This repository has been archived by the owner on Jan 25, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 465
Feature/ddb backend #77
Closed
Closed
Changes from all commits
Commits
Show all changes
26 commits
Select commit
Hold shift + click to select a range
d6f5711
added checking for supervisor existence before installing
pgr-josh-wells 6544406
added dynamo flags and logic to use either s3 or dynamo
pgr-josh-wells a8e6b72
correct useradd with --system flag
pgr-josh-wells 6cd9bfa
updated dynamo checking for config generation
pgr-josh-wells fdc8fac
add dynamo documentation
pgr-josh-wells 6d308d2
tf fmt only
pgr-josh-wells 966df0a
adding standard dynamo table and policy to iam role
pgr-josh-wells 36a74d7
adding dynamo arn output
pgr-josh-wells 0761984
adding vault dynamo variables (read/write and name)
pgr-josh-wells 36e1b94
added tf example for vault with DDB backend. lacking infrastructure …
pgr-josh-wells 8d539cd
updated main comment to specify ddb
14c4e94
updated README to specify using a vault ami only
6a55724
updated userdata 'data' block to remove consul variables and add dyna…
93fb7b6
set consul_storage and vault_storage to and removed redundant logic
f3020a8
removed logic changing dynamo/s3 values and made just list. Added lo…
2df7148
added Name tag to DDB
ffabbb8
updated dyanmo output as concat element
10b5cb1
updated ddb read/write string variables without quotes
011d71a
update userdata comment
0b74d0a
updated enable-dynamo and enable_dynamo to include 'backend' with con…
7449675
updated enable dynamo flag in userdata
45f7658
updated readme to include enable-dynamo-backend references
c5f0603
update generate vault config line to include all as list
481c675
remove checking supervisor pip
773d47a
updated to allow s3 with ddb backend
pgr-josh-wells c8d9fab
tf fmt
pgr-josh-wells File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Vault Cluster with DDB backend example | ||
|
||
This folder shows an example of Terraform code to deploy a [Vault](https://www.vaultproject.io/) cluster in | ||
[AWS](https://aws.amazon.com/) using the [vault-cluster module](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster). | ||
The Vault cluster uses [DynamoDB](https://aws.amazon.com/dynamodb/) as a high-availability storage backend. | ||
|
||
This example creates a Vault cluster spread across the subnets in the default VPC of the AWS account. For an example of a Vault cluster | ||
that is publicly accessible, see [vault-cluster-public](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-cluster-public). | ||
|
||
![Vault architecture]() | ||
|
||
You will need to create an [Amazon Machine Image (AMI)](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html) | ||
that has Vault installed, or bootstrap Vault upon launch with UserData. | ||
|
||
For more info on how the Vault cluster works, check out the [vault-cluster](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster) documentation. | ||
|
||
**Note**: To keep this example as simple to deploy and test as possible, it deploys the Vault cluster into your default | ||
VPC and default subnets, some of which might be publicly accessible. This is OK for learning and experimenting, but for | ||
production usage, we strongly recommend deploying the Vault cluster into the private subnets of a custom VPC. | ||
|
||
|
||
|
||
|
||
## Quick start | ||
|
||
To deploy a Vault Cluster: | ||
|
||
1. `git clone` this repo to your computer. | ||
1. Optional: build a Vault AMI. See the [vault-consul-ami example](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-consul-ami) documentation for instructions on how to build an AMI that has both Vault and Consul installed (note that for this example, you'll only need Vault, but having both won't hurt anything). | ||
|
||
1. Install [Terraform](https://www.terraform.io/). | ||
1. Open `vars.tf`, set the environment variables specified at the top of the file, and fill in any other variables that | ||
don't have a default. If you built a custom AMI, put the AMI ID into the `ami_id` variable. Otherwise, one of our | ||
public example AMIs will be used by default. These AMIs are great for learning/experimenting, but are NOT | ||
