
A Terraform module for provisioning and installing Vault Enterprise on Azure virtual machines as described in HashiCorp Validated Designs


hashicorp/terraform-azurerm-vault-enterprise-hvd

Vault Enterprise HVD on Azure VM

Terraform module aligned with HashiCorp Validated Designs (HVD) to deploy Vault Enterprise on Azure using Virtual Machines. This module deploys Vault Enterprise with integrated storage.

HVD Vault Architecture diagram

Prerequisites

This module requires the following to already be in place in Azure:

Deployment

Upon first deployment, Vault servers will auto-join and form a fresh cluster. The cluster will be in an uninitialized, sealed state. An operator must then connect to the cluster to initialize Vault. When auto-unseal is used via Azure Key Vault, the Vault nodes will automatically unseal upon initialization.

Examples

Example deployment scenarios can be found in the examples directory of this repo here. These examples cover multiple capabilities of the module and are meant to serve as a starting point for operators.

Deployment Options

This module deploys on Ubuntu 22.04 by default. This can be changed by updating the following variables:

  • var.vm_image_publisher
  • var.vm_image_offer
  • var.vm_image_sku
  • var.vm_image_version

TLS

There is a helper doc for TLS certificate generation, should you need it: TLS.

Load Balancing

This module supports the deployment of Azure's TCP Layer 4 load balancer in front of the Vault cluster. The load balancer can be external (public IP) or internal (private IP) and is configured to probe Vault's sys/health API endpoint to determine each node's health status, so that clients are directed to a healthy instance whenever possible.

The variable lb_is_internal dictates whether the load balancer is internal or exposed publicly. The default is false (a public load balancer).

Key Vault

This module requires auto-unseal and defaults to the Azure Key Vault seal mechanism. The module deploys both the Azure Key Vault and the Key Vault Key used to enable auto-unseal.

Terraform configuration

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.7 |
| azurerm | ~> 3.101 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 3.101 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_dns_a_record.vault | resource |
| azurerm_key_vault_access_policy.prereqs_kv_reader | resource |
| azurerm_lb.vault | resource |
| azurerm_lb_backend_address_pool.vault_servers | resource |
| azurerm_lb_probe.vault | resource |
| azurerm_lb_rule.vault_8200 | resource |
| azurerm_linux_virtual_machine_scale_set.vault | resource |
| azurerm_private_dns_a_record.vault | resource |
| azurerm_private_dns_zone_virtual_network_link.vault | resource |
| azurerm_public_ip.vault_lb | resource |
| azurerm_resource_group.vault | resource |
| azurerm_role_assignment.prereqs_kv_reader | resource |
| azurerm_role_assignment.resource_group_reader | resource |
| azurerm_role_assignment.vault_vmss_disk_encryption_set_reader | resource |
| azurerm_user_assigned_identity.vault | resource |
| azurerm_client_config.current | data source |
| azurerm_disk_encryption_set.vmss | data source |
| azurerm_dns_zone.vault | data source |
| azurerm_image.custom | data source |
| azurerm_key_vault.prereqs | data source |
| azurerm_private_dns_zone.vault | data source |
| azurerm_resource_group.vault | data source |
| azurerm_virtual_machine_scale_set.vault | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_package_names | List of additional repository package names to install. | `set(string)` | `[]` | no |
| availability_zones | List of Azure Availability Zones to spread Vault resources across. | `set(string)` | `["1", "2", "3"]` | no |
| common_tags | Map of common tags for taggable Azure resources. | `map(string)` | `{}` | no |
| create_lb | Boolean to create an Azure Load Balancer for Vault. | `bool` | `true` | no |
| create_resource_group | Boolean to create a new Resource Group for this Vault deployment. | `bool` | `true` | no |
| create_vault_private_dns_record | Boolean to create a DNS record for Vault in a private Azure DNS zone. private_dns_zone_name must also be provided when true. | `bool` | `false` | no |
| create_vault_public_dns_record | Boolean to create a DNS record for Vault in a public Azure DNS zone. public_dns_zone_name must also be provided when true. | `bool` | `false` | no |
| friendly_name_prefix | Friendly name prefix for uniquely naming Azure resources. | `string` | n/a | yes |
| is_govcloud_region | Boolean indicating whether this Vault deployment is in an Azure Government Cloud region. | `bool` | `false` | no |
| key_vault_cidr_allow_list | List of CIDR blocks to allow access to the Key Vault. | `list(string)` | `[]` | no |
| lb_is_internal | Boolean to create an internal or external Azure Load Balancer for Vault. | `bool` | `false` | no |
| lb_private_ip | Private IP address for internal Azure Load Balancer. Only valid when lb_is_internal is true. | `string` | `null` | no |
| lb_subnet_id | Subnet ID for Azure load balancer. | `string` | `null` | no |
| location | Azure region for this Vault deployment. | `string` | n/a | yes |
| prereqs_keyvault_name | Name of the 'prereqs' Key Vault to use for prereqs Vault deployment. | `string` | n/a | yes |
| prereqs_keyvault_rg_name | Name of the Resource Group where the 'prereqs' Key Vault resides. | `string` | n/a | yes |
| private_dns_zone_name | Name of existing private Azure DNS zone to create DNS record in. Required when create_vault_private_dns_record is true. | `string` | `null` | no |
| private_dns_zone_rg | Name of Resource Group where private_dns_zone_name resides. Required when create_vault_private_dns_record is true. | `string` | `null` | no |
| public_dns_zone_name | Name of existing public Azure DNS zone to create DNS record in. Required when create_vault_public_dns_record is true. | `string` | `null` | no |
| public_dns_zone_rg | Name of Resource Group where public_dns_zone_name resides. Required when create_vault_public_dns_record is true. | `string` | `null` | no |
| resource_group_name | Name of Resource Group to use for Vault cluster resources. | `string` | `"vault-ent-rg"` | no |
| systemd_dir | Path to systemd directory for unit files. | `string` | `"/lib/systemd/system"` | no |
| vault_default_lease_ttl_duration | The default lease TTL expressed as a time duration in hours, minutes and/or seconds (e.g. 4h30m10s). | `string` | `"1h"` | no |
| vault_dir_bin | Path to install the Vault Enterprise binary. | `string` | `"/usr/bin"` | no |
| vault_dir_config | Path to install Vault Enterprise configuration files. | `string` | `"/etc/vault.d"` | no |
| vault_dir_home | Path to hold data, plugins and license directories. | `string` | `"/opt/vault"` | no |
| vault_dir_logs | Path to hold Vault file audit device logs. | `string` | `"/var/log/vault"` | no |
| vault_disable_mlock | Boolean to disable mlock. Mlock should be disabled when using Raft integrated storage. | `bool` | `true` | no |
| vault_enable_ui | Boolean to enable Vault's web UI. | `bool` | `true` | no |
| vault_fqdn | Fully qualified domain name of the Vault cluster. This name must match a SAN entry in the TLS server certificate. | `string` | n/a | yes |
| vault_group_name | Name of group to own Vault files and processes. | `string` | `"vault"` | no |
| vault_license_keyvault_secret_id | ID of Key Vault secret containing the Vault license. | `string` | n/a | yes |
| vault_max_lease_ttl_duration | The max lease TTL expressed as a time duration in hours, minutes and/or seconds (e.g. 4h30m10s). | `string` | `"768h"` | no |
| vault_plugin_urls | (optional list) List of Vault plugin fully qualified URLs (example `["https://releases.hashicorp.com/terraform-provider-oraclepaas/1.5.3/terraform-provider-oraclepaas_1.5.3_linux_amd64.zip"]`) for deployment to the Vault plugins directory. | `list(string)` | `[]` | no |
| vault_port_api | TCP port for Vault API listener. | `number` | `8200` | no |
| vault_port_cluster | TCP port for Vault cluster address. | `number` | `8201` | no |
| vault_seal_azurekeyvault_unseal_key_name | Name of the Azure Key Vault key to use for auto-unseal. | `string` | n/a | yes |
| vault_seal_azurekeyvault_vault_name | Name of the Azure Key Vault vault holding Vault's unseal key. | `string` | n/a | yes |
| vault_seal_type | n/a | `string` | `"azurekeyvault"` | no |
| vault_subnet_id | Subnet ID for Vault server VMs. | `string` | n/a | yes |
| vault_tls_ca_bundle_keyvault_secret_id | ID of Key Vault secret containing Vault TLS custom CA bundle. | `string` | n/a | yes |
| vault_tls_cert_keyvault_secret_id | ID of Key Vault secret containing Vault TLS certificate. | `string` | n/a | yes |
| vault_tls_disable_client_certs | Disable Vault UI prompt for client certificates. | `bool` | `false` | no |
| vault_tls_privkey_keyvault_secret_id | ID of Key Vault secret containing Vault TLS private key. | `string` | n/a | yes |
| vault_tls_require_and_verify_client_cert | Require and verify client certs on API requests. | `bool` | `false` | no |
| vault_user_name | Name of system user to own Vault files and processes. | `string` | `"vault"` | no |
| vault_version | Version of Vault to install. | `string` | `"1.17.1+ent"` | no |
| vm_admin_username | Admin username for VMs in VMSS. | `string` | `"ubuntu"` | no |
| vm_boot_disk_size | The disk size (GB) to use to create the boot disk. | `number` | `64` | no |
| vm_custom_image_name | Name of custom VM image to use for VMSS. If not using a custom image, leave this set to null. | `string` | `null` | no |
| vm_custom_image_rg_name | Resource Group name where the custom VM image resides. Only valid if vm_custom_image_name is not null. | `string` | `null` | no |
| vm_disk_encryption_set_name | Name of the Disk Encryption Set to use for VMSS. | `string` | `null` | no |
| vm_disk_encryption_set_rg | Name of the Resource Group where the Disk Encryption Set to use for VMSS exists. | `string` | `null` | no |
| vm_enable_boot_diagnostics | Boolean to enable boot diagnostics for VMSS. | `bool` | `false` | no |
| vm_image_offer | Offer of the VM image. | `string` | `"0001-com-ubuntu-server-jammy"` | no |
| vm_image_publisher | Publisher of the VM image. | `string` | `"Canonical"` | no |
| vm_image_sku | SKU of the VM image. | `string` | `"22_04-lts-gen2"` | no |
| vm_image_version | Version of the VM image. | `string` | `"latest"` | no |
| vm_sku | SKU for VM size for the VMSS. | `string` | `"Standard_D2s_v5"` | no |
| vm_ssh_public_key | SSH public key for VMs in VMSS. | `string` | `null` | no |
| vm_vault_data_disk_size | The disk size (GB) to use to create the Vault data disk. | `number` | `200` | no |
| vmss_vm_count | Number of VM instances in the VMSS. | `number` | `6` | no |
| vnet_id | VNet ID where Vault resources will reside. | `string` | n/a | yes |
| worker_msi_id | Value of the worker MSI ID. | `string` | `null` | no |
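As an added example (not code from this repository or from the examples directory), the following root module wires up the required inputs from the table above, the internal load balancer and private DNS record options described under Load Balancing, and the module's outputs. The module source address, subscription ID, resource group and Key Vault names, secret IDs, subnet names and the load balancer IP are all placeholder assumptions that must be replaced with values from your own environment.

```hcl
# Added example root module, not part of the hashicorp/terraform-azurerm-vault-enterprise-hvd repo.
# Every subscription ID, resource name, Key Vault URL and IP address below is a placeholder.

terraform {
  required_version = ">= 1.7"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.101"
    }
  }
}

provider "azurerm" {
  features {}
}

locals {
  subscription_id = "00000000-0000-0000-0000-000000000000" # placeholder
  network_rg      = "EXAMPLE-network-rg"                   # placeholder
  vnet_id         = "/subscriptions/${local.subscription_id}/resourceGroups/${local.network_rg}/providers/Microsoft.Network/virtualNetworks/EXAMPLE-vnet"

  # The license, TLS material and unseal key live in the pre-existing 'prereqs' Key Vault.
  # Secret IDs are the secrets' Key Vault URLs (placeholder vault and secret names).
  prereqs_kv_name = "EXAMPLE-prereqs-kv"
  prereqs_kv_uri  = "https://${local.prereqs_kv_name}.vault.azure.net"
}

module "vault" {
  # Module source assumed to be the GitHub repository this README belongs to.
  source = "github.com/hashicorp/terraform-azurerm-vault-enterprise-hvd"

  # ---- Required inputs ----
  friendly_name_prefix = "vaultprod"
  location             = "eastus"
  vnet_id              = local.vnet_id
  vault_subnet_id      = "${local.vnet_id}/subnets/vault-servers"

  prereqs_keyvault_name    = local.prereqs_kv_name
  prereqs_keyvault_rg_name = "EXAMPLE-prereqs-rg"

  vault_license_keyvault_secret_id       = "${local.prereqs_kv_uri}/secrets/vault-license"
  vault_tls_cert_keyvault_secret_id      = "${local.prereqs_kv_uri}/secrets/vault-tls-cert"
  vault_tls_privkey_keyvault_secret_id   = "${local.prereqs_kv_uri}/secrets/vault-tls-privkey"
  vault_tls_ca_bundle_keyvault_secret_id = "${local.prereqs_kv_uri}/secrets/vault-tls-ca-bundle"

  # Auto-unseal key in Azure Key Vault; vault_seal_type defaults to "azurekeyvault".
  vault_seal_azurekeyvault_vault_name      = local.prereqs_kv_name
  vault_seal_azurekeyvault_unseal_key_name = "vault-unseal-key"

  # Must match a SAN entry in the TLS server certificate stored above.
  vault_fqdn = "vault.example.internal"

  # ---- Internal (private IP) load balancer plus a private DNS record ----
  create_lb      = true
  lb_is_internal = true
  lb_subnet_id   = "${local.vnet_id}/subnets/vault-lb"
  lb_private_ip  = "10.0.2.10" # placeholder; must lie inside the vault-lb subnet range

  create_vault_private_dns_record = true
  private_dns_zone_name           = "example.internal" # existing private zone (placeholder)
  private_dns_zone_rg             = "EXAMPLE-dns-rg"

  # ---- Optional hardening and operational settings ----
  key_vault_cidr_allow_list   = ["10.0.0.0/16"]               # restrict Key Vault network access
  vault_version               = "1.17.1+ent"
  vm_ssh_public_key           = file("~/.ssh/vault-admin.pub") # placeholder path
  vm_disk_encryption_set_name = "EXAMPLE-des"                  # customer-managed key for VM disks
  vm_disk_encryption_set_rg   = "EXAMPLE-des-rg"

  common_tags = {
    environment = "prod"
    owner       = "platform-security"
  }
}

# Surface the module outputs. vault_cli_config carries the environment variables an
# operator needs to connect and run the one-time initialization after the first apply.
output "vault_cli_config" {
  value = module.vault.vault_cli_config
}

output "load_balancer_ip" {
  value = module.vault.load_balancer_ip
}

output "vault_server_private_ips" {
  value = module.vault.vault_server_private_ips
}
```

With lb_is_internal set to true, lb_private_ip and lb_subnet_id must both be provided, and the private DNS record points vault_fqdn at that private frontend, so only clients inside the VNet (or peered networks) can reach the API listener; leaving lb_is_internal at its default of false instead creates a public IP frontend and would pair with the public DNS record variables.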

Outputs

| Name | Description |
|------|-------------|
| load_balancer_ip | IP address of the load balancer's frontend configuration. |
| resource_group_name | Name of the Resource Group. |
| vault_cli_config | Environment variables to configure the Vault CLI. |
| vault_server_private_ips | The private IPs of the Vault servers spun up by the VMSS. |
