1resource "template_file" "install" {
2    template = "${file("${path.module}/scripts/install.sh.tpl")}"
3
4    vars {
5        download_url  = "${var.download-url}"
6        config        = "${var.config}"
7        extra-install = "${var.extra-install}"
8    }
9}
10
11// We launch Vault into an ASG so that it can properly bring them up for us.
12resource "aws_autoscaling_group" "vault" {
13    name = "vault - ${aws_launch_configuration.vault.name}"
14    launch_configuration = "${aws_launch_configuration.vault.name}"
15    availability_zones = ["${split(",", var.availability-zones)}"]
16    min_size = "${var.nodes}"
17    max_size = "${var.nodes}"
18    desired_capacity = "${var.nodes}"
19    health_check_grace_period = 15
20    health_check_type = "EC2"
21    vpc_zone_identifier = ["${split(",", var.subnets)}"]
22    load_balancers = ["${aws_elb.vault.id}"]
23
24    tag {
25        key = "Name"
26        value = "vault"
27        propagate_at_launch = true
28    }
29}
30
31resource "aws_launch_configuration" "vault" {
32    image_id = "${var.ami}"
33    instance_type = "${var.instance_type}"
34    key_name = "${var.key-name}"
35    security_groups = ["${aws_security_group.vault.id}"]
36    user_data = "${template_file.install.rendered}"
37}
38
39// Security group for Vault allows SSH and HTTP access (via "tcp" in
40// case TLS is used)
41resource "aws_security_group" "vault" {
42    name = "vault"
43    description = "Vault servers"
44    vpc_id = "${var.vpc-id}"
45}
46
47resource "aws_security_group_rule" "vault-ssh" {
48    security_group_id = "${aws_security_group.vault.id}"
49    type = "ingress"
50    from_port = 22
51    to_port = 22
52    protocol = "tcp"
53    cidr_blocks = ["0.0.0.0/0"]
54}
55
56// This rule allows Vault HTTP API access to individual nodes, since each will
57// need to be addressed individually for unsealing.
58resource "aws_security_group_rule" "vault-http-api" {
59    security_group_id = "${aws_security_group.vault.id}"
60    type = "ingress"
61    from_port = 8200
62    to_port = 8200
63    protocol = "tcp"
64    cidr_blocks = ["0.0.0.0/0"]
65}
66
67resource "aws_security_group_rule" "vault-egress" {
68    security_group_id = "${aws_security_group.vault.id}"
69    type = "egress"
70    from_port = 0
71    to_port = 0
72    protocol = "-1"
73    cidr_blocks = ["0.0.0.0/0"]
74}
75
76// Launch the ELB that is serving Vault. This has proper health checks
77// to only serve healthy, unsealed Vaults.
78resource "aws_elb" "vault" {
79    name = "vault"
80    connection_draining = true
81    connection_draining_timeout = 400
82    internal = true
83    subnets = ["${split(",", var.subnets)}"]
84    security_groups = ["${aws_security_group.elb.id}"]
85
86    listener {
87        instance_port = 8200
88        instance_protocol = "tcp"
89        lb_port = 80
90        lb_protocol = "tcp"
91    }
92
93    listener {
94        instance_port = 8200
95        instance_protocol = "tcp"
96        lb_port = 443
97        lb_protocol = "tcp"
98    }
99
100    health_check {
101        healthy_threshold = 2
102        unhealthy_threshold = 3
103        timeout = 5
104        target = "${var.elb-health-check}"
105        interval = 15
106    }
107}
108
109resource "aws_security_group" "elb" {
110    name = "vault-elb"
111    description = "Vault ELB"
112    vpc_id = "${var.vpc-id}"
113}
114
115resource "aws_security_group_rule" "vault-elb-http" {
116    security_group_id = "${aws_security_group.elb.id}"
117    type = "ingress"
118    from_port = 80
119    to_port = 80
120    protocol = "tcp"
121    cidr_blocks = ["0.0.0.0/0"]
122}
123
124resource "aws_security_group_rule" "vault-elb-https" {
125    security_group_id = "${aws_security_group.elb.id}"
126    type = "ingress"
127    from_port = 443
128    to_port = 443
129    protocol = "tcp"
130    cidr_blocks = ["0.0.0.0/0"]
131}
132
133resource "aws_security_group_rule" "vault-elb-egress" {
134    security_group_id = "${aws_security_group.elb.id}"
135    type = "egress"
136    from_port = 0
137    to_port = 0
138    protocol = "-1"
139    cidr_blocks = ["0.0.0.0/0"]
140}
141