PageRenderTime 49ms CodeModel.GetById 23ms RepoModel.GetById 0ms app.codeStats 0ms

/infrastructures/terraform/aws/data/vault/main.tf

https://gitlab.com/OBSERVER-DLL/atlas-examples
Terraform | 309 lines | 238 code | 54 blank | 17 comment | 19 complexity | a2a3b976a9804dd644f619fd3731d53f MD5 | raw file
    

  1. variable "name" { default = "vault" }
    2. 

  2. variable "vpc_id" {}
    3. 

  3. variable "vpc_cidr" {}
    4. 

  4. variable "azs" {}
    5. 

  5. variable "private_subnet_ids" {}
    6. 

  6. variable "public_subnet_ids" {}
    7. 

  7. variable "count" {}
    8. 

  8. variable "instance_type" {}
    9. 

  9. variable "amis" {}
    10. 

  10. 

  11. variable "ssl_cert_name" {}
    12. 

  12. variable "ssl_cert_crt" {}
    13. 

  13. variable "ssl_cert_key" {}
    14. 

  14. variable "key_name" {}
    15. 

  15. variable "key_path" {}
    16. 

  16. variable "bastion_host" {}
    17. 

  17. variable "bastion_user" {}
    18. 

  18. 

  19. variable "user_data" {}
    20. 

  20. variable "atlas_username" {}
    21. 

  21. variable "atlas_environment" {}
    22. 

  22. variable "atlas_token" {}
    23. 

  23. variable "consul_ips" {}
    24. 

  24. 

  25. resource "aws_security_group" "vault" {
    26. 

  26.   name        = "${var.name}"
    27. 

  27.   vpc_id      = "${var.vpc_id}"
    28. 

  28.   description = "Security group for Vault"
    29. 

  29. 

  30.   tags { Name = "${var.name}" }
    31. 

  31. 

  32.   ingress {
    33. 

  33.     protocol    = -1
    34. 

  34.     from_port   = 0
    35. 

  35.     to_port     = 0
    36. 

  36.     cidr_blocks = ["${var.vpc_cidr}"]
    37. 

  37.   }
    38. 

  38. 

  39.   egress {
    40. 

  40.     protocol    = -1
    41. 

  41.     from_port   = 0
    42. 

  42.     to_port     = 0
    43. 

  43.     cidr_blocks = ["0.0.0.0/0"]
    44. 

  44.   }
    45. 

  45. }
    46. 

  46. 

  47. resource "template_file" "user_data" {
    48. 

  48.   filename = "${var.user_data}"
    49. 

  49.   count    = "${var.count}"
    50. 

  50. 

  51.   vars {
    52. 

  52.     atlas_username    = "${var.atlas_username}"
    53. 

  53.     atlas_environment = "${var.atlas_environment}"
    54. 

  54.     atlas_token       = "${var.atlas_token}"
    55. 

  55.     service           = "${var.name}"
    56. 

  56.     node_name         = "${var.name}.${count.index+1}"
    57. 

  57.     cert_name         = "${var.ssl_cert_name}"
    58. 

  58.   }
    59. 

  59. }
    60. 

  60. 

  61. resource "aws_instance" "vault" {
    62. 

  62.   ami           = "${element(split(",", var.amis), count.index)}"
    63. 

  63.   count         = "${var.count}"
    64. 

  64.   instance_type = "${var.instance_type}"
    65. 

  65.   key_name      = "${var.key_name}"
    66. 

  66.   subnet_id     = "${element(split(",", var.private_subnet_ids), count.index)}"
    67. 

  67.   user_data     = "${element(template_file.user_data.*.rendered, count.index)}"
    68. 

  68. 

  69.   vpc_security_group_ids = ["${aws_security_group.vault.id}"]
    70. 

  70. 

  71.   tags { Name = "${var.name}.${count.index+1}" }
    72. 

  72. }
    73. 

  73. 

  74. resource "null_resource" "vault_init" {
    75. 

