This repo contains a Module for how to deploy a Vault cluster on AWS using Terraform. Vault is an open source tool for managing secrets. By default, this Module uses Consul as a storage backend. You can optionally add an S3 backend for durability.
This Module includes:
-
install-vault: This module can be used to install Vault. It can be used in a Packer template to create a Vault Amazon Machine Image (AMI).
-
run-vault: This module can be used to configure and run Vault. It can be used in a User Data script to fire up Vault while the server is booting.
-
vault-cluster: Terraform code to deploy a cluster of Vault servers using an Auto Scaling Group.
-
vault-elb: Configures an Elastic Load Balancer (ELB) in front of Vault if you need to access it from the public Internet.
-
private-tls-cert: Generate a private TLS certificate for use with a private Vault cluster.
-
update-certificate-store: Add a trusted, CA public key to an OS's certificate store. This allows you to establish TLS connections to services that use this TLS certs signed by this CA without getting x509 certificate errors.
A Module is a canonical, reusable, best-practices definition for how to run a single piece of infrastructure, such as a database or server cluster. Each Module is created primarily using Terraform, includes automated tests, examples, and documentation, and is maintained both by the open source community and companies that provide commercial support.
Instead of having to figure out the details of how to run a piece of infrastructure from scratch, you can reuse existing code that has been proven in production. And instead of maintaining all that infrastructure code yourself, you can leverage the work of the Module community and maintainers, and pick up infrastructure improvements through a version number bump.
This Module is maintained by Gruntwork. If you're looking for help or commercial support, send an email to [email protected]. Gruntwork can help with:
- Setup, customization, and support for this Module.
- Modules for other types of infrastructure, such as VPCs, Docker clusters, databases, and continuous integration.
- Modules that meet compliance requirements, such as HIPAA.
- Consulting & Training on AWS, Terraform, and DevOps.
Each Module has the following folder structure:
- modules: This folder contains the reusable code for this Module, broken down into one or more modules.
- examples: This folder contains examples of how to use the modules.
- test: Automated tests for the modules and examples.
Click on each of the modules above for more details.
To deploy Vault with this Module, you will need to deploy two separate clusters: one to run Consul servers (which Vault uses as a storage backend) and one to run Vault servers.
To deploy the Consul server cluster, use the Consul AWS Module.
To deploy the Vault cluster:
-
Create an AMI that has Vault installed (using the install-vault module) and the Consul agent installed (using the install-consul module). Here is an example Packer template.
If you are just experimenting with this Module, you may find it more convenient to use one of our official public AMIs:
WARNING! Do NOT use these AMIs in your production setup. In production, you should build your own AMIs in your own AWS account.
-
Deploy that AMI across an Auto Scaling Group in a private subnet using the Terraform vault-cluster module.
-
Execute the run-consul script with the
--client
flag during boot on each Instance to have the Consul agent connect to the Consul server cluster. -
Execute the run-vault script during boot on each Instance to create the Vault cluster.
-
If you only need to access Vault from inside your AWS account (recommended), run the install-dnsmasq module on each server, and that server will be able to reach Vault using the Consul Server cluster as the DNS resolver (e.g. using an address like
vault.service.consul
). See the vault-cluster-private example for working sample code. -
If you need to access Vault from the public Internet, deploy the vault-elb module in a public subnet and have all requests to Vault go through the ELB. See the main.tf in the root folder of this repo example for working sample code.
-
Head over to the How do you use the Vault cluster? guide to learn how to initialize, unseal, and use Vault.
Contributions are very welcome! Check out the Contribution Guidelines for instructions.
This Module follows the principles of Semantic Versioning. You can find each new release, along with the changelog, in the Releases Page.
During initial development, the major version will be 0 (e.g., 0.x.y
), which indicates the code does not yet have a
stable API. Once we hit 1.0.0
, we will make every effort to maintain a backwards compatible API and use the MAJOR,
MINOR, and PATCH versions on each release to indicate any incompatibilities.
This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.
Copyright © 2017 Gruntwork, Inc.