// Renders the node install script from scripts/install.sh.tpl. The rendered
// text becomes the launch configuration's user_data below, so everything
// interpolated here (download URL, Vault config, extra install steps) ends up
// in user_data verbatim.
// NOTE(review): user_data is typically retrievable from the instance metadata
// endpoint and via the EC2 API, so var.config should not carry secrets —
// confirm what callers pass in.
resource "template_file" "install" {
  template = "${file("${path.module}/scripts/install.sh.tpl")}"

  vars {
    download_url  = "${var.download-url}"
    config        = "${var.config}"
    extra-install = "${var.extra-install}"
  }
}

// We launch Vault into an ASG so that it can properly bring them up for us.
// min/max/desired are all var.nodes, so the group is fixed-size; there is no
// autoscaling, only replacement of failed instances.
resource "aws_autoscaling_group" "vault" {
  // Presumably embeds the launch configuration name so that replacing the
  // launch configuration also rolls the group to a new ASG — confirm intent.
  name                      = "vault - ${aws_launch_configuration.vault.name}"
  launch_configuration      = "${aws_launch_configuration.vault.name}"
  availability_zones        = ["${split(",", var.availability-zones)}"]
  min_size                  = "${var.nodes}"
  max_size                  = "${var.nodes}"
  desired_capacity          = "${var.nodes}"
  // Grace period is in seconds. With health_check_type = "EC2" the ASG only
  // replaces instances that fail EC2 status checks; a node whose Vault
  // process is down or sealed is NOT terminated by the ASG. Keeping sealed
  // nodes alive is desirable for manual unseal; taking them out of rotation
  // is left to the ELB health check further down.
  health_check_grace_period = 15
  health_check_type         = "EC2"
  vpc_zone_identifier       = ["${split(",", var.subnets)}"]
  load_balancers            = ["${aws_elb.vault.id}"]

  tag {
    key                 = "Name"
    value               = "vault"
    propagate_at_launch = true
  }
}

// Per-instance settings for the ASG. No `name` is given, so Terraform
// generates one; no IAM instance profile is attached here.
resource "aws_launch_configuration" "vault" {
  image_id        = "${var.ami}"
  instance_type   = "${var.instance_type}"
  key_name        = "${var.key-name}"
  security_groups = ["${aws_security_group.vault.id}"]
  user_data       = "${template_file.install.rendered}"
}

// Security group for Vault allows SSH and HTTP access (via "tcp" in
// case TLS is used)
// The group itself is empty; all rules are attached through separate
// aws_security_group_rule resources below.
resource "aws_security_group" "vault" {
  name        = "vault"
  description = "Vault servers"
  vpc_id      = "${var.vpc-id}"
}

// SSH to the Vault nodes from any source address. If var.subnets are public
// subnets this exposes port 22 to the internet; restricting cidr_blocks to an
// operator/bastion range is the usual hardening step (the module currently
// provides no variable for it, so it would need to be added).
resource "aws_security_group_rule" "vault-ssh" {
  security_group_id = "${aws_security_group.vault.id}"
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

// This rule allows Vault HTTP API access to individual nodes, since each will
// need to be addressed individually for unsealing.
// Direct access to port 8200 on the nodes from any address, bypassing the ELB.
// Needed for per-node unseal, but as written it is open to 0.0.0.0/0; the
// operator CIDR (or at least the VPC range) is the expected scope. Note that
// the ELB's health check target (var.elb-health-check) also needs to reach
// 8200, via the vault security group, so any narrowing must keep the ELB
// security group (or its CIDR) permitted.
resource "aws_security_group_rule" "vault-http-api" {
  security_group_id = "${aws_security_group.vault.id}"
  type              = "ingress"
  from_port         = 8200
  to_port           = 8200
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

// Unrestricted egress (all protocols, all ports, all destinations). Nodes
// need outbound access to fetch var.download-url and to reach their storage
// backend; the destination set is not narrowed here.
resource "aws_security_group_rule" "vault-egress" {
  security_group_id = "${aws_security_group.vault.id}"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}

// Launch the ELB that is serving Vault. This has proper health checks
// to only serve healthy, unsealed Vaults.
// Both listeners are plain TCP passthrough to 8200, so the ELB does not
// terminate TLS: whatever protocol Vault speaks on 8200 (per var.config) is
// what clients get on ports 80 and 443 alike. The port 80 listener is
// therefore not necessarily plaintext, but it also does not redirect.
// Whether only unsealed nodes are served depends entirely on the health
// check target the caller supplies in var.elb-health-check.
resource "aws_elb" "vault" {
  name                        = "vault"
  connection_draining         = true
  // Seconds to let in-flight connections finish when an instance is deregistered.
  connection_draining_timeout = 400
  // Internal ELB: it gets private addresses only, so the elb security group's
  // 0.0.0.0/0 ingress below is in practice reachable only from inside the VPC
  // and any networks routed to it (peering, VPN) — confirm for this VPC.
  internal                    = true
  subnets                     = ["${split(",", var.subnets)}"]
  security_groups             = ["${aws_security_group.elb.id}"]

  listener {
    instance_port     = 8200
    instance_protocol = "tcp"
    lb_port           = 80
    lb_protocol       = "tcp"
  }

  listener {
    instance_port     = 8200
    instance_protocol = "tcp"
    lb_port           = 443
    lb_protocol       = "tcp"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 3
    timeout             = 5
    target              = "${var.elb-health-check}"
    interval            = 15
  }
}

// Security group for the ELB; rules are attached as separate resources below.
resource "aws_security_group" "elb" {
  name        = "vault-elb"
  description = "Vault ELB"
  vpc_id      = "${var.vpc-id}"
}

// Port 80 to the ELB from any address (scoped by the ELB being internal,
// see above).
resource "aws_security_group_rule" "vault-elb-http" {
  security_group_id = "${aws_security_group.elb.id}"
  type              = "ingress"
  from_port         = 80
  to_port           = 80
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

// Port 443 to the ELB from any address (same scoping caveat as port 80).
resource "aws_security_group_rule" "vault-elb-https" {
  security_group_id = "${aws_security_group.elb.id}"
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
}

// Unrestricted egress for the ELB. The ELB only needs to reach the Vault
// nodes on 8200, so this could be narrowed to the vault security group.
resource "aws_security_group_rule" "vault-elb-egress" {
  security_group_id = "${aws_security_group.elb.id}"
  type              = "egress"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
}