hashicorp · kellyhair · Mar 18, 2021 · Mar 18, 2021 · Mar 20, 2021 · Mar 20, 2021
diff --git a/.gitignore b/.gitignore
@@ -23,4 +23,7 @@
 *.vagrant
 
 # Generated private key
-*.key
+*.key
+
+# Ignore local lock files 
+**/.terraform.lock.hcl
diff --git a/operations/aws-kms-unseal-ha/terraform/README.md b/operations/aws-kms-unseal-ha/terraform/README.md
@@ -1,12 +1,12 @@
 # Vault Autounseal using AWS KMS
 
-In this guide, we'll show an example of how to use Terraform to provision a cluster that can utilize an encryption key from AWS Key Management Services to unseal Vault.
+In this guide, we'll show an example of how to use Terraform to provision a cluster that can utilize an encryption key from AWS Key Management Services to unseal Vault. 
 
 ## Overview
 Vault unseal operation either requires either a number of people who each possess a shard of a key, split by Shamir's Secret sharing algorithm, or protection of the master key via an HSM or cloud key management services (Google CKMS or AWS KMS). 
 
 This guide has a guide on how to implement and use this feature in AWS. Included is a Terraform configuration that has the following features:  
-* Ubuntu 16.04 LTS with Vault Enterprise (0.9.0+prem.hsm).   
+* Ubuntu 20.04 LTS with Vault 1.x (1.6.3 for the update to the README)  
 * An instance profile granting the AWS EC2 instance to a KMS key.   
 * Vault configured with access to a KMS key.   
 
@@ -15,7 +15,7 @@ This guide has a guide on how to implement and use this feature in AWS. Included
 
 This guide assumes the following:   
 
-1. Access to Vault Enterprise > 0.9.0 which supports AWS KMS as an unseal mechanism. 
+1. Either access to Vault OSS or Enterprise > 1.0.0 which supports AWS KMS as an unseal mechanism. 
 1. A URL to download Vault Enterprise from (an S3 bucket will suffice). 
 1. AWS account for provisioning cloud resources. 
 1. Terraform installed, and basic understanding of its usage
@@ -62,36 +62,36 @@ Code: 400. Errors:
 * server is not yet initialized
 
 # Active a primary node
-# vault init -stored-shares=1 -recovery-shares=1 -recovery-threshold=1 -key-shares=1 -key-threshold=1
-Recovery Key 1: oOxAQfxcZitjqZfF3984De8rUckPeahQDUvmJ1A4JrQ=
-Initial Root Token: 54c4dbe3-d45b-79d9-18d0-602831a6a991
+# vault operator init 
 
-Vault initialized successfully.
+Recovery Key 1: OXpd/9SI8qDtChqeQcvJHcco89jcx5JV6GM6XluyiLIj
+Recovery Key 2: HW0ljJ2kDenh22Zij4Ur2snpZwAYiSkgH9415ZDOyBHT
+Recovery Key 3: 8BIfyTjbjvlvyHioc+oUt4SZ6iWDBI2Iw1LMOD43ZGv/
+Recovery Key 4: tBnPT4CpJQUAPX3EtmFYgzn9jAANhJ4wLTj/l3uoHKej
+Recovery Key 5: M62dm2KbaeaNxKHepKGJ5VtqG3dTQKnqJ3e3J+vKlrzX
 
-Recovery key initialized with 1 keys and a key threshold of 1. Please
-securely distribute the above keys.
+Initial Root Token: s.WuLv0ZUacCmieZIzTNBi4BwX
 
-# systemctl stop vault
-root@ip-192-168-100-100:~# vault status
-Error checking seal status: Get http://127.0.0.1:8200/v1/sys/seal-status: dial tcp 127.0.0.1:8200: getsockopt: connection refused
+Success! Vault is initialized
+
+Recovery key initialized with 5 key shares and a key threshold of 3. Please
+securely distribute the key shares printed above.
 
-# systemctl start vault
 $ vault status
 Key                      Value
 ---                      -----
 Recovery Seal Type       shamir
+Initialized              true
 Sealed                   false
-Total Recovery Shares    1
-Threshold                1
-Version                  0.9.4+ent
-Cluster Name             vault-cluster-17200d37
-Cluster ID               81c09b45-0ff3-a1c6-65c6-4df2964b261e
+Total Recovery Shares    5
+Threshold                3
+Version                  1.6.3
+Storage Type             consul
+Cluster Name             vault-cluster-0c8d1b28
+Cluster ID               2fdab61d-5f49-081c-f2c4-5f345c64864b
 HA Enabled               true
-HA Cluster               https://192.168.100.166:8201
-HA Mode                  standby
-Active Node Address:     http://192.168.100.166:82001
-
-High-Availability Enabled: false
+HA Cluster               https://192.168.100.4:8201
+HA Mode                  active
 