recommended for production use. | ||
1. Run `terraform init`. | ||
1. Run `terraform apply`. | ||
1. Run the [vault-examples-helper.sh script](https://github.com/hashicorp/terraform-aws-vault/tree/master/examples/vault-examples-helper/vault-examples-helper.sh) to | ||
print out the IP addresses of the Vault servers and some example commands you can run to interact with the cluster: | ||
`../vault-examples-helper/vault-examples-helper.sh`. | ||
|
||
To see how to connect to the Vault cluster, initialize it, and start reading and writing secrets, head over to the | ||
[How do you use the Vault cluster?](https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#how-do-you-use-the-vault-cluster) docs. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
# DEPLOY A VAULT SERVER CLUSTER WITH DYNAMODB BACKEND IN AWS | ||
# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses DynamoDB, | ||
# running separately (built within the vault-cluster module), as its storage backend. | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
terraform { | ||
required_version = ">= 0.9.3" | ||
} | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
# DEPLOY THE VAULT SERVER CLUSTER | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
module "vault_cluster" { | ||
# When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you | ||
# to a specific version of the modules, such as the following example: | ||
# source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" | ||
source = "../../modules/vault-cluster" | ||
|
||
cluster_name = "${var.vault_cluster_name}" | ||
cluster_size = "${var.vault_cluster_size}" | ||
instance_type = "${var.vault_instance_type}" | ||
|
||
ami_id = "${var.ami_id}" | ||
user_data = "${data.template_file.user_data_vault_cluster.rendered}" | ||
|
||
enable_dynamo_backend = true | ||
dynamo_table_name = "${var.dynamo_table_name}" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Nice API 👍 |
||
|
||
vpc_id = "${data.aws_vpc.default.id}" | ||
subnet_ids = "${data.aws_subnet_ids.default.ids}" | ||
|
||
# To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* | ||
# recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. | ||
|
||
allowed_ssh_cidr_blocks = ["0.0.0.0/0"] | ||
allowed_inbound_cidr_blocks = ["0.0.0.0/0"] | ||
allowed_inbound_security_group_ids = [] | ||
allowed_inbound_security_group_count = 0 | ||
ssh_key_name = "${var.ssh_key_name}" | ||
} | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
# THE USER DATA SCRIPT THAT WILL RUN ON EACH VAULT SERVER WHEN IT'S BOOTING | ||
# This script will configure and start Vault | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
data "template_file" "user_data_vault_cluster" { | ||
template = "${file("${path.module}/user-data-vault.sh")}" | ||
|
||
vars { | ||
aws_region = "${data.aws_region.current.name}" | ||
dynamo_table_name = "${var.dynamo_table_name}" | ||
} | ||
} | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
# DEPLOY THE CLUSTERS IN THE DEFAULT VPC AND AVAILABILITY ZONES | ||
# Using the default VPC and subnets makes this example easy to run and test, but it means Consul and Vault are | ||
# accessible from the public Internet. In a production deployment, we strongly recommend deploying into a custom VPC | ||
# and private subnets. | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
data "aws_vpc" "default" { | ||
default = "${var.vpc_id == "" ? true : false}" | ||
id = "${var.vpc_id}" | ||
} | ||
|
||
data "aws_subnet_ids" "default" { | ||
vpc_id = "${data.aws_vpc.default.id}" | ||
} | ||
|
||
data "aws_region" "current" {} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
output "asg_name_vault_cluster" { | ||
value = "${module.vault_cluster.asg_name}" | ||
} | ||
|
||
output "launch_config_name_vault_cluster" { | ||
value = "${module.vault_cluster.launch_config_name}" | ||
} | ||
|
||
output "iam_role_arn_vault_cluster" { | ||
value = "${module.vault_cluster.iam_role_arn}" | ||
} | ||
|
||
output "iam_role_id_vault_cluster" { | ||
value = "${module.vault_cluster.iam_role_id}" | ||
} | ||
|
||
output "security_group_id_vault_cluster" { | ||
value = "${module.vault_cluster.security_group_id}" | ||
} | ||
|
||
output "aws_region" { | ||
