
hashicorp / Terraform Aws Vault

Licence: apache-2.0
A Terraform Module for how to run Vault on AWS using Terraform and Packer



Maintained by Gruntwork.io

Vault AWS Module

This repo contains a set of modules in the modules folder for deploying a Vault cluster on AWS using Terraform. Vault is an open source tool for managing secrets. By default, this Module uses Consul as a storage backend. You can optionally add an S3 backend for durability.

Figure: Vault architecture

This Module includes:

How do you use this Module?

This repo has the following structure:

  • modules: This folder contains several standalone, reusable, production-grade modules that you can use to deploy Vault.
  • examples: This folder shows examples of different ways to combine the modules in the modules folder to deploy Vault.
  • test: Automated tests for the modules and examples.
  • root folder: The root folder is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. The Terraform Registry requires the root of every repo to contain Terraform code, so we've put one of the examples there. This example is great for learning and experimenting, but for production use, please use the underlying modules in the modules folder directly.

To deploy Vault to production with this repo, you will need to deploy two separate clusters: one to run Consul servers (which Vault uses as a storage backend) and one to run Vault servers.

To deploy the Consul server cluster, use the Consul AWS Module.

To deploy the Vault cluster:

  1. Create an AMI that has Vault installed (using the install-vault module) and the Consul agent installed (using the install-consul module). Here is an example Packer template.

    If you are just experimenting with this Module, you may find it more convenient to use one of our official public AMIs. Check out the aws_ami data source usage in main.tf for how to auto-discover this AMI.

    WARNING! Do NOT use these AMIs in your production setup. In production, you should build your own AMIs in your own AWS account.

  2. Deploy that AMI across an Auto Scaling Group in a private subnet using the Terraform vault-cluster module.

  3. Execute the run-consul script with the --client flag during boot on each Instance to have the Consul agent connect to the Consul server cluster.

  4. Execute the run-vault script during boot on each Instance to create the Vault cluster.

  5. If you only need to access Vault from inside your AWS account (recommended), run the install-dnsmasq module on each server or setup-systemd-resolved (in the case of Ubuntu 18.04) and that server will be able to reach Vault using the Consul Server cluster as the DNS resolver (e.g. using an address like vault.service.consul). See the vault-cluster-private example for working sample code.

  6. If you need to access Vault from the public Internet, deploy the vault-elb module in a public subnet and have all requests to Vault go through the ELB. See the main.tf in the root example of this repo for working sample code.

  7. Head over to the How do you use the Vault cluster? guide to learn how to initialize, unseal, and use Vault.
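Steps 2 to 4 above, pulled together as an added example (this is not code from the repo): a boot script that runs run-consul with --client and then run-vault, handed as user data to the vault-cluster module placed in private subnets with inbound access limited to the VPC. Module input names, script paths and every flag other than --client are assumptions to verify against the module's own variables.tf and script usage; <VERSION> and the var.* references are placeholders.

```hcl
# Constructed example: boot script plus vault-cluster module call.
# Input names and flags beyond what the README names are assumptions;
# check them against modules/vault-cluster/variables.tf before use.

locals {
  # User data executed at boot on every Vault instance (steps 3 and 4).
  vault_user_data = <<-EOF
    #!/bin/bash
    set -euo pipefail
    # Join the separately deployed Consul server cluster as a client agent.
    /opt/consul/bin/run-consul --client \
      --cluster-tag-key "consul-servers" \
      --cluster-tag-value "${var.consul_cluster_name}"
    # Start Vault; the local Consul agent is the storage backend.
    /opt/vault/bin/run-vault \
      --tls-cert-file /opt/vault/tls/vault.crt.pem \
      --tls-key-file  /opt/vault/tls/vault.key.pem
  EOF
}

module "vault_cluster" {
  source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=<VERSION>"

  cluster_name  = "vault-prod"
  cluster_size  = 3
  instance_type = "t3.micro"

  # Your own AMI built from the Packer template (install-vault + install-consul),
  # not the public demo AMI the README warns against for production.
  ami_id    = var.vault_ami_id
  user_data = local.vault_user_data

  # Step 2: private subnets only, so Vault nodes get no public IPs.
  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids

  # Only clients inside the VPC may reach the Vault API port;
  # operator SSH is limited to a bastion/VPN range, never 0.0.0.0/0.
  allowed_inbound_cidr_blocks = [var.vpc_cidr_block]
  allowed_ssh_cidr_blocks     = [var.bastion_cidr_block]
  ssh_key_name                = var.ssh_key_name
}
```

Public access, if needed at all, is added in front of this cluster with the vault-elb module (step 6) rather than by widening allowed_inbound_cidr_blocks.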

What's a Module?

A Module is a canonical, reusable, best-practices definition for how to run a single piece of infrastructure, such as a database or server cluster. Each Module is created primarily using Terraform, includes automated tests, examples, and documentation, and is maintained both by the open source community and companies that provide commercial support.

Instead of having to figure out the details of how to run a piece of infrastructure from scratch, you can reuse existing code that has been proven in production. And instead of maintaining all that infrastructure code yourself, you can leverage the work of the Module community and maintainers, and pick up infrastructure improvements through a version number bump.

Who maintains this Module?

This Module is maintained by Gruntwork. If you're looking for help or commercial support, send an email to [email protected]. Gruntwork can help with:

  • Setup, customization, and support for this Module.
  • Modules for other types of infrastructure, such as VPCs, Docker clusters, databases, and continuous integration.
  • Modules that meet compliance requirements, such as HIPAA.
  • Consulting & Training on AWS, Terraform, and DevOps.

How do I contribute to this Module?

Contributions are very welcome! Check out the Contribution Guidelines for instructions.

How is this Module versioned?

This Module follows the principles of Semantic Versioning. You can find each new release, along with the changelog, in the Releases Page.

During initial development, the major version will be 0 (e.g., 0.x.y), which indicates the code does not yet have a stable API. Once we hit 1.0.0, we will make every effort to maintain a backwards compatible API and use the MAJOR, MINOR, and PATCH versions on each release to indicate any incompatibilities.

License

This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.

Copyright © 2020 Gruntwork, Inc.
