This is a Terraform module for provisioning Vault Enterprise with integrated storage on GCP. This module defaults to setting up a cluster with 5 Vault nodes (as recommended by the Vault with Integrated Storage Reference Architecture).
This module implements the Vault with Integrated Storage Reference Architecture on GCP using the Enterprise version of Vault 1.8+.
-
Ensure your GCP credentials are configured correctly and have permission to use the following GCP services:
- Cloud Resource Manager API
- Compute Engine API
- GCP Identity & Access Management (IAM)
- GCP Key Management System API
- GCP Cloud Storage
- Google Cloud Load Balancing
- GCP SSL Certificates
- Secret Manager API
-
To deploy without an existing VPC, use the example VPC code to build out the pre-requisite environment. Ensure you are selecting a region that has at least three zones.
-
To deploy into an existing VPC, ensure the following components exist and are routed to each other correctly:
- Google Compute Network: manages a VPC network
- Subnet: a single subnet in which to deploy the Vault cluster
- One Cloud Router and Cloud NAT
-
Use the example code to create TLS certs and store them in GCP Secret Manager along with importing them into a GCP self managed SSL Certificate
-
Create a Terraform configuration that pulls in the Vault module and specifies values for the required variables:
provider "google" {
project = "my-project-id"
region = "us-west1"
}
provider "google-beta" {
project = "my-project-id"
region = "us-west1"
}
module "vault-ent" {
source = "hashicorp/vault-ent-starter/gcp"
version = "0.1.1"
# The shared DNS SAN of the TLS certs being used
leader_tls_servername = "vault.server.com"
#Your GCP project ID
project_id = "my-project-id"
# Prefix for uniquely identifying GCP resources
resource_name_prefix = "test"
# Self link of the subnetwork you wish to deploy into
subnetwork = "https://www.googleapis.com/compute/v1/projects/my-project-id/regions/us-west1/subnetworks/subnet-01"
# Name of the SSL Certificate to be used for Vault LB
ssl_certificate_name = "vault-xxxxxxxxxxxxxxxx"
# Secret id/name given to the google secret manager secret
tls_secret_id = "terraform_example_module_vault_tls_secret"
# Path to Vault Enterprise license file
vault_license_filepath = "/Users/user/Downloads/vault.hclic"
}-
Run
terraform initandterraform apply -
You must initialize your Vault cluster after you create it. Begin by logging into your Vault cluster:
- SSH: you must provide a cidr range value for the
ssh_source_rangesvariable. The default value is a range provided by google for use with the Identity-Aware Proxy service.- Please note this Vault cluster is not public-facing. If you want to use SSH from outside the VPC, you are required to establish your own connection to it (VPN, etc).
- SSH: you must provide a cidr range value for the
-
To initialize the Vault cluster, run the following commands:
$ vault operator init
- This should return back the following output which includes the recovery keys and initial root token (omitted here):
...
Success! Vault is initialized
- Please securely store the recovery keys and initial root token that Vault returns to you.
- To check the status of your Vault cluster, export your Vault token and run the list-peers command:
$ export VAULT_TOKEN="<your Vault token>"
$ vault operator raft list-peers
- Please note that Vault does not enable dead server cleanup by default. You must enable this to avoid manually managing the Raft configuration every time there is a change in the Vault MIG. To enable dead server cleanup, run the following command:
$ vault operator raft autopilot set-config \
-cleanup-dead-servers=true \
-dead-server-last-contact-threshold=10 \
-min-quorum=3
- You can verify these settings after you apply them by running the following command:
$ vault operator raft autopilot get-config
This code is released under the Mozilla Public License 2.0. Please see LICENSE for more details.