terraform vault

Murodbey · Dec 30, 2020 · 0a040ca · 0a040ca
1 parent c71c8ae
commit 0a040ca
Show file tree

Hide file tree

Showing 10 changed files with 57 additions and 114 deletions.
diff --git a/terraform-aws-hashicorp-vault/configurations/regions/us-east-1.tfvars b/terraform-aws-hashicorp-vault/configurations/regions/us-east-1.tfvars
@@ -1,14 +1,4 @@
-availability_zones = "us-east-1a"
-key_name = "laptop"
+key_name = "DigOcean_key"
 aws_region = "us-east-1"
 environment_name = "learn-vault"
-ssh_key_location = "~/.ssh/id_rsa"
-user = "centos"
-ami_id = "ami-0affd4508a5d2481b" #Verified CentOS AMI should be given 
-
-vault_transit_private_ip = "10.0.101.21"
-vault_server_private_ips = [
- "10.0.101.22", 
- "10.0.101.23", 
- "10.0.101.24"
-]
+availability_zones = "us-east-1a"
diff --git a/terraform-aws-hashicorp-vault/module.tf b/terraform-aws-hashicorp-vault/module.tf
@@ -1,12 +1,7 @@
 module "vault" {
- vault_server_private_ips = var.vault_server_private_ips
- vault_transit_private_ip = var.vault_transit_private_ip
  availability_zones = var.availability_zones
  environment_name = var.environment_name
- ssh_key_location = var.ssh_key_location
  aws_region = var.aws_region
  key_name = var.key_name
- ami_id = var.ami_id
  source = "./module"
- user = var.user
 }
diff --git a/terraform-aws-hashicorp-vault/module/main.tf b/terraform-aws-hashicorp-vault/module/main.tf
@@ -1,12 +1,29 @@
 provider "aws" {
  region = var.aws_region
 }
+
+data "aws_ami" "centos" {
+ most_recent = true
+ owners = ["679593333241"]
+
+ filter {
+ name = "state"
+ values = ["available"]
+ }
+
+ filter {
+ name = "name"
+ values = ["CentOS Linux 7 x86_64 HVM EBS *"]
+ }
+}
+
+
 //--------------------------------------------------------------------
 // Master Key Encryption Provider instance
 // This node does not participate in the HA clustering
 
 resource "aws_instance" "vault-transit" {
- ami = var.ami_id
+ ami = data.aws_ami.centos.id
  instance_type = var.instance_type
  subnet_id = module.vault_demo_vpc.public_subnets[0]
  key_name = var.key_name
@@ -37,7 +54,7 @@ resource "aws_instance" "vault-transit" {
 
 resource "aws_instance" "vault-server" {
  count = length(var.vault_server_names)
- ami = var.ami_id
+ ami = data.aws_ami.centos.id
  instance_type = var.instance_type
  subnet_id = module.vault_demo_vpc.public_subnets[0]
  key_name = var.key_name

diff --git a/terraform-aws-hashicorp-vault/module/network.tf b/terraform-aws-hashicorp-vault/module/network.tf
@@ -1,5 +1,6 @@
 module "vault_demo_vpc" {
  source = "terraform-aws-modules/vpc/aws"
+ version = "2.0"
  name = "${var.environment_name}-vpc"
  cidr = "10.0.0.0/16"
  azs = [var.availability_zones]

diff --git a/terraform-aws-hashicorp-vault/module/null.tf b/terraform-aws-hashicorp-vault/module/null.tf
diff --git a/terraform-aws-hashicorp-vault/module/outputs.tf b/terraform-aws-hashicorp-vault/module/outputs.tf
@@ -17,24 +17,24 @@ output "endpoints" {
  - K/V-V2 secret engine enabled and secret stored.
  - Leader of HA cluster
 
- $ ssh -l ubuntu ${aws_instance.vault-server[0].public_ip} -i ${var.key_name}.pem
+ $ ssh -l centos ${aws_instance.vault-server[0].public_ip} -i ${var.key_name}.pem
 
