vault-gke
dansible/vault-gke/google
Terraform module to deploy a GKE cluster with Vault using KMS encryption and GCS storage
# Vault on GKE

This Terraform module provisions a GKE cluster and deploys Vault onto it. It's based on Seth Vargo's Vault on GKE project.

- Prerequisites
- Usage
- Interact with Vault
- Module Details
- Input Variables
- Output Variables
- FAQ
- Links

## Prerequisites

A Google KMS Key and Keyring are required to deploy this module.

> NOTE: These cannot be created/managed by Terraform as Keyrings cannot be deleted from a project in GCP at the moment (see: https://cloud.google.com/kms/docs/faq#cannnot_delete).

```sh
gcloud kms keyrings create vault-keyring --location global
gcloud kms keys create vault-key --location global --keyring vault-keyring --purpose encryption
```

## Usage

```hcl
module "vault" {
  source = "git@github.com:dansible/terraform-google_gke_infra.git?ref=v0.5.1"
  name   = "${var.team-name}"

  # Keyring and key created in the Prerequisites step (both inputs are required)
  kms_keyring_name = "vault-keyring"
  kms_key_name     = "vault-key"
}
```

## Input Variables
| Name | Type | Description | Default |
|---|---|---|---|
| kms_keyring_name | string | The name of the Cloud KMS KeyRing for asset encryption. | required |
| kms_key_name | string | The name of the Cloud KMS Key used for asset encryption/decryption. | required |
| project | string | The name of the GCP project. | "" |
| vault_ip_network_tier | string | The networking tier used for configuring this address. This field can take the f | "STANDARD" |
| service_account_iam_roles | list | The roles to apply to the Vault GCP Service Account. | ["roles/resourcemanager.projectIamAdm |
| cluster_machine_type | string | The name of a Google Compute Engine machine type. Defaults to n1-standard-2. | "n1-standard-2" |
| vault_init_image | string | Name and version of the Vault Init container image to deploy. | "sethvargo/vault-init:1.0.0" |
| num_vault_pods | string | The number of Vault pods to deploy in a StatefulSet. | "3" |
| enable_pod_security_policy | string | Whether to enable the PodSecurityPolicy controller for this cluster. If enabled, | false |
| gke_oauth_scopes | list | The set of Google API scopes to enable on the GKE nodes. | ["https://www.googleapis.com/auth/mon |
| storage_bucket_roles | list | The roles given to the Vault GCP Service Account for accessing the GCS Bucket re | ["roles/storage.legacyBucketReader", |
| region | string | The GCP region for the infra. | "northamerica-northeast1" |
| kms_location | string | The location of your KMS keyring and key. | "global" |
| vault_image | string | Name and version of the Vault container image to deploy. | "vault:1.0.3" |
| vault_recovery_keys | string | Number of recovery keys to generate. | "5" |
| vault_recovery_key_threshold | string | Number of recovery keys required for quorum. This must be less than or equal to | "3" |
| name | string | A string value to use as a prefix for all resource names. | "vault" |
| kms_crypto_key_roles | list | The roles given to the Vault GCP Service Account for interacting with Google KMS | ["roles/cloudkms.cryptoKeyEncrypterDe |
| enable_network_policy | string | Whether we should enable the network policy addon for the master. This must be e | false |
## Output Variables

- network_name
- service_account_key
- vault_cert
- client_key
- subnet_name
- address
- root_token
- kubeconfig
- endpoint
- cluster_ca_certificate
- client_certificate
- service_account
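A fuller invocation of the module than the Usage snippet, with the security-relevant inputs from the table set explicitly, as an added example (not code from the module's README). It assumes `project` and `team-name` input variables, a minimal node scope list, and the `address` and `root_token` output names from the list above.

```hcl
# Added example, not the module's own code. Keyring/key names match the
# gcloud commands in Prerequisites; values marked "assumed" are not on the page.

variable "project" {}
variable "team-name" {}

module "vault" {
  source = "git@github.com:dansible/terraform-google_gke_infra.git?ref=v0.5.1"

  name    = "${var.team-name}"
  project = "${var.project}"
  region  = "northamerica-northeast1"

  # Auto-unseal key. kms_location must match the --location the keyring was
  # created with, or the Vault init container cannot reach the key.
  kms_keyring_name = "vault-keyring"
  kms_key_name     = "vault-key"
  kms_location     = "global"

  # Recovery keys: the quorum threshold must be <= the number of keys generated.
  vault_recovery_keys          = "5"
  vault_recovery_key_threshold = "3"
  num_vault_pods               = "3"

  # Both default to false. PodSecurityPolicy limits what pods may request;
  # the network policy addon lets NetworkPolicy objects restrict which pods
  # can reach the Vault StatefulSet.
  enable_pod_security_policy = true
  enable_network_policy      = true

  # Assumed minimal node scopes (the page's default is truncated): logging and
  # monitoring only, no broad cloud-platform scope on the nodes themselves.
  gke_oauth_scopes = [
    "https://www.googleapis.com/auth/logging.write",
    "https://www.googleapis.com/auth/monitoring",
  ]
}

output "vault_address" {
  value = "${module.vault.address}"
}

# sensitive = true hides the value from `terraform apply`/`output` display;
# it is still written to the state file, so protect the state backend too.
output "vault_root_token" {
  value     = "${module.vault.root_token}"
  sensitive = true
}
```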