 # vault auth 54c4dbe3-d45b-79d9-18d0-602831a6a991
 Successfully authenticated! You are now logged in.

diff --git a/operations/aws-kms-unseal-ha/terraform/instance-profile.tf b/operations/aws-kms-unseal-ha/terraform/instance-profile.tf
@@ -27,16 +27,17 @@ data "aws_iam_policy_document" "vault-kms-unseal" {
 
 resource "aws_iam_role" "vault-kms-unseal" {
   name               = "vault-kms-role-${random_pet.env.id}"
-  assume_role_policy = "${data.aws_iam_policy_document.assume_role.json}"
+  assume_role_policy = data.aws_iam_policy_document.assume_role.json
 }
 
 resource "aws_iam_role_policy" "vault-kms-unseal" {
   name   = "Vault-KMS-Unseal-${random_pet.env.id}"
-  role   = "${aws_iam_role.vault-kms-unseal.id}"
-  policy = "${data.aws_iam_policy_document.vault-kms-unseal.json}"
+  role   = aws_iam_role.vault-kms-unseal.id
+  policy = data.aws_iam_policy_document.vault-kms-unseal.json
+
 }
 
 resource "aws_iam_instance_profile" "vault-kms-unseal" {
   name = "vault-kms-unseal-${random_pet.env.id}"
-  role = "${aws_iam_role.vault-kms-unseal.name}"
+  role = aws_iam_role.vault-kms-unseal.name
 }
diff --git a/operations/aws-kms-unseal-ha/terraform/instance.tf b/operations/aws-kms-unseal-ha/terraform/instance.tf
@@ -2,7 +2,7 @@ resource "aws_kms_key" "vault" {
   description             = "Vault unseal key"
   deletion_window_in_days = 10
 
-  tags {
+  tags = {
     Name = "vault-kms-unseal-${random_pet.env.id}"
   }
 }
@@ -13,7 +13,7 @@ data "aws_ami" "ubuntu" {
 
   filter {
     name   = "name"
-    values = ["ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-*"]
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
   }
 
   filter {
@@ -23,45 +23,47 @@ data "aws_ami" "ubuntu" {
 }
 
 resource "aws_instance" "vault" {
-  ami           = "${data.aws_ami.ubuntu.id}"
+  ami           = data.aws_ami.ubuntu.id
   instance_type = "t2.micro"
   count         = 3
-  subnet_id     = "${aws_subnet.public_subnet.id}"
+  subnet_id     = aws_subnet.public_subnet.id
   key_name      = "vault-kms-unseal-${random_pet.env.id}"
 
   security_groups = [
-    "${aws_security_group.vault.id}",
+    aws_security_group.vault.id,
+
   ]
 
   associate_public_ip_address = true
   ebs_optimized               = false
-  iam_instance_profile        = "${aws_iam_instance_profile.vault-kms-unseal.id}"
+  iam_instance_profile        = aws_iam_instance_profile.vault-kms-unseal.id
+
 
-  tags {
+  tags = {
     Name = "Vault_KMS_unseal_cluster"
     environment_name = "vault-kms-unseal-${random_pet.env.id}"
   }
 
-  user_data = "${data.template_file.vault.rendered}"
+  user_data = data.template_file.vault.rendered
 }
 
 data "template_file" "vault" {
-  template = "${file("userdata.tpl")}"
+  template = file("userdata.tpl")
 
   vars = {
-    kms_key    = "${aws_kms_key.vault.id}"
-    vault_url  = "${var.vault_url}"
-    aws_region = "${var.aws_region}"
-    cluster_size = "3"
+    kms_key    = aws_kms_key.vault.id
+    vault_url  = var.vault_url
+    aws_region = var.aws_region 
+    cluster_size = var.cluster_size
     environment_name = "vault-kms-unseal-${random_pet.env.id}"
   }
 }
 
 data "template_file" "format_ssh" {
   template = "connect to host with following command: ssh ubuntu@$${admin} -i private.key"
 
-  vars {
-    admin = "${aws_instance.vault.0.public_ip}"
+  vars = {
+    admin = aws_instance.vault.0.public_ip
   }
 }
 
@@ -81,9 +83,9 @@ VAULT
 resource "aws_security_group" "vault" {
   name        = "vault-kms-unseal-${random_pet.env.id}"
   description = "vault access"
-  vpc_id      = "${aws_vpc.vpc.id}"
+  vpc_id      = aws_vpc.vpc.id
 
-  tags {
+  tags = {
     Name = "vault-kms-unseal-${random_pet.env.id}"
   }
 

diff --git a/operations/aws-kms-unseal-ha/terraform/main.tf b/operations/aws-kms-unseal-ha/terraform/main.tf
@@ -1,5 +1,5 @@
 provider "aws" {
-  region = "${var.aws_region}"
+  region = var.aws_region
 }
 
 resource "random_pet" "env" {
@@ -8,47 +8,46 @@ resource "random_pet" "env" {
 }
 
 resource "aws_vpc" "vpc" {
-  cidr_block           = "${var.vpc_cidr}"
+  cidr_block           = var.vpc_cidr
   enable_dns_hostnames = true
 
