A Terraform module for creating a HashiCorp Vault cluster
This repository contains a Packer template and Terraform configurations for creating and provisioning a HashiCorp Vault cluster.
Note: Before running any Packer or Terraform commands, ensure that the following environment variables are assigned:
| Name | Description |
|---|---|
AWS_ACCESS_KEY_ID |
Specifies an AWS access key associated with an IAM user or role |
AWS_SECRET_ACCESS_KEY |
Specifies the secret key associated with the access key |
AWS_DEFAULT_REGION |
Specifies the AWS Region to send the request to |
See environment variables for more details.
What is HashiCorp Vault?
HashiCorp Vault is software for managing secrets and protecting sensitive data. To learn more about Vault, visit the official documentation.
What are the use cases of HashiCorp Vault?
Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity.
Vault provides encryption as a service with centralized key management to simplify encrypting data in transit and at rest across clouds and datacenters.
This module assumes that an Amazon Machine Image (AMI) exists in the Amazon account used by the Terraform AWS Provider. The packer subdirectory contains a Packer template for building an AMI with the following software installed:
- HashiCorp Vault
- Amazon CloudWatch Agent (metrics and logging aggregation)
Before invoking any Terraform commands the AMI must exist in the AWS account used by Terraform.
For instructions on building the AMI using Packer, visit the README in the packer subdirectory.
After building the AMI described in the Vault Amazon Machine Image section, invoke the following Terraform commands:
$ terraform init
$ terraform apply
For a complete list of available inputs, see the Inputs section.
This module uses the notify-slack Terraform module to send messages to Slack workspaces when a CloudWatch Alarm is triggered. The alarms for this module are configured here and are changeable.
To enable alerting, create an incoming webhook in Slack. After creating the incoming wekbook, invoke terraform apply with the following variables:
| Name | Description | Type |
|---|---|---|
| channel | Channel, private group, or IM channel to send message to | string |
| username | Set your bot's user name | string |
| webhook_url | The Incoming Webhook URL | string |
$ terraform apply \
-var 'channel=vault-alarms' \
-var 'username=vault-bot' \
-var 'webhook_url=https://hooks.slack.com/services/T00000000/B00000000/XXXXXXXXXXXXXXXXXXXXXXXX'
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| channel | Channel, private group, or IM channel to send message to | string | "" |
no |
| cidr_block | The IPv4 network range for the VPC, in CIDR notation | string | "10.0.0.0/16" |
no |
| desired_capacity | The number of Amazon EC2 instances that the Auto Scaling group attempts to maintain | number | "null" |
no |
| domain_name | Fully qualified domain name (FQDN), such as www.example.com, that you want to secure with an ACM certificate | string | "vault.corp.mongodb.com" |
no |
| health_check_grace_period | The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status of an EC2 instance that has come into service | number | "300" |
no |
| health_check_type | The service to use for the health checks | string | "EC2" |
no |
| hosted_zone_id | The ID of the hosted zone that you want to create the record in | string | "ZYSJTA7XCIHDB" |
no |
| hosted_zone_name | The name of the domain for the hosted zone where you want to add the resource record set | string | "vault.route53.build.10gen.cc" |
no |
| ingress_ips | Allow traffic from the specified IPv4 or IPv6 CIDR addresses | list(string) | [ "0.0.0.0/0" ] |
no |
| instance_type | Specifies the instance type of the EC2 instance | string | "m5.2xlarge" |
no |
| key_name | Provides the name of the EC2 key pair | string | "" |
no |
| max_size | The maximum number of Amazon EC2 instances in the Auto Scaling group | number | n/a | yes |
| min_size | The minimum number of Amazon EC2 instances in the Auto Scaling group | number | n/a | yes |
| provisioned_throughput | Throughput for the specified table, which consists of values for ReadCapacityUnits and WriteCapacityUnits | map(number) | { "read_capacity_units": 10, "write_capacity_units": 10 } |
no |
| retention_in_days | The number of days to retain the log events in the specified log group | number | "7" |
no |
| subnets | The IDs of the subnets for the load balancer | list(string) | [] |
no |
| table_name | The name of the table to create | string | "vault-dynamodb-backend" |
no |
| tags | Adds or overwrites the specified tags for the specified resources | map(string) | {} |
no |
| username | Set your bot's user name | string | "" |
no |
| vpc_id | The ID of the VPC | string | "" |
no |
| vpc_zone_identifier | A list of subnet IDs for a virtual private cloud | list(string) | [] |
no |
| webhook_url | The Incoming Webhook URL | string | "" |
no |
| Name | Description |
|---|---|
| dashboard | URL to launch the CloudWatch dashboard for monitoring |
| dns_name | The DNS name of the load balancer |