value = "${data.aws_region.current.name}" | ||
} | ||
|
||
output "vault_servers_cluster_tag_key" { | ||
value = "${module.vault_cluster.cluster_tag_key}" | ||
} | ||
|
||
output "vault_servers_cluster_tag_value" { | ||
value = "${module.vault_cluster.cluster_tag_value}" | ||
} | ||
|
||
output "ssh_key_name" { | ||
value = "${var.ssh_key_name}" | ||
} | ||
|
||
output "vault_cluster_size" { | ||
value = "${var.vault_cluster_size}" | ||
} | ||
|
||
output "dynamo_table_arn" { | ||
value = "${module.vault_cluster.dynamo_table_arn}" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
#!/bin/bash | ||
# This script is meant to be run in the User Data of each EC2 Instance while it's booting. The script uses the | ||
# run-vault script to configure and start | ||
# Vault in server mode. Note that this script assumes it's running in an AMI built from the Packer template in | ||
# examples/vault-consul-ami/vault-consul.json. | ||
|
||
set -e | ||
|
||
# Send the log output from this script to user-data.log, syslog, and the console | ||
# From: https://alestic.com/2010/12/ec2-user-data-output/ | ||
exec > >(tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 | ||
|
||
# The Packer template puts the TLS certs in these file paths | ||
readonly VAULT_TLS_CERT_FILE="/opt/vault/tls/vault.crt.pem" | ||
readonly VAULT_TLS_KEY_FILE="/opt/vault/tls/vault.key.pem" | ||
|
||
# The variables below are filled in via Terraform interpolation | ||
/opt/vault/bin/run-vault --tls-cert-file "$VAULT_TLS_CERT_FILE" --tls-key-file "$VAULT_TLS_KEY_FILE" --enable-dynamo-backend --dynamo-table "${dynamo_table_name}" --dynamo-region "${aws_region}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
# ENVIRONMENT VARIABLES | ||
# Define these secrets as environment variables | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
# AWS_ACCESS_KEY_ID | ||
# AWS_SECRET_ACCESS_KEY | ||
# AWS_DEFAULT_REGION | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
# REQUIRED PARAMETERS | ||
# You must provide a value for each of these parameters. | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
variable "ami_id" { | ||
description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." | ||
} | ||
|
||
variable "ssh_key_name" { | ||
description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." | ||
} | ||
|
||
# --------------------------------------------------------------------------------------------------------------------- | ||
# OPTIONAL PARAMETERS | ||
# These parameters have reasonable defaults. | ||
# --------------------------------------------------------------------------------------------------------------------- | ||
|
||
variable "vault_cluster_name" { | ||
description = "What to name the Vault server cluster and all of its associated resources" | ||
default = "vault-ddb-example" | ||
} | ||
|
||
variable "vault_cluster_size" { | ||
description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." | ||
default = 3 | ||
} | ||
|
||
variable "vault_instance_type" { | ||
description = "The type of EC2 Instance to run in the Vault ASG" | ||
default = "t2.micro" | ||
} | ||
|
||
variable "vpc_id" { | ||
description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." | ||
default = "" | ||
} | ||
|
||
variable "dynamo_table_name" { | ||
description = "The name of an dynamo table to create and use as a storage backend (if configured). Note: Consul will not be configured" | ||
default = "my-vault-table" | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Missing image?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not 100% certain where to get a documentation template for Cloudcraft that includes the Hashicorp custom images. If you could point me in the right direction that would be great.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@brikis98 Do you have a template used for previous diagrams?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I do. I created the diagrams with CloudCraft. Let me know if these shared links work for you:
https://cloudcraft.co/view/9cf13b28-3c9b-47a6-b8f5-79b4f4be97e6?key=H-BXpuoP1I7hyjLm4LcO-Q
https://cloudcraft.co/view/8607afd0-2993-4dd9-87b4-1ada2790b3d6?key=Xlcx8IEgf9A_jBiCBf0sFA