Comments (8)
Read about them here:
https://www.vaultproject.io/docs/configuration/storage/consul.html
https://www.vaultproject.io/docs/configuration/storage/s3.html
from terraform-aws-vault.
For durability. S3 helps ensure that you don't lose all your secrets by accidentally killing off the Consul cluster. https://github.com/hashicorp/terraform-aws-vault/tree/master/modules/vault-cluster#s3-bucket
from terraform-aws-vault.
Howdy. I see that we've now actually removed S3 backend in current code. I liked the durability provided by an S3 backend as @brikis98 mentioned above. I had already pinned my modules to 0.0.8, so I can keep the old model for a while before a transition. Is there a form of Consul deployment that can closely mimic the durability that an S3 backend provides? I have tested many times this feature, where I can tear down my whole environment, except for the S3 buckets, and bring it back up again, and not miss any secrets! :D Can I do that with Consul, as constructed with this module and examples? Thanks.
from terraform-aws-vault.
We did remove it, as HashiCorp recommends using Consul as the primary store. You could use S3 with this module by overriding the configuration. Alternatively, if someone wants to make a PR to the run-vault script that supports S3 as a (non-default) alternative to Consul, I'd also welcome that.
from terraform-aws-vault.
Consul is now the default backend, but with #41, you can now optionally enable S3 as a storage backend and use Consul solely for HA.
from terraform-aws-vault.
Hello everyone
I'm building a project and I want to use a remote backend so the team can work together. I saw that Consul and S3 are good options for that, but I'm not sure which is the best.
from terraform-aws-vault.
@brikis98 you mentioned that Hashicorp recommends consul as a primary backend but I can't find an explanation in the documentation of why this is the better idea.
The way I understand it these are the two options:
Option a) Use consul as only backend HA storage and do periodic snapshots to be copied over to a bucket, let's say every 15 minutes? Downside of this approach is that if I accidentally destroy a consul server I may lose up to 15 minutes data. Upgrading consul servers in an automated and disposable way can be a pain when following this approach and downtime may be unavoidable.
Option b) Use s3 as backend but also use consul as HA for locking. Here is where I get really confused. What happens if I grab a snapshot from option a and restore in option b? Would that overwrite the data on the bucket? Can you still do snapshots of consul when you are doing this? Or do you backup in different ways?
This is the kind of information that's missing in the documentation (Or I can't find it, if you know where please point me in the right direction). It would be helpful and would save time in experimenting and trying to figure things out on your own.
Another thing that seems very tedious is upgrading consul, the procedure described here:
https://www.consul.io/docs/upgrading.html
Feels very "retro".
I managed to automate the upgrading of vault itself with the method described here:
https://groups.google.com/forum/#!msg/terraform-tool/7Gdhv1OAc80/iNQ93riiLwAJ
Which works amazingly well, but doing that for Consul sadly wouldn't work so well, so I am wondering if option b would be easier to automate an upgrade with no downtime.
from terraform-aws-vault.
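The two layouts discussed in this thread (Consul as the only backend, versus S3 as the data store with Consul used purely for the HA lock) map onto two different Vault server configs. The following is an added illustration, not configuration shipped by terraform-aws-vault or taken from the run-vault script; bucket name, region, KMS alias, certificate paths and addresses are placeholders you would replace with your own.

```hcl
# Added example, not part of the module. Each config below is a separate
# server.hcl; a single Vault process accepts only one storage stanza.

# ---------------------------------------------------------------------------
# Config A: Consul is both the data store and the HA coordinator (option a).
# Every secret lives in Consul's KV under "path", so the backup is a
# `consul snapshot`, and data written since the last snapshot is at risk
# if the Consul cluster is lost.
# ---------------------------------------------------------------------------
ui = true

api_addr     = "https://vault.example.internal:8200"   # placeholder
cluster_addr = "https://vault.example.internal:8201"   # placeholder

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt.pem"   # placeholder path
  tls_key_file  = "/opt/vault/tls/vault.key.pem"   # placeholder path
}

storage "consul" {
  address = "127.0.0.1:8500"   # local Consul agent
  path    = "vault/"           # KV prefix holding all Vault data
  scheme  = "http"
}

# ---------------------------------------------------------------------------
# Config B: S3 holds the data, Consul only provides the HA lock (option b).
# Consul now contains nothing but the leader/lock keys under "path"; the
# secrets are S3 objects, so bucket versioning plus SSE-KMS is the
# durability story, and a Consul snapshot no longer backs up the secrets.
# ---------------------------------------------------------------------------
ui = true

api_addr     = "https://vault.example.internal:8200"   # placeholder
cluster_addr = "https://vault.example.internal:8201"   # placeholder

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt.pem"   # placeholder path
  tls_key_file  = "/opt/vault/tls/vault.key.pem"   # placeholder path
}

storage "s3" {
  bucket     = "example-vault-storage"     # placeholder bucket name
  region     = "us-east-1"                 # placeholder region
  kms_key_id = "alias/example-vault-key"   # placeholder; server-side encryption with KMS
}

ha_storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"   # only lock and leader keys end up here
  scheme  = "http"
}
```

On the question of restoring an option-a Consul snapshot into an option-b cluster: it would not populate the bucket, because with config B Vault never writes secret data to Consul at all. Moving existing data between storage backends is what `vault operator migrate` is for; a Consul snapshot restore under config B only replaces the HA coordination keys. Under config B, the credentials Vault uses for the bucket should be scoped to that bucket alone, and bucket versioning gives you the point-in-time recovery that periodic Consul snapshots were providing in option a.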
https://learn.hashicorp.com/vault/operations/ops-reference-architecture is probably a good starting point.
from terraform-aws-vault.