-  tags {
+  tags = {
     Name = "vault-kms-unseal-${random_pet.env.id}"
   }
 }
 
 resource "aws_internet_gateway" "gw" {
-  vpc_id = "${aws_vpc.vpc.id}"
+  vpc_id = aws_vpc.vpc.id
 
-  tags {
+  tags = {
     Name = "vault-kms-unseal-${random_pet.env.id}"
   }
 }
 
 resource "aws_subnet" "public_subnet" {
-  vpc_id                  = "${aws_vpc.vpc.id}"
-  cidr_block              = "${var.vpc_cidr}"
-  availability_zone       = "${var.aws_zone}"
+  vpc_id                  = aws_vpc.vpc.id
+  cidr_block              = var.vpc_cidr
+  availability_zone       = var.aws_zone
   map_public_ip_on_launch = true
 
-  tags {
+  tags = {
     Name = "vault-kms-unseal-${random_pet.env.id}"
   }
 }
 
 resource "aws_route_table" "route" {
-  vpc_id = "${aws_vpc.vpc.id}"
-
+  vpc_id = aws_vpc.vpc.id
   route {
     cidr_block = "0.0.0.0/0"
-    gateway_id = "${aws_internet_gateway.gw.id}"
+    gateway_id = aws_internet_gateway.gw.id
   }
 
-  tags {
+  tags = {
     Name = "vault-kms-unseal-${random_pet.env.id}"
   }
 }
 
 resource "aws_route_table_association" "route" {
-  subnet_id      = "${aws_subnet.public_subnet.id}"
-  route_table_id = "${aws_route_table.route.id}"
+  subnet_id      = aws_subnet.public_subnet.id
+  route_table_id = aws_route_table.route.id
 }
diff --git a/operations/aws-kms-unseal-ha/terraform/ssh-key.tf b/operations/aws-kms-unseal-ha/terraform/ssh-key.tf
@@ -14,5 +14,5 @@ resource "null_resource" "main" {
 
 resource "aws_key_pair" "main" {
   key_name   = "vault-kms-unseal-${random_pet.env.id}"
-  public_key = "${tls_private_key.main.public_key_openssh}"
+  public_key = tls_private_key.main.public_key_openssh
 }
diff --git a/operations/aws-kms-unseal-ha/terraform/userdata.tpl b/operations/aws-kms-unseal-ha/terraform/userdata.tpl
@@ -64,9 +64,12 @@ logger "User setup complete"
 
 
 
-CONSUL_VERSION="1.0.0"
+# CONSUL_VERSION="1.0.0"
+CONSUL_VERSION="1.9.4"
+OS="linux"
+ARCH="amd64"
 echo "Fetching Consul..."
-sudo curl https://releases.hashicorp.com/consul/$${CONSUL_VERSION}/consul_$${CONSUL_VERSION}_linux_amd64.zip -o /tmp/consul.zip
+sudo curl https://releases.hashicorp.com/consul/$${CONSUL_VERSION}/consul_$${CONSUL_VERSION}_$${OS}_$${ARCH}.zip -o /tmp/consul.zip
 cd /tmp
 sudo unzip consul.zip
 

diff --git a/operations/aws-kms-unseal-ha/terraform/variables.tf b/operations/aws-kms-unseal-ha/terraform/variables.tf
@@ -7,12 +7,16 @@ variable aws_zone {
 }
 
 variable vpc_cidr {
-  type        = "string"
   description = "CIDR of the VPC"
   default     = "192.168.100.0/24"
 }
 
 variable vault_url {
   description = "URL to download Vault Enterprise"
+  default = "https://releases.hashicorp.com/vault/1.6.3/vault_1.6.3_linux_amd64.zip"
 }
 
+variable cluster_size {
+  description = "Number of instances to launch in the AWS zone/AZ"
+  default = "3"
+}
diff --git a/operations/aws-kms-unseal-ha/terraform/versions.tf b/operations/aws-kms-unseal-ha/terraform/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.13"
+}
diff --git a/operations/aws-kms-unseal/terraform-aws/variables.tf b/operations/aws-kms-unseal/terraform-aws/variables.tf
@@ -7,7 +7,7 @@ variable "aws_zone" {
 }
 
 variable "vault_url" {
-  default = "https://releases.hashicorp.com/vault/1.6.0/vault_1.6.0_linux_amd64.zip"
+  default = "https://releases.hashicorp.com/vault/1.6.3/vault_1.6.3_linux_amd64.zip"
 }
 
 variable "vpc_cidr" {

diff --git a/operations/aws-kms-unseal/terraform-aws/versions.tf b/operations/aws-kms-unseal/terraform-aws/versions.tf
@@ -1,3 +1,3 @@
 terraform {
-  required_version = ">= 0.12"
-}
+  required_version = ">= 0.13"
+}