "s3_bucket_name" {
   description = "The name of the S3 bucket to create and use as a storage backend. Only used if 'enable_s3_backend' is set to true."
   default = ""
 }
 
+variable "dynamo_table_name" {
+  description = "The name of the Dynamo Table to create and use as a storage backend. Only used if 'enable_dynamo_backend' is set to true."
+  default = ""
+}
+
 variable "force_destroy_s3_bucket" {
   description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
   default = false
 }
+
+variable "dynamo_read_capacity" {
+  description = "Sets the DynamoDB read capacity for storage backend"
+  default = "5"
+}
+
+variable "dynamo_write_capacity" {
+  description = "Sets the DynamoDB write capacity for storage backend"
+  default = "5"
+}

From 36e1b9435618943c2712208264240c41ed256910 Mon Sep 17 00:00:00 2001
From: Joshua D Wells Date: Thu, 5 Jul 2018 14:03:12 -0400 Subject: [PATCH 10/26] added tf example for vault with DDB backend. lacking infrastructure drawing --- examples/vault-ddb-backend/README.md | 44 +++++++++++ examples/vault-ddb-backend/main.tf | 76 +++++++++++++++++++ examples/vault-ddb-backend/outputs.tf | 43 +++++++++++ examples/vault-ddb-backend/user-data-vault.sh | 18 +++++ examples/vault-ddb-backend/variables.tf | 51 +++++++++++++ 5 files changed, 232 insertions(+) create mode 100644 examples/vault-ddb-backend/README.md create mode 100644 examples/vault-ddb-backend/main.tf create mode 100644 examples/vault-ddb-backend/outputs.tf create mode 100644 examples/vault-ddb-backend/user-data-vault.sh create mode 100644 examples/vault-ddb-backend/variables.tf diff --git a/examples/vault-ddb-backend/README.md b/examples/vault-ddb-backend/README.md new file mode 100644 index 00000000..49014601 --- /dev/null +++ b/examples/vault-ddb-backend/README.md 
@@ -0,0 +1,44 @@ +# Vault Cluster with DDB backend example + +This folder shows an example of Terraform code to deploy a [Vault](https://www.vaultproject.io/) cluster in +[AWS](https://aws.amazon.com/) using the [vault-cluster module](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster). +The Vault cluster uses [DynamoDB](https://aws.amazon.com/dynamodb/) as a high-availability storage backend. + +This example creates a Vault cluster spread across the subnets in the default VPC of the AWS account. For an example of a Vault cluster +that is publicly accessible, see [vault-cluster-public](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-public). + +![Vault architecture]() + +You will need to create an [Amazon Machine Image (AMI)](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) +that has Vault installed, or bootstrap Vault upon launch with UserData. + +For more info on how the Vault cluster works, check out the [vault-cluster](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster) documentation. + +**Note**: To keep this example as simple to deploy and test as possible, it deploys the Vault cluster into your default +VPC and default subnets, some of which might be publicly accessible. This is OK for learning and experimenting, but for +production usage, we strongly recommend deploying the Vault cluster into the private subnets of a custom VPC. + + + + +## Quick start + +To deploy a Vault Cluster: + +1. `git clone` this repo to your computer. +1. Optional: build a Vault and Consul AMI. See the [vault-consul-ami + example](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami) documentation for + instructions. Make sure to note down the ID of the AMI. +1. Install [Terraform](https://www.terraform.io/). +1. 
Open `vars.tf`, set the environment variables specified at the top of the file, and fill in any other variables that + don't have a default. If you built a custom AMI, put the AMI ID into the `ami_id` variable. Otherwise, one of our + public example AMIs will be used by default. These AMIs are great for learning/experimenting, but are NOT + recommended for production use. +1. Run `terraform init`. +1. Run `terraform apply`. +1. Run the [vault-examples-helper.sh script](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-examples-helper/vault-examples-helper.sh) to + print out the IP addresses of the Vault servers and some example commands you can run to interact with the cluster: + `../vault-examples-helper/vault-examples-helper.sh`. + +To see how to connect to the Vault cluster, initialize it, and start reading and writing secrets, head over to the +[How do you use the Vault cluster?](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#how-do-you-use-the-vault-cluster) docs. diff --git a/examples/vault-ddb-backend/main.tf b/examples/vault-ddb-backend/main.tf new file mode 100644 index 00000000..7da28378 --- /dev/null +++ b/examples/vault-ddb-backend/main.tf 
@@ -0,0 +1,76 @@ +# --------------------------------------------------------------------------------------------------------------------- +# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS +# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul, +# running in a separate cluster, as its storage backend. +# --------------------------------------------------------------------------------------------------------------------- + +terraform { + required_version = ">= 0.9.3" +} + +# --------------------------------------------------------------------------------------------------------------------- +# DEPLOY THE VAULT SERVER CLUSTER +# --------------------------------------------------------------------------------------------------------------------- + +module "vault_cluster" { + # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you + # to a specific version of the modules, such as the following example: + # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" + source = "../../modules/vault-cluster" + + cluster_name = "${var.vault_cluster_name}" + cluster_size = "${var.vault_cluster_size}" + instance_type = "${var.vault_instance_type}" + + ami_id = "${var.ami_id}" + user_data = "${data.template_file.user_data_vault_cluster.rendered}" + + enable_dynamo_backend = true + dynamo_table_name = "${var.dynamo_table_name}" + + vpc_id = "${data.aws_vpc.default.id}" + subnet_ids = "${data.aws_subnet_ids.default.ids}" + + # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* + # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
+ + allowed_ssh_cidr_blocks = ["0.0.0.0/0"] + allowed_inbound_cidr_blocks = ["0.0.0.0/0"] + allowed_inbound_security_group_ids = [] + allowed_inbound_security_group_count = 0 + ssh_key_name = "${var.ssh_key_name}" +} + +# --------------------------------------------------------------------------------------------------------------------- +# THE USER DATA SCRIPT THAT WILL RUN ON EACH VAULT SERVER WHEN IT'S BOOTING +# This script will configure and start Vault +# --------------------------------------------------------------------------------------------------------------------- + +data "template_file" "user_data_vault_cluster" { + template = "${file("${path.module}/user-data-vault.sh")}" + + vars { + aws_region = "${data.aws_region.current.name}" + s3_bucket_name = "${var.s3_bucket_name}" + consul_cluster_tag_key = "${var.consul_cluster_tag_key}" + consul_cluster_tag_value = "${var.consul_cluster_name}" + } +} + +# --------------------------------------------------------------------------------------------------------------------- +# DEPLOY THE CLUSTERS IN THE DEFAULT VPC AND AVAILABILITY ZONES +# Using the default VPC and subnets makes this example easy to run and test, but it means Consul and Vault are +# accessible from the public Internet. In a production deployment, we strongly recommend deploying into a custom VPC +# and private subnets. +# --------------------------------------------------------------------------------------------------------------------- + +data "aws_vpc" "default" { + default = "${var.vpc_id == "" ? true : false}" + id = "${var.vpc_id}" +} + +data "aws_subnet_ids" "default" { + vpc_id = "${data.aws_vpc.default.id}" +} + +data "aws_region" "current" {} diff --git a/examples/vault-ddb-backend/outputs.tf b/examples/vault-ddb-backend/outputs.tf new file mode 100644 index 00000000..3f83410d --- /dev/null +++ b/examples/vault-ddb-backend/outputs.tf 
@@ -0,0 +1,43 @@ +output "asg_name_vault_cluster" { + value = "${module.vault_cluster.asg_name}" +} + +output "launch_config_name_vault_cluster" { + value = "${module.vault_cluster.launch_config_name}" +} + +output "iam_role_arn_vault_cluster" { + value = "${module.vault_cluster.iam_role_arn}" +} + +output "iam_role_id_vault_cluster" { + value = "${module.vault_cluster.iam_role_id}" +} + +output "security_group_id_vault_cluster" { + value = "${module.vault_cluster.security_group_id}" +} + +output "aws_region" { + value = "${data.aws_region.current.name}" +} + +output "vault_servers_cluster_tag_key" { + value = "${module.vault_cluster.cluster_tag_key}" +} + +output "vault_servers_cluster_tag_value" { + value = "${module.vault_cluster.cluster_tag_value}" +} + +output "ssh_key_name" { + value = "${var.ssh_key_name}" +} + +output "vault_cluster_size" { + value = "${var.vault_cluster_size}" +} + +output "dynamo_table_arn" { + value = "${module.vault_cluster.dynamo_table_arn}" +} diff --git a/examples/vault-ddb-backend/user-data-vault.sh b/examples/vault-ddb-backend/user-data-vault.sh new file mode 100644 index 00000000..bb12d5bd --- /dev/null +++ b/examples/vault-ddb-backend/user-data-vault.sh @@ -0,0 +1,18 @@ +#!/bin/bash +# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the +# run-consul script to configure and start Consul in client mode and then the run-vault script to configure and start +# Vault in server mode. Note that this script assumes it's running in an AMI built from the Packer template in +# examples/vault-consul-ami/vault-consul.json. + +set -e + +# Send the log output from this script to user-data.log, syslog, and the console +# 
From: https://alestic.com/2010/12/ec2-user-data-output/ +exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 + +# The Packer template puts the TLS certs in these file paths +readonly VAULT_TLS_CERT_FILE="/opt/vault/tls/vault.crt.pem" +readonly VAULT_TLS_KEY_FILE="/opt/vault/tls/vault.key.pem" + +# The variables below are filled in via Terraform interpolation +/opt/vault/bin/run-vault --tls-cert-file "$VAULT_TLS_CERT_FILE" --tls-key-file "$VAULT_TLS_KEY_FILE" --enable-dynamo --dynamo-table "${dynamo_table_name}" --dynamo-region "${aws_region}" diff --git a/examples/vault-ddb-backend/variables.tf b/examples/vault-ddb-backend/variables.tf new file mode 100644 index 00000000..97483c9d --- /dev/null +++ b/examples/vault-ddb-backend/variables.tf 
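Review bot: The header comment says the script uses `run-consul` to start Consul in client mode, but the body only invokes `run-vault` with the DynamoDB flags and never starts a Consul agent, so the comment describes a different example; replace that sentence with `# The script uses the run-vault script to configure and start Vault in server mode with DynamoDB as its storage backend.`. The `${dynamo_table_name}` and `${aws_region}` values are substituted by Terraform's template_file before bash ever runs, so the surrounding double quotes do not protect against a value containing `"` or `$`; that is operator-controlled input here, but a one-line comment saying so next to the call would stop someone wiring it to an untrusted source later.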
@@ -0,0 +1,51 @@ +# --------------------------------------------------------------------------------------------------------------------- +# ENVIRONMENT VARIABLES +# Define these secrets as environment variables +# --------------------------------------------------------------------------------------------------------------------- + +# AWS_ACCESS_KEY_ID +# AWS_SECRET_ACCESS_KEY +# AWS_DEFAULT_REGION + +# --------------------------------------------------------------------------------------------------------------------- +# REQUIRED PARAMETERS +# You must provide a value for each of these parameters. +# --------------------------------------------------------------------------------------------------------------------- + +variable "ami_id" { + description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." +} + +variable "ssh_key_name" { + description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." +} + +# --------------------------------------------------------------------------------------------------------------------- +# OPTIONAL PARAMETERS +# These parameters have reasonable defaults. +# --------------------------------------------------------------------------------------------------------------------- + +variable "vault_cluster_name" { + description = "What to name the Vault server cluster and all of its associated resources" + default = "vault-ddb-example" +} + +variable "vault_cluster_size" { + description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + default = 3 +} + +variable "vault_instance_type" { + description = "The type of EC2 Instance to run in the Vault ASG" + default = "t2.micro" +} + +variable "vpc_id" { + description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." 
+ default = "" +} + +variable "dynamo_table_name" { + description = "The name of an dynamo table to create and use as a storage backend (if configured). Note: Consul will not be configured" + default = "my-vault-table" +} From 8d539cdb4c1050600f0688f0aac412a4744153cb Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 07:32:04 -0400 Subject: [PATCH 11/26] updated main comment to specify ddb --- examples/vault-ddb-backend/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/examples/vault-ddb-backend/main.tf b/examples/vault-ddb-backend/main.tf index 7da28378..d6cc8347 100644 --- a/examples/vault-ddb-backend/main.tf +++ b/examples/vault-ddb-backend/main.tf @@ -1,7 +1,7 @@ # --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul, -# running in a separate cluster, as its storage backend. +# DEPLOY A VAULT SERVER CLUSTER WITH DYNAMODB BACKEND IN AWS +# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses DynamoDB, +# running separately (built within the vault-cluster module), as its storage backend. # --------------------------------------------------------------------------------------------------------------------- terraform { From 14c4e94abf99cc818afef8e273d0bd33c704f275 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 07:33:38 -0400 Subject: [PATCH 12/26] updated README to specify using a vault ami only --- examples/vault-ddb-backend/README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/examples/vault-ddb-backend/README.md b/examples/vault-ddb-backend/README.md index 49014601..04a7ca7b 100644 --- a/examples/vault-ddb-backend/README.md +++ b/examples/vault-ddb-backend/README.md 
@@ -26,9 +26,8 @@ production usage, we strongly recommend deploying the Vault cluster into the pri To deploy a Vault Cluster: 1. `git clone` this repo to your computer. -1. Optional: build a Vault and Consul AMI. See the [vault-consul-ami - example](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami) documentation for - instructions. Make sure to note down the ID of the AMI. +1. Optional: build a Vault AMI. See the [vault-consul-ami example](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami) documentation for instructions on how to build an AMI that has both Vault and Consul installed (note that for this example, you'll only need Vault, but having both won't hurt anything). + 1. Install [Terraform](https://www.terraform.io/). 1. Open `vars.tf`, set the environment variables specified at the top of the file, and fill in any other variables that don't have a default. If you built a custom AMI, put the AMI ID into the `ami_id` variable. Otherwise, one of our From 6a5572483746614838a57da41f0d9675a34188b1 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 07:36:48 -0400 Subject: [PATCH 13/26] updated userdata 'data' block to remove consul variables and add dynamo table --- examples/vault-ddb-backend/main.tf | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/examples/vault-ddb-backend/main.tf b/examples/vault-ddb-backend/main.tf index d6cc8347..100d7ad1 100644 --- a/examples/vault-ddb-backend/main.tf +++ b/examples/vault-ddb-backend/main.tf 
@@ -50,10 +50,8 @@ data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" vars { - aws_region = "${data.aws_region.current.name}" - s3_bucket_name = "${var.s3_bucket_name}" - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + aws_region = "${data.aws_region.current.name}" + dynamo_table_name = "${var.dynamo_table_name}" } } From 93fb7b6c3502e68c89e1558c8aef4af24dcd7f8e Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 07:40:44 -0400 Subject: [PATCH 14/26] set consul_storage and vault_storage to and removed redundant logic --- modules/run-vault/run-vault | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault index 03945ba7..14df6957 100755 --- a/modules/run-vault/run-vault +++ b/modules/run-vault/run-vault @@ -154,6 +154,8 @@ EOF local consul_storage_type="storage" local s3_config="" + local consul_storage="" + local vault_storage="" if [[ "$enable_s3_backend" == "true" ]]; then s3_config=$(cat < Date: Fri, 6 Jul 2018 07:47:00 -0400 Subject: [PATCH 15/26] removed logic changing dynamo/s3 values and made just list. Added logic at bottom to check for s3, dynamo, or else --- modules/run-vault/run-vault | 28 +++++++++------------------- 1 file changed, 9 insertions(+), 19 deletions(-) diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault index 14df6957..ee9e4b58 100755 --- a/modules/run-vault/run-vault +++ b/modules/run-vault/run-vault 
@@ -115,24 +115,12 @@ function generate_vault_config { local readonly api_addr="$5" local readonly config_dir="$6" local readonly user="$7" - - if [[ "$enable_s3_backend" == "true" ]]; then - local readonly enable_s3_backend="$8" - local readonly s3_bucket="$9" - local readonly s3_bucket_region="${10}" - local readonly enable_dynamo="" - local readonly dynamo_region="" - local readonly dynamo_table="" - fi - - if [[ "$enable_dynamo" == "true" ]]; then - local readonly enable_dynamo="$8" - local readonly dynamo_region="$9" - local readonly dynamo_table="${10}" - local readonly enable_s3_backend="" - local readonly s3_bucket="" - local readonly s3_bucket_region="" - fi + local readonly enable_s3_backend="$8" + local readonly s3_bucket="$9" + local readonly s3_bucket_region="${10}" + local readonly enable_dynamo="${11}" + local readonly dynamo_region="${12}" + local readonly dynamo_table="${13}" local readonly config_path="$config_dir/$VAULT_CONFIG_FILE" @@ -400,8 +388,10 @@ function run { log_info "The --skip-vault-config flag is set, so will not generate a default Vault config file." elif [[ "$enable_dynamo" == "true" ]]; then generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_dynamo" "$dynamo_region" "$dynamo_table" - else + elif [[ "$enable_s3_backend" == "true" ]]; then generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" + else + generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" fi generate_supervisor_config "$SUPERVISOR_CONFIG_PATH" "$config_dir" "$bin_dir" "$log_dir" "$log_level" "$user" From 2df714835277a2d4693c0bdedfd2b74b10ee7a6c Mon Sep 17 00:00:00 2001 
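Review bot: The two hunks of this commit disagree on positional arguments: the first binds `$8`–`${10}` to `enable_s3_backend`, `s3_bucket`, `s3_bucket_region` and `enable_dynamo` to `${11}`, but the dynamo branch in `run` still passes `"$enable_dynamo" "$dynamo_region" "$dynamo_table"` in positions 8–10, so with `--enable-dynamo` set generate_vault_config sees `enable_s3_backend="true"` (with the region as the bucket name) and an empty `enable_dynamo`. Replacing the `elif` chain with a single call that always passes all thirteen values, `generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" "$enable_dynamo" "$dynamo_region" "$dynamo_table"`, keeps the callee's binding and the caller in one place; PATCH 23 of this series does exactly that, so squashing it into this commit avoids a broken intermediate state. As written, setting both flags also silently prefers DynamoDB, which nothing reports. The body of `run` continues outside the hunk.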
From: Joshua Wells Date: Fri, 6 Jul 2018 07:48:41 -0400 Subject: [PATCH 16/26] added Name tag to DDB --- modules/vault-cluster/main.tf | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf index 4c873764..500cd5cb 100644 --- a/modules/vault-cluster/main.tf +++ b/modules/vault-cluster/main.tf @@ -213,6 +213,7 @@ resource "aws_dynamodb_table" "vault_dynamo" { } tags { + Name = "${var.cluster_name}" Description = "Used for HA storage with Vault." } } From ffabbb80d88f0383bb9baf0cbdf9ed448ba66102 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 07:52:24 -0400 Subject: [PATCH 17/26] updated dyanmo output as concat element --- modules/vault-cluster/outputs.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/vault-cluster/outputs.tf b/modules/vault-cluster/outputs.tf index e4740b00..7701dd69 100644 --- a/modules/vault-cluster/outputs.tf +++ b/modules/vault-cluster/outputs.tf @@ -35,5 +35,5 @@ output "s3_bucket_arn" { } output "dynamo_table_arn" { - value = "${aws_dynamodb_table.vault_dynamo.arn}" + value = "${element(concat(aws_dynamodb_table.vault_dynamo.*.arn, list("")), 0)}" } From 10b5cb1e3d44b67bfc23e907402d4e06b23b83c2 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 07:55:24 -0400 Subject: [PATCH 18/26] updated ddb read/write string variables without quotes --- modules/vault-cluster/variables.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf index d53d78b7..0bcda701 100644 --- a/modules/vault-cluster/variables.tf +++ b/modules/vault-cluster/variables.tf 
@@ -198,10 +198,10 @@ variable "force_destroy_s3_bucket" { variable "dynamo_read_capacity" { description = "Sets the DynamoDB read capacity for storage backend" - default = "5" + default = 5 } variable "dynamo_write_capacity" { description = "Sets the DynamoDB write capacity for storage backend" - default = "5" + default = 5 } From 011d71a7ce49fa10f0f246be43bb3f6211d23a08 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 08:02:13 -0400 Subject: [PATCH 19/26] update userdata comment --- examples/vault-ddb-backend/user-data-vault.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vault-ddb-backend/user-data-vault.sh b/examples/vault-ddb-backend/user-data-vault.sh index bb12d5bd..803b4bbf 100644 --- a/examples/vault-ddb-backend/user-data-vault.sh +++ b/examples/vault-ddb-backend/user-data-vault.sh @@ -1,6 +1,6 @@ #!/bin/bash # This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the -# run-consul script to configure and start Consul in client mode and then the run-vault script to configure and start +# run-vault script to configure and start # Vault in server mode. Note that this script assumes it's running in an AMI built from the Packer template in # examples/vault-consul-ami/vault-consul.json. From 0b74d0ab5db861db99eee95b75970dc528c3e682 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 08:05:49 -0400 Subject: [PATCH 20/26] updated enable-dynamo and enable_dynamo to include 'backend' with consistency --- modules/run-vault/run-vault | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault index ee9e4b58..f53b6bb2 100755 --- a/modules/run-vault/run-vault +++ b/modules/run-vault/run-vault 
@@ -36,9 +36,9 @@ function print_usage { echo -e " --enable-s3-backend\tIf this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. Default is false." echo -e " --s3-bucket\tSpecifies the S3 bucket to use to store Vault data. Only used if '--enable-s3-backend' is set." echo -e " --s3-bucket-region\tSpecifies the AWS region where '--s3-bucket' lives. Only used if '--enable-s3-backend' is set." - echo -e " --enable-dynamo\tIf this flag is set, DynamoDB will be enabled as the backend storage (HA)" - echo -e " --dynamo-region\tSpecifies the AWS region where --dynamo-table lives. Only used if '--enable-dynamo is on'" - echo -e " --dynamo--table\tSpecifies the DynamoDB table to use for HA Storage. Only used if '--enable-dynamo is on'" + echo -e " --enable-dynamo-backend\tIf this flag is set, DynamoDB will be enabled as the backend storage (HA)" + echo -e " --dynamo-region\tSpecifies the AWS region where --dynamo-table lives. Only used if '--enable-dynamo-backend is on'" + echo -e " --dynamo--table\tSpecifies the DynamoDB table to use for HA Storage. Only used if '--enable-dynamo-backend is on'" echo echo "Examples:" echo @@ -118,7 +118,7 @@ function generate_vault_config { local readonly enable_s3_backend="$8" local readonly s3_bucket="$9" local readonly s3_bucket_region="${10}" - local readonly enable_dynamo="${11}" + local readonly enable_dynamo_backend="${11}" local readonly dynamo_region="${12}" local readonly dynamo_table="${13}" @@ -157,7 +157,7 @@ EOF fi - if [[ "$enable_dynamo" == "true" ]]; then + if [[ "$enable_dynamo_backend" == "true" ]]; then vault_storage=$(cat < Date: Fri, 6 Jul 2018 08:06:22 -0400 Subject: [PATCH 21/26] updated enable dynamo flag in userdata --- examples/vault-ddb-backend/user-data-vault.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vault-ddb-backend/user-data-vault.sh b/examples/vault-ddb-backend/user-data-vault.sh index 803b4bbf..e2f4bcca 100644 
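Review bot: The usage text on the rewritten `--dynamo--table` line still carries a doubled dash, while the README in PATCH 22 and the user-data script in PATCH 21 use `--dynamo-table`; since this commit already rewrites that line, it should read `echo -e "  --dynamo-table\tSpecifies the DynamoDB table to use for HA Storage. Only used if '--enable-dynamo-backend' is set."` and the region line likewise `echo -e "  --dynamo-region\tSpecifies the AWS region where '--dynamo-table' lives. Only used if '--enable-dynamo-backend' is set."`, which also moves the closing quote to match the S3 lines above. The `case` arm that parses the renamed `--enable-dynamo-backend` option is not in the visible hunks, and the third hunk of this commit is cut off inside a heredoc in this view, so I could not confirm the rename reaches the option parser.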
--- a/examples/vault-ddb-backend/user-data-vault.sh +++ b/examples/vault-ddb-backend/user-data-vault.sh @@ -15,4 +15,4 @@ readonly VAULT_TLS_CERT_FILE="/opt/vault/tls/vault.crt.pem" readonly VAULT_TLS_KEY_FILE="/opt/vault/tls/vault.key.pem" # The variables below are filled in via Terraform interpolation -/opt/vault/bin/run-vault --tls-cert-file "$VAULT_TLS_CERT_FILE" --tls-key-file "$VAULT_TLS_KEY_FILE" --enable-dynamo --dynamo-table "${dynamo_table_name}" --dynamo-region "${aws_region}" +/opt/vault/bin/run-vault --tls-cert-file "$VAULT_TLS_CERT_FILE" --tls-key-file "$VAULT_TLS_KEY_FILE" --enable-dynamo-backend --dynamo-table "${dynamo_table_name}" --dynamo-region "${aws_region}" From 45f76581b0c9b6cdbce99d860a176d53c4c3a3d1 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 08:07:17 -0400 Subject: [PATCH 22/26] updated readme to include enable-dynamo-backend references --- modules/run-vault/README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/run-vault/README.md b/modules/run-vault/README.md index 3232242d..9e14d0fe 100644 --- a/modules/run-vault/README.md +++ b/modules/run-vault/README.md 
@@ -63,12 +63,12 @@ The `run-vault` script accepts the following arguments: * `user` (optional): The user to run Vault as. Default is to use the owner of `config-dir`. * `skip-vault-config` (optional): If this flag is set, don't generate a Vault configuration file. This is useful if you have a custom configuration file and don't want to use any of of the default settings from `run-vault`. -* `--enable-s3-backend` (optional): Cannot be set with `--enable-dynamo`. If this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. +* `--enable-s3-backend` (optional): Cannot be set with `--enable-dynamo-backend`. If this flag is set, an S3 backend will be enabled in addition to the HA Consul backend. * `--s3-bucket` (optional): Specifies the S3 bucket to use to store Vault data. Only used if `--enable-s3-backend` is set. * `--s3-bucket-region` (optional): Specifies the AWS region where `--s3-bucket` lives. Only used if `--enable-s3-backend` is set. -* `--enable-dynamo` (optional): Cannot be set with `--enable-s3-backend`. If this flag is set, a DynamoDB backend will be enabled. Consul will __NOT__ be enabled as a backend. -* `--dynamo-table` (optional): Specifies the DynamoDB table to use to store Vault data. Only used if `--enable-dynamo` is set. -* `--dynamo-region` (optional): Specifies the AWS region where `--dynamo-table` lives. Only used if `--enable-dynamo` is set. +* `--enable-dynamo-backend` (optional): Cannot be set with `--enable-s3-backend`. If this flag is set, a DynamoDB backend will be enabled. Consul will __NOT__ be enabled as a backend. +* `--dynamo-table` (optional): Specifies the DynamoDB table to use to store Vault data. Only used if `--enable-dynamo-backend` is set. +* `--dynamo-region` (optional): Specifies the AWS region where `--dynamo-table` lives. Only used if `--enable-dynamo-backend` is set. Example: 
@@ -85,7 +85,7 @@ If you want to enable an S3 backend: OR if you want to enable DynamoDB backend: ``` -/opt/vault/bin/run-vault --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem --enable-dynamo --dynamo-table my-dynamo-table --dynamo-region us-east-1 +/opt/vault/bin/run-vault --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem --enable-dynamo-backend --dynamo-table my-dynamo-table --dynamo-region us-east-1 ``` @@ -142,7 +142,7 @@ available. * [region](https://www.vaultproject.io/docs/configuration/storage/s3.html#region): Set to the `--s3-bucket-region` parameter. -* [storage](https://www.vaultproject.io/docs/configuration/index.html#storage): Set the `--enable-dynamo` flag to +* [storage](https://www.vaultproject.io/docs/configuration/index.html#storage): Set the `--enable-dynamo-backend` flag to configure DynamoDB as the main (HA) storage backend for Vault: * [table](https://www.vaultproject.io/docs/configuration/storage/dynamodb.html#table): Set to the `--dynamo-table` From c5f0603d5dd4147479fc86bad7e9b4231d471ab6 Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 08:13:21 -0400 Subject: [PATCH 23/26] update generate vault config line to include all as list --- modules/run-vault/run-vault | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault index f53b6bb2..d5c60ddd 100755 --- a/modules/run-vault/run-vault +++ b/modules/run-vault/run-vault 
@@ -386,12 +386,8 @@ function run { if [[ "$skip_vault_config" == "true" ]]; then log_info "The --skip-vault-config flag is set, so will not generate a default Vault config file." - elif [[ "$enable_dynamo_backend" == "true" ]]; then - generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_dynamo_backend" "$dynamo_region" "$dynamo_table" - elif [[ "$enable_s3_backend" == "true" ]]; then - generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" else - generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" + generate_vault_config "$tls_cert_file" "$tls_key_file" "$port" "$cluster_port" "$api_addr" "$config_dir" "$user" "$enable_s3_backend" "$s3_bucket" "$s3_bucket_region" "$enable_dynamo_backend" "$dynamo_region" "$dynamo_table" fi generate_supervisor_config "$SUPERVISOR_CONFIG_PATH" "$config_dir" "$bin_dir" "$log_dir" "$log_level" "$user" From 481c675c5e73a53727606e762aa35b33585ede1a Mon Sep 17 00:00:00 2001 From: Joshua Wells Date: Fri, 6 Jul 2018 08:15:33 -0400 Subject: [PATCH 24/26] remove checking supervisor pip --- modules/install-vault/install-vault | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/install-vault/install-vault b/modules/install-vault/install-vault index 9f8bc38f..2a05e1ae 100755 --- a/modules/install-vault/install-vault +++ b/modules/install-vault/install-vault @@ -102,8 +102,6 @@ function two_way_symlink() { # Install steps are based on: http://stackoverflow.com/a/31576473/483528 function install_supervisord_amazon_linux { - if [[ ! $(pip list |grep supervisor) ]]; then - sudo pip install supervisor # On Amazon Linux, /usr/local/bin is not in PATH for the root user, so we add symlinks to /usr/bin, which is in PATH 
@@ -117,7 +115,6 @@ function install_supervisord_amazon_linux { create_supervisor_config sudo chkconfig --add supervisor sudo chkconfig supervisor on - fi } function create_supervisor_config { From 773d47aee8bc23c0fcac3ff2d3d1e59a934768a1 Mon Sep 17 00:00:00 2001 From: Joshua D Wells Date: Tue, 31 Jul 2018 14:23:07 -0400 Subject: [PATCH 25/26] updated to allow s3 with ddb backend --- modules/run-vault/run-vault | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/modules/run-vault/run-vault b/modules/run-vault/run-vault index d5c60ddd..7ab73ec3 100755 --- a/modules/run-vault/run-vault +++ b/modules/run-vault/run-vault @@ -141,6 +141,7 @@ EOF ) local consul_storage_type="storage" + local dynamodb_storage_type="storage" local s3_config="" local consul_storage="" local vault_storage="" @@ -154,12 +155,13 @@ storage "s3" { EOF ) consul_storage_type="ha_storage" + dynamodb_storage_type="ha_storage" fi if [[ "$enable_dynamo_backend" == "true" ]]; then vault_storage=$(cat < Date: Tue, 31 Jul 2018 14:24:06 -0400 Subject: [PATCH 26/26] tf fmt --- examples/vault-cluster-private/main.tf | 6 +++--- examples/vault-ddb-backend/main.tf | 4 ++-- examples/vault-s3-backend/main.tf | 6 +++--- examples/vault-s3-backend/outputs.tf | 2 +- examples/vault-s3-backend/variables.tf | 2 +- main.tf | 6 +++--- 6 files changed, 13 insertions(+), 13 deletions(-) diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index 41229919..e984dcab 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf 
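Review bot: The documentation written two commits earlier (PATCH 22, `modules/run-vault/README.md`) still says `--enable-s3-backend` "Cannot be set with `--enable-dynamo-backend`", and the `print_usage` line for `--enable-s3-backend` still says S3 is enabled "in addition to the HA Consul backend", but this change sets `dynamodb_storage_type="ha_storage"` inside the `enable_s3_backend` branch precisely to support both flags together; the README entry should now read `If set together with --enable-dynamo-backend, S3 is configured as the storage stanza and DynamoDB as ha_storage.` and the usage text should be adjusted to match. The second hunk (`@@ -154,12 +155,13 @@`) is cut off inside a heredoc in this view, so I could not confirm how `dynamodb_storage_type` is substituted into the generated config, and the body of generate_vault_config continues outside both hunks. Note that `consul_storage_type` is switched to `ha_storage` on the same branch; if the Consul stanza is not suppressed whenever DynamoDB is enabled, Vault would be handed two `ha_storage` stanzas, which is worth a quick check against the code that emits `consul_storage`.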
@@ -74,11 +74,11 @@ data "template_file" "user_data_vault_cluster" { module "security_group_rules" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = "${module.vault_cluster.security_group_id}" # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. - + allowed_inbound_cidr_blocks = ["0.0.0.0/0"] } @@ -141,4 +141,4 @@ data "aws_subnet_ids" "default" { vpc_id = "${data.aws_vpc.default.id}" } -data "aws_region" "current" {} \ No newline at end of file +data "aws_region" "current" {} diff --git a/examples/vault-ddb-backend/main.tf b/examples/vault-ddb-backend/main.tf index 100d7ad1..a9b3df74 100644 --- a/examples/vault-ddb-backend/main.tf +++ b/examples/vault-ddb-backend/main.tf @@ -50,8 +50,8 @@ data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" vars { - aws_region = "${data.aws_region.current.name}" - dynamo_table_name = "${var.dynamo_table_name}" + aws_region = "${data.aws_region.current.name}" + dynamo_table_name = "${var.dynamo_table_name}" } } diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index b5e9251b..7e0cfaea 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf 
@@ -79,11 +79,11 @@ data "template_file" "user_data_vault_cluster" { module "security_group_rules" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = "${module.vault_cluster.security_group_id}" # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. - + allowed_inbound_cidr_blocks = ["0.0.0.0/0"] } @@ -146,4 +146,4 @@ data "aws_subnet_ids" "default" { vpc_id = "${data.aws_vpc.default.id}" } -data "aws_region" "current" {} \ No newline at end of file +data "aws_region" "current" {} diff --git a/examples/vault-s3-backend/outputs.tf b/examples/vault-s3-backend/outputs.tf index e71de3a5..850bce74 100644 --- a/examples/vault-s3-backend/outputs.tf +++ b/examples/vault-s3-backend/outputs.tf @@ -84,4 +84,4 @@ output "consul_cluster_cluster_tag_value" { output "s3_bucket_arn" { value = "${module.vault_cluster.s3_bucket_arn}" -} \ No newline at end of file +} diff --git a/examples/vault-s3-backend/variables.tf b/examples/vault-s3-backend/variables.tf index ecea70ed..2ed6b2b0 100644 --- a/examples/vault-s3-backend/variables.tf +++ b/examples/vault-s3-backend/variables.tf @@ -73,4 +73,4 @@ variable "s3_bucket_name" { variable "force_destroy_s3_bucket" { description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage (if configured). You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves." default = false -} \ No newline at end of file +} diff --git a/main.tf b/main.tf index 245c57c6..851c62fa 100644 --- a/main.tf +++ b/main.tf 
@@ -117,11 +117,11 @@ data "template_file" "user_data_vault_cluster" { module "security_group_rules" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = "${module.vault_cluster.security_group_id}" # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. - + allowed_inbound_cidr_blocks = ["0.0.0.0/0"] } @@ -223,4 +223,4 @@ data "aws_subnet_ids" "default" { tags = "${var.subnet_tags}" } -data "aws_region" "current" {} \ No newline at end of file +data "aws_region" "current" {}