vault-raft

giuliocalzolari/vault-raft/aws

Terraform Module HCL AWS

Hashicorp Vault HA cluster on AWS based on Raft Consensus Algorithm

Install

module "vault-raft" {

source = "giuliocalzolari/vault-raft/aws"

version = "0.0.1"

}

plain text: /constructs/tfmod-giuliocalzolari-vault-raft-aws/install.txt

⭐ Source on GitHub 📦 Registry page

README

Hashicorp Vault using AWS Native Overview Hashicorp Vault is becoming one of the most popular tools for secret management, every company to improve their security but sometimes setting a Vault it requires some time and deep understanding on how to configure it. To make it easy the journey to AWS Cloud and increase the level of security of all application I've decided to create an out-of-the-box solution to configure the AWS infrastructure and setting up Vault in one click. This implementation of Vault cluster is based on Raft Storage Backend announced tech preview on 1.2.0 (July 30th, 2019), introduced a beta on 1.3.0 (November 14th, 2019)) and promoted out of beta on 1.4.0 (April 7th, 2020) and is relying on native AWS tool such as AWS KMS, AWS S3, AWS Cloudwatch. >The Raft storage backen

Inputs (32)

Name	Type	Description	Default
actions_alarm	list(string)	A list of actions to take when alarms are triggered. Will likely be an SNS topic	`[]`
vault_telemetry	string	enabling Vault Telemetry (Warning!!! AWS custom metric will increase the cost of	`"false"`
public_key	string	SSH public key to install in vault	`null`
root_volume_size	string	EC2 ASG Disk Size	`"50"`
ebs_optimized	bool	If true, the launched EC2 instance will be EBS-optimized.	`false`
health_check_type	string	'EC2' or 'ELB'. Controls how health checking is done.	`"ELB"`
admin_cidr_blocks	list(string)	Admin CIDR Block to access SSH and internal Application ports	`[]`
environment	string	Environment Name (e.g. dev, test, uat, prod, etc..)	`"dev"`
suffix	string	Suffix to add on all resources	`""`
sns_email	list(string)	list of email for SNS alarm	`[]`
vault_version	string	Vault version to install	`null`
app_name	string	Application name N.1 (e.g. vault, secure, store, etc..)	`"vault"`
lb_subnets	list(string)	ALB Subnets	`[]`
zone_name	string	Public Route53 Zone name for DNS and ACM validation	`null`
arch	string	EC2 Architecture arm64/x86_64 (arm64 is suggested)	`"x86_64"`
kms_key_deletion_window_in_days	string	The waiting period, specified in number of days. After the waiting period ends,	`"7"`
root_volume_type	string	The volume type. Can be standard, gp2, gp3, io1, io2, sc1 or st1 (Default: gp2).	`"gp2"`
size	string	ASG Size	`"3"`
termination_policies	list(string)	ASG Termination Policy	`[ "Default" ]`
actions_ok	list(string)	A list of actions to take when alarms are cleared. Will likely be an SNS topic f	`[]`

Outputs (9)

ec2_iam_role_arn — IAM EC2 role ARN

admin_pass_arn — SSM vault root password ARN

root_token_arn — SSM vault root token ARN

sns_arn — SNS ARN

vault_fqdn — Vault DNS

kms_key_id — KMS key ID

vault_version — Vault Version

alb_arn — ALB ARN

alb_hostname — ALB DNS

Resources (39)

aws_acm_certificateaws_acm_certificate_validationaws_albaws_alb_listeneraws_alb_target_groupaws_autoscaling_groupaws_autoscaling_lifecycle_hookaws_cloudwatch_dashboardaws_cloudwatch_event_ruleaws_cloudwatch_event_targetaws_cloudwatch_log_groupaws_cloudwatch_metric_alarmaws_iam_instance_profileaws_iam_roleaws_iam_role_policyaws_iam_role_policy_attachmentaws_iam_service_linked_roleaws_key_pairaws_kms_aliasaws_kms_keyaws_lambda_functionaws_lambda_permissionaws_launch_templateaws_route53_recordaws_s3_bucketaws_s3_bucket_lifecycle_configurationaws_s3_bucket_policyaws_s3_bucket_public_access_blockaws_s3_bucket_server_side_encryption_configurationaws_s3_bucket_versioningaws_security_groupaws_security_group_ruleaws_sns_topicaws_sns_topic_policyaws_sns_topic_subscriptionaws_ssm_parameterrandom_uuidtls_private_keytls_self_signed_cert

Topics & Tags

cluster hashing raft-consensus-algorithm terraform aws terraform-module packer hashicorp-vault

Details

FrameworkTerraform Module

LanguageHCL

Version0.0.1

Cloud AWS

★ Stars3

Forks1

Total downloads3.5k

Inputs32

Outputs9