  75.   provisioner "remote-exec" {
    76. 

  76.     connection {
    77. 

  77.       user         = "ubuntu"
    78. 

  78.       host         = "${element(aws_instance.vault.*.private_ip, 0)}"
    79. 

  79.       key_file     = "${var.key_path}"
    80. 

  80.       bastion_host = "${var.bastion_host}"
    81. 

  81.       bastion_user = "${var.bastion_user}"
    82. 

  82.     }
    83. 

  83. 

  84.     inline = [ <<COMMANDS
    85. 

  85. #!/bin/bash
    86. 

  86. set -e
    87. 

  87. 

  88. # Join Consul cluster
    89. 

  89. consul join ${replace(var.consul_ips, ",", " ")}
    90. 

  90. 

  91. # Remote commands utilize Consul's KV store, wait until ready
    92. 

  92. SLEEPTIME=1
    93. 

  93. cget() { curl -sf "http://127.0.0.1:8500/v1/kv/service/consul/ready?raw"; }
    94. 

  94. 

  95. # Wait for the Consul cluster to become ready
    96. 

  96. while ! cget | grep "true"; do
    97. 

  97.   if [ $SLEEPTIME -gt 24 ]; then
    98. 

  98.     echo "ERROR: CONSUL DID NOT COMPLETE SETUP! Manual intervention required."
    99. 

  99.     exit 2
    100. 

  100.   else
    101. 

  101.     echo "Blocking until Consul is ready, waiting $SLEEPTIME second(s)..."
    102. 

  102.     sleep $SLEEPTIME
    103. 

  103.     ((SLEEPTIME+=1))
    104. 

  104.   fi
    105. 

  105. done
    106. 

  106. 

  107. cget() { curl -sf "http://127.0.0.1:8500/v1/kv/service/vault/$1?raw"; }
    108. 

  108. 

  109. if [ ! $(cget root-token) ]; then
    110. 

  110.   echo "Initialize Vault"
    111. 

  111.   vault init | tee /tmp/vault.init > /dev/null
    112. 

  112. 

  113.   # Store master keys in consul for operator to retrieve and remove
    114. 

  114.   i=1
    115. 

  115.   cat /tmp/vault.init | grep '^Key' | awk '{print $3}' | for key in $(cat -); do
    116. 

  116.     curl -fX PUT 127.0.0.1:8500/v1/kv/service/vault/unseal-key-$i -d $key
    117. 

  117.     ((i = i + 1))
    118. 

  118.   done
    119. 

  119. 

  120.   export ROOT_TOKEN=$(cat /tmp/vault.init | grep '^Initial' | awk '{print $4}')
    121. 

  121.   curl -fX PUT 127.0.0.1:8500/v1/kv/service/vault/root-token -d $ROOT_TOKEN
    122. 

  122. 

  123.   # Remove master keys from disk
    124. 

  124.   shred /tmp/vault.init
    125. 

  125. else
    126. 

  126.   echo "Vault has already been initialized, skipping"
    127. 

  127. fi
    128. 

  128. COMMANDS ]
    129. 

  129.   }
    130. 

  130. }
    131. 

  131. 

  132. resource "null_resource" "vault_unseal" {
    133. 

  133.   count = "${var.count}"
    134. 

  134.   depends_on = ["null_resource.vault_init"]
    135. 

  135. 

  136.   provisioner "remote-exec" {
    137. 

  137.     connection {
    138. 

  138.       user         = "ubuntu"
    139. 

  139.       host         = "${element(aws_instance.vault.*.private_ip, count.index)}"
    140. 

  140.       key_file     = "${var.key_path}"
    141. 

  141.       bastion_host = "${var.bastion_host}"
    142. 

  142.       bastion_user = "${var.bastion_user}"
    143. 

  143.     }
    144. 

  144. 

  145.     inline = [ <<COMMANDS
    146. 

  146. #!/bin/bash
    147. 

  147. set -e
    148. 

  148. 

  149. # Join Consul cluster
    150. 