  # Root token:
- $ ssh -l ubuntu ${aws_instance.vault-server[0].public_ip} -i ${var.key_name}.pem "cat ~/root_token"
+ $ ssh -l centos ${aws_instance.vault-server[0].public_ip} -i ${var.key_name}.pem "cat ~/root_token"
  # Recovery key:
- $ ssh -l ubuntu ${aws_instance.vault-server[0].public_ip} -i ${var.key_name}.pem "cat ~/recovery_key"
+ $ ssh -l centos ${aws_instance.vault-server[0].public_ip} -i ${var.key_name}.pem "cat ~/recovery_key"
 
  vault_3 (${aws_instance.vault-server[1].public_ip}) | internal: (${aws_instance.vault-server[1].private_ip})
  - Started
  - You will join it to cluster started by vault_2
 
- $ ssh -l ubuntu ${aws_instance.vault-server[1].public_ip} -i ${var.key_name}.pem
+ $ ssh -l centos ${aws_instance.vault-server[1].public_ip} -i ${var.key_name}.pem
 
  vault_4 (${aws_instance.vault-server[2].public_ip}) | internal: (${aws_instance.vault-server[2].private_ip})
  - Started
  - You will join it to cluster started by vault_2
 
- $ ssh -l ubuntu ${aws_instance.vault-server[2].public_ip} -i ${var.key_name}.pem
+ $ ssh -l centos ${aws_instance.vault-server[2].public_ip} -i ${var.key_name}.pem
 
 EOF
 }
diff --git a/terraform-aws-hashicorp-vault/module/templates/userdata-vault-server.tpl b/terraform-aws-hashicorp-vault/module/templates/userdata-vault-server.tpl
@@ -74,7 +74,6 @@ if [[ ! -z $${YUM} ]]; then
  sudo yum-config-manager --enable rhui-REGION-rhel-server-releases-optional
  sudo yum-config-manager --enable rhui-REGION-rhel-server-supplementary
  sudo yum-config-manager --enable rhui-REGION-rhel-server-extras
- sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  sudo yum -y check-update
  sudo yum install -q -y wget unzip bind-utils ruby rubygems ntp jq
  sudo systemctl start ntpd.service
@@ -270,40 +269,20 @@ echo "${address} ${name}" | sudo tee -a /etc/hosts
 %{ if tpl_vault_node_name == "vault_2" }
 # vault_2 adds some test data to demonstrate that the cluster is connected to
 # the same data.
-if [[ ! -z $${YUM} ]]; then
- logger "Installing systemd services for RHEL/CentOS"
- sleep 5
- logger "Initializing Vault and storing results for CentOS user"
- vault operator init -recovery-shares 1 -recovery-threshold 1 -format=json > /tmp/key.json
- sudo chown centos:centos /tmp/key.json
- logger "Saving root_token and recovery key to CentOS user's home"
- VAULT_TOKEN=$(cat /tmp/key.json | jq -r ".root_token")
- echo $VAULT_TOKEN > /home/centos/root_token
- sudo chown centos:centos /home/centos/root_token
- echo $VAULT_TOKEN > /home/centos/.vault-token
- sudo chown centos:centos /home/centos/.vault-token
- echo $(cat /tmp/key.json | jq -r ".recovery_keys_b64[]") > /home/centos/recovery_key
- sudo chown centos:centos /home/centos/recovery_key
-
-elif [[ ! -z $${APT_GET} ]]; then
- logger "Installing systemd services for Debian/Ubuntu"
- sleep 5
- logger "Initializing Vault and storing results for ubuntu user"
- vault operator init -recovery-shares 1 -recovery-threshold 1 -format=json > /tmp/key.json
- sudo chown ubuntu:ubuntu /tmp/key.json
- logger "Saving root_token and recovery key to ubuntu user's home"
- VAULT_TOKEN=$(cat /tmp/key.json | jq -r ".root_token")
- echo $VAULT_TOKEN > /home/ubuntu/root_token
- sudo chown ubuntu:ubuntu /home/ubuntu/root_token
- echo $VAULT_TOKEN > /home/ubuntu/.vault-token
- sudo chown ubuntu:ubuntu /home/ubuntu/.vault-token
- echo $(cat /tmp/key.json | jq -r ".recovery_keys_b64[]") > /home/ubuntu/recovery_key
- sudo chown ubuntu:ubuntu /home/ubuntu/recovery_key
-else
- logger "Service not installed due to OS detection failure"
- exit 1;
-fi
-
+sleep 5
+logger "Initializing Vault and storing results for centos user"
+vault operator init -recovery-shares 1 -recovery-threshold 1 -format=json > /tmp/key.json
+sudo chown centos:centos /tmp/key.json
+
+logger "Saving root_token and recovery key to centos user's home"
+VAULT_TOKEN=$(cat /tmp/key.json | jq -r ".root_token")
+echo $VAULT_TOKEN > /home/centos/root_token
+sudo chown centos:centos /home/centos/root_token
+echo $VAULT_TOKEN > /home/centos/.vault-token
+sudo chown centos:centos /home/centos/.vault-token
+
+echo $(cat /tmp/key.json | jq -r ".recovery_keys_b64[]") > /home/centos/recovery_key
+sudo chown centos:centos /home/centos/recovery_key
 
