This repo is intended to be a demo of an actual deployment of Vault Enterprise into AWS, using the vault-ent-starter Terraform module.
The module's source code is available on GitHub and includes some sample modules (a VPC and a Secrets Manager secret) that are prerequisites for running it.
This repo copies the example modules referenced above (under /modules/) and provides the variables they require in the main variables.tf file.
To supply variables to Terraform, you can use a terraform.auto.tfvars file, which Terraform loads automatically. For example:

```hcl
vault_version          = "1.9.4"
vault_license_filepath = "/PATH_TO_YOUR_LICENSE_FILE/vault.hclic"
vault_license_name     = "vault.hclic"
resource_name_prefix   = "temp-test"
common_tags = {
  "product" = "vault"
  "owner"   = "YOUR_NAME"
}
azs = [
  "eu-west-1a",
  "eu-west-1b",
  "eu-west-1c"
]
aws_region = "eu-west-1"
```

In the example above, vault_license_name is the name of the object that will be created in S3 when the local license file is uploaded, and vault_license_filepath must be the absolute path to the license file on your local machine.
Make sure the azs you want to deploy to belong to the aws_region supplied; a mismatch will only surface as an error during apply.
Don't commit terraform.auto.tfvars to any source code repository: it points at your license file and carries owner-identifying tags, and tfvars files are a common place for credentials to leak. Add it to .gitignore.
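A small pre-flight script catches the two mistakes called out above (AZs outside the region, a relative or missing license path) before Terraform does, and checks that the tfvars file is git-ignored. This is an added example, not code from this repo or the vault-ent-starter module; it assumes the simple tfvars layout shown above (one `key = "value"` per line for strings, a bracketed list for azs) and only uses sed, awk and git.

```sh
#!/bin/sh
# Pre-flight checks for terraform.auto.tfvars. Added example, not part of this repo or
# the vault-ent-starter module. Assumes the layout shown above: one `key = "value"`
# per line for strings, and a bracketed list for azs (single- or multi-line).

# Print the unquoted value of a string variable: tfvar_string FILE KEY
tfvar_string() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Print each quoted element of a list variable, one per line: tfvar_list FILE KEY
tfvar_list() {
  awk -v key="$2" '
    $1 == key && $2 == "=" { inlist = 1 }
    inlist {
      line = $0
      while (match(line, /"[^"]*"/)) {
        print substr(line, RSTART + 1, RLENGTH - 2)
        line = substr(line, RSTART + RLENGTH)
      }
    }
    inlist && index($0, "]") { inlist = 0 }
  ' "$1"
}

# Run all checks; prints each problem to stderr and returns 1 if any check failed.
preflight_tfvars() {
  f=$1
  rc=0
  region=$(tfvar_string "$f" aws_region)
  [ -n "$region" ] || { echo "aws_region is not set" >&2; rc=1; }
  # Every AZ must be the region name plus a single zone letter, e.g. eu-west-1a.
  for az in $(tfvar_list "$f" azs); do
    case $az in
      "$region"?) ;;
      *) echo "az $az is not in region ${region:-<unset>}" >&2; rc=1 ;;
    esac
  done
  # The license path must be absolute and point at a readable file.
  lic=$(tfvar_string "$f" vault_license_filepath)
  case $lic in
    /*) [ -r "$lic" ] || { echo "license file not readable: $lic" >&2; rc=1; } ;;
    *)  echo "vault_license_filepath must be absolute: ${lic:-<unset>}" >&2; rc=1 ;;
  esac
  return $rc
}

# True if git would ignore the file, so it cannot be committed by accident.
tfvars_ignored() {
  git check-ignore -q "$1"
}
```

Run `preflight_tfvars terraform.auto.tfvars && tfvars_ignored terraform.auto.tfvars` from the repo root before `terraform apply`; a non-zero exit means one of the checks printed a reason to stderr.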
Before continuing, make sure you have:
- AWS CLI installed
- Terraform installed
- AWS CLI configured (with the relevant IAM permissions)
- Terraform configuration modified (terraform.auto.tfvars as above)
- A valid Vault Enterprise license
We now need to create a VPC and an AWS Secrets Manager secret (which provides the TLS certificate and secret ARNs the module needs) before we run the vault-ent-starter module.
In the repo, this is a one-time action, but it is a bit fiddly and doesn't feel very Terraform'y: the module looks up some of these resources when it is planned (for example the private subnets, selected by tag), so they must already exist.
In main.tf, you will need to comment out the module named vault-ent-starter:

```hcl
/*
module "vault-ent-starter" {
  source  = "hashicorp/vault-ent-starter/aws"
  version = "0.1.2"

  vault_version          = var.vault_version
  lb_type                = var.lb_type
  vault_license_filepath = var.vault_license_filepath
  vault_license_name     = var.vault_license_name
  resource_name_prefix   = var.resource_name_prefix
  vpc_id                 = module.vpc.vpc_id
  private_subnet_tags    = module.vpc.private_subnet_tags
  lb_certificate_arn     = module.secrets_manager.lb_certificate_arn
  secrets_manager_arn    = module.secrets_manager.secrets_manager_arn
  leader_tls_servername  = module.secrets_manager.leader_tls_servername
}
*/
```

You can now run the standard Terraform commands in your directory:

```sh
terraform init
terraform apply
```

Review the plan output and accept it to apply into AWS. When this is complete, uncomment vault-ent-starter and re-run the Terraform commands above to deploy Vault.
NOTE: These instructions are lifted from the vault-ent-starter GitHub repository linked at the top of this README.
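If you would rather not edit main.tf between the two applies, Terraform's -target flag lets you apply only the prerequisite modules first. The script below is an added example and is not part of this repo or the vault-ent-starter module; it assumes the module names module.vpc and module.secrets_manager from the main.tf above and that terraform is on PATH.

```sh
#!/bin/sh
# Two-phase bootstrap without commenting out the vault-ent-starter module.
# Added example, not part of this repo or the module. Assumes the module names from
# the main.tf block above (module.vpc, module.secrets_manager) and terraform on PATH.
set -e

# Phase 1: apply only the prerequisites the vault-ent-starter module depends on.
# Extra arguments (for example -auto-approve) are passed through to terraform apply.
bootstrap_prereqs() {
  terraform init
  terraform apply -target=module.vpc -target=module.secrets_manager "$@"
}

# True once both prerequisite modules have resources recorded in the state.
prereqs_in_state() {
  state=$(terraform state list) || return 1
  printf '%s\n' "$state" | grep -q '^module\.vpc\.' &&
    printf '%s\n' "$state" | grep -q '^module\.secrets_manager\.'
}

# Phase 2: the full apply, refused until phase 1 has actually landed, so a typo in
# the -target list cannot leave you planning vault-ent-starter against nothing.
deploy_vault() {
  if ! prereqs_in_state; then
    echo "prerequisite modules are not in the Terraform state; run bootstrap_prereqs first" >&2
    return 1
  fi
  terraform apply "$@"
}
```

Run bootstrap_prereqs, review and accept the plan, then deploy_vault. Terraform warns that -target is meant for exceptional situations; that is expected here, since the second, untargeted apply reconciles the whole configuration.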
We now need to initialize the Vault cluster. Log into a node (EC2 instance) via SSH, Session Manager etc. and run the following commands:

```sh
sudo -i
vault operator init
```

You should then see a "Success! Vault is initialized" message along with your recovery keys and an initial root token. Because this cluster uses AWS KMS auto-unseal, init produces recovery keys rather than unseal keys; they are used for operations such as generating a new root token, not for unsealing.
Recovery keys should be treated as secrets and handed to separate custodians, one key each, rather than stored together.
Export your Vault root token so you can interact with Vault via the CLI:

```sh
export VAULT_TOKEN="<YOUR_VAULT_TOKEN>"
```

You do not need to run vault operator unseal: the node you initialized unseals itself through KMS, and the other nodes unseal automatically via KMS once they join the cluster. Confirm with vault status, which should report Sealed as false on each node. Once you have configured proper auth methods and policies, revoke the initial root token rather than leaving it in use.
Known limitation:
- Your Vault license file must be stored locally on your filesystem; there currently isn't a way to supply it via a base64-encoded variable etc.
This code is released under the Mozilla Public License 2.0. Please see LICENSE for more details.