
terraform-aws-vault's Issues

Routing Traffic via the ELB to the Standby nodes?

Hi. 👋

In your ELB module documentation you state the following:

Health Check: The ELB uses the /sys/health endpoint on your Vault servers, with the standbyok flag set to true, as a health check endpoint. This way, the ELB will see any primary or standby Vault node that is unsealed as healthy and route traffic to it.

My question is that with this configuration you're going to route traffic to the *standby* nodes as well because they're going to be marked as Healthy by the ELB. Will standby nodes accept requests from the ELB? Will they be serviced properly? I was under the assumption that ONLY the Primary node should have traffic routed to it.

I am using consul as a backend, and my advertise_addr is set to http://127.0.0.1.
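
An added example, not the module's own code nor part of the post, showing the health check that produces the behaviour the question describes next to the variant that keeps standbys out of service. The API port 8200 and the resource and variable names are assumptions.

```hcl
# Added example, not the module's code. Classic ELB for a Vault cluster whose
# API listens on port 8200 (assumed). The only difference between the two
# deployment styles is the health check target.
#
# Status codes from /v1/sys/health: 200 = unsealed and active, 429 = unsealed
# standby, 501 = not initialized, 503 = sealed. The ELB treats only 200 as
# healthy, so without standbyok=true the standbys are OutOfService and all
# traffic lands on the active node; with it, standbys are InService as well.

variable "route_to_standbys" {
  description = "true: send traffic to any unsealed node (module default); false: active node only"
  default     = true
}

variable "subnet_ids" {
  type = "list"
}

variable "security_group_id" {}

resource "aws_elb" "vault" {
  name            = "vault-elb-example"
  subnets         = ["${var.subnet_ids}"]
  security_groups = ["${var.security_group_id}"]
  internal        = true

  # TCP passthrough keeps TLS end-to-end between the client and the Vault node.
  listener {
    lb_port           = 8200
    lb_protocol       = "tcp"
    instance_port     = 8200
    instance_protocol = "tcp"
  }

  health_check {
    target              = "HTTPS:8200/v1/sys/health${var.route_to_standbys ? "?standbyok=true" : ""}"
    interval            = 15
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}
```

Either way an unsealed standby does accept the connection: it forwards the request to the active node over the cluster port, or, where forwarding is not available, answers 307 with the active node's advertised address. That address comes from advertise_addr (api_addr in newer Vault versions) and must be reachable from the client; with http://127.0.0.1 a redirect sends the client to itself. The active-only variant trades this for a short window with no InService instance after a failover, until the new active node passes healthy_threshold consecutive checks.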

In vault-cluster-private, should the vault servers join Consul on startup?

In vault-cluster-private, should the vault servers join the Consul cluster when they start up? In my setup, they are not doing this. I'd like them to, but if this is not something built in I won't worry about it.

My Vault server instances are running this as their user_data script:

#!/bin/bash
/opt/consul/bin/run-consul --client --cluster-tag-key consul-dev-servers --cluster-tag-value consul-development
/opt/vault/bin/run-vault --s3-bucket clearcover-vault-development --s3-bucket-region us-east-2 --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem

module/private-tls-cert - IP Addresses Requirement

Is there a way to get around the IP addresses requirement in the private-tls-cert module? I'm generating ASG clusters using terraform in AWS, and it would be beneficial to use domains with wildcards instead of IP's since everything is generated on the fly.

My only other options seem to be:

  • Include the module in my project, then generating everything together (putting the private key in the remote state file) in order to dynamically generate the IP list
  • Set up an ELB with an elastic IP, which makes my cluster public

Is there another way?

Making Pip and Boto Installation Optional

AFAIK, pip and boto was added to the install script as part of the examples in #96

But pip and boto are strictly not required unless you are using the vault-consul-ami example. Shouldn't these installation be part of the example packer template for that example instead of being in the install-vault module? Alternatively, they can be optional.

More specific to my concern: I am using, by default, Python 3 on my Ubuntu AMIs. I am not sure what kind of issue installing pip and pip packages from Python 2 on top of Python 3 would bring. I am also not using boto in my AMI.

Use systemd instead of supervisord

On systems which have systemd available (more and more...), systemd might be used instead of supervisord. It saves runtime resources (no need to run supervisord and systemd at the same time) and speeds up installation, helpful for autoscaling groups without pre-baked images.

Intermittent test failure

The automated tests for the S3 backend are failing intermittently. I can't repro locally and don't have enough info from CircleCI to figure out what's wrong.

Here's the info I have so far.

Example build failure: https://circleci.com/gh/hashicorp/terraform-aws-vault/11

Actual error message:

 --- FAIL: TestVaultClusterS3BackendAmazonLinuxAmi (607.76s)^M
   ssh.go:87: Process exited with status 1^M

I'd say it fails with Amazon Linux 45% of the time, Ubuntu 45% of the time, and passes with both 10% of the time.

Last useful thing in the logs before the failure happens:

TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: Apply complete! Resources: 31 added, 0 changed, 0 destroyed.
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: 
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: Outputs:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: 
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: asg_name_consul_cluster = consul-test-YnAZ122018082107313398830000000a
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: asg_name_vault_cluster = vault-test-YnAZ1220180821073133935400000009
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: aws_region = eu-west-3
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: consul_cluster_cluster_tag_key = consul-test-YnAZ12
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: consul_cluster_cluster_tag_value = consul-test-YnAZ12
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: iam_role_arn_consul_cluster = arn:aws:iam::087285199408:role/consul-test-YnAZ1220180821073119836100000002
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: iam_role_arn_servers = arn:aws:iam::087285199408:role/consul-test-YnAZ1220180821073119836100000002
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: iam_role_arn_vault_cluster = arn:aws:iam::087285199408:role/vault-test-YnAZ1220180821073119835000000001
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: iam_role_id_consul_cluster = consul-test-YnAZ1220180821073119836100000002
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: iam_role_id_servers = consul-test-YnAZ1220180821073119836100000002
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: iam_role_id_vault_cluster = vault-test-YnAZ1220180821073119835000000001
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: launch_config_name_consul_cluster = consul-test-YnAZ12-20180821073123757700000008
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: launch_config_name_servers = consul-test-YnAZ12-20180821073123757700000008
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: launch_config_name_vault_cluster = vault-test-YnAZ12-20180821073123589100000007
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: s3_bucket_arn = arn:aws:s3:::vault-module-test-ynaz12
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: security_group_id_consul_cluster = sg-06468ca4dba200b0c
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: security_group_id_servers = sg-06468ca4dba200b0c
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: security_group_id_vault_cluster = sg-0469735edde9a2724
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: ssh_key_name = YnAZ12
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: vault_cluster_size = 3
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: vault_servers_cluster_tag_key = Name
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: vault_servers_cluster_tag_value = vault-test-YnAZ12
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z test_structure.go:23: The 'SKIP_validate' environment variable is not set, so executing stage 'validate'.
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z save_test_data.go:159: Loading test data from /tmp/TestVaultClusterS3BackendAmazonLinuxAmi205127556/terraform-aws-vault/examples/vault-s3-backend/.test-data/TerraformOptions.json
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z save_test_data.go:159: Loading test data from /tmp/TestVaultClusterS3BackendAmazonLinuxAmi205127556/terraform-aws-vault/examples/vault-s3-backend/.test-data/AwsRegion.json
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z save_test_data.go:159: Loading test data from /tmp/TestVaultClusterS3BackendAmazonLinuxAmi205127556/terraform-aws-vault/examples/vault-s3-backend/.test-data/Ec2KeyPair.json
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z retry.go:69: Running terraform [output -no-color asg_name_vault_cluster]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:52: Running command terraform with args [output -no-color asg_name_vault_cluster]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:24Z command.go:96: vault-test-YnAZ1220180821073133935400000009
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:25Z vault_helpers.go:396: Trying to establish SSH connection to 35.180.35.177
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:25Z retry.go:69: Trying to establish SSH connection to 35.180.35.177
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:25Z ssh.go:219: Running command 'exit' on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:26Z vault_helpers.go:396: Trying to establish SSH connection to 35.180.140.244
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:26Z retry.go:69: Trying to establish SSH connection to 35.180.140.244
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:26Z ssh.go:219: Running command 'exit' on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:27Z vault_helpers.go:396: Trying to establish SSH connection to 35.180.22.116
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:27Z retry.go:69: Trying to establish SSH connection to 35.180.22.116
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:27Z ssh.go:219: Running command 'exit' on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:29Z vault_helpers.go:411: Waiting for Vault to boot the first time on host 35.180.35.177. Expecting it to be in uninitialized status (501).
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:29Z vault_helpers.go:561: Check that the Vault node 35.180.35.177 has status 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:29Z retry.go:69: Check that the Vault node 35.180.35.177 has status 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:29Z vault_helpers.go:584: Using curl to check status of Vault server 35.180.35.177: curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:29Z ssh.go:219: Running command curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:30Z vault_helpers.go:570: Got expected status code 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:30Z vault_helpers.go:411: Waiting for Vault to boot the first time on host 35.180.140.244. Expecting it to be in uninitialized status (501).
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:30Z vault_helpers.go:561: Check that the Vault node 35.180.140.244 has status 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:30Z retry.go:69: Check that the Vault node 35.180.140.244 has status 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:30Z vault_helpers.go:584: Using curl to check status of Vault server 35.180.140.244: curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:30Z ssh.go:219: Running command curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:31Z vault_helpers.go:570: Got expected status code 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:31Z vault_helpers.go:411: Waiting for Vault to boot the first time on host 35.180.22.116. Expecting it to be in uninitialized status (501).
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:31Z vault_helpers.go:561: Check that the Vault node 35.180.22.116 has status 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:31Z retry.go:69: Check that the Vault node 35.180.22.116 has status 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:31Z vault_helpers.go:584: Using curl to check status of Vault server 35.180.22.116: curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:31Z ssh.go:219: Running command curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:32Z vault_helpers.go:570: Got expected status code 501
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:32Z vault_helpers.go:418: Initializing the cluster
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:32Z ssh.go:219: Running command vault operator init on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:34Z vault_helpers.go:561: Check that the Vault node 35.180.35.177 has status 503
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:34Z retry.go:69: Check that the Vault node 35.180.35.177 has status 503
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:34Z vault_helpers.go:584: Using curl to check status of Vault server 35.180.35.177: curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:34Z ssh.go:219: Running command curl -s -o /dev/null -w '%{http_code}' https://127.0.0.1:8200/v1/sys/health on [email protected]
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:35Z vault_helpers.go:570: Got expected status code 503
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:35Z vault_helpers.go:533: Unsealing Vault on host 35.180.35.177
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:35Z ssh.go:219: Running command vault operator unseal irygA2vJnenA065rDtk8hMvWyiryU/VMsrb/bVFUaybM && vault operator unseal apmt7EDW7PAYWevEz5QZEowt4QbkmNfQuq1ECRrfhbC0 && vault operator unseal s5kJnfJQ8Lyg59yyt09pQCDFNCExYRC9yIt4FVzZTdVe on [email protected]

So it's something to do with the unseal operation.

I tried to fetch logs from all servers here: https://github.com/hashicorp/terraform-aws-vault/blob/master/test/vault_helpers.go#L280-L282.

But for some crazy reason, the logs are printing out empty!

TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:280: Contents of /opt/vault/log/vault-stdout.log on Instance i-030d032e72c6c3497:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:281: Contents of /opt/vault/log/vault-error.log on Instance i-030d032e72c6c3497:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:282: Contents of /var/log/messages on Instance i-030d032e72c6c3497:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:280: Contents of /opt/vault/log/vault-stdout.log on Instance i-086538ebbf3c3f8a3:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:281: Contents of /opt/vault/log/vault-error.log on Instance i-086538ebbf3c3f8a3:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:282: Contents of /var/log/messages on Instance i-086538ebbf3c3f8a3:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:280: Contents of /opt/vault/log/vault-stdout.log on Instance i-0e79828fd97096eb9:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:281: Contents of /opt/vault/log/vault-error.log on Instance i-0e79828fd97096eb9:
TestVaultClusterS3BackendAmazonLinuxAmi 2018-08-21T07:32:47Z vault_helpers.go:282: Contents of /var/log/messages on Instance i-0e79828fd97096eb9:

Even the new-lines (\n) are missing above? I'm very stumped by all of this.

Question about security group

Dear Maintainer,

I have a couple of questions regarding your security group definitions.

My goal is to have the least possible access and only access the vault servers via its ELB from anywhere. Apart from that each of the servers (vault and consul) should have very strict rules as there are also other EC2 instances in the same VPC which should NOT be able to access them.

vault_cluster.allowed_inbound_cidr_blocks

Is this supposed to be HTTPS access to each of the vault clusters?
Is it sufficient, if I only allow the Vault ELB as inbound or does each vault cluster also need
to talk to the other vault clusters?

module "vault_cluster" {
  ...
  allowed_inbound_cidr_blocks          = ["0.0.0.0/0"]
  ...
}

security_group_rules.allowed_inbound_cidr_blocks

Is it safe to only specify the CIDR of the consul clusters or do I need external access here?

module "security_group_rules" {
  ...
  allowed_inbound_cidr_blocks          = ["0.0.0.0/0"]
  ...
}

consul_cluster.allowed_inbound_cidr_blocks

What exactly needs to connect to the consul cluster as the safest minimum?

module "consul_cluster" {
  ...
  allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
  ...
}
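
An added example, not the module's code and not part of the post, wiring the three allowed_inbound_* knobs the question lists so that only the load balancer reaches the Vault API, only the Consul servers reach the Consul agent ports on the Vault nodes, and only the Vault nodes reach the Consul servers. Assumptions: vault-elb exports load_balancer_security_group_id, both cluster modules export security_group_id and accept allowed_inbound_security_group_ids, and an allowed_inbound_security_group_count variable exists for the case where Terraform 0.11 cannot compute count from another module's output (drop that line if your module version lacks it). Arguments unrelated to network access are left out and marked in comments.

```hcl
# Added example, not the module's code. Terraform 0.11 syntax to match the post.

variable "vpc_id" {}
variable "bastion_cidr_block" {}

variable "subnet_ids" {
  type = "list"
}

variable "client_cidr_blocks" {
  description = "Who may talk to the load balancer; the only thing open beyond the VPC"
  type        = "list"
}

module "vault_elb" {
  source     = "github.com/hashicorp/terraform-aws-vault//modules/vault-elb"
  name       = "vault-elb"
  vpc_id     = "${var.vpc_id}"
  subnet_ids = ["${var.subnet_ids}"]

  allowed_inbound_cidr_blocks = ["${var.client_cidr_blocks}"]
}

module "vault_cluster" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster"
  # ... ami_id, cluster_name, cluster_size, instance_type, user_data as in the examples

  vpc_id     = "${var.vpc_id}"
  subnet_ids = ["${var.subnet_ids}"]

  # Vault API (8200): no CIDR at all, only the load balancer's security group.
  # Node-to-node traffic on the cluster port is opened by the module inside
  # the cluster's own security group, so nothing else is needed here.
  allowed_inbound_cidr_blocks          = []
  allowed_inbound_security_group_ids   = ["${module.vault_elb.load_balancer_security_group_id}"]
  allowed_inbound_security_group_count = 1 # assumed helper variable, see lead-in

  # SSH: only from the bastion.
  allowed_ssh_cidr_blocks = ["${var.bastion_cidr_block}"]
}

# Consul agent ports on the Vault nodes (gossip on 8301 among them): only the
# Consul servers need to reach them, not every instance in the VPC.
module "security_group_rules" {
  source            = "github.com/hashicorp/terraform-aws-consul//modules/consul-security-group-rules"
  security_group_id = "${module.vault_cluster.security_group_id}"

  allowed_inbound_cidr_blocks          = []
  allowed_inbound_security_group_ids   = ["${module.consul_cluster.security_group_id}"]
  allowed_inbound_security_group_count = 1
}

module "consul_cluster" {
  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-cluster"
  # ... ami_id, cluster_name, cluster_size, instance_type, user_data as in the examples

  vpc_id = "${var.vpc_id}"

  # Consul server ports: only the Vault nodes (their local Consul agents).
  allowed_inbound_cidr_blocks          = []
  allowed_inbound_security_group_ids   = ["${module.vault_cluster.security_group_id}"]
  allowed_inbound_security_group_count = 1
  allowed_ssh_cidr_blocks              = ["${var.bastion_cidr_block}"]
}
```

Referencing security groups rather than CIDR ranges is what keeps the rules tight when the autoscaling groups replace instances: a new Vault node is covered the moment it joins the group, and an unrelated instance in the same subnet is not. The 0.0.0.0/0 values from the post belong at most on the vault_elb module, and only if clients really come from outside the VPC.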

Make the S3 backend optional

There has been some discussion around bringing back the option to configure S3 as a backend, on top of the Consul HA backend.

I'm opening this issue in preparation for a PR I'll be submitting shortly.

Vault installer permissions on $path should be set definitively

In modules/install-vault/install-vault around line

  echo "Giving Vault permission to use the mlock syscall"
  sudo setcap cap_ipc_lock=+ep $(readlink -f $(which vault))

This fails on a linux system where the /opt/vault folder and /opt/vault/bin folder are created with a non default umask (

On line 158 in the install-vault module, should add
sudo chmod 755 "$path"
sudo chmod 755 "$path/bin"

To make sure these folders are set world readable. Probably should change the other folders to be 700 to make sure no one but vault has permissions on those.

How to configure Vault path

I've successfully deployed this module and your work is greatly appreciated. But I'm curious, if I want to run multiple vault clusters, for example a non-prod and a prod cluster, but connected to the same consul cluster, I imagine I need to set the vault path, but I'm not sure where that option exists.

I've seen in the run-vault script there is an option to specify a vault config file. How does that work? I'm assuming the cli options take precedence and since I don't see a vault path arg that should work right? My bigger question though is, is there any documentation on the best way to deploy the config file? I don't want to have to have separate packer built AMIs for each vault path I need to support. Is there an preferred way to deploy that config, and is that the only way to set the vault path?

database/config always gives a diff

Hi,

With the below module, database/config path always gives a diff after first apply:


resource "vault_generic_secret" "db_config" {
  count = "${local.is_mysql}"
  path  = "database/config/${var.db_identifier}"

  data_json = <<EOT
{
  "plugin_name": "mysql-database-plugin",
  "connection_url": "${var.db_user}:${var.db_creds}@tcp(${var.rds_name}:3306)/",
  "allowed_roles": ["${var.db_role}_rw", "${var.db_role}_ro"]
}
EOT
}

This happens as on the vault side, connection_url is actually an object inside connection_details. so changing the data_json to:


  data_json = <<EOT
{
  "plugin_name": "mysql-database-plugin",
  "connection_details": {
    "connection_url": "${var.db_user}:${var.db_creds}@tcp(${var.rds_name}:3306)/"
  },
  "allowed_roles": ["${var.db_role}_rw", "${var.db_role}_ro"]
}
EOT

fixes the diff after creating the config. However, with the above json, new configs cannot be created as vault throws error saying

  • error creating database object: connection_url cannot be empty
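
An added example, not from the original post, using the Vault provider's purpose-built resource for this path instead of vault_generic_secret. The variables and local.is_mysql are the post's own; the "database" mount path is an assumption. Because the provider reads the connection back through the database backend API, it compares like with like and the plan stays clean after the first apply, and Vault receives connection_url where it expects it, so the "connection_url cannot be empty" error does not arise.

```hcl
# Added example, not from the post. Terraform 0.11 syntax to match the post.
resource "vault_database_secret_backend_connection" "db_config" {
  count   = "${local.is_mysql}"
  backend = "database"                  # mount path of the database secrets engine (assumed)
  name    = "${var.db_identifier}"      # becomes database/config/<name>

  allowed_roles = ["${var.db_role}_rw", "${var.db_role}_ro"]

  mysql {
    connection_url = "${var.db_user}:${var.db_creds}@tcp(${var.rds_name}:3306)/"
  }
}
```

connection_url still carries db_creds, so the credentials end up in the Terraform state: keep the state in an access-controlled backend, not in a repository. If you must stay on vault_generic_secret, its disable_read argument stops the provider from comparing the written JSON with what Vault returns, which removes the diff at the cost of never detecting drift.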

Support tagged lookups on VPC & Subnets

For systems NOT using the default vpc (e.g. using the terraform vpc module), there are often public and private subnets created. This means 6 subnets, 2 per AZ, which breaks this module. One thought is to add a variable

variable "subnet_tags" {
  # e.g. Tier = "Private"
  type    = "map"
  default = {}
}

and modify main.tf to do

data "aws_subnet_ids" "default" {
  vpc_id = "${data.aws_vpc.default.id}"
  tags = "${var.subnet_tags}"
}

Then apply similar logic to the aws_vpc block
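
An added example, not the module's code, carrying the proposal through for both the VPC and the subnets in Terraform 0.11 syntax. The use_default_vpc and vpc_tags names match variables the module already exposes; the vault-cluster and vault-elb subnet_ids arguments are assumed from the module calls shown elsewhere on this page.

```hcl
# Added example, not the module's code. Select the VPC by tag (or the default
# VPC) and then only the subnets that carry the requested tags.

variable "use_default_vpc" {
  default = false
}

variable "vpc_tags" {
  description = "Tags that select the VPC when use_default_vpc is false, e.g. Name = \"prod\""
  type        = "map"
  default     = {}
}

variable "subnet_tags" {
  description = "Tags that select the subnets, e.g. Tier = \"Private\""
  type        = "map"
  default     = {}
}

data "aws_vpc" "selected" {
  default = "${var.use_default_vpc}"
  tags    = "${var.vpc_tags}"
}

# Only subnets in the selected VPC that match every tag in subnet_tags.
# With Tier = "Private" on a 3-AZ layout this yields exactly three subnets,
# one per AZ, which also satisfies the ELB's one-subnet-per-AZ constraint.
data "aws_subnet_ids" "selected" {
  vpc_id = "${data.aws_vpc.selected.id}"
  tags   = "${var.subnet_tags}"
}

output "vpc_id" {
  value = "${data.aws_vpc.selected.id}"
}

output "subnet_ids" {
  value = ["${data.aws_subnet_ids.selected.ids}"]
}
```

The outputs are what you hand to the cluster and ELB modules as vpc_id and subnet_ids. Note that aws_vpc fails the plan if the tags match zero or more than one VPC, and an empty subnet_tags map selects every subnet in the VPC, which brings back the original problem.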

Error running vault_cluster

Hello,

Thanks for working on terraform modules for aws vault, it's super useful!

Just ran into an issue running terraform plan which fails with the following error:

module.pg_vault_cluster.module.security_group_rules.aws_security_group_rule.allow_api_inbound_from_security_group_ids: aws_security_group_rule.allow_api_inbound_from_security_group_ids: value of 'count' cannot be computed

I narrowed it down to this line where the length function is used to pass the result to count which makes terraform with version v0.11.7 unhappy.

Do you have a solution to the problem above?

Thanks,
Alex

instance volume tagging

I'm back again with more tagging drama...
This time it is the volumes attached to the instances created by the autoscaling group. aws_launch_configuration does not give us a way to set those but aws_launch_template does. I'm working on a solution that replaces the former with the latter. I can't find a way in HCL to allow for either-or. I'll submit a PR once I have something that works (and one for terraform-aws-consul also) but wanted to open the discussion early in case anyone else has ideas on the subject.

is consul needed?

Hey guys,

I want to use vault on AWS but I'm wondering if it can be done without consul?
If so, how does one go about that?

S3 backend should have configurable bucket versioning

Hi there 👋

For the vault-cluster module, an optional property enable_s3_bucket_versioning could be passed in to be able to configure versioning of the objects inside the bucket.

AWS Trusted Advisor suggests all S3 buckets should have versioning enabled.

Thanks,
Paul

Consul complaining about TCP/8301 being blocked to Vault

I deployed consul/vault using the modules provided by this and the consul repos and everything is working correctly. However when adding monitoring to consul I noticed all nodes in the cluster were emitting the following error

2018/11/05 19:31:07 [ERR] memberlist: Push/Pull with i-abcefg12345 failed: dial tcp 1.1.1.1:8301: i/o timeout

I changed the IP for security reasons but it was one of the consul-clients running alongside the vault nodes. Looking at the default SG produced by "vault-security-group-rules" it's not allowing TCP/8301 from the consul SG/subnet.

Is this by design? I know this is the SERF Lan port but is there any harm in allowing it?

Why use S3 for storage instead of Consul?

I've built something that closely resembles this module, though with a few differences, one being that I'm using Consul for the Vault storage. I'm curious why you chose to use S3 as a storage backend when you already depend on Consul?

Just being curious here. 😄

awscli should be installed only if it's not available yet

Currently install scripts install awscli via yum/apt repositories. On many machines this is not needed as AWSCLI is installed beforehand / on ami. As it is a good practice to install awscli directly from amazon, not OS packages (as they are very slow with updates), installing it via package manager in such situation will install another awscli on a system and might cause issues if outdated awscli from deb/rpm is located earlier in the path definition.

New vault instance does not join cluster

First thank you for this module.
When incrementing count number of vault server and launching terraform apply again, the new one started but did not join the cluster until we log into it and enter consul join.
Why is it different when starting from scratch?

Allow specification of non-default VPC

The Consul TF Registry module allows this. I think I see what changes were made there, and I hope I can make a PR that holds equivalent changes for this module (and how it uses the Consul module itself). I know that the code in the root of this repo is for "examples" and "testing", but I want to be fully lazy and have it also work for a real production setup as well as for testing purposes. ;)

Installing as a Vault Agent

Using the Consul module it is possible to use the run-consul script to start consul in agent mode and allow vault to connect to localhost.

There doesn't appear to be a similar provision in this module, which would allow behaviour shown in the root README diagram in which vault agents connect to the vault servers from the client applications/instances. Am I missing something, or is there missing functionality?

Add Optional IAM Role Name Variable

As is, the aws_iam_role resource created in the vault-cluster module defaults to using the cluster_name variable as the role resource's name_prefix argument (https://github.com/hashicorp/terraform-aws-vault/blob/v0.0.7/modules/vault-cluster/main.tf#L158-L159). As a result, the ultimate instance role ARN can't be determined statically. It would be helpful in my use case to have an optional iam_role_arn variable to ensure the same ARN across deployments. This variable could have a default that sees the current name_prefix value maintained. Then, if the new variable was set to a different value, name would be used in place of name_prefix on the aws_iam_role resource.

For context, the use case I am envisioning is role-based access provided to the vault nodes with the associated policy managed outside of this vault_cluster module. I.e., I need to provide the vault instance role ARN to another codebase and ideally have that ARN remain constant across vault deployments.
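
An added example, not the module's code, of the optional-name pattern the post proposes, written for Terraform 0.11 where name and name_prefix cannot be switched on one resource. The variable name iam_role_name is an assumption (the post suggests iam_role_arn, but what you choose is the name; the ARN follows from it).

```hcl
# Added example, not the module's code. Two mutually exclusive aws_iam_role
# resources: exactly one of them has count = 1, and locals expose whichever
# was created so the rest of the module does not care which.

variable "cluster_name" {}

variable "iam_role_name" {
  description = "Fixed name for the instance role. Empty keeps the module's cluster_name name_prefix behaviour."
  default     = ""
}

locals {
  use_fixed_role_name = "${var.iam_role_name != "" ? 1 : 0}"
}

data "aws_iam_policy_document" "instance_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Fixed name: ARN is arn:aws:iam::<account>:role/<iam_role_name>, known up front.
resource "aws_iam_role" "fixed" {
  count              = "${local.use_fixed_role_name}"
  name               = "${var.iam_role_name}"
  assume_role_policy = "${data.aws_iam_policy_document.instance_role.json}"
}

# Default: today's behaviour, a generated suffix after cluster_name.
resource "aws_iam_role" "prefixed" {
  count              = "${1 - local.use_fixed_role_name}"
  name_prefix        = "${var.cluster_name}"
  assume_role_policy = "${data.aws_iam_policy_document.instance_role.json}"
}

locals {
  instance_role_name = "${element(concat(aws_iam_role.fixed.*.name, aws_iam_role.prefixed.*.name), 0)}"
  instance_role_arn  = "${element(concat(aws_iam_role.fixed.*.arn, aws_iam_role.prefixed.*.arn), 0)}"
}

resource "aws_iam_instance_profile" "instance_profile" {
  name_prefix = "${var.cluster_name}"
  role        = "${local.instance_role_name}"
}

output "iam_role_arn" {
  value = "${local.instance_role_arn}"
}
```

A fixed name is what makes the ARN stable for a policy managed elsewhere, but IAM role names are unique per account, so two clusters in one account must use different values (or leave the variable empty and keep the prefix). Whatever the external policy grants to that ARN applies to every Vault node, so keep the role's own inline policy to the minimum the nodes need.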

When creating the private-tls-cert, why set validity in hours?

In creating the private TLS certificate, one of the params to the module is validity_period_hours. It appears that the intention is to set this in a shorter period like 24 hours, rather than a longer one (which would be my inclination), like 10 years. Why is this? If I'm creating my own CA for signing these certs, and they expire in a short time, won't I have to have some way of recreating new TLS certs all the time?

I like the approach of creating your own CA for internal applications like this, I think I'm just missing a piece on the expirations. Thanks!

module vault-elb is not idempotent

I'm creating ELB for vault with this:

module "vault_elb" {
  source                      = "git::[email protected]:hashicorp/terraform-aws-vault.git//modules/vault-elb"
  internal                    = true
  name                        = "${var.country}-${var.stage}-vault-elb"
  vpc_id                      = "${module.network-getter.vpc_id}"
  subnet_ids                  = "${module.network-getter.private_subnet_ids}"
  allowed_inbound_cidr_blocks = ["${data.aws_vpc.main.cidr_block}"]
}

everything applies with no problem. Thank you guys!
But after invoking terraform plan once again I see the following:

Terraform will perform the following actions:
  ~ module.vault_elb.aws_elb.vault
      availability_zones.#:          "3" => "0"
      availability_zones.1305112097: "us-east-1b" => ""
      availability_zones.3569565595: "us-east-1a" => ""
      availability_zones.986537655:  "us-east-1c" => ""


Plan: 0 to add, 1 to change, 0 to destroy.
$ terraform version
Terraform v0.10.7

apt package dependency missing: libcap2-bin

install-vault is calling the setcap command without ensuring that it is installed. In most slim debian/ubuntu images the package may not be installed by default. I suggest adding libcap2-bin for apt, libcap for yum-based distributions to the dependency package list:
https://github.com/hashicorp/terraform-aws-vault/blob/master/modules/install-vault/install-vault#L138

Alternative approach would be to disable mlock on systems where capability can't be set, but this is against vault recommended practices.

Missing SG in Private Vault Example

The consul cluster in the examples/vault-cluster-private repo is missing the security group from the vault cluster. The result is the vault nodes can't speak to the consul nodes due to lack of security group rules.

The fix is to supply the missing vault security group to the consul cluster. The submodule that relies on this security group can be found here:
https://github.com/hashicorp/terraform-aws-consul/blob/master/modules/consul-security-group-rules/variables.tf#L20

Example "vault-cluster-private" doesn't create a private Vault cluster

Hi again. Given this VPC:

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  name = "pre-dev"
  cidr = "10.50.0.0/16"

  azs              = ["us-west-2a", "us-west-2b", "us-west-2c"]
  private_subnets  = ["10.50.1.0/24", "10.50.2.0/24", "10.50.3.0/24"]
  public_subnets   = ["10.50.11.0/24", "10.50.12.0/24", "10.50.13.0/24"]
  database_subnets = ["10.50.21.0/24", "10.50.22.0/24", "10.50.23.0/24"]

  enable_nat_gateway = true
  enable_vpn_gateway = true

  tags = {
    Terraform   = "true"
    Environment = "pre-dev"
  }
}

and this stanza

module "vault" {
  source = "github.com/boldandbusted/terraform-aws-vault/examples/vault-cluster-private"

  s3_bucket_name = "pre-dev-vault"

  ami_id              = "${data.aws_ami.vault_consul_ubuntu.id}"
  consul_cluster_name = "consul-cluster"
  vault_cluster_name  = "pre-dev-vault-cluster"
  aws_region          = "us-west-2"
  vpc_id              = "${module.vpc.vpc_id}"
  ssh_key_name        = "jesse-laptop"
}

I end up with an ASG that creates vault instances with IPs like this:

10.50.1.177 # Yay
10.50.13.34 # Boo
10.50.12.10 # Boo

Is there something obvious I'm missing (likely!)? Thanks.

NOTE: The Vault module source in the code above, is only a fork of "master", with patches I submitted in PR #26

Support option to pass in 0 or more Allowed SSH CIDR blocks to vault-cluster module

Currently the vault-cluster module requires at least 1 CIDR block to be passed in via the allowed_ssh_cidr_blocks variable. In my case, I do not want to pass in any CIDR blocks, since I use a bastion host for SSH access to the cluster. So I want to only pass in the bastion host's security group id via the allowed_inbound_security_group_ids variable.

I've successfully tested in my fork by modifying https://github.com/hashicorp/terraform-aws-vault/blob/master/modules/vault-cluster/main.tf#L91-L99

resource "aws_security_group_rule" "allow_ssh_inbound_from_cidr_blocks" {
  count       = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}"
  type        = "ingress"
  from_port   = "${var.ssh_port}"
  to_port     = "${var.ssh_port}"
  protocol    = "tcp"
  cidr_blocks = ["${var.allowed_ssh_cidr_blocks}"]

  security_group_id = "${aws_security_group.lc_security_group.id}"
}

Wrong var referenced to allow inbound SSH security group IDs

resource "aws_security_group_rule" "allow_ssh_inbound_from_security_group_ids" {
  count                    = "${length(var.allowed_inbound_security_group_ids)}"
  type                     = "ingress"
  from_port                = "${var.ssh_port}"
  to_port                  = "${var.ssh_port}"
  protocol                 = "tcp"
  source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"

  security_group_id = "${aws_security_group.lc_security_group.id}"
}

This resource needs to reference var.allowed_ssh_security_group_ids instead of var.allowed_inbound_security_group_ids

AWS ELB creation fails

I'm trying to create the necessary resources, but terraform fails at creating the ELB for Vault:

Error: Error applying plan:

1 error(s) occurred:

* module.vault.module.vault_elb.aws_elb.vault: 1 error(s) occurred:

* aws_elb.vault: InvalidConfigurationRequest: ELB cannot be attached to multiple subnets in the same AZ.
        status code: 409, request id: 9f1c1eb7-520e-11e8-933d-4dca6cb89b7a

My terraform object looks like this:

module "consul" {
  source  = "hashicorp/consul/aws"
  version = "0.3.4"
  num_servers = "5"
  ssh_key_name = "foobar"
  vpc_id = "${data.terraform_remote_state.core.foobar_vpc}"
}

module "vault" {
  source  = "hashicorp/vault/aws"
  version = "0.6.2"

  create_dns_entry = false
  ssh_key_name = "foobar"
  hosted_zone_domain_name = "foobar.cloud"
  vault_domain_name = "vault.foobar.cloud"
  consul_cluster_size = "5"
  use_default_vpc = false
  vpc_tags = {
    "Name" = "FooBar"
  }
}

(Foobar is actually a placeholder for the company I'm working for.)

What am I missing?

Thanks!

vault-elb module complaining about both SubnetId and AZ being specified

I'm creating a setup with Vault and Nomad by using the registry modules.
Vault is being used like this:

module "vault" {
    source = "hashicorp/vault/aws"

    # insert the 5 required variables here
    create_dns_entry = false
    hosted_zone_domain_name = "not-valid.org"
    s3_bucket_name = "${var.vault_s3_bucket_name}"
    force_destroy_s3_bucket = true # Only for testing purposes, for production envs do NOT set this to true
    ssh_key_name = "${aws_key_pair.my-key.key_name}"
    vault_domain_name = "also-not-valid"
    ami_id = "${var.vault_ami_id}"
    consul_cluster_tag_key = "${var.cluster_tag_key}"
    consul_cluster_name = "${var.cluster_name}"
    vault_cluster_name = "${var.cluster_name}-vault"
    aws_region = "${var.aws_region}"
}

After the fix from issue #20, the module now complains about the fact that you can only give one of SubnetIds or AvailabilityZones:

Error applying plan:

1 error(s) occurred:

* module.vault.module.vault_elb.aws_elb.vault: 1 error(s) occurred:

* aws_elb.vault: ValidationError: Only one of SubnetIds or AvailabilityZones may be specified
    status code: 400, request id: f23945f5-bee4-11e7-9c0d-6fae286bcbde

By commenting out the subnets part and just leaving the availability zones, it seems to work.

resource "aws_elb" "vault" {
  name = "${var.name}"

  internal                    = "${var.internal}"
  cross_zone_load_balancing   = "${var.cross_zone_load_balancing}"
  idle_timeout                = "${var.idle_timeout}"
  connection_draining         = "${var.connection_draining}"
  connection_draining_timeout = "${var.connection_draining_timeout}"

  security_groups    = ["${aws_security_group.vault.id}"]
  # This split-join hack is a workaround for 'conditional operator cannot be used with list values' typecheck error.
  availability_zones = ["${split(",", length(var.availability_zones) == 0 ? join(",", data.aws_subnet.subnet.*.availability_zone) : join(",", var.availability_zones))}"]
  #subnets            = ["${var.subnet_ids}"]

Is this a proper fix? If so, I'll create a PR
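Both ELB posts above run into the same pair of AWS constraints: an ELB may be given either SubnetIds or AvailabilityZones, never both, and it may not be attached to two subnets that sit in the same AZ. The check below is an added example, not code from terraform-aws-vault or from either poster. It validates an intended ELB placement against a subnet-to-AZ map (the shape you would get from data.aws_subnet) before running terraform apply, reproduces the two error messages quoted above, and picks one subnet per AZ so that the subnets list itself is safe to pass. The subnet IDs and AZs in SAMPLE_SUBNET_AZ are constructed for the example.

```python
"""Pre-apply check for ELB placement (added example; not part of terraform-aws-vault).

Catches the two AWS rejections quoted in the issues above before
`terraform apply` runs, instead of at ELB creation time.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class ElbPlacementError(ValueError):
    """Raised for a placement the ELB API would reject."""


@dataclass
class ElbPlacement:
    """The two mutually exclusive placement arguments of aws_elb."""
    subnet_ids: List[str] = field(default_factory=list)
    availability_zones: List[str] = field(default_factory=list)


def validate_elb_placement(placement: ElbPlacement, subnet_az: Dict[str, str]) -> List[str]:
    """Return the sorted AZs the ELB will span, or raise ElbPlacementError.

    subnet_az maps subnet id -> availability zone, i.e. what you would read
    from data.aws_subnet.<name>.*.availability_zone.
    """
    if placement.subnet_ids and placement.availability_zones:
        raise ElbPlacementError("Only one of SubnetIds or AvailabilityZones may be specified")
    if placement.availability_zones:
        return sorted(set(placement.availability_zones))
    if not placement.subnet_ids:
        raise ElbPlacementError("ELB needs at least one subnet or availability zone")

    az_to_subnet: Dict[str, str] = {}
    for subnet in placement.subnet_ids:
        if subnet not in subnet_az:
            raise ElbPlacementError(f"unknown subnet {subnet}")
        az = subnet_az[subnet]
        if az in az_to_subnet:
            raise ElbPlacementError(
                "ELB cannot be attached to multiple subnets in the same AZ: "
                f"{az_to_subnet[az]} and {subnet} are both in {az}"
            )
        az_to_subnet[az] = subnet
    return sorted(az_to_subnet)


def placement_error(placement: ElbPlacement, subnet_az: Dict[str, str]) -> Optional[str]:
    """Return the rejection message, or None if the placement is valid."""
    try:
        validate_elb_placement(placement, subnet_az)
    except ElbPlacementError as err:
        return str(err)
    return None


def one_subnet_per_az(subnet_ids: List[str], subnet_az: Dict[str, str]) -> List[str]:
    """Keep the first listed subnet for each AZ and drop the rest, which is the
    shape an ELB's subnets argument has to take."""
    chosen: Dict[str, str] = {}
    for subnet in subnet_ids:
        chosen.setdefault(subnet_az[subnet], subnet)
    return [chosen[az] for az in sorted(chosen)]


# Constructed sample data: three subnets, two of them in the same AZ.
SAMPLE_SUBNET_AZ = {
    "subnet-0a1": "us-east-2a",
    "subnet-0a2": "us-east-2a",
    "subnet-0b1": "us-east-2b",
}

if __name__ == "__main__":
    everything = ElbPlacement(subnet_ids=list(SAMPLE_SUBNET_AZ))
    print("all subnets:", placement_error(everything, SAMPLE_SUBNET_AZ))
    trimmed = ElbPlacement(subnet_ids=one_subnet_per_az(list(SAMPLE_SUBNET_AZ), SAMPLE_SUBNET_AZ))
    print("one per AZ:", trimmed.subnet_ids, "spans", validate_elb_placement(trimmed, SAMPLE_SUBNET_AZ))
```

Feed it the subnet IDs you intend to hand to the module and the AZ map you already have from data.aws_subnet; if it reports an error, the apply would have failed with the same message.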

Option to create individual EC2 instances as Vault cluster rather than an ASG

In many ways creating individual EC2 instances is more desirable than an
Auto Scaling Group for a Vault cluster:

  • Since instances typically require manual action to unseal, automatic
    creation of new instances doesn't buy you much.
  • Individual instances are created with known IPs, making it easier to
    route requests to specific instances (e.g. for unsealing).
  • Known IPs can be used to create DNS records referring to individual
    instances by name. This is a nice human affordance, but also greatly
    simplifies TLS communication with individual instances (which can hold
    a wildcard TLS cert valid for all instance DNS names).
  • DNS discovery of instance addresses for unsealing avoids a
    chicken-and-egg problem with using the AWS CLI to look up instance
    addresses when you are using Vault to issue all your AWS CLI creds.

We've forked the repo to do this internally. The main difficulty is that you have to be a little more careful when updating your Vault AMI; destroying all the instances simultaneously leads to an outage until you get one unsealed. We use the -target option to do a two-phase update.

See conversation at hashicorp/vault#764 (comment) for a little bit of context on ASG vs individual instances.
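The post above describes a two-phase, -target driven AMI update but gives no code for it. The helper below is an added example, not the poster's fork or anything in terraform-aws-vault: it splits a list of individually managed instance addresses into two phases such that at least keep_up currently unsealed instances are left untouched in the first phase, and builds the argument list for a targeted terraform apply. The resource addresses in VAULT_INSTANCES, the unsealed set and the keep_up parameter are all assumptions for the example; which instances are unsealed is something you would read from each node's /sys/health before planning.

```python
"""Two-phase AMI roll-out for individually managed Vault instances
(added example; not part of terraform-aws-vault or of the post above).

Replacing every instance in one apply leaves the cluster with no unsealed
node until someone unseals a replacement. The helper keeps `keep_up`
unsealed instances out of phase 1 so the cluster stays available.
"""
from typing import Iterable, List, Optional, Sequence


def plan_rolling_replacement(instances: Sequence[str], unsealed: Iterable[str],
                             keep_up: int = 1) -> List[List[str]]:
    """Split `instances` into two lists of Terraform addresses to replace.

    Phase 1 replaces everything except `keep_up` instances that are unsealed
    right now. Phase 2 replaces those survivors and must only be applied once
    the phase-1 instances have come back and been unsealed.
    """
    if keep_up < 1:
        raise ValueError("keep_up must be at least 1; replacing everything at once is an outage")
    unsealed_set = set(unsealed)
    # Survivors are chosen in the order the instances are listed, for determinism.
    survivors = [addr for addr in instances if addr in unsealed_set][:keep_up]
    if len(survivors) < keep_up:
        raise RuntimeError(
            f"only {len(survivors)} unsealed instance(s); need at least {keep_up} to stay up during the roll-out"
        )
    phase1 = [addr for addr in instances if addr not in survivors]
    if not phase1:
        raise RuntimeError("no instance can be replaced without an outage; add capacity first")
    return [phase1, survivors]


def rolling_plan_error(instances: Sequence[str], unsealed: Iterable[str],
                       keep_up: int = 1) -> Optional[str]:
    """Return the reason no safe plan exists, or None when one does."""
    try:
        plan_rolling_replacement(instances, unsealed, keep_up)
    except (ValueError, RuntimeError) as err:
        return str(err)
    return None


def terraform_apply_argv(targets: Sequence[str]) -> List[str]:
    """argv for one phase; -target is repeated once per resource address.

    Built as a list so it can go straight to subprocess without a shell,
    which sidesteps any globbing of the [index] part of the addresses.
    """
    return ["terraform", "apply"] + [f"-target={addr}" for addr in targets]


# Constructed sample: three individually managed instances (hypothetical addresses).
VAULT_INSTANCES = ["aws_instance.vault[0]", "aws_instance.vault[1]", "aws_instance.vault[2]"]

if __name__ == "__main__":
    # Assume all three are unsealed at the start of the roll-out.
    for n, phase in enumerate(plan_rolling_replacement(VAULT_INSTANCES, VAULT_INSTANCES), start=1):
        print(f"phase {n}:", " ".join(terraform_apply_argv(phase)))
        print("         then unseal the replaced instance(s) before the next phase")
```

The check between phases is the part that cannot be automated away: phase 2 is only safe after the instances replaced in phase 1 report unsealed, otherwise you are back to the outage the post warns about.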

How to use this module?

Usage confusion

I am a little bit confused about the usage of this module.
Should I use it like so:

module "terraform_aws_vault" {
  source = "github.com/hashicorp/terraform-aws-vault?ref=v0.10.3"

  ...
}

But then it won't allow me to customize security groups; however, your main.tf clearly states:

# To make testing easier, we allow Consul and SSH requests from any IP address
# here but in a production deployment, we strongly recommend you limit this to the
# IP address ranges of known, trusted servers inside your VPC.

Or am I supposed to copy main.tf, variables.tf and outputs.tf locally and create my own module based on the submodules you provide in the modules/ directory?

Something like this:

module "vault_cluster" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=v0.0.1"
  ...
}
module "consul_iam_policies_servers" {
  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-iam-policies?ref=v0.4.0"
  ...
}
module "security_group_rules" {
  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
  ...
}
module "vault_elb" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-elb?ref=v0.0.1"
  ...
}
module "consul_cluster" {
  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-cluster?ref=v0.4.0"
  ...
}
...

Edit

I was simply looking for something like this as a general guidance for how to actually use this module: https://github.com/terraform-aws-modules/terraform-aws-vpc#usage

Thanks

dynamodb backend

I noticed that DDB isn't a backend choice in the module. With DDB now having an SLA, I think it would be useful as an HA backend without needing Consul. I've deployed this module in the enterprise and added the functionality.

Fails to download consul-security-group-rules module.

Hello.

I'm attempting to use this based on the instructions in the Terraform Module Registry. Given a simple module definition:

module "vault" {
    source = "hashicorp/vault/aws"
}

Running terraform init results in:

Downloading modules...
Get: https://api.github.com/repos/hashicorp/terraform-aws-vault/tarball/v0.0.2//*?archive=tar.gz
Get: file:///Users/jefffrench/scratch/vault/test-module/.terraform/modules/416f7d448ab5f322c63d5480845dc7d8/modules/vault-cluster
Get: git::ssh://git@github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.0.2
Get: file:///Users/jefffrench/scratch/vault/test-module/.terraform/modules/416f7d448ab5f322c63d5480845dc7d8/modules/vault-elb
Get: git::ssh://git@github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.0.2
Error downloading modules: Error loading modules: module security_group_rules: invalid source string: ../consul-security-group-rules

Terraform version: Terraform v0.10.6
