## CONFIGURE PRIMARY CLUSTER

In [1]:
%env  WORKDIR=/tmp/vault

env: WORKDIR=/tmp/vault


# Set vault-primary as primary cluster on a DR relationship and obtain replication token

In [2]:
%%bash
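set -euo pipefail
: "${WORKDIR:?WORKDIR must be set (see the %env cell above)}"

# The replication token written at the end lands in $WORKDIR, which is a fixed
# path under /tmp by default; create it privately so the file is 0600 and the
# directory 0700 rather than whatever the ambient umask gives.
umask 077
mkdir -p "$WORKDIR"

gcloud auth login

export VAULT_ADDR
VAULT_ADDR=$(terraform output -raw cluster_primary_fqdn_8200)

# cluster_primary_read_vault_token is not the token itself but a *command* that
# prints it; eval runs that command with this shell's privileges, so it must only
# ever come from trusted Terraform state.
vault_token_primary=$(terraform output -raw cluster_primary_read_vault_token)
VAULT_TOKEN=$(eval "$vault_token_primary")
export VAULT_TOKEN

primary_cluster_addr=$(terraform output -raw cluster_primary_fqdn_8201)
vault write -f sys/replication/dr/primary/enable primary_cluster_addr="$primary_cluster_addr"

# Enabling replication takes Vault offline for a short period. Poll the DR status
# until the cluster reports mode=primary instead of trusting a fixed sleep, so the
# secondary-token request below cannot race the restart.
mode=""
for _ in {1..30}; do
  mode=$(vault read -format=json sys/replication/dr/status 2>/dev/null | jq -r '.data.mode // empty' || true)
  [[ "$mode" == "primary" ]] && break
  sleep 2
done
[[ "$mode" == "primary" ]] || { echo "error: DR primary did not become ready (mode='$mode')" >&2; exit 1; }

# The secondary token is a response-wrapped token that the DR cluster will unwrap
# once; write it straight to the private file rather than echoing it to the cell
# output or passing it around on a command line.
vault write -format=json sys/replication/dr/primary/secondary-token id=dr12 \
  | jq -r .wrap_info.token > "$WORKDIR/dr_token.txt"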

Your browser has been opened to visit:

    https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=32555940559.apps.googleusercontent.com&redirect_uri=http%3A%2F%2Flocalhost%3A8085%2F&scope=openid+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcloud-platform+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fappengine.admin+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fsqlservice.login+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcompute+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Faccounts.reauth&state=FmYrJZVdGHO6AJc8ksCp2dgwQbQ9C1&access_type=offline&code_challenge=uk6YhnKYijjQiH9LHAcP3JvON9unjXrxhWhm0uK9Fzg&code_challenge_method=S256


You are now logged in as [jose.merchan@hashicorp.com].
Your current project is [None].  You can change this setting by running:
  $ gcloud config set project PROJECT_ID

  * This cluster is being enabled as a primary for replication. Vault will be
  unavailable for a brief period and will resume servic

## CONFIGURE SECONDARY CLUSTER

In [3]:
%%bash
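set -euo pipefail
: "${WORKDIR:?WORKDIR must be set (see the %env cell above)}"

export VAULT_ADDR
VAULT_ADDR=$(terraform output -raw cluster_dr_fqdn_8200)

# cluster_dr_read_vault_token is a command that prints the DR cluster's token;
# eval executes it here, so it must only come from trusted Terraform state.
vault_token_dr=$(terraform output -raw cluster_dr_read_vault_token)
VAULT_TOKEN=$(eval "$vault_token_dr")
export VAULT_TOKEN

primary_api_addr=$(terraform output -raw cluster_primary_fqdn_8200)
dr_token_file="$WORKDIR/dr_token.txt"
[[ -s "$dr_token_file" ]] || {
  echo "error: $dr_token_file is missing or empty; run the CONFIGURE PRIMARY CLUSTER step first" >&2
  exit 1
}

# NOTE(review): enabling a DR secondary is destructive for the target cluster (its
# own data is replaced by the primary's), so confirm VAULT_ADDR really points at
# the intended DR cluster before running this.
# The wrapped token is read from the file by the vault CLI (token=@path) instead of
# being spliced into argv with $(cat ...), which kept the secret visible in `ps`.
vault write sys/replication/dr/secondary/enable \
    primary_api_addr="$primary_api_addr" \
    token=@"$dr_token_file"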


  * Vault has successfully found secondary information; it may take a while to
  perform setup tasks. Vault will be unavailable until these tasks and initial
  sync complete.



> # Note: after the secondary is enabled, only the DR leader has joined the replication cluster; the remaining DR nodes have not, so each of them must be restarted (reloaded) to rejoin.

# Create a policy to operate with DR cluster

In [4]:
%%bash

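set -euo pipefail

export VAULT_ADDR
VAULT_ADDR=$(terraform output -raw cluster_primary_fqdn_8200)

# cluster_primary_read_vault_token is a command that prints the token; eval
# executes it, so it must only come from trusted Terraform state.
vault_token_primary=$(terraform output -raw cluster_primary_read_vault_token)
VAULT_TOKEN=$(eval "$vault_token_primary")
export VAULT_TOKEN

# Policy for the DR operation token. The heredoc delimiter is quoted so nothing
# inside is subject to shell expansion; the policy is written verbatim.
vault policy write dr-secondary-promotion - <<'EOF'
path "sys/replication/dr/secondary/promote" {
  capabilities = [ "update" ]
}

# To update the primary to connect
path "sys/replication/dr/secondary/update-primary" {
    capabilities = [ "update" ]
}

# Only if using integrated storage (raft) as the storage backend
# To read the current autopilot status
path "sys/storage/raft/autopilot/state" {
    capabilities = [ "update" , "read" ]
}

# NOTE(review): this grants sudo over the whole raft namespace (peer removal,
# snapshot restore, autopilot configuration). It is broader than promotion alone
# needs; if the failover runbook only touches specific paths, list those instead.
path "sys/storage/raft/*" {
    capabilities = [ "update" , "read", "create", "delete", "patch", "sudo" ]
}
EOF

# Batch tokens are replicated to the DR secondary, which is what makes a token
# minted on the primary usable to promote the secondary later. The role does not
# cap the TTL; the caller chooses it at `vault token create` time.
vault write auth/token/roles/failover-handler \
    allowed_policies=dr-secondary-promotion \
    orphan=true \
    renewable=false \
    token_type=batch

vault read sys/storage/raft/autopilot/state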

Success! Uploaded policy: dr-secondary-promotion
Success! Data written to: auth/token/roles/failover-handler
Key                             Value
---                             -----
failure_tolerance               2
healthy                         true
leader                          vault-primary-4
optimistic_failure_tolerance    2
servers                         map[vault-primary-0:map[address:vault-primary-0.vault-primary-internal:8201 healthy:true id:vault-primary-0 last_contact:2.58948005s last_index:1401 last_term:3 name:vault-primary-0 node_status:alive node_type:voter stable_since:2024-11-20T09:16:09.144051061Z status:voter upgrade_version:1.18.1 version:1.18.1] vault-primary-1:map[address:vault-primary-1.vault-primary-internal:8201 healthy:true id:vault-primary-1 last_contact:4.641202639s last_index:1394 last_term:3 name:vault-primary-1 node_status:alive node_type:voter stable_since:2024-11-20T09:16:09.144051061Z status:voter upgrade_version:1.18.1 version:1.18.1] vault-pri

# Create DR Operation Token

In [6]:
%%bash
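set -euo pipefail
: "${WORKDIR:?WORKDIR must be set (see the %env cell above)}"

# The token created below can promote the DR cluster to primary; keep the file
# private (0600) and the directory 0700.
umask 077
mkdir -p "$WORKDIR"

export VAULT_ADDR
VAULT_ADDR=$(terraform output -raw cluster_primary_fqdn_8200)

# cluster_primary_read_vault_token is a command that prints the token; eval
# executes it, so it must only come from trusted Terraform state.
vault_token_primary=$(terraform output -raw cluster_primary_read_vault_token)
VAULT_TOKEN=$(eval "$vault_token_primary")
export VAULT_TOKEN

# Mint the DR operation token (non-renewable batch token, 8h). It is written
# straight to the file so it never appears in the cell output.
vault token create -role=failover-handler -ttl=8h -format=json \
  | jq -r .auth.client_token > "$WORKDIR/dr_batch_token.txt"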

# Verify you can see DR cluster status with DR batch token

In [7]:
%%bash
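set -euo pipefail
: "${WORKDIR:?WORKDIR must be set (see the %env cell above)}"

batch_token_file="$WORKDIR/dr_batch_token.txt"
[[ -s "$batch_token_file" ]] || {
  echo "error: $batch_token_file is missing or empty; run the Create DR Operation Token step first" >&2
  exit 1
}

export VAULT_ADDR
VAULT_ADDR=$(terraform output -raw cluster_dr_fqdn_8200)

# Authenticate to the *secondary* with the batch token minted on the primary;
# this read succeeding is the check that the token replicated and the policy
# grants the autopilot state path.
VAULT_TOKEN=$(cat "$batch_token_file")
export VAULT_TOKEN

vault read sys/storage/raft/autopilot/state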

Key                             Value
---                             -----
failure_tolerance               2
healthy                         true
leader                          vault-dr-4
optimistic_failure_tolerance    2
servers                         map[vault-dr-0:map[address:vault-dr-0.vault-dr-internal:8201 healthy:true id:vault-dr-0 last_contact:1.631431246s last_index:1795 last_term:4 name:vault-dr-0 node_status:alive node_type:voter stable_since:2024-11-20T09:21:00.119530286Z status:voter upgrade_version:1.18.1 version:1.18.1] vault-dr-1:map[address:vault-dr-1.vault-dr-internal:8201 healthy:true id:vault-dr-1 last_contact:2.147805367s last_index:1789 last_term:4 name:vault-dr-1 node_status:alive node_type:voter stable_since:2024-11-20T09:21:00.119530286Z status:voter upgrade_version:1.18.1 version:1.18.1] vault-dr-2:map[address:vault-dr-2.vault-dr-internal:8201 healthy:true id:vault-dr-2 last_contact:275.317159ms last_index:1797 last_term:4 name:vault-dr-2 node_status:alive 