  150. consul join ${replace(var.consul_ips, ",", " ")}
    151. 

  151. 

  152. # Remote commands utilize Consul's KV store, wait until ready
    153. 

  153. SLEEPTIME=1
    154. 

  154. cget() { curl -sf "http://127.0.0.1:8500/v1/kv/service/consul/ready?raw"; }
    155. 

  155. 

  156. # Wait for the Consul cluster to become ready
    157. 

  157. while ! cget | grep "true"; do
    158. 

  158.   if [ $SLEEPTIME -gt 24 ]; then
    159. 

  159.     echo "ERROR: CONSUL DID NOT COMPLETE SETUP! Manual intervention required."
    160. 

  160.     exit 2
    161. 

  161.   else
    162. 

  162.     echo "Blocking until Consul is ready, waiting $SLEEPTIME second(s)..."
    163. 

  163.     sleep $SLEEPTIME
    164. 

  164.     ((SLEEPTIME+=1))
    165. 

  165.   fi
    166. 

  166. done
    167. 

  167. 

  168. cget() { curl -sf "http://127.0.0.1:8500/v1/kv/service/vault/$1?raw"; }
    169. 

  169. 

  170. echo "Unsealing Vault"
    171. 

  171. vault unseal $(cget unseal-key-1)
    172. 

  172. vault unseal $(cget unseal-key-2)
    173. 

  173. vault unseal $(cget unseal-key-3)
    174. 

  174. COMMANDS ]
    175. 

  175.   }
    176. 

  176. }
    177. 

  177. 

  178. resource "null_resource" "vault_mount_transit" {
    179. 

  179.   count = "${var.count}"
    180. 

  180.   depends_on = ["null_resource.vault_unseal"]
    181. 

  181. 

  182.   provisioner "remote-exec" {
    183. 

  183.     connection {
    184. 

  184.       user         = "ubuntu"
    185. 

  185.       host         = "${element(aws_instance.vault.*.private_ip, count.index)}"
    186. 

  186.       key_file     = "${var.key_path}"
    187. 

  187.       bastion_host = "${var.bastion_host}"
    188. 

  188.       bastion_user = "${var.bastion_user}"
    189. 

  189.     }
    190. 

  190. 

  191.     inline = [ <<COMMANDS
    192. 

  192. #!/bin/bash
    193. 

  193. set -e
    194. 

  194. 

  195. cget() { curl -sf "http://127.0.0.1:8500/v1/kv/service/vault/$1?raw"; }
    196. 

  196. 

  197. if vault status | grep standby > /dev/null; then
    198. 

  198.   echo "Mounts only run on the leader. Exiting."
    199. 

  199.   exit 0
    200. 

  200. fi
    201. 

  201. 

  202. cget root-token | vault auth -
    203. 

  203. vault mount transit
    204. 

  204. shred -u -z ~/.vault-token
    205. 

  205. 

  206. # Report that vault is ready to use. This is used over in app setup to
    207. 

  207. # wait for vault to be ready before inserting the vault policy.
    208. 

  208. curl -XPUT http://127.0.0.1:8500/v1/kv/service/vault/ready -d true
    209. 

  209. COMMANDS ]
    210. 

  210.   }
    211. 

  211. }
    212. 

  212. 

  213. resource "aws_security_group" "elb" {
    214. 

  214.   name   = "${var.name}-elb"
    215. 

  215.   vpc_id = "${var.vpc_id}"
    216. 

  216.   description = "Security group for Vault ELB"
    217. 

  217. 

  218.   tags { Name = "${var.name}-elb" }
    219. 

  219. 

  220.   ingress {
    221. 

  221.     protocol    = "tcp"
    222. 

  222.     from_port   = 80
    223. 

  223.     to_port     = 80
    224. 

  224.     cidr_blocks = ["${var.vpc_cidr}"]
    225. 

  225.   }
    226. 

  226. 

  227.   ingress {
    228. 

  228.     protocol    = "tcp"
    229. 

