Commit
* Add Vault LB AWS
* Add LB
* Add LB bucket override and bump versions
* Remove f-refactor branch
Showing 21 changed files with 751 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,10 @@ | ||
# Compiled files | ||
*.tfstate | ||
*.tfstate.backup | ||
*.tfstate.lock.info | ||
|
||
# Directories | ||
.terraform/ | ||
|
||
# SSH Keys | ||
*.pem |
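Review bot: `*.pem` under `# SSH Keys` is the only rule that covers key material, yet both tls-self-signed-cert module calls in this commit's advanced example set `download_certs = true`; confirm that the files that module writes actually match `*.pem` (or add the extensions it uses, such as `*.key` and `*.crt`) so a `git add` from an examples directory cannot pick up the generated CA or leaf key. The `# Compiled files` heading also undersells `*.tfstate`: the state will carry the generated private keys in clear text (`tls_private_key` stores them there), which is the stronger reason to keep it out of the repository.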
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
# AWS Vault Load Balancer Terraform Module | ||
|
||
Provisions resources for a Vault application load balancer in AWS. | ||
|
||
Checkout [examples](./examples) for fully functioning examples. | ||
|
||
### Environment Variables | ||
|
||
- `AWS_DEFAULT_REGION` | ||
- `AWS_ACCESS_KEY_ID` | ||
- `AWS_SECRET_ACCESS_KEY` | ||
|
||
## Input Variables | ||
|
||
- `create`: [Optional] Create Module, defaults to true. | ||
- `name`: [Optional] Name for resources, defaults to "vault-aws". | ||
- `vpc_id`: [Required] VPC ID to provision LB in. | ||
- `cidr_blocks`: [Optional] CIDR blocks to provision LB across. | ||
- `subnet_ids`: [Optional] Subnet ID(s) to provision LB across. | ||
- `is_internal_lb`: [Optional] Is an internal load balancer, defaults to true. | ||
- `use_lb_cert`: [Optional] Use certificate passed in for the LB IAM listener, "lb_cert" and "lb_private_key" must be passed in if true, defaults to false. | ||
- `lb_cert`: [Optional] Certificate for LB IAM server certificate. | ||
- `lb_private_key`: [Optional] Private key for LB IAM server certificate. | ||
- `lb_cert_chain`: [Optional] Certificate chain for LB IAM server certificate. | ||
- `lb_ssl_policy`: [Optional] SSL policy for LB, defaults to "ELBSecurityPolicy-2016-08". | ||
- `lb_bucket`: [Optional] S3 bucket override for LB access logs, `lb_bucket_override` be set to true if overriding. | ||
- `lb_bucket_override`: [Optional] Override the default S3 bucket created for access logs, defaults to false, `lb_bucket` _must_ be set if true. | ||
- `lb_bucket_prefix`: [Optional] S3 bucket prefix for LB access logs. | ||
- `lb_logs_enabled`: [Optional] S3 bucket LB access logs enabled, defaults to true. | ||
- `tags`: [Optional] Optional list of tag maps to set on resources, defaults to empty list. | ||
|
||
## Outputs | ||
|
||
- `vault_lb_sg_id`: Vault load balancer security group ID. | ||
- `vault_tg_http_8200_arn`: Vault load balancer HTTP 8200 target group. | ||
- `vault_tg_https_8200_arn`: Vault load balancer HTTPS 8200 target group. | ||
- `vault_lb_dns`: Vault load balancer DNS name. | ||
|
||
## Module Dependencies | ||
|
||
_None_ | ||
|
||
## Authors | ||
|
||
HashiCorp Solutions Engineering Team. | ||
|
||
## License | ||
|
||
Mozilla Public License Version 2.0. See LICENSE for full details. |
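Review bot: the input list does not match what the examples pass: the advanced example's main.tf in this commit (the one that creates the `aws_s3_bucket`) calls the module with `lb_logs_bucket` and `lb_logs_prefix`, while this README documents `lb_bucket`, `lb_bucket_override` and `lb_bucket_prefix`; correct one side so the documented inputs are the ones the module reads. Three smaller points: the `lb_bucket` entry is missing a verb ("`lb_bucket_override` _must_ be set to true"); `tags` is described as a list of tag maps, but every example declares `variable "tags" { type = "map" }` and the advanced example passes it through `merge()` as a map; and `ELBSecurityPolicy-2016-08` still negotiates TLS 1.0 and 1.1, so the default is worth stating next to a TLS 1.2-only alternative (AWS publishes `ELBSecurityPolicy-TLS-1-2-2017-01`) for callers who need it.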
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,123 @@ | ||
data "aws_ami" "base" { | ||
most_recent = true | ||
owners = ["${var.ami_owner}"] | ||
|
||
filter { | ||
name = "name" | ||
values = ["${var.ami_name}"] | ||
} | ||
|
||
filter { | ||
name = "root-device-type" | ||
values = ["ebs"] | ||
} | ||
|
||
filter { | ||
name = "virtualization-type" | ||
values = ["hvm"] | ||
} | ||
} | ||
|
||
module "network_aws" { | ||
# source = "github.com/hashicorp-modules/network-aws" | ||
source = "../../../network-aws" | ||
|
||
name = "${var.name}" | ||
vpc_cidrs_public = "${var.vpc_cidrs_public}" | ||
nat_count = "${var.nat_count}" | ||
vpc_cidrs_private = "${var.vpc_cidrs_private}" | ||
bastion_count = "${var.bastion_count}" | ||
image_id = "${data.aws_ami.base.id}" | ||
tags = "${var.tags}" | ||
} | ||
|
||
module "root_tls_self_signed_ca" { | ||
# source = "github.com/hashicorp-modules/tls-self-signed-cert" | ||
source = "../../../tls-self-signed-cert" | ||
|
||
name = "root" | ||
validity_period_hours = "12" | ||
ca_common_name = "hashicorp.com" | ||
organization_name = "HashiCorp Inc." | ||
common_name = "hashicorp.com" | ||
dns_names = ["hashicorp.com"] | ||
ip_addresses = ["127.0.0.1",] | ||
download_certs = true | ||
} | ||
|
||
module "leaf_tls_self_signed_cert" { | ||
# source = "github.com/hashicorp-modules/tls-self-signed-cert" | ||
source = "../../../tls-self-signed-cert" | ||
|
||
name = "leaf" | ||
validity_period_hours = "12" | ||
ca_common_name = "hashicorp.com" | ||
organization_name = "HashiCorp Inc." | ||
common_name = "hashicorp.com" | ||
dns_names = ["hashicorp.com"] | ||
ip_addresses = ["127.0.0.1",] | ||
download_certs = true | ||
|
||
ca_override = true | ||
ca_key_override = "${module.root_tls_self_signed_ca.ca_private_key_pem}" | ||
ca_cert_override = "${module.root_tls_self_signed_ca.ca_cert_pem}" | ||
download_certs = true | ||
} | ||
|
||
resource "random_id" "lb_access_logs" { | ||
byte_length = 8 | ||
prefix = "${format("%s-lb-access-logs-", var.name)}" | ||
} | ||
|
||
data "aws_elb_service_account" "lb_access_logs" {} | ||
|
||
resource "aws_s3_bucket" "lb_access_logs" { | ||
bucket = "${random_id.lb_access_logs.hex}" | ||
acl = "private" | ||
tags = "${merge(var.tags, map("Name", format("%s-lb-access-logs", var.name)))}" | ||
|
||
force_destroy = true | ||
|
||
policy = <<POLICY | ||
{ | ||
"Id": "Policy", | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "LBAccessLogs", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:PutObject" | ||
], | ||
"Resource": "arn:aws:s3:::${random_id.lb_access_logs.hex}/${var.lb_logs_prefix}/AWSLogs/*", | ||
"Principal": { | ||
"AWS": [ | ||
"${data.aws_elb_service_account.lb_access_logs.arn}" | ||
] | ||
} | ||
} | ||
] | ||
} | ||
POLICY | ||
} | ||
|
||
module "vault_lb_aws" { | ||
# source = "github.com/hashicorp-modules/vault-lb-aws" | ||
source = "../../../vault-lb-aws" | ||
|
||
create = "${var.create}" | ||
name = "${var.name}" | ||
vpc_id = "${module.network_aws.vpc_id}" | ||
cidr_blocks = ["${module.network_aws.vpc_cidr}"] | ||
subnet_ids = ["${module.network_aws.subnet_private_ids}"] | ||
is_internal_lb = "${var.is_internal_lb}" | ||
use_lb_cert = "${var.use_lb_cert}" | ||
lb_cert = "${module.leaf_tls_self_signed_cert.leaf_cert_pem}" | ||
lb_private_key = "${module.leaf_tls_self_signed_cert.leaf_private_key_pem}" | ||
lb_cert_chain = "${module.root_tls_self_signed_ca.ca_cert_pem}" | ||
lb_ssl_policy = "${var.lb_ssl_policy}" | ||
lb_logs_bucket = "${aws_s3_bucket.lb_access_logs.id}" | ||
lb_logs_prefix = "${var.lb_logs_prefix}" | ||
lb_logs_enabled = "${var.lb_logs_enabled}" | ||
tags = "${var.tags}" | ||
} |
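Review bot: `download_certs = true` is set twice in `module "leaf_tls_self_signed_cert"` (once in the first group of arguments and again after `ca_cert_override`); drop one. Two further points on the access-log bucket: it has `force_destroy = true` and declares neither versioning nor server-side encryption, so a `terraform destroy` of the example wipes the load balancer's audit trail and, until then, the logs sit unencrypted at rest; for anything beyond a throwaway example, drop `force_destroy` and add a server-side encryption configuration. And because the leaf key is generated in Terraform and handed in as `lb_private_key`, both the state file and the `download_certs` output directory contain it; the README should say so. Finally, the module is called with `lb_logs_bucket` and `lb_logs_prefix`, names the README in this commit does not document.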
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
output "zREADME" { | ||
value = <<README | ||
LB DNS: ${module.vault_lb_aws.vault_lb_dns} | ||
${module.root_tls_self_signed_ca.zREADME}${module.leaf_tls_self_signed_cert.zREADME} | ||
README | ||
} | ||
|
||
output "vault_lb_sg_id" { | ||
value = "${module.vault_lb_aws.vault_lb_sg_id}" | ||
} | ||
|
||
output "vault_lb_dns" { | ||
value = "${module.vault_lb_aws.vault_lb_dns}" | ||
} | ||
|
||
output "vault_tg_http_8200_arn" { | ||
value = "${module.vault_lb_aws.vault_tg_http_8200_arn}" | ||
} | ||
|
||
output "vault_tg_https_8200_arn" { | ||
value = "${module.vault_lb_aws.vault_tg_https_8200_arn}" | ||
} |
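Review bot: the `zREADME` heredoc concatenates `${module.root_tls_self_signed_ca.zREADME}${module.leaf_tls_self_signed_cert.zREADME}` with no separator, so the two child READMEs run together unless each already ends with a newline; put a line break between them. None of the outputs re-exports the leaf private key, which is the right call for an example whose outputs end up on the console and in state.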
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
create = true | ||
name = "vault-lb-adv" | ||
vpc_cidrs_public = ["10.139.1.0/24", "10.139.2.0/24",] | ||
vpc_cidrs_private = ["10.139.11.0/24", "10.139.12.0/24",] | ||
nat_count = "1" | ||
bastion_count = "0" | ||
is_internal_lb = true | ||
use_lb_cert = true | ||
lb_ssl_policy = "ELBSecurityPolicy-2016-08" | ||
lb_logs_prefix = "vault" | ||
lb_logs_enabled = true | ||
tags = { "foo" = "bar", "fizz" = "buzz" } |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
variable "create" { } | ||
variable "ami_owner" { default = "309956199498" } # Base RHEL owner | ||
variable "ami_name" { default = "*RHEL-7.3_HVM_GA-*" } # Base RHEL name | ||
variable "name" { } | ||
variable "vpc_cidrs_public" { type = "list" } | ||
variable "vpc_cidrs_private" { type = "list" } | ||
variable "nat_count" { } | ||
variable "bastion_count" { } | ||
variable "is_internal_lb" { } | ||
variable "use_lb_cert" { } | ||
variable "lb_ssl_policy" { } | ||
variable "lb_logs_prefix" { default = "vault" } | ||
variable "lb_logs_enabled" { default = true } | ||
variable "tags" { type = "map" } |
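Review bot: pinning `ami_owner` to `309956199498` alongside `most_recent = true` is the right shape (the owner filter is what prevents a similarly named third-party AMI from being selected), but the name pattern `*RHEL-7.3_HVM_GA-*` opens with a wildcard, so a comment saying which images it is meant to match would help whoever bumps the release. None of the variables carries a `description`, so `create`, `is_internal_lb` and `use_lb_cert`, which have no defaults, give the user no hint when `terraform plan` prompts for them.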
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
data "aws_ami" "base" { | ||
most_recent = true | ||
owners = ["${var.ami_owner}"] | ||
|
||
filter { | ||
name = "name" | ||
values = ["${var.ami_name}"] | ||
} | ||
|
||
filter { | ||
name = "root-device-type" | ||
values = ["ebs"] | ||
} | ||
|
||
filter { | ||
name = "virtualization-type" | ||
values = ["hvm"] | ||
} | ||
} | ||
|
||
module "network_aws" { | ||
# source = "github.com/hashicorp-modules/network-aws" | ||
source = "../../../network-aws" | ||
|
||
name = "${var.name}" | ||
vpc_cidrs_public = ["${var.vpc_cidrs_public}"] | ||
nat_count = "${var.nat_count}" | ||
vpc_cidrs_private = ["${var.vpc_cidrs_private}"] | ||
bastion_count = "${var.bastion_count}" | ||
image_id = "${data.aws_ami.base.id}" | ||
tags = "${var.tags}" | ||
} | ||
|
||
module "vault_lb_aws" { | ||
# source = "github.com/hashicorp-modules/vault-lb-aws" | ||
source = "../../../vault-lb-aws" | ||
|
||
name = "${var.name}" | ||
vpc_id = "${module.network_aws.vpc_id}" | ||
cidr_blocks = ["${module.network_aws.vpc_cidr}"] | ||
subnet_ids = ["${module.network_aws.subnet_public_ids}"] | ||
is_internal_lb = "${var.is_internal_lb}" | ||
tags = "${var.tags}" | ||
} |
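Review bot: this example leaves `use_lb_cert` unset (default false per the README) and places the load balancer in `subnet_public_ids`, and the dev variables.tf in this commit defaults `is_internal_lb` to false, so the result is an internet-facing Vault load balancer without the module's own server certificate; fine for a sandbox, but state that in the README or set `is_internal_lb = true` as the advanced example does. Style: `vpc_cidrs_public = ["${var.vpc_cidrs_public}"]` wraps a list in another list (Terraform 0.11 flattens it), whereas the advanced example passes `"${var.vpc_cidrs_public}"` directly; pick one form for all three examples.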
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
output "vault_lb_sg_id" { | ||
value = "${module.vault_lb_aws.vault_lb_sg_id}" | ||
} | ||
|
||
output "vault_lb_dns" { | ||
value = "${module.vault_lb_aws.vault_lb_dns}" | ||
} | ||
|
||
output "vault_tg_http_8200_arn" { | ||
value = "${module.vault_lb_aws.vault_tg_http_8200_arn}" | ||
} |
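Review bot: `vault_tg_https_8200_arn`, which the README lists and the advanced example exports, is missing here (and in the private example's outputs further down); add it so the three examples expose the same set of outputs.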
Empty file.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
variable "ami_owner" { default = "309956199498" } # Base RHEL owner | ||
variable "ami_name" { default = "*RHEL-7.3_HVM_GA-*" } # Base RHEL name | ||
|
||
variable "name" { | ||
default = "vault-lb-dev" | ||
} | ||
|
||
variable "vpc_cidrs_public" { | ||
type = "list" | ||
default = ["10.139.1.0/24", "10.139.2.0/24",] | ||
} | ||
|
||
variable "vpc_cidrs_private" { | ||
type = "list" | ||
default = ["10.139.11.0/24", "10.139.12.0/24",] | ||
} | ||
|
||
variable "nat_count" { default = "1" } | ||
variable "bastion_count" { default = "0" } | ||
variable "is_internal_lb" { default = false } | ||
|
||
variable "tags" { | ||
type = "map" | ||
default = {} | ||
} |
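Review bot: `is_internal_lb` defaults to `false` here while the module default (per the README) is `true`; since this is the example users are likely to copy first, default it to `true` and let them opt into a public load balancer explicitly. As in the advanced example, the variables have no `description` fields.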
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
module "vault_lb_aws" { | ||
# source = "github.com/hashicorp-modules/vault-lb-aws" | ||
source = "../../../vault-lb-aws" | ||
|
||
create = false | ||
vpc_id = "" | ||
cidr_blocks = [] | ||
subnet_ids = [] | ||
} |
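Review bot: with `create = false` the call still has to supply `vpc_id = ""`, `cidr_blocks = []` and `subnet_ids = []`, which means these inputs have no defaults in the module even though the README marks `cidr_blocks` and `subnet_ids` as Optional; give them empty defaults in the module's variables (and keep `vpc_id` documented as Required) so that a `create = false` call needs nothing but the flag.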
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
output "zREADME" { | ||
value = <<README | ||
No resources to provision. | ||
README | ||
} |
Empty file.
Empty file.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
data "aws_ami" "base" { | ||
most_recent = true | ||
owners = ["${var.ami_owner}"] | ||
|
||
filter { | ||
name = "name" | ||
values = ["${var.ami_name}"] | ||
} | ||
|
||
filter { | ||
name = "root-device-type" | ||
values = ["ebs"] | ||
} | ||
|
||
filter { | ||
name = "virtualization-type" | ||
values = ["hvm"] | ||
} | ||
} | ||
|
||
module "network_aws" { | ||
# source = "github.com/hashicorp-modules/network-aws" | ||
source = "../../../network-aws" | ||
|
||
name = "${var.name}" | ||
vpc_cidrs_public = ["${var.vpc_cidrs_public}"] | ||
nat_count = "${var.nat_count}" | ||
vpc_cidrs_private = ["${var.vpc_cidrs_private}"] | ||
bastion_count = "${var.bastion_count}" | ||
image_id = "${data.aws_ami.base.id}" | ||
tags = "${var.tags}" | ||
} | ||
|
||
module "vault_lb_aws" { | ||
# source = "github.com/hashicorp-modules/vault-lb-aws" | ||
source = "../../../vault-lb-aws" | ||
|
||
name = "${var.name}" | ||
vpc_id = "${module.network_aws.vpc_id}" | ||
cidr_blocks = ["${module.network_aws.vpc_cidr}"] | ||
subnet_ids = ["${module.network_aws.subnet_private_ids}"] | ||
tags = "${var.tags}" | ||
} |
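Review bot: the private example relies on the module default for `is_internal_lb` (true per the README) while placing the load balancer in `subnet_private_ids`; make that explicit with `is_internal_lb = true`, because an internet-facing load balancer in subnets without an internet gateway route would be unreachable if the default ever changes. As in the dev example, `use_lb_cert` is unset, so this load balancer runs without the IAM server certificate; the README should say which examples are TLS-enabled.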
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
output "vault_lb_sg_id" { | ||
value = "${module.vault_lb_aws.vault_lb_sg_id}" | ||
} | ||
|
||
output "vault_lb_dns" { | ||
value = "${module.vault_lb_aws.vault_lb_dns}" | ||
} | ||
|
||
output "vault_tg_http_8200_arn" { | ||
value = "${module.vault_lb_aws.vault_tg_http_8200_arn}" | ||
} |
Empty file.