 logger "Setting VAULT_ADDR and VAULT_TOKEN"
 export VAULT_ADDR=https://127.0.0.1:8200

diff --git a/terraform-aws-hashicorp-vault/module/templates/userdata-vault-transit.tpl b/terraform-aws-hashicorp-vault/module/templates/userdata-vault-transit.tpl
@@ -73,7 +73,6 @@ sudo timedatectl set-timezone UTC
 if [[ ! -z $${YUM} ]]; then
  logger "RHEL/CentOS system detected"
  logger "Performing updates and installing prerequisites"
- sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
  sudo yum-config-manager --enable rhui-REGION-rhel-server-releases-optional
  sudo yum-config-manager --enable rhui-REGION-rhel-server-supplementary
  sudo yum-config-manager --enable rhui-REGION-rhel-server-extras

diff --git a/terraform-aws-hashicorp-vault/module/variables.tf b/terraform-aws-hashicorp-vault/module/variables.tf
@@ -1,13 +1,7 @@
 # AWS region and AZs in which to deploy
-variable "aws_region" {}
-variable "vault_transit_private_ip" {}
-
-
-# SSH key name to access EC2 instances (should already exist) in the AWS Region
-variable "key_name" {}
-variable "user" {}
-variable "ssh_key_location" {}
-variable "ami_id" {}
+variable "aws_region" {
+ default = "us-east-1"
+}
 
 variable "availability_zones" {
  default = "us-east-1a"
@@ -18,6 +12,10 @@ variable "environment_name" {
  default = "raft-demo"
 }
 
+variable "vault_transit_private_ip" {
+ description = "The private ip of the first Vault node for Auto Unsealing"
+ default = "10.0.101.21"
+}
 
 
 variable "vault_server_names" {
@@ -27,7 +25,10 @@ variable "vault_server_names" {
 }
 
 variable "vault_server_private_ips" {
+ description = "The private ips of the Vault nodes that will join the cluster"
+ # @see https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html
  type = list(string)
+ default = ["10.0.101.22", "10.0.101.23", "10.0.101.24"]
 }
 
 
@@ -38,5 +39,9 @@ variable "vault_zip_file" {
 
 # Instance size
 variable "instance_type" {
- default = "m5.large"
-}
+ default = "t2.micro"
+}
+
+# SSH key name to access EC2 instances (should already exist) in the AWS Region
+variable "key_name" {
+}
diff --git a/terraform-aws-hashicorp-vault/variables.tf b/terraform-aws-hashicorp-vault/variables.tf
@@ -2,11 +2,3 @@ variable "aws_region" {}
 variable "availability_zones" {}
 variable "environment_name" {}
 variable "key_name" {}
-variable "user" {}
-variable "ssh_key_location" {}
-variable "ami_id" {}
-variable "vault_transit_private_ip" {}
-variable "vault_server_private_ips" {
- type = list(string)
-}
-