F refactor (#1)
* Add Vault LB AWS

* Add LB

* Add LB bucket override and bump versions

* Remove f-refactor branch
bensojona authored Apr 30, 2018
1 parent c94cdf0 commit 2fca62a
Showing 21 changed files with 751 additions and 0 deletions.
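--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,10 @@
+# Compiled files
+*.tfstate
+*.tfstate.backup
+*.tfstate.lock.info
+
+# Directories
+.terraform/
+
+# SSH Keys
+*.pem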
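--- a/README.md
+++ b/README.md
@@ -0,0 +1,49 @@
+# AWS Vault Load Balancer Terraform Module
+
+Provisions resources for a Vault application load balancer in AWS.
+
+Checkout [examples](./examples) for fully functioning examples.
+
+### Environment Variables
+
+- `AWS_DEFAULT_REGION`
+- `AWS_ACCESS_KEY_ID`
+- `AWS_SECRET_ACCESS_KEY`
+
+## Input Variables
+
+- `create`: [Optional] Create Module, defaults to true.
+- `name`: [Optional] Name for resources, defaults to "vault-aws".
+- `vpc_id`: [Required] VPC ID to provision LB in.
+- `cidr_blocks`: [Optional] CIDR blocks to provision LB across.
+- `subnet_ids`: [Optional] Subnet ID(s) to provision LB across.
+- `is_internal_lb`: [Optional] Is an internal load balancer, defaults to true.
+- `use_lb_cert`: [Optional] Use certificate passed in for the LB IAM listener, "lb_cert" and "lb_private_key" must be passed in if true, defaults to false.
+- `lb_cert`: [Optional] Certificate for LB IAM server certificate.
+- `lb_private_key`: [Optional] Private key for LB IAM server certificate.
+- `lb_cert_chain`: [Optional] Certificate chain for LB IAM server certificate.
+- `lb_ssl_policy`: [Optional] SSL policy for LB, defaults to "ELBSecurityPolicy-2016-08".
+- `lb_bucket`: [Optional] S3 bucket override for LB access logs, `lb_bucket_override` be set to true if overriding.
+- `lb_bucket_override`: [Optional] Override the default S3 bucket created for access logs, defaults to false, `lb_bucket` _must_ be set if true.
+- `lb_bucket_prefix`: [Optional] S3 bucket prefix for LB access logs.
+- `lb_logs_enabled`: [Optional] S3 bucket LB access logs enabled, defaults to true.
+- `tags`: [Optional] Optional list of tag maps to set on resources, defaults to empty list.
+
+## Outputs
+
+- `vault_lb_sg_id`: Vault load balancer security group ID.
+- `vault_tg_http_8200_arn`: Vault load balancer HTTP 8200 target group.
+- `vault_tg_https_8200_arn`: Vault load balancer HTTPS 8200 target group.
+- `vault_lb_dns`: Vault load balancer DNS name.
+
+## Module Dependencies
+
+_None_
+
+## Authors
+
+HashiCorp Solutions Engineering Team.
+
+## License
+
+Mozilla Public License Version 2.0. See LICENSE for full details.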
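--- a/examples/advanced/main.tf
+++ b/examples/advanced/main.tf
@@ -0,0 +1,123 @@
+data "aws_ami" "base" {
+most_recent = true
+owners = ["${var.ami_owner}"]
+
+filter {
+name = "name"
+values = ["${var.ami_name}"]
+}
+
+filter {
+name = "root-device-type"
+values = ["ebs"]
+}
+
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+}
+
+module "network_aws" {
+# source = "github.com/hashicorp-modules/network-aws"
+source = "../../../network-aws"
+
+name = "${var.name}"
+vpc_cidrs_public = "${var.vpc_cidrs_public}"
+nat_count = "${var.nat_count}"
+vpc_cidrs_private = "${var.vpc_cidrs_private}"
+bastion_count = "${var.bastion_count}"
+image_id = "${data.aws_ami.base.id}"
+tags = "${var.tags}"
+}
+
+module "root_tls_self_signed_ca" {
+# source = "github.com/hashicorp-modules/tls-self-signed-cert"
+source = "../../../tls-self-signed-cert"
+
+name = "root"
+validity_period_hours = "12"
+ca_common_name = "hashicorp.com"
+organization_name = "HashiCorp Inc."
+common_name = "hashicorp.com"
+dns_names = ["hashicorp.com"]
+ip_addresses = ["127.0.0.1",]
+download_certs = true
+}
+
+module "leaf_tls_self_signed_cert" {
+# source = "github.com/hashicorp-modules/tls-self-signed-cert"
+source = "../../../tls-self-signed-cert"
+
+name = "leaf"
+validity_period_hours = "12"
+ca_common_name = "hashicorp.com"
+organization_name = "HashiCorp Inc."
+common_name = "hashicorp.com"
+dns_names = ["hashicorp.com"]
+ip_addresses = ["127.0.0.1",]
+download_certs = true
+
+ca_override = true
+ca_key_override = "${module.root_tls_self_signed_ca.ca_private_key_pem}"
+ca_cert_override = "${module.root_tls_self_signed_ca.ca_cert_pem}"
+download_certs = true
+}
+
+resource "random_id" "lb_access_logs" {
+byte_length = 8
+prefix = "${format("%s-lb-access-logs-", var.name)}"
+}
+
+data "aws_elb_service_account" "lb_access_logs" {}
+
+resource "aws_s3_bucket" "lb_access_logs" {
+bucket = "${random_id.lb_access_logs.hex}"
+acl = "private"
+tags = "${merge(var.tags, map("Name", format("%s-lb-access-logs", var.name)))}"
+
+force_destroy = true
+
+policy = <<POLICY
+{
+"Id": "Policy",
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "LBAccessLogs",
+"Effect": "Allow",
+"Action": [
+"s3:PutObject"
+],
+"Resource": "arn:aws:s3:::${random_id.lb_access_logs.hex}/${var.lb_logs_prefix}/AWSLogs/*",
+"Principal": {
+"AWS": [
+"${data.aws_elb_service_account.lb_access_logs.arn}"
+]
+}
+}
+]
+}
+POLICY
+}
+
+module "vault_lb_aws" {
+# source = "github.com/hashicorp-modules/vault-lb-aws"
+source = "../../../vault-lb-aws"
+
+create = "${var.create}"
+name = "${var.name}"
+vpc_id = "${module.network_aws.vpc_id}"
+cidr_blocks = ["${module.network_aws.vpc_cidr}"]
+subnet_ids = ["${module.network_aws.subnet_private_ids}"]
+is_internal_lb = "${var.is_internal_lb}"
+use_lb_cert = "${var.use_lb_cert}"
+lb_cert = "${module.leaf_tls_self_signed_cert.leaf_cert_pem}"
+lb_private_key = "${module.leaf_tls_self_signed_cert.leaf_private_key_pem}"
+lb_cert_chain = "${module.root_tls_self_signed_ca.ca_cert_pem}"
+lb_ssl_policy = "${var.lb_ssl_policy}"
+lb_logs_bucket = "${aws_s3_bucket.lb_access_logs.id}"
+lb_logs_prefix = "${var.lb_logs_prefix}"
+lb_logs_enabled = "${var.lb_logs_enabled}"
+tags = "${var.tags}"
+}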
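Review bot: The `vault_lb_aws` module call passes `lb_logs_bucket` and `lb_logs_prefix` and never sets `lb_bucket_override`, while the README added in this same commit documents the inputs as `lb_bucket`, `lb_bucket_prefix` and a required `lb_bucket_override = true`; one side is wrong, and if the README is right the custom `aws_s3_bucket.lb_access_logs` and its bucket policy are never wired in (or the plan fails on an unknown input), so either change the call to `lb_bucket = "${aws_s3_bucket.lb_access_logs.id}"`, `lb_bucket_prefix = "${var.lb_logs_prefix}"`, `lb_bucket_override = true` or fix the README. Separately, the leaf private key is handed to the module via `lb_private_key` and the root CA key via `ca_key_override`, so both end up in plaintext in Terraform state even though `*.tfstate` is git-ignored; a comment above the TLS modules such as `# NOTE: CA and leaf private keys are written to terraform state in plaintext; use an encrypted remote backend` would warn users of this example. The `leaf_tls_self_signed_cert` block also sets `download_certs = true` twice, which is at best redundant and may be rejected as a repeated attribute; drop one. Finally, the leaf certificate's `dns_names` is only `hashicorp.com`, which will not match the load balancer's `vault_lb_dns`, so clients that validate the LB certificate will fail hostname checks unless they override the expected server name.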
24 changes: 24 additions & 0 deletions examples/advanced/output.tf
@@ -0,0 +1,24 @@
output "zREADME" {
value = <<README
LB DNS: ${module.vault_lb_aws.vault_lb_dns}
${module.root_tls_self_signed_ca.zREADME}${module.leaf_tls_self_signed_cert.zREADME}
README
}

output "vault_lb_sg_id" {
value = "${module.vault_lb_aws.vault_lb_sg_id}"
}

output "vault_lb_dns" {
value = "${module.vault_lb_aws.vault_lb_dns}"
}

output "vault_tg_http_8200_arn" {
value = "${module.vault_lb_aws.vault_tg_http_8200_arn}"
}

output "vault_tg_https_8200_arn" {
value = "${module.vault_lb_aws.vault_tg_https_8200_arn}"
}
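--- a/examples/advanced/terraform.tfvars
+++ b/examples/advanced/terraform.tfvars
@@ -0,0 +1,12 @@
+create = true
+name = "vault-lb-adv"
+vpc_cidrs_public = ["10.139.1.0/24", "10.139.2.0/24",]
+vpc_cidrs_private = ["10.139.11.0/24", "10.139.12.0/24",]
+nat_count = "1"
+bastion_count = "0"
+is_internal_lb = true
+use_lb_cert = true
+lb_ssl_policy = "ELBSecurityPolicy-2016-08"
+lb_logs_prefix = "vault"
+lb_logs_enabled = true
+tags = { "foo" = "bar", "fizz" = "buzz" }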
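--- a/examples/advanced/variables.tf
+++ b/examples/advanced/variables.tf
@@ -0,0 +1,14 @@
+variable "create" { }
+variable "ami_owner" { default = "309956199498" } # Base RHEL owner
+variable "ami_name" { default = "*RHEL-7.3_HVM_GA-*" } # Base RHEL name
+variable "name" { }
+variable "vpc_cidrs_public" { type = "list" }
+variable "vpc_cidrs_private" { type = "list" }
+variable "nat_count" { }
+variable "bastion_count" { }
+variable "is_internal_lb" { }
+variable "use_lb_cert" { }
+variable "lb_ssl_policy" { }
+variable "lb_logs_prefix" { default = "vault" }
+variable "lb_logs_enabled" { default = true }
+variable "tags" { type = "map" }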
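--- a/examples/dev/main.tf
+++ b/examples/dev/main.tf
@@ -0,0 +1,44 @@
+data "aws_ami" "base" {
+most_recent = true
+owners = ["${var.ami_owner}"]
+
+filter {
+name = "name"
+values = ["${var.ami_name}"]
+}
+
+filter {
+name = "root-device-type"
+values = ["ebs"]
+}
+
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+}
+
+module "network_aws" {
+# source = "github.com/hashicorp-modules/network-aws"
+source = "../../../network-aws"
+
+name = "${var.name}"
+vpc_cidrs_public = ["${var.vpc_cidrs_public}"]
+nat_count = "${var.nat_count}"
+vpc_cidrs_private = ["${var.vpc_cidrs_private}"]
+bastion_count = "${var.bastion_count}"
+image_id = "${data.aws_ami.base.id}"
+tags = "${var.tags}"
+}
+
+module "vault_lb_aws" {
+# source = "github.com/hashicorp-modules/vault-lb-aws"
+source = "../../../vault-lb-aws"
+
+name = "${var.name}"
+vpc_id = "${module.network_aws.vpc_id}"
+cidr_blocks = ["${module.network_aws.vpc_cidr}"]
+subnet_ids = ["${module.network_aws.subnet_public_ids}"]
+is_internal_lb = "${var.is_internal_lb}"
+tags = "${var.tags}"
+}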
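Review bot: The load balancer is placed in `module.network_aws.subnet_public_ids` and `is_internal_lb` is driven by a variable whose default in `examples/dev/variables.tf` is `false`, so a plain `terraform apply` with the empty tfvars creates an internet-facing load balancer in front of Vault, and `use_lb_cert` is not passed, so by the README's documented default no certificate is supplied to it. That may be deliberate for a dev example, but it is the most exposed configuration in this commit and should say so; I would add above the `vault_lb_aws` block `# NOTE: internet-facing LB with no LB certificate -- dev only; see examples/advanced for a private, cert-backed LB`. Note also that `cidr_blocks` is only the VPC CIDR, so if the module uses it for the security-group ingress rules (not visible here) the public LB may not actually be reachable from outside; worth confirming which behaviour is intended.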
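--- a/examples/dev/output.tf
+++ b/examples/dev/output.tf
@@ -0,0 +1,11 @@
+output "vault_lb_sg_id" {
+value = "${module.vault_lb_aws.vault_lb_sg_id}"
+}
+
+output "vault_lb_dns" {
+value = "${module.vault_lb_aws.vault_lb_dns}"
+}
+
+output "vault_tg_http_8200_arn" {
+value = "${module.vault_lb_aws.vault_tg_http_8200_arn}"
+}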
Empty file added examples/dev/terraform.tfvars
Empty file.
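--- a/examples/dev/variables.tf
+++ b/examples/dev/variables.tf
@@ -0,0 +1,25 @@
+variable "ami_owner" { default = "309956199498" } # Base RHEL owner
+variable "ami_name" { default = "*RHEL-7.3_HVM_GA-*" } # Base RHEL name
+
+variable "name" {
+default = "vault-lb-dev"
+}
+
+variable "vpc_cidrs_public" {
+type = "list"
+default = ["10.139.1.0/24", "10.139.2.0/24",]
+}
+
+variable "vpc_cidrs_private" {
+type = "list"
+default = ["10.139.11.0/24", "10.139.12.0/24",]
+}
+
+variable "nat_count" { default = "1" }
+variable "bastion_count" { default = "0" }
+variable "is_internal_lb" { default = false }
+
+variable "tags" {
+type = "map"
+default = {}
+}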
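--- a/examples/no-provision/main.tf
+++ b/examples/no-provision/main.tf
@@ -0,0 +1,9 @@
+module "vault_lb_aws" {
+# source = "github.com/hashicorp-modules/vault-lb-aws"
+source = "../../../vault-lb-aws"
+
+create = false
+vpc_id = ""
+cidr_blocks = []
+subnet_ids = []
+}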
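--- a/examples/no-provision/output.tf
+++ b/examples/no-provision/output.tf
@@ -0,0 +1,5 @@
+output "zREADME" {
+value = <<README
+No resources to provision.
+README
+}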
Empty file.
Empty file.
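--- a/examples/simple/main.tf
+++ b/examples/simple/main.tf
@@ -0,0 +1,43 @@
+data "aws_ami" "base" {
+most_recent = true
+owners = ["${var.ami_owner}"]
+
+filter {
+name = "name"
+values = ["${var.ami_name}"]
+}
+
+filter {
+name = "root-device-type"
+values = ["ebs"]
+}
+
+filter {
+name = "virtualization-type"
+values = ["hvm"]
+}
+}
+
+module "network_aws" {
+# source = "github.com/hashicorp-modules/network-aws"
+source = "../../../network-aws"
+
+name = "${var.name}"
+vpc_cidrs_public = ["${var.vpc_cidrs_public}"]
+nat_count = "${var.nat_count}"
+vpc_cidrs_private = ["${var.vpc_cidrs_private}"]
+bastion_count = "${var.bastion_count}"
+image_id = "${data.aws_ami.base.id}"
+tags = "${var.tags}"
+}
+
+module "vault_lb_aws" {
+# source = "github.com/hashicorp-modules/vault-lb-aws"
+source = "../../../vault-lb-aws"
+
+name = "${var.name}"
+vpc_id = "${module.network_aws.vpc_id}"
+cidr_blocks = ["${module.network_aws.vpc_cidr}"]
+subnet_ids = ["${module.network_aws.subnet_private_ids}"]
+tags = "${var.tags}"
+}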
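Review bot: `use_lb_cert` is not passed to `vault_lb_aws`, so per the README it stays at its default of false and no certificate is supplied to the load balancer; unless the module provisions one on its own (not visible in this commit), Vault traffic through this LB is plain HTTP on port 8200, which the example's `output.tf` mirrors by exporting only `vault_tg_http_8200_arn`. The LB is internal by default and sits in `subnet_private_ids`, which limits the exposure, but the trade-off should be explicit for anyone copying the example; I would add above the module block `# use_lb_cert is left at its default (false): no TLS on the LB -- see examples/advanced for a cert-backed listener`.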
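--- a/examples/simple/output.tf
+++ b/examples/simple/output.tf
@@ -0,0 +1,11 @@
+output "vault_lb_sg_id" {
+value = "${module.vault_lb_aws.vault_lb_sg_id}"
+}
+
+output "vault_lb_dns" {
+value = "${module.vault_lb_aws.vault_lb_dns}"
+}
+
+output "vault_tg_http_8200_arn" {
+value = "${module.vault_lb_aws.vault_tg_http_8200_arn}"
+}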
Empty file.