vault-starter
hashicorp/vault-starter/aws
A Terraform Module for provisioning an OSS Vault cluster (using integrated storage) as described by HashiCorp reference architecture.
Vault AWS Module

This is a Terraform module for provisioning Vault with integrated storage on AWS. This module defaults to setting up a cluster with 5 Vault nodes (as recommended by the Vault with Integrated Storage Reference Architecture).

About This Module

This module implements the Vault with Integrated Storage Reference Architecture on AWS using the open source version of Vault 1.8+.

How to Use This Module

- Ensure your AWS credentials are configured correctly and have permission to use the following AWS services:
  - Amazon Certificate Manager (ACM)
  - Amazon EC2
  - Amazon Elastic Load Balancing (ALB)
  - AWS Identity & Access Management (IAM)
  - AWS Key Management System (KMS)
  - Amazon Secrets Manager
  - AWS Systems Manager Session Manager (optional - used to connect to EC2 instances with se
| Name | Type | Description | Default |
|---|---|---|---|
| user_supplied_ami_id | string | (Optional) User-provided AMI ID to use with Vault instances. If you provide this | required |
| user_supplied_iam_role_name | string | (Optional) User-provided IAM role name. This will be used for the instance profi | required |
| vpc_id | string | VPC ID where Vault will be deployed | required |
| allowed_inbound_cidrs_lb | list(string) | (Optional) List of CIDR blocks to permit inbound traffic from to load balancer | required |
| lb_certificate_arn | string | ARN of TLS certificate imported into ACM for use with LB listener | required |
| user_supplied_userdata_path | string | (Optional) File path to custom userdata script being supplied by the user | required |
| key_name | string | (Optional) key pair to use for SSH access to instance | required |
| leader_tls_servername | string | One of the shared DNS SAN used to create the certs use for mTLS | required |
| allowed_inbound_cidrs_ssh | list(string) | (Optional) List of CIDR blocks to permit for SSH to Vault nodes | required |
| user_supplied_kms_key_arn | string | (Optional) User-provided KMS key ARN. Providing this will disable the KMS submod | required |
| resource_name_prefix | string | Resource name prefix used for tagging and naming AWS resources | required |
| secrets_manager_arn | string | Secrets manager ARN where TLS cert info is stored | required |
| private_subnet_tags | map(string) | Tags which specify the subnets to deploy Vault into | required |
| lb_type | string | The type of load balancer to provision; network or application. | "application" |
| kms_key_deletion_window | number | Duration in days after which the key is deleted after destruction of the resourc | 7 |
| lb_health_check_path | string | The endpoint to check for Vault's health status. | "/v1/sys/health?activecode=200&stan |
| node_count | number | Number of Vault nodes to deploy in ASG | 5 |
| ssl_policy | string | SSL policy to use on LB listener | "ELBSecurityPolicy-TLS-1-2-2017-01" |
| common_tags | map(string) | (Optional) Map of common tags for all taggable AWS resources. | {} |
| vault_version | string | Vault version | "1.8.2" |
| instance_type | string | EC2 instance type | "m5.xlarge" |
Outputs

- vault_lb_arn — ARN of Vault load balancer
- vault_target_group_arn — Target group ARN to register Vault nodes with
- vault_lb_dns_name — DNS name of Vault load balancer
- vault_lb_zone_id — Zone ID of Vault load balancer
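A root module that calls this module with the inputs and outputs listed above, added here as an example and not taken from the module's own examples. It assumes an AWS provider is already configured; every ID and ARN is a placeholder, the version pin is a placeholder, and passing null for the "(Optional)" inputs is an assumption about how the module declares those variables.

```hcl
# Added example root module (not from hashicorp/vault-starter/aws itself).
# Every ID and ARN is a placeholder; the version pin and the null handling
# of the (Optional) inputs are assumptions about the module's variables.

module "vault" {
  source  = "hashicorp/vault-starter/aws"
  version = "X.Y.Z" # placeholder: pin to a version listed in the registry

  resource_name_prefix = "vault-prod"
  vault_version        = "1.8.2"
  node_count           = 5 # reference architecture cluster size
  instance_type        = "m5.xlarge"

  # Networking: nodes go into the private subnets carrying this tag.
  vpc_id              = "vpc-PLACEHOLDER"
  private_subnet_tags = { Tier = "private" }

  # Load balancer: TLS cert from ACM, inbound limited to an internal range
  # rather than 0.0.0.0/0, and a TLS 1.2 listener policy.
  lb_type                  = "application"
  lb_certificate_arn       = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER"
  allowed_inbound_cidrs_lb = ["10.0.0.0/8"]
  ssl_policy               = "ELBSecurityPolicy-TLS-1-2-2017-01"

  # Node mTLS: cert material lives in Secrets Manager; the servername must
  # be one of the DNS SANs on that certificate.
  secrets_manager_arn   = "arn:aws:secretsmanager:us-east-1:111122223333:secret:vault-tls-PLACEHOLDER"
  leader_tls_servername = "vault.example.internal"

  # Auto-unseal with a customer-managed KMS key instead of a module-created one.
  user_supplied_kms_key_arn = "arn:aws:kms:us-east-1:111122223333:key/PLACEHOLDER"
  kms_key_deletion_window   = 7

  # No SSH exposure: no key pair, no SSH CIDRs; use Session Manager instead.
  key_name                  = null
  allowed_inbound_cidrs_ssh = []

  # Let the module pick the AMI, IAM role and userdata (assumed null defaults).
  user_supplied_ami_id        = null
  user_supplied_iam_role_name = null
  user_supplied_userdata_path = null

  common_tags = { Environment = "prod", Owner = "platform-security" }
}

output "vault_address" {
  value = "https://${module.vault.vault_lb_dns_name}"
}
```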