  229.     from_port   = 443
    230. 

  230.     to_port     = 443
    231. 

  231.     cidr_blocks = ["${var.vpc_cidr}"]
    232. 

  232.   }
    233. 

  233. 

  234.   egress {
    235. 

  235.     protocol    = -1
    236. 

  236.     from_port   = 0
    237. 

  237.     to_port     = 0
    238. 

  238.     cidr_blocks = ["0.0.0.0/0"]
    239. 

  239.   }
    240. 

  240. }
    241. 

  241. 

  242. resource "aws_iam_server_certificate" "vault" {
    243. 

  243.   name             = "${var.name}"
    244. 

  244.   certificate_body = "${file("${var.ssl_cert_crt}")}"
    245. 

  245.   private_key      = "${file("${var.ssl_cert_key}")}"
    246. 

  246. 

  247.   provisioner "local-exec" {
    248. 

  248.     command = <<EOF
    249. 

  249.       echo "Sleep 10 secends so that mycert is propagated by aws iam service"
    250. 

  250.       echo "See https://github.com/hashicorp/terraform/issues/2499 (terraform ~v0.6.1)"
    251. 

  251.       sleep 10
    252. 

  252. EOF
    253. 

  253.   }
    254. 

  254. }
    255. 

  255. 

  256. resource "aws_elb" "vault" {
    257. 

  257.   name                        = "${var.name}"
    258. 

  258.   connection_draining         = true
    259. 

  259.   connection_draining_timeout = 400
    260. 

  260.   internal                    = true
    261. 

  261. 

  262.   subnets         = ["${split(",", var.public_subnet_ids)}"]
    263. 

  263.   security_groups = ["${aws_security_group.elb.id}"]
    264. 

  264.   instances       = ["${aws_instance.vault.*.id}"]
    265. 

  265. 

  266.   listener {
    267. 

  267.     lb_port           = 80
    268. 

  268.     lb_protocol       = "tcp"
    269. 

  269.     instance_port     = 8200
    270. 

  270.     instance_protocol = "tcp"
    271. 

  271.   }
    272. 

  272. 

  273.   listener {
    274. 

  274.     lb_port           = 443
    275. 

  275.     lb_protocol       = "tcp"
    276. 

  276.     instance_port     = 8200
    277. 

  277.     instance_protocol = "tcp"
    278. 

  278.     # There is a bug with setting ssl_certificate_id right now. When it's not set,
    279. 

  279.     # you will see TLS warnings every 5 minutes in the Vault logs due to the load
    280. 

  280.     # balancer not using the proper version of TLS when doing health checks.
    281. 

  281.     # ssl_certificate_id = "${aws_iam_server_certificate.vault.arn}"
    282. 

  282.   }
    283. 

  283. 

  284.   health_check {
    285. 

  285.     healthy_threshold   = 2
    286. 

  286.     unhealthy_threshold = 3
    287. 

  287.     timeout             = 5
    288. 

  288.     interval            = 15
    289. 

  289.     target              = "HTTPS:8200/v1/sys/health"
    290. 

  290.   }
    291. 

  291. }
    292. 

  292. 

  293. output "dns_name" { value = "${aws_elb.vault.dns_name}" }
    294. 

  294. output "private_ips" { value = "${join(",", aws_instance.vault.*.private_ip)}" }
    295. 

  295. output "instructions" {
    296. 

  296.   value = <<EOF
    297. 

  297. 

  298. We use an instance of HashiCorp Vault for secrets management.
    299. 

  299. 

  300. It has been automatically initialized and unsealed once. Future unsealing must
    301. 

  301. be done manually.
    302. 

  302. 

  303. The unseal keys and root token have been temporarily stored in Consul K/V.
    304. 

  304. 

  305.   /service/vault/root-token
    306. 

  306.   /service/vault/unseal-key-{1..5}
    307. 

  307. 

  308. Please securely distribute and record these secrets and remove them from Consul.
    309. 

  309. EOF }
    310. 

  310.