diff --git a/.circleci/config.yml b/.circleci/config.yml
index 1106ee87..be1841a9 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -8,7 +8,7 @@ jobs:
 - checkout
 - run:
 name: Validate Terraform Formatting
- command: "[ -z \"$(terraform fmt -write=false)\" ] || { terraform fmt -write=false -diff; exit 1; }"
+ command: '[ -z "$(terraform fmt -write=false)" ] || { terraform fmt -write=false -diff; exit 1; }'
 build:
 machine: true
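Review bot: The re-quoted command still runs `terraform fmt -write=false` against the checkout directory only, so, assuming the job runs from the repository root, the formatting gate never descends into `examples/` or `modules/`, which is where all the Terraform changed by this diff lives. Since the examples now require Terraform 0.12, the same check can be one line, `command: terraform fmt -check -diff -recursive`, which exits non-zero on unformatted files and drops the deprecated `-write=false` idiom. The enclosing job definition starts before this hunk.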
@@ -24,11 +24,11 @@ jobs:
 # Install the gruntwork-module-circleci-helpers and use it to configure the build environment and run tests.
 - run: curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version v0.0.21
- - run: gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9"
- - run: gruntwork-install --module-name "build-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9"
- - run: gruntwork-install --module-name "aws-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9"
- - run: gruntwork-install --module-name "git-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9"
- - run: gruntwork-install --binary-name "terratest_log_parser" --repo "https://github.com/gruntwork-io/terratest" --tag v0.13.10
+ - run: gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0"
+ - run: gruntwork-install --module-name "build-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0"
+ - run: gruntwork-install --module-name "aws-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0"
+ - run: gruntwork-install --module-name "git-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0"
+ - run: gruntwork-install --binary-name "terratest_log_parser" --repo "https://github.com/gruntwork-io/terratest" --tag v0.17.4
 - run: configure-environment-for-gruntwork-module --go-src-path test --use-go-dep --circle-ci-2 --circle-ci-2-machine-executor
 - save_cache:
diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf
index 81d5577a..e7a4d5a3 100644
--- a/examples/vault-agent/main.tf
+++ b/examples/vault-agent/main.tf
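Review bot: The bootstrap step at the top of this hunk still pipes `https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh` straight into `bash`; `--version v0.0.21` pins what the installer fetches afterwards, but the script itself comes from a moving `master` branch with no integrity check, so anyone who can alter that branch gets code execution in a CI job that, judging by the `aws-helpers` install, presumably carries AWS credentials. The `--tag` bumps below pin git tags, which is better than `master` but tags can still be re-pointed; pinning to a commit SHA or verifying a checksum is the usual fix. One way to harden the bootstrap is to download to a file, verify a pinned SHA-256, then execute it (the placeholders must be filled in from a trusted copy):
```yaml
# … unchanged: checkout / cache steps …
- run:
    name: Bootstrap gruntwork-installer (pinned, checksum verified)
    command: |
      set -euo pipefail
      url="https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/<pinned-commit-sha>/bootstrap-gruntwork-installer.sh"
      curl -fsSL -o /tmp/bootstrap-gruntwork-installer.sh "$url"
      echo "<expected-sha256>  /tmp/bootstrap-gruntwork-installer.sh" | sha256sum -c -
      bash /tmp/bootstrap-gruntwork-installer.sh --version v0.0.21
# … unchanged: gruntwork-install steps …
```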
@@ -1,33 +1,32 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.11.0" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- # INSTANCE THAT WILL AUTHENTICATE TO VAULT USING VAULT AGENT # --------------------------------------------------------------------------------------------------------------------- resource "aws_instance" "example_auth_to_vault" { - ami = "${var.ami_id}" + ami = var.ami_id instance_type = "t2.micro" - subnet_id = "${data.aws_subnet_ids.default.ids[0]}" - key_name = "${var.ssh_key_name}" + subnet_id = tolist(data.aws_subnet_ids.default.ids)[0] + key_name = var.ssh_key_name # Security group that opens the necessary ports for consul # And security group that opens the port to our simple web server security_groups = [ - "${module.consul_cluster.security_group_id}", - "${aws_security_group.auth_instance.id}", + module.consul_cluster.security_group_id, + aws_security_group.auth_instance.id, ] - user_data = "${data.template_file.user_data_auth_client.rendered}" - iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}" + 
user_data = data.template_file.user_data_auth_client.rendered + iam_instance_profile = aws_iam_instance_profile.example_instance_profile.name - tags { - Name = "${var.auth_server_name}" + tags = { + Name = var.auth_server_name } } @@ -38,12 +37,12 @@ resource "aws_instance" "example_auth_to_vault" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_iam_instance_profile" "example_instance_profile" { path = "/" - role = "${aws_iam_role.example_instance_role.name}" + role = aws_iam_role.example_instance_role.name } resource "aws_iam_role" "example_instance_role" { name_prefix = "${var.auth_server_name}-role" - assume_role_policy = "${data.aws_iam_policy_document.example_instance_role.json}" + assume_role_policy = data.aws_iam_policy_document.example_instance_role.json } data "aws_iam_policy_document" "example_instance_role" { @@ -60,9 +59,9 @@ data "aws_iam_policy_document" "example_instance_role" { # Adds policies necessary for running consul module "consul_iam_policies_for_client" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${aws_iam_role.example_instance_role.id}" + iam_role_id = aws_iam_role.example_instance_role.id } # --------------------------------------------------------------------------------------------------------------------- 
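Review bot: `aws_instance.example_auth_to_vault` combines `subnet_id` with `security_groups = [ module.consul_cluster.security_group_id, aws_security_group.auth_instance.id ]`, but in the AWS provider `security_groups` takes group names and is documented for EC2-Classic/default-VPC use, while `vpc_security_group_ids` is the attribute for IDs when `subnet_id` is set; this presumably only works because the example defaults to the default VPC and would break once `var.vpc_id` points at another VPC. Renaming the attribute to `vpc_security_group_ids = [ module.consul_cluster.security_group_id, aws_security_group.auth_instance.id, ]` avoids that. Separately, the hunk replaces the file's descriptive header with the version banner, so the example no longer says what it does; a line such as `# This example launches a Vault cluster and an EC2 instance that authenticates to it using Vault Agent.` under the new banner would keep that information.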
@@ -72,12 +71,12 @@ module "consul_iam_policies_for_client" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_auth_client" { - template = "${file("${path.module}/user-data-auth-client.sh")}" + template = file("${path.module}/user-data-auth-client.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - example_role_name = "${var.example_role_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name } } @@ -87,9 +86,9 @@ data "template_file" "user_data_auth_client" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_security_group" "auth_instance" { - name = "${var.auth_server_name}" + name = var.auth_server_name description = "Security group for ${var.auth_server_name}" - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id } resource "aws_security_group_rule" "allow_inbound_api" { @@ -99,7 +98,7 @@ resource "aws_security_group_rule" "allow_inbound_api" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.auth_instance.id}" + security_group_id = aws_security_group.auth_instance.id } # --------------------------------------------------------------------------------------------------------------------- @@ -108,8 +107,8 @@ resource "aws_security_group_rule" "allow_inbound_api" { resource "aws_iam_role_policy" "vault_iam" { name = "vault_iam" - role = "${module.vault_cluster.iam_role_id}" - policy = "${data.aws_iam_policy_document.vault_iam.json}" + role = module.vault_cluster.iam_role_id + policy = data.aws_iam_policy_document.vault_iam.json } data "aws_iam_policy_document" "vault_iam" { 
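Review bot: `data "template_file" "user_data_auth_client"` is kept as a data source while the rest of the hunk moves to 0.12 syntax; Terraform 0.12 ships the built-in `templatefile()` function, which renders the same file with the same variables without the external `template` provider (deprecated in favour of that function) and can be assigned directly to `user_data`, assuming the script does not rely on provider-specific escaping. The data source collapses to `user_data = templatefile("${path.module}/user-data-auth-client.sh", { consul_cluster_tag_key = var.consul_cluster_tag_key, consul_cluster_tag_value = var.consul_cluster_name, example_role_name = var.example_role_name })` on the instance. The same applies to the other `template_file` data sources touched by this diff.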
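Review bot: `aws_security_group_rule.allow_inbound_api` keeps `cidr_blocks = ["0.0.0.0/0"]` on the auth instance's group but, unlike every `allowed_inbound_cidr_blocks` setting elsewhere in this file, carries no comment saying the open range is for testing only. Add `# Open to the world only to make testing easier; in a real deployment restrict this to trusted CIDR ranges or security groups.` above `cidr_blocks`, or expose it as a variable so users can tighten it without editing the example. The rule's `type`/`from_port`/`to_port` lines start before this hunk.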
@@ -118,7 +117,7 @@ data "aws_iam_policy_document" "vault_iam" { actions = ["iam:GetRole", "iam:GetUser"] # List of arns it can query, for more security, it could be set to specific roles or user - # resources = ["${aws_iam_role.example_instance_role.arn}"] + # resources = ["aws_iam_role.example_instance_role.arn"] resources = [ "arn:aws:iam::*:user/*", "arn:aws:iam::*:role/*", @@ -142,15 +141,15 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" source = "../../modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. @@ -159,7 +158,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
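Review bot: The 0.12 conversion of the commented-out least-privilege alternative in `data.aws_iam_policy_document.vault_iam` is wrong: `# resources = ["aws_iam_role.example_instance_role.arn"]` quotes the reference, so anyone who uncomments it gets the literal string as a resource entry, which is not a valid ARN and would presumably be rejected at apply time, leaving the `arn:aws:iam::*:user/*` / `arn:aws:iam::*:role/*` wildcards in place. It should read `# resources = [aws_iam_role.example_instance_role.arn]`. Since this statement grants the Vault servers `iam:GetRole`/`iam:GetUser` over every role and user in the account, the scoped form is exactly the line readers should be able to copy verbatim.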
@@ -169,9 +168,9 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- @@ -180,18 +179,16 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/user-data-vault.sh")}" - - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - example_role_name = "${var.example_role_name}" + template = file("${path.module}/user-data-vault.sh") + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name # Please note that normally we would never pass a secret this way # This is just for test purposes so we can verify that our example instance is authenticating correctly - example_secret = "${var.example_secret}" - - aws_iam_role_arn = "${aws_iam_role.example_instance_role.arn}" + example_secret = var.example_secret + aws_iam_role_arn = aws_iam_role.example_instance_role.arn } } 
@@ -202,9 +199,9 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -217,28 +214,28 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
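Review bot: The `consul_cluster` module source is pinned to the git tag `?ref=v0.7.0`; tags in the upstream repository are mutable, so a force-pushed or re-created tag silently changes what `terraform init` fetches for every example in this diff (the same `?ref=v0.7.0` is used by `consul_iam_policies_servers`, `consul_iam_policies_for_client` and `security_group_rules`). Pinning to the commit the tag currently resolves to, `source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=<commit-sha>" # v0.7.0`, keeps the same version while making the reference immutable. The `0.0.0.0/0` SSH and inbound ranges are already flagged as test-only by the hunk's own comment.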
@@ -247,11 +244,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -263,12 +260,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id == null ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-agent/outputs.tf b/examples/vault-agent/outputs.tf index 30b51314..16bb9676 100644 --- a/examples/vault-agent/outputs.tf +++ b/examples/vault-agent/outputs.tf 
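Review bot: `data "aws_vpc" "default"` now tests `var.vpc_id == null`, while `variables.tf` in this same diff still documents `vpc_id` as "Leave an empty string to use the Default VPC"; a caller who follows that text and passes `""` gets `default = false` together with `id = ""`, which no longer selects the default VPC and presumably fails the lookup. Either accept both spellings, `default = var.vpc_id == null || var.vpc_id == ""`, or fix the description to say `null`; the trailing `? true : false` is redundant either way since the comparison already yields a bool.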
@@ -1,95 +1,96 @@ output "auth_client_public_ip" { - value = "${aws_instance.example_auth_to_vault.public_ip}" + value = aws_instance.example_auth_to_vault.public_ip } output "auth_client_instance_id" { - value = "${aws_instance.example_auth_to_vault.id}" + value = aws_instance.example_auth_to_vault.id } output "auth_role_arn" { - value = "${aws_iam_role.example_instance_role.arn}" + value = aws_iam_role.example_instance_role.arn } output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = 
"${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output "launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } + diff --git a/examples/vault-agent/variables.tf b/examples/vault-agent/variables.tf index 0f86ce5f..9abf58af 100644 --- a/examples/vault-agent/variables.tf +++ b/examples/vault-agent/variables.tf 
@@ -14,14 +14,17 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } variable "example_secret" { description = "Example secret to be written into vault server" + type = string } # --------------------------------------------------------------------------------------------------------------------- 
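Review bot: `example_secret` gains a type but no warning about where it goes: `main.tf` in this diff passes it into `user_data_vault_cluster`, so the value travels in the launch configuration's user data, sits in Terraform state and plan output in plaintext, and is readable from the instance metadata endpoint by any process on the Vault servers. Terraform 0.12 has no `sensitive` flag for variables, so the description should carry that caveat, e.g. `description = "Example secret written to the Vault server via user data for test purposes only; it lands in user data, state and plan output in plaintext, so never use a real secret here."`.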
@@ -31,50 +34,61 @@ variable "example_secret" { variable "example_role_name" { description = "The name of the vault role" + type = string default = "example-role" } variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "auth_server_name" { description = "What to name the server authenticating to vault" + type = string default = "auth-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 1 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 1 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.micro" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } + diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index 00ea898b..9aa8eadd 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf 
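Review bot: The `vpc_id` default changes from `""` to `null` and `main.tf` now checks `var.vpc_id == null`, but the description still says `Leave an empty string to use the Default VPC in this region.`, so the documented way to get the default VPC would no longer select it. Update it to `description = "The ID of the VPC to deploy into. Leave as null (the default) to use the Default VPC in this region."` or make the data source accept both `null` and `""`.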
@@ -1,10 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.11.0" + required_version = ">= 0.12" } data "aws_kms_alias" "vault-example" { 
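Review bot: The hunk removes the descriptive header (`DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS` …) and replaces it with the Terraform-version banner, so `examples/vault-auto-unseal/main.tf` no longer states what it deploys or that unsealing relies on a KMS key. Keep the banner but restore a short description beneath it, e.g. `# This example deploys a Vault cluster and a Consul cluster in AWS and configures Vault to auto-unseal with the AWS KMS key named by var.auto_unseal_kms_key_alias.` The `data "aws_kms_alias"` block at the end of the hunk continues outside it.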
@@ -21,21 +20,21 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" source = "../../modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # This setting will create the AWS policy that allows the vault cluster to # access KMS and use this key for encryption and decryption enable_auto_unseal = true - auto_unseal_kms_key_arn = "${data.aws_kms_alias.vault-example.target_key_arn}" + auto_unseal_kms_key_arn = data.aws_kms_alias.vault-example.target_key_arn # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. @@ -44,7 +43,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -54,9 +53,9 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- @@ -65,14 +64,13 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/user-data-vault.sh")}" + template = file("${path.module}/user-data-vault.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - - kms_key_id = "${data.aws_kms_alias.vault-example.target_key_id}" - aws_region = "${data.aws_region.current.name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + kms_key_id = data.aws_kms_alias.vault-example.target_key_id + aws_region = data.aws_region.current.name } } 
@@ -83,9 +81,9 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -98,28 +96,28 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -128,11 +126,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -144,12 +142,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id == null ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-auto-unseal/outputs.tf b/examples/vault-auto-unseal/outputs.tf index 97b842b6..9e7ebd3b 100644 --- a/examples/vault-auto-unseal/outputs.tf +++ b/examples/vault-auto-unseal/outputs.tf 
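Review bot: `data "aws_vpc" "default"` switches to `var.vpc_id == null` while this example's `variables.tf` still tells users to "Leave an empty string to use the Default VPC"; passing `""` now yields `default = false` with `id = ""`, which presumably fails instead of selecting the default VPC. Use `default = var.vpc_id == null || var.vpc_id == ""` (the `? true : false` is redundant) or correct the variable description so the two agree.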
@@ -1,83 +1,84 @@ output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = "${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output 
"launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } + diff --git a/examples/vault-auto-unseal/variables.tf b/examples/vault-auto-unseal/variables.tf index 8b090544..03847da8 100644 --- a/examples/vault-auto-unseal/variables.tf +++ b/examples/vault-auto-unseal/variables.tf @@ -14,14 +14,17 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } variable "auto_unseal_kms_key_alias" { description = "The alias of AWS KMS key used for encryption and decryption" + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -31,45 +34,55 @@ variable "auto_unseal_kms_key_alias" {
 variable "vault_cluster_name" {
 description = "What to name the Vault server cluster and all of its associated resources"
+ type = string
 default = "vault-example"
 }
 variable "consul_cluster_name" {
 description = "What to name the Consul server cluster and all of its associated resources"
+ type = string
 default = "consul-example"
 }
 variable "auth_server_name" {
 description = "What to name the server authenticating to vault"
+ type = string
 default = "auth-example"
 }
 variable "vault_cluster_size" {
 description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 3
 }
 variable "consul_cluster_size" {
 description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 3
 }
 variable "vault_instance_type" {
 description = "The type of EC2 Instance to run in the Vault ASG"
+ type = string
 default = "t2.micro"
 }
 variable "consul_instance_type" {
 description = "The type of EC2 Instance to run in the Consul ASG"
+ type = string
 default = "t2.nano"
 }
 variable "consul_cluster_tag_key" {
 description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster."
+ type = string
 default = "consul-servers"
 }
 variable "vpc_id" {
 description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
- default = ""
+ type = string
+ default = null
 }
+
diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf
index f7924dbe..8d799c37 100644
--- a/examples/vault-cluster-private/main.tf
+++ b/examples/vault-cluster-private/main.tf
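Review bot: `vpc_id` now defaults to `null`, but the description kept on the line above it still instructs the caller to "Leave an empty string to use the Default VPC in this region." The main.tf hunks later in this diff (vault-cluster-private, vault-ec2-auth) change the default-VPC test to `var.vpc_id == null`, so a caller who follows the description and passes `""` would presumably get `default = false` with an empty `id` in `data "aws_vpc" "default"`, and the lookup would fail instead of falling back to the default VPC. Update the text to match the new sentinel: `description = "The ID of the VPC to deploy into. Leave as null to use the Default VPC in this region."`. The same stale description is kept unchanged in the vault-cluster-private/variables.tf and vault-ec2-auth/variables.tf hunks below.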
@@ -1,11 +1,9 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS
-# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul,
-# running in a separate cluster, as its storage backend.
-# ---------------------------------------------------------------------------------------------------------------------
-
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.9.3"
+ required_version = ">= 0.12"
 }
 # ---------------------------------------------------------------------------------------------------------------------
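Review bot: The header that stated what this example deploys (a Vault cluster using a separate Consul cluster as its storage backend) is removed outright rather than moved below the new version-requirement block, so the file no longer describes its own purpose. Suggest re-adding the removed `# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS` block, with its two explanatory lines, after the `terraform {}` block. The new separator lines also appear to be one dash longer than the `# ---` separators elsewhere in this file, which `terraform fmt` will not normalise. The same two points apply to the first hunk of vault-ec2-auth/main.tf and of vault-iam-auth/main.tf.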
@@ -18,15 +16,15 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-vault.git/modules/vault-cluster?ref=v0.0.1"
 source = "../../modules/vault-cluster"
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -35,7 +33,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -45,9 +43,9 @@ module "vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -56,12 +54,12 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/user-data-vault.sh")}"
+ template = file("${path.module}/user-data-vault.sh")
- vars {
- aws_region = "${data.aws_region.current.name}"
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ vars = {
+ aws_region = data.aws_region.current.name
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -72,9 +70,9 @@ data "template_file" "user_data_vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
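Review bot: The `template_file` data source is carried over as `template = file(...)` plus a `vars` map, although the file now requires Terraform 0.12, where the built-in `templatefile()` function renders the same `${...}` placeholders without the template provider, e.g. `user_data = templatefile("${path.module}/user-data-vault.sh", { aws_region = data.aws_region.current.name, consul_cluster_tag_key = var.consul_cluster_tag_key, consul_cluster_tag_value = var.consul_cluster_name })` directly in the `module "vault_cluster"` block. This is a style choice rather than a defect, provided user-data-vault.sh uses only `${...}` interpolation; if the provider is kept deliberately, a one-line comment above the block saying so would stop the next migration pass from raising it again. The same pattern appears in the other `template_file` blocks in this file and in vault-ec2-auth/main.tf.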
@@ -87,28 +85,28 @@ module "security_group_rules" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0"
- cluster_name = "${var.consul_cluster_name}"
- cluster_size = "${var.consul_cluster_size}"
- instance_type = "${var.consul_instance_type}"
+ cluster_name = var.consul_cluster_name
+ cluster_size = var.consul_cluster_size
+ instance_type = var.consul_instance_type
 # The EC2 Instances will use these tags to automatically discover each other and form a cluster
- cluster_tag_key = "${var.consul_cluster_tag_key}"
- cluster_tag_value = "${var.consul_cluster_name}"
+ cluster_tag_key = var.consul_cluster_tag_key
+ cluster_tag_value = var.consul_cluster_name
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_consul.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_consul.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production
 # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
 allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -117,11 +115,11 @@ module "consul_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_consul" {
- template = "${file("${path.module}/user-data-consul.sh")}"
+ template = file("${path.module}/user-data-consul.sh")
- vars {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ vars = {
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -133,12 +131,14 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = "${var.vpc_id == "" ? true : false}"
- id = "${var.vpc_id}"
+ default = var.vpc_id == null ? true : false
+ id = var.vpc_id
 }
 data "aws_subnet_ids" "default" {
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_region" "current" {
 }
-data "aws_region" "current" {}
diff --git a/examples/vault-cluster-private/outputs.tf b/examples/vault-cluster-private/outputs.tf
index 97b842b6..9e7ebd3b 100644
--- a/examples/vault-cluster-private/outputs.tf
+++ b/examples/vault-cluster-private/outputs.tf
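Review bot: `default = var.vpc_id == null ? true : false` in `data "aws_vpc" "default"` wraps an expression that is already a boolean in a redundant conditional; `default = var.vpc_id == null` says the same thing more directly. The identical expression appears in the second hunk of vault-ec2-auth/main.tf. Worth noting in the same block that the sentinel is now `null` rather than `""`, so the fallback to the default VPC only happens when the variable is left unset; an empty string would be passed through as the VPC `id`.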
@@ -1,83 +1,84 @@
 output "asg_name_vault_cluster" {
- value = "${module.vault_cluster.asg_name}"
+ value = module.vault_cluster.asg_name
 }
 output "launch_config_name_vault_cluster" {
- value = "${module.vault_cluster.launch_config_name}"
+ value = module.vault_cluster.launch_config_name
 }
 output "iam_role_arn_vault_cluster" {
- value = "${module.vault_cluster.iam_role_arn}"
+ value = module.vault_cluster.iam_role_arn
 }
 output "iam_role_id_vault_cluster" {
- value = "${module.vault_cluster.iam_role_id}"
+ value = module.vault_cluster.iam_role_id
 }
 output "security_group_id_vault_cluster" {
- value = "${module.vault_cluster.security_group_id}"
+ value = module.vault_cluster.security_group_id
 }
 output "asg_name_consul_cluster" {
- value = "${module.consul_cluster.asg_name}"
+ value = module.consul_cluster.asg_name
 }
 output "launch_config_name_consul_cluster" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_consul_cluster" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_consul_cluster" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_consul_cluster" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "aws_region" {
- value = "${data.aws_region.current.name}"
+ value = data.aws_region.current.name
 }
 output "vault_servers_cluster_tag_key" {
- value = "${module.vault_cluster.cluster_tag_key}"
+ value = module.vault_cluster.cluster_tag_key
 }
 output "vault_servers_cluster_tag_value" {
- value = "${module.vault_cluster.cluster_tag_value}"
+ value = module.vault_cluster.cluster_tag_value
 }
 output "ssh_key_name" {
- value = "${var.ssh_key_name}"
+ value = var.ssh_key_name
 }
 output "vault_cluster_size" {
- value = "${var.vault_cluster_size}"
+ value = var.vault_cluster_size
 }
 output "launch_config_name_servers" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_servers" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_servers" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_servers" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "consul_cluster_cluster_tag_key" {
- value = "${module.consul_cluster.cluster_tag_key}"
+ value = module.consul_cluster.cluster_tag_key
 }
 output "consul_cluster_cluster_tag_value" {
- value = "${module.consul_cluster.cluster_tag_value}"
+ value = module.consul_cluster.cluster_tag_value
 }
+
diff --git a/examples/vault-cluster-private/variables.tf b/examples/vault-cluster-private/variables.tf
index e99e3261..3e919aff 100644
--- a/examples/vault-cluster-private/variables.tf
+++ b/examples/vault-cluster-private/variables.tf
@@ -14,10 +14,12 @@ variable "ami_id" {
 description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json."
+ type = string
 }
 variable "ssh_key_name" {
 description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair."
+ type = string
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -27,40 +29,49 @@ variable "ssh_key_name" {
 variable "vault_cluster_name" {
 description = "What to name the Vault server cluster and all of its associated resources"
+ type = string
 default = "vault-example"
 }
 variable "consul_cluster_name" {
 description = "What to name the Consul server cluster and all of its associated resources"
+ type = string
 default = "consul-example"
 }
 variable "vault_cluster_size" {
 description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 3
 }
 variable "consul_cluster_size" {
 description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 3
 }
 variable "vault_instance_type" {
 description = "The type of EC2 Instance to run in the Vault ASG"
+ type = string
 default = "t2.micro"
 }
 variable "consul_instance_type" {
 description = "The type of EC2 Instance to run in the Consul ASG"
+ type = string
 default = "t2.nano"
 }
 variable "consul_cluster_tag_key" {
 description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster."
+ type = string
 default = "consul-servers"
 }
 variable "vpc_id" {
 description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
- default = ""
+ type = string
+ default = null
 }
+
diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf
index b08fe637..18e38b46 100644
--- a/examples/vault-ec2-auth/main.tf
+++ b/examples/vault-ec2-auth/main.tf
@@ -1,30 +1,29 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS
-# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster
-# ---------------------------------------------------------------------------------------------------------------------
-
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.11.0"
+ required_version = ">= 0.12"
 }
 resource "aws_instance" "example_auth_to_vault" {
- ami = "${var.ami_id}"
+ ami = var.ami_id
 instance_type = "t2.micro"
- subnet_id = "${data.aws_subnet_ids.default.ids[0]}"
- key_name = "${var.ssh_key_name}"
+ subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]
+ key_name = var.ssh_key_name
 # Security group that opens the necessary ports for consul
 # And security group that opens the port to our simple web server
 security_groups = [
- "${module.consul_cluster.security_group_id}",
- "${aws_security_group.auth_instance.id}",
+ module.consul_cluster.security_group_id,
+ aws_security_group.auth_instance.id,
 ]
- user_data = "${data.template_file.user_data_auth_client.rendered}"
- iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}"
+ user_data = data.template_file.user_data_auth_client.rendered
+ iam_instance_profile = aws_iam_instance_profile.example_instance_profile.name
- tags {
- Name = "${var.auth_server_name}"
+ tags = {
+ Name = var.auth_server_name
 }
 }
@@ -33,7 +32,7 @@ resource "aws_instance" "example_auth_to_vault" {
 # access the DNS registry for the vault server
 resource "aws_iam_instance_profile" "example_instance_profile" {
 path = "/"
- role = "${module.vault_cluster.iam_role_name}"
+ role = module.vault_cluster.iam_role_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -42,12 +41,12 @@ resource "aws_iam_instance_profile" "example_instance_profile" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_auth_client" {
- template = "${file("${path.module}/user-data-auth-client.sh")}"
+ template = file("${path.module}/user-data-auth-client.sh")
- vars {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
- example_role_name = "${var.example_role_name}"
+ vars = {
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
+ example_role_name = var.example_role_name
 }
 }
@@ -56,9 +55,9 @@ data "template_file" "user_data_auth_client" {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_security_group" "auth_instance" {
- name = "${var.auth_server_name}"
+ name = var.auth_server_name
 description = "Security group for ${var.auth_server_name}"
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
 }
 resource "aws_security_group_rule" "allow_inbound_api" {
@@ -68,7 +67,7 @@ resource "aws_security_group_rule" "allow_inbound_api" {
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.auth_instance.id}"
+ security_group_id = aws_security_group.auth_instance.id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -81,15 +80,15 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1"
 source = "../../modules/vault-cluster"
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -98,7 +97,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -108,9 +107,9 @@ module "vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -119,19 +118,17 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/user-data-vault.sh")}"
-
- vars {
- aws_region = "${data.aws_region.current.name}"
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
- example_role_name = "${var.example_role_name}"
+ template = file("${path.module}/user-data-vault.sh")
+ vars = {
+ aws_region = data.aws_region.current.name
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
+ example_role_name = var.example_role_name
 # Please note that normally we would never pass a secret this way
 # This is just for test purposes so we can verify that our example instance is authenticating correctly
- example_secret = "${var.example_secret}"
-
- ami_id = "${var.ami_id}"
+ example_secret = var.example_secret
+ ami_id = var.ami_id
 }
 }
@@ -142,9 +139,9 @@ data "template_file" "user_data_vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
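Review bot: The rewritten `data "template_file" "user_data_vault_cluster"` block drops the blank lines that separated `template` from `vars` and set `example_secret` and `ami_id` apart (the removed side shows them as `-` lines with no `+` counterpart), while the sibling `template_file` blocks in this file (`user_data_auth_client` earlier, `user_data_consul` later) keep the blank line between `template` and `vars`; restoring the same spacing here would make the three blocks read alike. The comment explaining that `example_secret` is passed this way only for test purposes is kept, which matters because the value is rendered into instance user data, and it should stay directly above `example_secret = var.example_secret` as the hunk now places it.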
@@ -157,28 +154,28 @@ module "security_group_rules" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0"
- cluster_name = "${var.consul_cluster_name}"
- cluster_size = "${var.consul_cluster_size}"
- instance_type = "${var.consul_instance_type}"
+ cluster_name = var.consul_cluster_name
+ cluster_size = var.consul_cluster_size
+ instance_type = var.consul_instance_type
 # The EC2 Instances will use these tags to automatically discover each other and form a cluster
- cluster_tag_key = "${var.consul_cluster_tag_key}"
- cluster_tag_value = "${var.consul_cluster_name}"
+ cluster_tag_key = var.consul_cluster_tag_key
+ cluster_tag_value = var.consul_cluster_name
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_consul.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_consul.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production
 # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
 allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -187,11 +184,11 @@ module "consul_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_consul" {
- template = "${file("${path.module}/user-data-consul.sh")}"
+ template = file("${path.module}/user-data-consul.sh")
- vars {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ vars = {
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -203,12 +200,14 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = "${var.vpc_id == "" ? true : false}"
- id = "${var.vpc_id}"
+ default = var.vpc_id == null ? true : false
+ id = var.vpc_id
 }
 data "aws_subnet_ids" "default" {
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_region" "current" {
 }
-data "aws_region" "current" {}
diff --git a/examples/vault-ec2-auth/outputs.tf b/examples/vault-ec2-auth/outputs.tf
index 17ca8e2d..8694fbce 100644
--- a/examples/vault-ec2-auth/outputs.tf
+++ b/examples/vault-ec2-auth/outputs.tf
@@ -1,91 +1,92 @@
 output "auth_client_public_ip" {
- value = "${aws_instance.example_auth_to_vault.public_ip}"
+ value = aws_instance.example_auth_to_vault.public_ip
 }
 output "auth_client_instance_id" {
- value = "${aws_instance.example_auth_to_vault.id}"
+ value = aws_instance.example_auth_to_vault.id
 }
 output "asg_name_vault_cluster" {
- value = "${module.vault_cluster.asg_name}"
+ value = module.vault_cluster.asg_name
 }
 output "launch_config_name_vault_cluster" {
- value = "${module.vault_cluster.launch_config_name}"
+ value = module.vault_cluster.launch_config_name
 }
 output "iam_role_arn_vault_cluster" {
- value = "${module.vault_cluster.iam_role_arn}"
+ value = module.vault_cluster.iam_role_arn
 }
 output "iam_role_id_vault_cluster" {
- value = "${module.vault_cluster.iam_role_id}"
+ value = module.vault_cluster.iam_role_id
 }
 output "security_group_id_vault_cluster" {
- value = "${module.vault_cluster.security_group_id}"
+ value = module.vault_cluster.security_group_id
 }
 output "asg_name_consul_cluster" {
- value = "${module.consul_cluster.asg_name}"
+ value = module.consul_cluster.asg_name
 }
 output "launch_config_name_consul_cluster" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_consul_cluster" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_consul_cluster" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_consul_cluster" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "aws_region" {
- value = "${data.aws_region.current.name}"
+ value = data.aws_region.current.name
 }
 output "vault_servers_cluster_tag_key" {
- value = "${module.vault_cluster.cluster_tag_key}"
+ value = module.vault_cluster.cluster_tag_key
 }
 output "vault_servers_cluster_tag_value" {
- value = "${module.vault_cluster.cluster_tag_value}"
+ value = module.vault_cluster.cluster_tag_value
 }
 output "ssh_key_name" {
- value = "${var.ssh_key_name}"
+ value = var.ssh_key_name
 }
 output "vault_cluster_size" {
- value = "${var.vault_cluster_size}"
+ value = var.vault_cluster_size
 }
 output "launch_config_name_servers" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_servers" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_servers" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_servers" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "consul_cluster_cluster_tag_key" {
- value = "${module.consul_cluster.cluster_tag_key}"
+ value = module.consul_cluster.cluster_tag_key
 }
 output "consul_cluster_cluster_tag_value" {
- value = "${module.consul_cluster.cluster_tag_value}"
+ value = module.consul_cluster.cluster_tag_value
 }
+
diff --git a/examples/vault-ec2-auth/variables.tf b/examples/vault-ec2-auth/variables.tf
index 098a72db..f04b84ea 100644
--- a/examples/vault-ec2-auth/variables.tf
+++ b/examples/vault-ec2-auth/variables.tf
@@ -14,14 +14,17 @@ variable "ami_id" {
 description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json."
+ type = string
 }
 variable "ssh_key_name" {
 description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair."
+ type = string
 }
 variable "example_secret" {
 description = "Example secret to be written into vault server"
+ type = string
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -31,50 +34,61 @@ variable "example_secret" {
 variable "example_role_name" {
 description = "The name of the vault role"
+ type = string
 default = "example-role"
 }
 variable "vault_cluster_name" {
 description = "What to name the Vault server cluster and all of its associated resources"
+ type = string
 default = "vault-example"
 }
 variable "consul_cluster_name" {
 description = "What to name the Consul server cluster and all of its associated resources"
+ type = string
 default = "consul-example"
 }
 variable "auth_server_name" {
 description = "What to name the server authenticating to vault"
+ type = string
 default = "auth-example"
 }
 variable "vault_cluster_size" {
 description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 1
 }
 variable "consul_cluster_size" {
 description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 1
 }
 variable "vault_instance_type" {
 description = "The type of EC2 Instance to run in the Vault ASG"
+ type = string
 default = "t2.micro"
 }
 variable "consul_instance_type" {
 description = "The type of EC2 Instance to run in the Consul ASG"
+ type = string
 default = "t2.nano"
 }
 variable "consul_cluster_tag_key" {
 description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster."
+ type = string
 default = "consul-servers"
 }
 variable "vpc_id" {
 description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
- default = ""
+ type = string
+ default = null
 }
+
diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf
index 74849185..79b8e108 100644
--- a/examples/vault-iam-auth/main.tf
+++ b/examples/vault-iam-auth/main.tf
@@ -1,33 +1,32 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.11.0" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- # INSTANCE THAT WILL AUTHENTICATE TO VAULT USING IAM METHOD # --------------------------------------------------------------------------------------------------------------------- resource "aws_instance" "example_auth_to_vault" { - ami = "${var.ami_id}" + ami = var.ami_id instance_type = "t2.micro" - subnet_id = "${data.aws_subnet_ids.default.ids[0]}" - key_name = "${var.ssh_key_name}" + subnet_id = tolist(data.aws_subnet_ids.default.ids)[0] + key_name = var.ssh_key_name # Security group that opens the necessary ports for consul # And security group that opens the port to our simple web server security_groups = [ - "${module.consul_cluster.security_group_id}", - "${aws_security_group.auth_instance.id}", + module.consul_cluster.security_group_id, + aws_security_group.auth_instance.id, ] - user_data = "${data.template_file.user_data_auth_client.rendered}" - iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}" + 
user_data = data.template_file.user_data_auth_client.rendered + iam_instance_profile = aws_iam_instance_profile.example_instance_profile.name - tags { - Name = "${var.auth_server_name}" + tags = { + Name = var.auth_server_name } } @@ -38,12 +37,12 @@ resource "aws_instance" "example_auth_to_vault" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_iam_instance_profile" "example_instance_profile" { path = "/" - role = "${aws_iam_role.example_instance_role.name}" + role = aws_iam_role.example_instance_role.name } resource "aws_iam_role" "example_instance_role" { name_prefix = "${var.auth_server_name}-role" - assume_role_policy = "${data.aws_iam_policy_document.example_instance_role.json}" + assume_role_policy = data.aws_iam_policy_document.example_instance_role.json } data "aws_iam_policy_document" "example_instance_role" { @@ -60,9 +59,9 @@ data "aws_iam_policy_document" "example_instance_role" { # Adds policies necessary for running consul module "consul_iam_policies_for_client" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${aws_iam_role.example_instance_role.id}" + iam_role_id = aws_iam_role.example_instance_role.id } # --------------------------------------------------------------------------------------------------------------------- 
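Review bot: The four-line header that said what this example deploys ("DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS" and the sentence after it) is removed and only the version-requirement banner is kept, so the file no longer states its purpose; keep the original description block above the new banner. The examples/vault-s3-backend/main.tf hunk drops its purpose header the same way. Separately, `subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]` selects whichever element the set-to-list conversion puts first, which a reader cannot verify here; a comment such as `# ids is a set in 0.12; tolist() ordering decides which subnet is used — confirm it is stable enough for this example` would flag that. While here, `security_groups` combined with `subnet_id` is the EC2-Classic/default-VPC form of that argument; when `var.vpc_id` names a non-default VPC, `vpc_security_group_ids` is the argument that takes IDs, so this is worth confirming against the provider docs.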
@@ -72,12 +71,12 @@ module "consul_iam_policies_for_client" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_auth_client" {
- template = "${file("${path.module}/user-data-auth-client.sh")}"
+ template = file("${path.module}/user-data-auth-client.sh")
- vars {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
- example_role_name = "${var.example_role_name}"
+ vars = {
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
+ example_role_name = var.example_role_name
 }
 }
@@ -87,9 +86,9 @@ data "template_file" "user_data_auth_client" {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_security_group" "auth_instance" {
- name = "${var.auth_server_name}"
+ name = var.auth_server_name
 description = "Security group for ${var.auth_server_name}"
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
 }
 resource "aws_security_group_rule" "allow_inbound_api" {
@@ -99,7 +98,7 @@ resource "aws_security_group_rule" "allow_inbound_api" {
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.auth_instance.id}"
+ security_group_id = aws_security_group.auth_instance.id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -108,8 +107,8 @@ resource "aws_security_group_rule" "allow_inbound_api" {
 resource "aws_iam_role_policy" "vault_iam" {
 name = "vault_iam"
- role = "${module.vault_cluster.iam_role_id}"
- policy = "${data.aws_iam_policy_document.vault_iam.json}"
+ role = module.vault_cluster.iam_role_id
+ policy = data.aws_iam_policy_document.vault_iam.json
 }
 data "aws_iam_policy_document" "vault_iam" {
@@ -142,15 +141,15 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1"
 source = "../../modules/vault-cluster"
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -159,7 +158,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -169,9 +168,9 @@ module "vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -180,18 +179,16 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/user-data-vault.sh")}"
-
- vars {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
- example_role_name = "${var.example_role_name}"
+ template = file("${path.module}/user-data-vault.sh")
+ vars = {
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
+ example_role_name = var.example_role_name
 # Please note that normally we would never pass a secret this way
 # This is just for test purposes so we can verify that our example instance is authenticating correctly
- example_secret = "${var.example_secret}"
-
- aws_iam_role_arn = "${aws_iam_role.example_instance_role.arn}"
+ example_secret = var.example_secret
+ aws_iam_role_arn = aws_iam_role.example_instance_role.arn
 }
 }
@@ -202,9 +199,9 @@ data "template_file" "user_data_vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -217,28 +214,28 @@ module "security_group_rules" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0"
- cluster_name = "${var.consul_cluster_name}"
- cluster_size = "${var.consul_cluster_size}"
- instance_type = "${var.consul_instance_type}"
+ cluster_name = var.consul_cluster_name
+ cluster_size = var.consul_cluster_size
+ instance_type = var.consul_instance_type
 # The EC2 Instances will use these tags to automatically discover each other and form a cluster
- cluster_tag_key = "${var.consul_cluster_tag_key}"
- cluster_tag_value = "${var.consul_cluster_name}"
+ cluster_tag_key = var.consul_cluster_tag_key
+ cluster_tag_value = var.consul_cluster_name
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_consul.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_consul.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production
 # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
 allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -247,11 +244,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -263,12 +260,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id == null ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-iam-auth/outputs.tf b/examples/vault-iam-auth/outputs.tf index 30b51314..16bb9676 100644 --- a/examples/vault-iam-auth/outputs.tf +++ b/examples/vault-iam-auth/outputs.tf 
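Review bot: `default = var.vpc_id == null ? true : false` wraps a comparison that is already a bool in 0.12 in a redundant conditional; `default = var.vpc_id == null` says the same thing. The examples/vault-s3-backend/main.tf hunk for `data "aws_vpc" "default"` has the identical line. Since 0.12 treats a null argument as unset, `id = var.vpc_id` is simply omitted in the null case, so a comment on the data source such as `# vpc_id == null → look up the region's default VPC rather than a specific one` would make the pairing with `default = true` explicit for readers who only see this file.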
@@ -1,95 +1,96 @@ output "auth_client_public_ip" { - value = "${aws_instance.example_auth_to_vault.public_ip}" + value = aws_instance.example_auth_to_vault.public_ip } output "auth_client_instance_id" { - value = "${aws_instance.example_auth_to_vault.id}" + value = aws_instance.example_auth_to_vault.id } output "auth_role_arn" { - value = "${aws_iam_role.example_instance_role.arn}" + value = aws_iam_role.example_instance_role.arn } output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = 
"${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output "launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } + diff --git a/examples/vault-iam-auth/variables.tf b/examples/vault-iam-auth/variables.tf index 0f86ce5f..9abf58af 100644 --- a/examples/vault-iam-auth/variables.tf +++ b/examples/vault-iam-auth/variables.tf 
@@ -14,14 +14,17 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } variable "example_secret" { description = "Example secret to be written into vault server" + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -31,50 +34,61 @@ variable "example_secret" { variable "example_role_name" { description = "The name of the vault role" + type = string default = "example-role" } variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "auth_server_name" { description = "What to name the server authenticating to vault" + type = string default = "auth-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 1 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 1 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.micro" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } + diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index 9f0f1af0..1988d6be 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf 
@@ -1,11 +1,9 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS
-# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul,
-# running in a separate cluster, as its storage backend.
-# ---------------------------------------------------------------------------------------------------------------------
-
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.9.3"
+ required_version = ">= 0.12"
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -18,19 +16,19 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1"
 source = "../../modules/vault-cluster"
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
 enable_s3_backend = true
- s3_bucket_name = "${var.s3_bucket_name}"
- force_destroy_s3_bucket = "${var.force_destroy_s3_bucket}"
+ s3_bucket_name = var.s3_bucket_name
+ force_destroy_s3_bucket = var.force_destroy_s3_bucket
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -39,7 +37,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -49,9 +47,9 @@ module "vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -60,13 +58,13 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/user-data-vault.sh")}"
+ template = file("${path.module}/user-data-vault.sh")
- vars {
- aws_region = "${data.aws_region.current.name}"
- s3_bucket_name = "${var.s3_bucket_name}"
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ vars = {
+ aws_region = data.aws_region.current.name
+ s3_bucket_name = var.s3_bucket_name
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -77,9 +75,9 @@ data "template_file" "user_data_vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -92,28 +90,28 @@ module "security_group_rules" {
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0"
- cluster_name = "${var.consul_cluster_name}"
- cluster_size = "${var.consul_cluster_size}"
- instance_type = "${var.consul_instance_type}"
+ cluster_name = var.consul_cluster_name
+ cluster_size = var.consul_cluster_size
+ instance_type = var.consul_instance_type
 # The EC2 Instances will use these tags to automatically discover each other and form a cluster
- cluster_tag_key = "${var.consul_cluster_tag_key}"
- cluster_tag_value = "${var.consul_cluster_name}"
+ cluster_tag_key = var.consul_cluster_tag_key
+ cluster_tag_value = var.consul_cluster_name
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_consul.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_consul.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production
 # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
 allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -122,11 +120,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -138,12 +136,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id == null ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-s3-backend/outputs.tf b/examples/vault-s3-backend/outputs.tf index 850bce74..e1af7046 100644 --- a/examples/vault-s3-backend/outputs.tf +++ b/examples/vault-s3-backend/outputs.tf 
@@ -1,87 +1,88 @@ output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = "${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output 
"launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } output "s3_bucket_arn" { - value = "${module.vault_cluster.s3_bucket_arn}" + value = module.vault_cluster.s3_bucket_arn } + diff --git a/examples/vault-s3-backend/variables.tf b/examples/vault-s3-backend/variables.tf index 2ed6b2b0..f526eaaa 100644 --- a/examples/vault-s3-backend/variables.tf +++ b/examples/vault-s3-backend/variables.tf @@ -14,10 +14,12 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -27,50 +29,61 @@ variable "ssh_key_name" { variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-s3-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-s3-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.micro" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-vault-s3-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } variable "s3_bucket_name" { description = "The name of an S3 bucket to create and use as a storage backend (if configured). Note: S3 bucket names must be *globally* unique." + type = string default = "my-vault-bucket" } variable "force_destroy_s3_bucket" { description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage (if configured). You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves." 
+ type = bool default = false } + diff --git a/main.tf b/main.tf index 087b2687..3e2db19f 100644 --- a/main.tf +++ b/main.tf @@ -5,10 +5,12 @@ # backend. # --------------------------------------------------------------------------------------------------------------------- -# Terraform 0.9.5 suffered from https://github.com/hashicorp/terraform/issues/14399, which causes this template the -# conditionals in this template to fail. +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.9.3, != 0.9.5" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- 
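Review bot: The `vpc_id` default changes from `""` to `null`, but its description still reads "Leave an empty string to use the Default VPC in this region", so the documented opt-in no longer matches the default. Either update it to `description = "The ID of the VPC to deploy into. Leave as null to use the Default VPC in this region."` or keep accepting `""` in whatever consumes the variable. In the preceding hunk of this file, `ami_id` gets `type = string` with no default, which makes it a required input at the example level; if callers are expected to omit it and fall back to an AMI lookup, it presumably needs `default = null` as well — that example's main.tf is not in view, so this is inferred from the root module's `var.ami_id == null` check.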
@@ -57,15 +59,15 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=v0.0.1" source = "./modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # Do NOT use the ELB for the ASG health check, or the ASG will assume all sealed instances are unhealthy and # repeatedly try to redeploy them. @@ -78,7 +80,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
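Review bot: `ami_id = var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id` changes the fallback trigger from `""` to `null`, but the root `variables.tf` that declares `ami_id` is not part of this diff; if its default is still `""`, the AMI lookup is never taken and the module receives an empty string for `ami_id`. Please confirm that variable now carries `default = null` (the `vpc_id` variable in examples/vault-s3-backend/variables.tf was converted that way in this commit, while `ami_id` there only gained `type = string`). A form tolerant of both callers is `ami_id = var.ami_id == null || var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id`. The same expression appears in the `consul_cluster` hunk (L66); the enclosing `module "vault_cluster"` block starts before this hunk and ends in the following one.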
@@ -88,9 +90,9 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul//modules/consul-iam-policies?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- @@ -99,12 +101,12 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/examples/root-example/user-data-vault.sh")}" + template = file("${path.module}/examples/root-example/user-data-vault.sh") - vars { - aws_region = "${data.aws_region.current.name}" - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + aws_region = data.aws_region.current.name + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } 
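Review bot: With `required_version` now `>= 0.12`, the `data "template_file"` block in the second hunk can be replaced by the built-in `templatefile()` function, which removes the dependency on the template provider and type-checks the vars map at plan time: in the `vault_cluster` module call, `user_data = templatefile("${path.module}/examples/root-example/user-data-vault.sh", { aws_region = data.aws_region.current.name, consul_cluster_tag_key = var.consul_cluster_tag_key, consul_cluster_tag_value = var.consul_cluster_name })`. The same applies to `user_data_consul` (L67). Separately, the `consul_iam_policies_servers` source now points at `?ref=v0.7.0`; a tag ref can be moved upstream, so where reproducible plans matter consider pinning `ref=` to the commit SHA that tag resolves to and recording the tag in a comment.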
@@ -115,9 +117,9 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -135,31 +137,31 @@ module "vault_elb" { # source = "github.com/hashicorp/terraform-aws-vault//modules/vault-elb?ref=v0.0.1" source = "./modules/vault-elb" - name = "${var.vault_cluster_name}" + name = var.vault_cluster_name - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # Associate the ELB with the instances created by the Vault Autoscaling group - vault_asg_name = "${module.vault_cluster.asg_name}" + vault_asg_name = module.vault_cluster.asg_name # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_inbound_cidr_blocks = ["0.0.0.0/0"] # In order to access Vault over HTTPS, we need a domain name that matches the TLS cert - create_dns_entry = "${var.create_dns_entry}" + create_dns_entry = var.create_dns_entry # Terraform conditionals are not short-circuiting, so we use join as a workaround to avoid errors when the # aws_route53_zone data source isn't actually set: https://github.com/hashicorp/hil/issues/50 - hosted_zone_id = "${var.create_dns_entry ? join("", data.aws_route53_zone.selected.*.zone_id) : ""}" + hosted_zone_id = var.create_dns_entry ? join("", data.aws_route53_zone.selected.*.zone_id) : "" - domain_name = "${var.vault_domain_name}" + domain_name = var.vault_domain_name } # Look up the Route 53 Hosted Zone by domain name data "aws_route53_zone" "selected" { - count = "${var.create_dns_entry}" + count = var.create_dns_entry ? 1 : 0 name = "${var.hosted_zone_domain_name}." } 
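Review bot: The comment above `hosted_zone_id` still justifies the `join("", data.aws_route53_zone.selected.*.zone_id)` workaround by citing hashicorp/hil issue 50, but HIL is the pre-0.12 interpolation engine this commit migrates away from, so the stated rationale no longer matches the required Terraform version. If the `join` form is kept on purpose (it yields `""` rather than an index error when the data source has `count` 0), reword the comment to say that, e.g. `# When create_dns_entry is false the zone data source has count 0; join over the splat returns "" instead of failing on [0].`. The `count = var.create_dns_entry ? 1 : 0` change below is the correct 0.12 replacement for the bare boolean. The enclosing `module "vault_elb"` block starts before this hunk.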
@@ -168,28 +170,28 @@ data "aws_route53_zone" "selected" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul//modules/consul-cluster?ref=v0.4.0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -198,11 +200,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/examples/root-example/user-data-consul.sh")}" + template = file("${path.module}/examples/root-example/user-data-consul.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -214,13 +216,15 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.use_default_vpc}" - tags = "${var.vpc_tags}" + default = var.use_default_vpc + tags = var.vpc_tags } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" - tags = "${var.subnet_tags}" + vpc_id = data.aws_vpc.default.id + tags = var.subnet_tags +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/modules/private-tls-cert/main.tf b/modules/private-tls-cert/main.tf index 46f45710..f906b61e 100644 --- a/modules/private-tls-cert/main.tf +++ b/modules/private-tls-cert/main.tf 
@@ -3,22 +3,22 @@ # --------------------------------------------------------------------------------------------------------------------- resource "tls_private_key" "ca" { - algorithm = "${var.private_key_algorithm}" - ecdsa_curve = "${var.private_key_ecdsa_curve}" - rsa_bits = "${var.private_key_rsa_bits}" + algorithm = var.private_key_algorithm + ecdsa_curve = var.private_key_ecdsa_curve + rsa_bits = var.private_key_rsa_bits } resource "tls_self_signed_cert" "ca" { - key_algorithm = "${tls_private_key.ca.algorithm}" - private_key_pem = "${tls_private_key.ca.private_key_pem}" + key_algorithm = tls_private_key.ca.algorithm + private_key_pem = tls_private_key.ca.private_key_pem is_ca_certificate = true - validity_period_hours = "${var.validity_period_hours}" - allowed_uses = ["${var.ca_allowed_uses}"] + validity_period_hours = var.validity_period_hours + allowed_uses = var.ca_allowed_uses subject { - common_name = "${var.ca_common_name}" - organization = "${var.organization_name}" + common_name = var.ca_common_name + organization = var.organization_name } # Store the CA public key in a file. @@ -32,9 +32,9 @@ resource "tls_self_signed_cert" "ca" { # --------------------------------------------------------------------------------------------------------------------- resource "tls_private_key" "cert" { - algorithm = "${var.private_key_algorithm}" - ecdsa_curve = "${var.private_key_ecdsa_curve}" - rsa_bits = "${var.private_key_rsa_bits}" + algorithm = var.private_key_algorithm + ecdsa_curve = var.private_key_ecdsa_curve + rsa_bits = var.private_key_rsa_bits # Store the certificate's private key in a file. provisioner "local-exec" { 
@@ -43,30 +43,31 @@ resource "tls_private_key" "cert" { } resource "tls_cert_request" "cert" { - key_algorithm = "${tls_private_key.cert.algorithm}" - private_key_pem = "${tls_private_key.cert.private_key_pem}" + key_algorithm = tls_private_key.cert.algorithm + private_key_pem = tls_private_key.cert.private_key_pem - dns_names = ["${var.dns_names}"] - ip_addresses = ["${var.ip_addresses}"] + dns_names = var.dns_names + ip_addresses = var.ip_addresses subject { - common_name = "${var.common_name}" - organization = "${var.organization_name}" + common_name = var.common_name + organization = var.organization_name } } resource "tls_locally_signed_cert" "cert" { - cert_request_pem = "${tls_cert_request.cert.cert_request_pem}" + cert_request_pem = tls_cert_request.cert.cert_request_pem - ca_key_algorithm = "${tls_private_key.ca.algorithm}" - ca_private_key_pem = "${tls_private_key.ca.private_key_pem}" - ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}" + ca_key_algorithm = tls_private_key.ca.algorithm + ca_private_key_pem = tls_private_key.ca.private_key_pem + ca_cert_pem = tls_self_signed_cert.ca.cert_pem - validity_period_hours = "${var.validity_period_hours}" - allowed_uses = ["${var.allowed_uses}"] + validity_period_hours = var.validity_period_hours + allowed_uses = var.allowed_uses # Store the certificate's public key in a file. provisioner "local-exec" { command = "echo '${tls_locally_signed_cert.cert.cert_pem}' > '${var.public_key_file_path}' && chmod ${var.permissions} '${var.public_key_file_path}' && chown ${var.owner} '${var.public_key_file_path}'" } } + diff --git a/modules/private-tls-cert/outputs.tf b/modules/private-tls-cert/outputs.tf index 89dd1dae..078afd86 100644 --- a/modules/private-tls-cert/outputs.tf +++ b/modules/private-tls-cert/outputs.tf 
@@ -1,11 +1,12 @@ output "ca_public_key_file_path" { - value = "${var.ca_public_key_file_path}" + value = var.ca_public_key_file_path } output "public_key_file_path" { - value = "${var.public_key_file_path}" + value = var.public_key_file_path } output "private_key_file_path" { - value = "${var.private_key_file_path}" + value = var.private_key_file_path } + diff --git a/modules/private-tls-cert/variables.tf b/modules/private-tls-cert/variables.tf index 8fb4b005..57720d84 100644 --- a/modules/private-tls-cert/variables.tf +++ b/modules/private-tls-cert/variables.tf @@ -33,12 +33,12 @@ variable "common_name" { variable "dns_names" { description = "List of DNS names for which the certificate will be valid (e.g. vault.service.consul, foo.example.com)." - type = "list" + type = list(string) } variable "ip_addresses" { description = "List of IP addresses for which the certificate will be valid (e.g. 127.0.0.1)." - type = "list" + type = list(string) } variable "validity_period_hours" { @@ -52,7 +52,7 @@ variable "validity_period_hours" { variable "ca_allowed_uses" { description = "List of keywords from RFC5280 describing a use that is permitted for the CA certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses." - type = "list" + type = list(string) default = [ "cert_signing", @@ -63,7 +63,7 @@ variable "ca_allowed_uses" { variable "allowed_uses" { description = "List of keywords from RFC5280 describing a use that is permitted for the issued certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses." - type = "list" + type = list(string) default = [ "key_encipherment", @@ -90,3 +90,4 @@ variable "private_key_rsa_bits" { description = "The size of the generated RSA key in bits. Should only be used if var.private_key_algorithm is RSA." default = "2048" } + 
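Review bot: The last hunk of modules/private-tls-cert/variables.tf only appends a blank line and leaves `private_key_rsa_bits` with the untyped string default `default = "2048"`, while every other variable this commit touches receives an explicit 0.12 type. For consistency, and so the tls provider gets a number instead of relying on implicit conversion, change it to `type = number` and `default = 2048`. `validity_period_hours` is cut by the hunk boundary, so whether it was given a type could not be checked here.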
diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf index 289f1a9b..715c3f00 100644 --- a/modules/vault-cluster/main.tf +++ b/modules/vault-cluster/main.tf @@ -1,9 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# THESE TEMPLATES REQUIRE TERRAFORM VERSION 0.8 AND ABOVE -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.9.3" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- 
@@ -11,42 +11,63 @@ terraform { # --------------------------------------------------------------------------------------------------------------------- resource "aws_autoscaling_group" "autoscaling_group" { - name_prefix = "${var.cluster_name}" + name_prefix = var.cluster_name - launch_configuration = "${aws_launch_configuration.launch_configuration.name}" + launch_configuration = aws_launch_configuration.launch_configuration.name - availability_zones = ["${var.availability_zones}"] - vpc_zone_identifier = ["${var.subnet_ids}"] + availability_zones = var.availability_zones + vpc_zone_identifier = var.subnet_ids # Use a fixed-size cluster - min_size = "${var.cluster_size}" - max_size = "${var.cluster_size}" - desired_capacity = "${var.cluster_size}" - termination_policies = ["${var.termination_policies}"] + min_size = var.cluster_size + max_size = var.cluster_size + desired_capacity = var.cluster_size + termination_policies = [var.termination_policies] - health_check_type = "${var.health_check_type}" - health_check_grace_period = "${var.health_check_grace_period}" - wait_for_capacity_timeout = "${var.wait_for_capacity_timeout}" + health_check_type = var.health_check_type + health_check_grace_period = var.health_check_grace_period + wait_for_capacity_timeout = var.wait_for_capacity_timeout - enabled_metrics = ["${var.enabled_metrics}"] + enabled_metrics = var.enabled_metrics # Use bucket and policies names in tags for depending on them when they are there # And only create the cluster after S3 bucket and policies exist # Otherwise Vault might boot and not find the bucket or not yet have the necessary permissions # Not using `depends_on` because these resources might not exist - tags = ["${concat( - list( - map( - "key", var.cluster_tag_key, - "value", var.cluster_name, - "propagate_at_launch", true, - "using_s3_bucket_backend", element(concat(aws_iam_role_policy.vault_s3.*.name, list("")), 0), - "s3_bucket_id", element(concat(aws_s3_bucket.vault_storage.*.id, 
list("")), 0), - "using_auto_unseal", element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, list("")), 0), - ) - ), - var.cluster_extra_tags) - }"] + tag { + key = var.cluster_tag_key + value = var.cluster_name + propagate_at_launch = true + } + + tag { + key = "using_s3_bucket_backend" + value = element(concat(aws_iam_role_policy.vault_s3.*.name, [""]), 0) + propagate_at_launch = true + } + + tag { + key = "s3_bucket_id" + value = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0) + propagate_at_launch = true + } + + tag { + key = "using_auto_unseal" + value = element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, [""]), 0) + propagate_at_launch = true + } + + dynamic "tag" { + for_each = var.cluster_extra_tags + + content { + key = tag.key + value = tag.value + propagate_at_launch = tag.propagate_at_launch + } + } + # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors 
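Review bot: `termination_policies = [var.termination_policies]` keeps the extra list brackets that this same hunk removes from `availability_zones`, `vpc_zone_identifier` and `enabled_metrics`; if `var.termination_policies` is declared as a list (its declaration is not in this diff), the value becomes a list of lists and validation will reject it, so it should presumably read `termination_policies = var.termination_policies`. If it really is a single string, a comment saying so would stop the next upgrader from "fixing" it. The `dynamic "tag"` block that replaces the old `concat(list(map(...)))` expression is consistent with the `list(object({ key : string, value : string, propagate_at_launch : bool }))` type given to `cluster_extra_tags` in modules/vault-cluster/variables.tf (L83). The `aws_autoscaling_group` resource continues past this hunk.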
@@ -62,22 +83,33 @@ resource "aws_autoscaling_group" "autoscaling_group" { resource "aws_launch_configuration" "launch_configuration" { name_prefix = "${var.cluster_name}-" - image_id = "${var.ami_id}" - instance_type = "${var.instance_type}" - user_data = "${var.user_data}" - - iam_instance_profile = "${aws_iam_instance_profile.instance_profile.name}" - key_name = "${var.ssh_key_name}" - security_groups = ["${concat(list(aws_security_group.lc_security_group.id), var.additional_security_group_ids)}"] - placement_tenancy = "${var.tenancy}" - associate_public_ip_address = "${var.associate_public_ip_address}" - - ebs_optimized = "${var.root_volume_ebs_optimized}" + image_id = var.ami_id + instance_type = var.instance_type + user_data = var.user_data + + iam_instance_profile = aws_iam_instance_profile.instance_profile.name + key_name = var.ssh_key_name + # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to + # force an interpolation expression to be interpreted as a list by wrapping it + # in an extra set of list brackets. That form was supported for compatibilty in + # v0.11, but is no longer supported in Terraform v0.12. + # + # If the expression in the following list itself returns a list, remove the + # brackets to avoid interpretation as a list of lists. If the expression + # returns a single list item then leave it as-is and remove this TODO comment. 
+ security_groups = concat( + [aws_security_group.lc_security_group.id], + var.additional_security_group_ids, + ) + placement_tenancy = var.tenancy + associate_public_ip_address = var.associate_public_ip_address + + ebs_optimized = var.root_volume_ebs_optimized root_block_device { - volume_type = "${var.root_volume_type}" - volume_size = "${var.root_volume_size}" - delete_on_termination = "${var.root_volume_delete_on_termination}" + volume_type = var.root_volume_type + volume_size = var.root_volume_size + delete_on_termination = var.root_volume_delete_on_termination } # Important note: whenever using a launch configuration with an auto scaling group, you must set @@ -97,9 +129,9 @@ resource "aws_launch_configuration" "launch_configuration" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_security_group" "lc_security_group" { - name_prefix = "${var.cluster_name}" + name_prefix = var.cluster_name description = "Security group for the ${var.cluster_name} launch configuration" - vpc_id = "${var.vpc_id}" + vpc_id = var.vpc_id # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors 
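Review bot: The `TF-UPGRADE-TODO` comment above `security_groups` is left over from the automated 0.12 upgrade and its instruction has already been carried out — `concat(...)` returns a list and the value is no longer wrapped in brackets — so the eight-line comment is now misleading and should be deleted. A one-line intent comment is enough in its place, e.g. `# Attach the module's own security group plus any caller-supplied groups to every instance.`. The `aws_launch_configuration` resource continues past this hunk.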
@@ -108,29 +140,34 @@ resource "aws_security_group" "lc_security_group" { create_before_destroy = true } - tags = "${merge(map("Name", var.cluster_name), var.security_group_tags)}" + tags = merge( + { + "Name" = var.cluster_name + }, + var.security_group_tags, + ) } resource "aws_security_group_rule" "allow_ssh_inbound_from_cidr_blocks" { - count = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}" + count = length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0 type = "ingress" - from_port = "${var.ssh_port}" - to_port = "${var.ssh_port}" + from_port = var.ssh_port + to_port = var.ssh_port protocol = "tcp" - cidr_blocks = ["${var.allowed_ssh_cidr_blocks}"] + cidr_blocks = var.allowed_ssh_cidr_blocks - security_group_id = "${aws_security_group.lc_security_group.id}" + security_group_id = aws_security_group.lc_security_group.id } resource "aws_security_group_rule" "allow_ssh_inbound_from_security_group_ids" { - count = "${length(var.allowed_ssh_security_group_ids)}" + count = length(var.allowed_ssh_security_group_ids) type = "ingress" - from_port = "${var.ssh_port}" - to_port = "${var.ssh_port}" + from_port = var.ssh_port + to_port = var.ssh_port protocol = "tcp" - source_security_group_id = "${element(var.allowed_ssh_security_group_ids, count.index)}" + source_security_group_id = element(var.allowed_ssh_security_group_ids, count.index) - security_group_id = "${aws_security_group.lc_security_group.id}" + security_group_id = aws_security_group.lc_security_group.id } resource "aws_security_group_rule" "allow_all_outbound" { @@ -140,7 +177,7 @@ resource "aws_security_group_rule" "allow_all_outbound" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.lc_security_group.id}" + security_group_id = aws_security_group.lc_security_group.id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -150,13 +187,13 @@ resource "aws_security_group_rule" "allow_all_outbound" { module "security_group_rules" { source = "../vault-security-group-rules" - security_group_id = "${aws_security_group.lc_security_group.id}" - allowed_inbound_cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"] - allowed_inbound_security_group_ids = ["${var.allowed_inbound_security_group_ids}"] - allowed_inbound_security_group_count = "${var.allowed_inbound_security_group_count}" + security_group_id = aws_security_group.lc_security_group.id + allowed_inbound_cidr_blocks = var.allowed_inbound_cidr_blocks + allowed_inbound_security_group_ids = var.allowed_inbound_security_group_ids + allowed_inbound_security_group_count = var.allowed_inbound_security_group_count - api_port = "${var.api_port}" - cluster_port = "${var.cluster_port}" + api_port = var.api_port + cluster_port = var.cluster_port } # --------------------------------------------------------------------------------------------------------------------- @@ -166,9 +203,9 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_iam_instance_profile" "instance_profile" { - name_prefix = "${var.cluster_name}" - path = "${var.instance_profile_path}" - role = "${aws_iam_role.instance_role.name}" + name_prefix = var.cluster_name + path = var.instance_profile_path + role = aws_iam_role.instance_role.name # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors 
@@ -179,8 +216,8 @@ resource "aws_iam_instance_profile" "instance_profile" { } resource "aws_iam_role" "instance_role" { - name_prefix = "${var.cluster_name}" - assume_role_policy = "${data.aws_iam_policy_document.instance_role.json}" + name_prefix = var.cluster_name + assume_role_policy = data.aws_iam_policy_document.instance_role.json # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors @@ -203,17 +240,19 @@ data "aws_iam_policy_document" "instance_role" { } resource "aws_s3_bucket" "vault_storage" { - count = "${var.enable_s3_backend ? 1 : 0}" - bucket = "${var.s3_bucket_name}" - force_destroy = "${var.force_destroy_s3_bucket}" + count = var.enable_s3_backend ? 1 : 0 + bucket = var.s3_bucket_name + force_destroy = var.force_destroy_s3_bucket - tags = "${merge( - map("Description", "Used for secret storage with Vault. DO NOT DELETE this Bucket unless you know what you are doing."), - var.s3_bucket_tags) - }" + tags = merge( + { + "Description" = "Used for secret storage with Vault. DO NOT DELETE this Bucket unless you know what you are doing." + }, + var.s3_bucket_tags, + ) versioning { - enabled = "${var.enable_s3_bucket_versioning}" + enabled = var.enable_s3_bucket_versioning } # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means 
@@ -225,10 +264,13 @@ resource "aws_s3_bucket" "vault_storage" { } resource "aws_iam_role_policy" "vault_s3" { - count = "${var.enable_s3_backend ? 1 : 0}" - name = "vault_s3" - role = "${aws_iam_role.instance_role.id}" - policy = "${element(concat(data.aws_iam_policy_document.vault_s3.*.json, list("")), 0)}" + count = var.enable_s3_backend ? 1 : 0 + name = "vault_s3" + role = aws_iam_role.instance_role.id + policy = element( + concat(data.aws_iam_policy_document.vault_s3.*.json, [""]), + 0, + ) # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors @@ -239,21 +281,21 @@ resource "aws_iam_role_policy" "vault_s3" { } data "aws_iam_policy_document" "vault_s3" { - count = "${var.enable_s3_backend ? 1 : 0}" + count = var.enable_s3_backend ? 1 : 0 statement { effect = "Allow" actions = ["s3:*"] resources = [ - "${aws_s3_bucket.vault_storage.arn}", - "${aws_s3_bucket.vault_storage.arn}/*", + aws_s3_bucket.vault_storage[0].arn, + "${aws_s3_bucket.vault_storage[0].arn}/*", ] } } data "aws_iam_policy_document" "vault_auto_unseal_kms" { - count = "${var.enable_auto_unseal ? 1 : 0}" + count = var.enable_auto_unseal ? 1 : 0 statement { effect = "Allow" 
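Review bot: `policy = element(concat(data.aws_iam_policy_document.vault_s3.*.json, [""]), 0)` preserves the 0.11-era guard against indexing a zero-count data source, but the `aws_iam_role_policy` and its policy document now share the identical `count = var.enable_s3_backend ? 1 : 0`, so whenever the role policy exists its document exists too. The second hunk already relies on that by writing `aws_s3_bucket.vault_storage[0].arn`; for consistency `policy = data.aws_iam_policy_document.vault_s3[0].json` is the clearer 0.12 form, and the same applies to `vault_auto_unseal_kms` (L80). The empty-string fallback would also turn a future count mismatch into an apply-time provider error about an invalid policy document rather than a plan-time index error, which is another reason to prefer the direct index.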
@@ -264,15 +306,21 @@ data "aws_iam_policy_document" "vault_auto_unseal_kms" { "kms:DescribeKey", ] - resources = ["${var.auto_unseal_kms_key_arn}"] + resources = [var.auto_unseal_kms_key_arn] } } resource "aws_iam_role_policy" "vault_auto_unseal_kms" { - count = "${var.enable_auto_unseal ? 1 : 0}" - name = "vault_auto_unseal_kms" - role = "${aws_iam_role.instance_role.id}" - policy = "${element(concat(data.aws_iam_policy_document.vault_auto_unseal_kms.*.json, list("")), 0)}" + count = var.enable_auto_unseal ? 1 : 0 + name = "vault_auto_unseal_kms" + role = aws_iam_role.instance_role.id + policy = element( + concat( + data.aws_iam_policy_document.vault_auto_unseal_kms.*.json, + [""], + ), + 0, + ) # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors @@ -281,3 +329,4 @@ resource "aws_iam_role_policy" "vault_auto_unseal_kms" { create_before_destroy = true } } + diff --git a/modules/vault-cluster/outputs.tf b/modules/vault-cluster/outputs.tf index f246541e..ab03f0ac 100644 --- a/modules/vault-cluster/outputs.tf +++ b/modules/vault-cluster/outputs.tf 
@@ -1,39 +1,40 @@ output "asg_name" { - value = "${aws_autoscaling_group.autoscaling_group.name}" + value = aws_autoscaling_group.autoscaling_group.name } output "cluster_tag_key" { - value = "${var.cluster_tag_key}" + value = var.cluster_tag_key } output "cluster_tag_value" { - value = "${var.cluster_name}" + value = var.cluster_name } output "cluster_size" { - value = "${aws_autoscaling_group.autoscaling_group.desired_capacity}" + value = aws_autoscaling_group.autoscaling_group.desired_capacity } output "launch_config_name" { - value = "${aws_launch_configuration.launch_configuration.name}" + value = aws_launch_configuration.launch_configuration.name } output "iam_role_arn" { - value = "${aws_iam_role.instance_role.arn}" + value = aws_iam_role.instance_role.arn } output "iam_role_id" { - value = "${aws_iam_role.instance_role.id}" + value = aws_iam_role.instance_role.id } output "iam_role_name" { - value = "${aws_iam_role.instance_role.name}" + value = aws_iam_role.instance_role.name } output "security_group_id" { - value = "${aws_security_group.lc_security_group.id}" + value = aws_security_group.lc_security_group.id } output "s3_bucket_arn" { - value = "${join(",", aws_s3_bucket.vault_storage.*.arn)}" + value = join(",", aws_s3_bucket.vault_storage.*.arn) } + diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf index e3f3c465..4067580f 100644 --- a/modules/vault-cluster/variables.tf +++ b/modules/vault-cluster/variables.tf @@ -21,12 +21,12 @@ variable "vpc_id" { variable "allowed_inbound_cidr_blocks" { description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow connections to Vault" - type = "list" + type = list(string) } variable "allowed_inbound_security_group_ids" { description = "A list of security group IDs that will be allowed to connect to Vault" - type = "list" + type = list(string) } variable "allowed_inbound_security_group_count" { 
@@ -58,13 +58,13 @@ variable "auto_unseal_kms_key_arn" {
 variable "subnet_ids" {
 description = "The subnet IDs into which the EC2 Instances should be deployed. You should typically pass in one subnet ID per node in the cluster_size variable. We strongly recommend that you run Vault in private subnets. At least one of var.subnet_ids or var.availability_zones must be non-empty."
- type = "list"
+ type = list(string)
 default = []
 }
 variable "availability_zones" {
 description = "The availability zones into which the EC2 Instances should be deployed. You should typically pass in one availability zone per node in the cluster_size variable. We strongly recommend against passing in only a list of availability zones, as that will run Vault in the default (and most likely public) subnets in your VPC. At least one of var.subnet_ids or var.availability_zones must be non-empty."
- type = "list"
+ type = list(string)
 default = []
 }
@@ -75,25 +75,25 @@ variable "ssh_key_name" {
 variable "allowed_ssh_cidr_blocks" {
 description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow SSH connections"
- type = "list"
+ type = list(string)
 default = []
 }
 variable "allowed_ssh_security_group_ids" {
 description = "A list of security group IDs from which the EC2 Instances will allow SSH connections"
- type = "list"
+ type = list(string)
 default = []
 }
 variable "additional_security_group_ids" {
 description = "A list of additional security group IDs to add to Vault EC2 Instances"
- type = "list"
+ type = list(string)
 default = []
 }
 variable "security_group_tags" {
 description = "Tags to be applied to the LC security group"
- type = "map"
+ type = map(string)
 default = {}
 }
@@ -104,7 +104,7 @@ variable "cluster_tag_key" {
 variable "cluster_extra_tags" {
 description = "A list of additional tags to add to each Instance in the ASG. Each element in the list must be a map with the keys key, value, and propagate_at_launch"
- type = "list"
+ type = list(object({ key : string, value : string, propagate_at_launch : bool }))
 #example:
 # default = [
@@ -199,7 +199,7 @@ variable "s3_bucket_name" {
 variable "s3_bucket_tags" {
 description = "Tags to be applied to the S3 bucket."
- type = "map"
+ type = map(string)
 default = {}
 }
@@ -215,6 +215,7 @@ variable "force_destroy_s3_bucket" {
 variable "enabled_metrics" {
 description = "List of autoscaling group metrics to enable."
- type = "list"
+ type = list(string)
 default = []
 }
+
diff --git a/modules/vault-elb/main.tf b/modules/vault-elb/main.tf
index 8faa3329..0f85aea4 100644
--- a/modules/vault-elb/main.tf
+++ b/modules/vault-elb/main.tf
@@ -1,9 +1,9 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# THESE TEMPLATES REQUIRE TERRAFORM VERSION 0.8 AND ABOVE
-# --------------------------------------------------------------------------------------------------------------------- + +# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.9.3"
+ required_version = ">= 0.12"
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -11,34 +11,39 @@ terraform {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_elb" "vault" {
- name = "${var.name}"
+ name = var.name
- internal = "${var.internal}"
- cross_zone_load_balancing = "${var.cross_zone_load_balancing}"
- idle_timeout = "${var.idle_timeout}"
- connection_draining = "${var.connection_draining}"
- connection_draining_timeout = "${var.connection_draining_timeout}"
+ internal = var.internal
+ cross_zone_load_balancing = var.cross_zone_load_balancing
+ idle_timeout = var.idle_timeout
+ connection_draining = var.connection_draining
+ connection_draining_timeout = var.connection_draining_timeout
- security_groups = ["${aws_security_group.vault.id}"]
- subnets = ["${var.subnet_ids}"]
+ security_groups = [aws_security_group.vault.id]
+ subnets = var.subnet_ids
 # Run the ELB in TCP passthrough mode
 listener {
- lb_port = "${var.lb_port}"
+ lb_port = var.lb_port
 lb_protocol = "TCP"
- instance_port = "${var.vault_api_port}"
+ instance_port = var.vault_api_port
 instance_protocol = "TCP"
 }
 health_check {
 target = "${var.health_check_protocol}:${var.health_check_port == 0 ? var.vault_api_port : var.health_check_port}${var.health_check_path}"
- interval = "${var.health_check_interval}"
- healthy_threshold = "${var.health_check_healthy_threshold}"
- unhealthy_threshold = "${var.health_check_unhealthy_threshold}"
- timeout = "${var.health_check_timeout}"
+ interval = var.health_check_interval
+ healthy_threshold = var.health_check_healthy_threshold
+ unhealthy_threshold = var.health_check_unhealthy_threshold
+ timeout = var.health_check_timeout
 }
- tags = "${merge(var.load_balancer_tags, map("Name", var.name))}"
+ tags = merge(
+ var.load_balancer_tags,
+ {
+ "Name" = var.name
+ },
+ )
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -46,8 +51,8 @@ resource "aws_elb" "vault" {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_autoscaling_attachment" "vault" {
- autoscaling_group_name = "${var.vault_asg_name}"
- elb = "${aws_elb.vault.id}"
+ autoscaling_group_name = var.vault_asg_name
+ elb = aws_elb.vault.id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -57,19 +62,19 @@ resource "aws_autoscaling_attachment" "vault" {
 resource "aws_security_group" "vault" {
 name = "${var.name}-elb"
 description = "Security group for the ${var.name} ELB"
- vpc_id = "${var.vpc_id}"
+ vpc_id = var.vpc_id
- tags = "${var.security_group_tags}"
+ tags = var.security_group_tags
 }
 resource "aws_security_group_rule" "allow_inbound_api" {
 type = "ingress"
- from_port = "${var.lb_port}"
- to_port = "${var.lb_port}"
+ from_port = var.lb_port
+ to_port = var.lb_port
 protocol = "tcp"
- cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"]
+ cidr_blocks = var.allowed_inbound_cidr_blocks
- security_group_id = "${aws_security_group.vault.id}"
+ security_group_id = aws_security_group.vault.id
 }
 resource "aws_security_group_rule" "allow_all_outbound" {
@@ -79,7 +84,7 @@ resource "aws_security_group_rule" "allow_all_outbound" {
 protocol = "-1"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.vault.id}"
+ security_group_id = aws_security_group.vault.id
 }
 # ---------------------------------------------------------------------------------------------------------------------
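Review bot: `aws_security_group_rule.allow_inbound_api` creates its rule unconditionally with `cidr_blocks = var.allowed_inbound_cidr_blocks`, so a caller passing `[]` (the variable has no default, but nothing rejects an empty list) gets an AWS API error at apply time rather than a security group with no ingress. The sibling `vault-security-group-rules` module in this same diff guards its equivalent rule with `count = length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0`; adding the same line here keeps the two modules consistent and lets an operator deliberately deploy the ELB closed until the CIDRs are known. Because the listener runs in TCP passthrough mode, whatever is allowed here reaches Vault's TLS listener directly, so this variable is the only network control on the API port and its description could say so.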
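Review bot: The `allow_all_outbound` rule keeps `protocol = "-1"` to `cidr_blocks = ["0.0.0.0/0"]` (unchanged context lines; the resource's header is outside the hunk), which is wider than a TCP-passthrough ELB needs: it only has to reach the Vault instances on `var.vault_api_port` and, when set, `var.health_check_port`. A least-privilege variant would limit egress to those TCP ports and, if the module can take the Vault cluster security group ID as an optional input, use `source_security_group_id` in place of the world CIDR. This is pre-existing rather than introduced by the 0.12 conversion, so it is a reasonable follow-up.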
@@ -87,15 +92,15 @@ resource "aws_security_group_rule" "allow_all_outbound" {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_route53_record" "vault_elb" {
- count = "${var.create_dns_entry}"
+ count = var.create_dns_entry ? 1 : 0
- zone_id = "${var.hosted_zone_id}"
- name = "${var.domain_name}"
+ zone_id = var.hosted_zone_id
+ name = var.domain_name
 type = "A"
 alias {
- name = "${aws_elb.vault.dns_name}"
- zone_id = "${aws_elb.vault.zone_id}"
+ name = aws_elb.vault.dns_name
+ zone_id = aws_elb.vault.zone_id
 # When set to true, if either none of the ELB's EC2 instances are healthy or the ELB itself is unhealthy,
 # Route 53 routes queries to "other resources." But since we haven't defined any other resources, we'd rather
@@ -104,3 +109,4 @@ resource "aws_route53_record" "vault_elb" {
 evaluate_target_health = false
 }
 }
+
diff --git a/modules/vault-elb/outputs.tf b/modules/vault-elb/outputs.tf
index ff67df74..024b1c73 100644
--- a/modules/vault-elb/outputs.tf
+++ b/modules/vault-elb/outputs.tf
@@ -1,19 +1,20 @@
 output "load_balancer_name" {
- value = "${aws_elb.vault.name}"
+ value = aws_elb.vault.name
 }
 output "load_balancer_dns_name" {
- value = "${aws_elb.vault.dns_name}"
+ value = aws_elb.vault.dns_name
 }
 output "load_balancer_zone_id" {
- value = "${aws_elb.vault.zone_id}"
+ value = aws_elb.vault.zone_id
 }
 output "load_balancer_security_group_id" {
- value = "${aws_security_group.vault.id}"
+ value = aws_security_group.vault.id
 }
 output "fully_qualified_domain_name" {
- value = "${element(concat(aws_route53_record.vault_elb.*.fqdn, list("")), 0)}"
+ value = element(concat(aws_route53_record.vault_elb.*.fqdn, [""]), 0)
 }
+
diff --git a/modules/vault-elb/variables.tf b/modules/vault-elb/variables.tf
index 75159bf7..f6ec2ced 100644
--- a/modules/vault-elb/variables.tf
+++ b/modules/vault-elb/variables.tf
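Review bot: `count = var.create_dns_entry ? 1 : 0` requires `var.create_dns_entry` to be a bool (or the strings "true"/"false", which 0.12 converts); Terraform 0.12 does not convert numbers to bool, so if the variable is still declared 0.11-style with `default = 0` or `1` (its declaration is not in this diff, so this is inferred) the module fails at plan time with a condition-type error. Worth confirming it is `type = bool` with a boolean default as part of this conversion. The `aws_route53_record.vault_elb` body continues past the hunk.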
@@ -13,7 +13,7 @@ variable "vpc_id" {
 variable "allowed_inbound_cidr_blocks" {
 description = "A list of CIDR-formatted IP address ranges from which the ELB will accept requests."
- type = "list"
+ type = list(string)
 }
 variable "vault_asg_name" {
@@ -27,7 +27,7 @@ variable "vault_asg_name" {
 variable "subnet_ids" {
 description = "The subnet IDs into which the ELB should be deployed. You will typically want to deploy the ELB into public subnets so your Vault cluster can run in private subnets. At least one of var.subnet_ids or var.availability_zones must be non-empty."
- type = "list"
+ type = list(string)
 default = []
 }
@@ -123,6 +123,7 @@ variable "load_balancer_tags" {
 variable "security_group_tags" {
 description = "Tags to be applied to the ELB security group."
- type = "map"
+ type = map(string)
 default = {}
 }
+
diff --git a/modules/vault-security-group-rules/main.tf b/modules/vault-security-group-rules/main.tf
index 1dc6bb1e..c42c6e6d 100644
--- a/modules/vault-security-group-rules/main.tf
+++ b/modules/vault-security-group-rules/main.tf
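Review bot: The `subnet_ids` description still says "At least one of var.subnet_ids or var.availability_zones must be non-empty", yet `aws_elb.vault` in this diff passes only `subnets = var.subnet_ids` and references no availability_zones input, while `default = []` is retained. If the module indeed has no `availability_zones` variable, either drop the default so the variable is required (an ELB cannot be created with neither subnets nor AZs, so `[]` only defers the failure to apply time) or reword the description, e.g. `description = "The subnet IDs into which the ELB should be deployed. Must be non-empty. You will typically want public subnets here so your Vault cluster can run in private subnets."`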
@@ -3,43 +3,44 @@
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_security_group_rule" "allow_api_inbound_from_cidr_blocks" {
- count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}"
+ count = length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0
 type = "ingress"
- from_port = "${var.api_port}"
- to_port = "${var.api_port}"
+ from_port = var.api_port
+ to_port = var.api_port
 protocol = "tcp"
- cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"]
+ cidr_blocks = var.allowed_inbound_cidr_blocks
- security_group_id = "${var.security_group_id}"
+ security_group_id = var.security_group_id
 }
 resource "aws_security_group_rule" "allow_api_inbound_from_security_group_ids" {
- count = "${var.allowed_inbound_security_group_count}"
+ count = var.allowed_inbound_security_group_count
 type = "ingress"
- from_port = "${var.api_port}"
- to_port = "${var.api_port}"
+ from_port = var.api_port
+ to_port = var.api_port
 protocol = "tcp"
- source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}"
+ source_security_group_id = element(var.allowed_inbound_security_group_ids, count.index)
- security_group_id = "${var.security_group_id}"
+ security_group_id = var.security_group_id
 }
 resource "aws_security_group_rule" "allow_cluster_inbound_from_self" {
 type = "ingress"
- from_port = "${var.cluster_port}"
- to_port = "${var.cluster_port}"
+ from_port = var.cluster_port
+ to_port = var.cluster_port
 protocol = "tcp"
 self = true
- security_group_id = "${var.security_group_id}"
+ security_group_id = var.security_group_id
 }
 resource "aws_security_group_rule" "allow_cluster_inbound_from_self_api" {
 type = "ingress"
- from_port = "${var.api_port}"
- to_port = "${var.api_port}"
+ from_port = var.api_port
+ to_port = var.api_port
 protocol = "tcp"
 self = true
- security_group_id = "${var.security_group_id}"
+ security_group_id = var.security_group_id
 }
+
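Review bot: `source_security_group_id = element(var.allowed_inbound_security_group_ids, count.index)` wraps around when `var.allowed_inbound_security_group_count` exceeds the list length, so a count/list mismatch yields duplicate ingress rules (rejected by the AWS API with a confusing duplicate-permission error) instead of pointing at the misconfiguration; with 0.12 in place, `source_security_group_id = var.allowed_inbound_security_group_ids[count.index]` fails fast with an index error. The separate count variable is still needed because `count` cannot depend on values unknown until apply, such as security group IDs created in the same run, so a comment above `count = var.allowed_inbound_security_group_count` saying `# count must be known at plan time, so the caller passes the list length explicitly instead of us calling length()` would stop the next maintainer from collapsing it.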
diff --git a/modules/vault-security-group-rules/variables.tf b/modules/vault-security-group-rules/variables.tf
index 09de1929..2e18f3fe 100644
--- a/modules/vault-security-group-rules/variables.tf
+++ b/modules/vault-security-group-rules/variables.tf
@@ -9,12 +9,12 @@ variable "security_group_id" {
 variable "allowed_inbound_cidr_blocks" {
 description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow connections to Vault"
- type = "list"
+ type = list(string)
 }
 variable "allowed_inbound_security_group_ids" {
 description = "A list of security group IDs that will be allowed to connect to Vault"
- type = "list"
+ type = list(string)
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -35,3 +35,4 @@ variable "cluster_port" {
 description = "The port to use for Vault server-to-server communication"
 default = 8201
 }
+
diff --git a/outputs.tf b/outputs.tf
index a78edb42..9d46ba8b 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,67 +1,68 @@
 output "vault_fully_qualified_domain_name" {
- value = "${module.vault_elb.fully_qualified_domain_name}"
+ value = module.vault_elb.fully_qualified_domain_name
 }
 output "vault_elb_dns_name" {
- value = "${module.vault_elb.load_balancer_dns_name}"
+ value = module.vault_elb.load_balancer_dns_name
 }
 output "asg_name_vault_cluster" {
- value = "${module.vault_cluster.asg_name}"
+ value = module.vault_cluster.asg_name
 }
 output "launch_config_name_vault_cluster" {
- value = "${module.vault_cluster.launch_config_name}"
+ value = module.vault_cluster.launch_config_name
 }
 output "iam_role_arn_vault_cluster" {
- value = "${module.vault_cluster.iam_role_arn}"
+ value = module.vault_cluster.iam_role_arn
 }
 output "iam_role_id_vault_cluster" {
- value = "${module.vault_cluster.iam_role_id}"
+ value = module.vault_cluster.iam_role_id
 }
 output "security_group_id_vault_cluster" {
- value = "${module.vault_cluster.security_group_id}"
+ value = module.vault_cluster.security_group_id
 }
 output "asg_name_consul_cluster" {
- value = "${module.consul_cluster.asg_name}"
+ value = module.consul_cluster.asg_name
 }
 output "launch_config_name_consul_cluster" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_consul_cluster" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_consul_cluster" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_consul_cluster" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "aws_region" {
- value = "${data.aws_region.current.name}"
+ value = data.aws_region.current.name
 }
 output "vault_servers_cluster_tag_key" {
- value = "${module.vault_cluster.cluster_tag_key}"
+ value = module.vault_cluster.cluster_tag_key
 }
 output "vault_servers_cluster_tag_value" {
- value = 
"${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } + diff --git a/test/Gopkg.lock b/test/Gopkg.lock index 9f13786d..568bc595 100644 --- a/test/Gopkg.lock +++ b/test/Gopkg.lock @@ -2,6 +2,15 @@ [[projects]] + digest = "1:1a37f9f2ae10d161d9688fb6008ffa14e1631e5068cc3e9698008b9e8d40d575" + name = "cloud.google.com/go" + packages = ["compute/metadata"] + pruneopts = "" + revision = "457ea5c15ccf3b87db582c450e80101989da35f7" + version = "v0.40.0" + +[[projects]] + digest = "1:a457c94c2e32db1c365e1b3a333b18d047da8c416142b75567f5fc4b1899cc86" name = "github.com/aws/aws-sdk-go" packages = [ "aws", @@ -13,7 +22,9 @@ "aws/credentials", "aws/credentials/ec2rolecreds", "aws/credentials/endpointcreds", + "aws/credentials/processcreds", "aws/credentials/stscreds", + "aws/crr", "aws/csm", "aws/defaults", "aws/ec2metadata", @@ -21,6 +32,7 @@ "aws/request", "aws/session", "aws/signer/v4", + "internal/ini", "internal/s3err", "internal/sdkio", "internal/sdkrand", @@ -40,7 +52,9 @@ "service/acm", "service/autoscaling", "service/cloudwatchlogs", + "service/dynamodb", "service/ec2", + "service/ecs", "service/iam", "service/kms", "service/rds", 
@@ -49,59 +63,175 @@ "service/s3/s3manager", "service/sns", "service/sqs", - "service/sts" + "service/ssm", + "service/sts", ] - revision = "2324d8a7db41970a80d19791bd30b94f632ce0cc" - version = "v1.15.58" + pruneopts = "" + revision = "b0b59fd2ceb03908e5d3bcd1449b46ce75508f4b" + version = "v1.20.7" [[projects]] + digest = "1:b529f4bf748979caa18b599d40d13e8b6e591a74b340f315ce4f95e119c288c2" name = "github.com/boombuler/barcode" packages = [ ".", "qr", - "utils" + "utils", ] + pruneopts = "" revision = "3cfea5ab600ae37946be2b763b8ec2c1cf2d272d" version = "v1.0.0" [[projects]] + digest = "1:0deddd908b6b4b768cfc272c16ee61e7088a60f7fe2f06c547bd3d8e1f8b8e77" name = "github.com/davecgh/go-spew" packages = ["spew"] + pruneopts = "" revision = "8991bc29aa16c548c550c7ff78260e27b9ab7c73" version = "v1.1.1" [[projects]] - name = "github.com/go-ini/ini" + branch = "master" + digest = "1:d6c13a378213e3de60445e49084b8a0a9ce582776dfc77927775dbeb3ff72a35" + name = "github.com/docker/spdystream" + packages = [ + ".", + "spdy", + ] + pruneopts = "" + revision = "6480d4af844c189cf5dd913db24ddd339d3a4f85" + +[[projects]] + digest = "1:b13707423743d41665fd23f0c36b2f37bb49c30e94adb813319c44188a51ba22" + name = "github.com/ghodss/yaml" packages = ["."] - revision = "6529cf7c58879c08d927016dde4477f18a0634cb" - version = "v1.36.0" + pruneopts = "" + revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7" + version = "v1.0.0" [[projects]] + branch = "master" + digest = "1:26317724ed32bcf2ef15454613d2a8fe9d670b12f073cfd20db3bcec54e069ab" + name = "github.com/go-errors/errors" + packages = ["."] + pruneopts = "" + revision = "d98b870cc4e05f1545532a80e9909be8216095b6" + +[[projects]] + digest = "1:e692d16fdfbddb94e9e4886aaf6c08bdbae5cb4ac80651445de9181b371c6e46" name = "github.com/go-sql-driver/mysql" packages = ["."] - revision = "d523deb1b23d913de5bdada721a6071e71283618" - version = "v1.4.0" + pruneopts = "" + revision = "72cd26f257d44c1114970e19afddcd812016007e" + version = "v1.4.1" + 
+[[projects]] + digest = "1:fd53b471edb4c28c7d297f617f4da0d33402755f58d6301e7ca1197ef0a90937" + name = "github.com/gogo/protobuf" + packages = [ + "proto", + "sortkeys", + ] + pruneopts = "" + revision = "ba06b47c162d49f2af050fb4c75bcbc86a159d5c" + version = "v1.2.1" [[projects]] branch = "master" + digest = "1:107b233e45174dbab5b1324201d092ea9448e58243ab9f039e4c0f332e121e3a" + name = "github.com/golang/glog" + packages = ["."] + pruneopts = "" + revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998" + +[[projects]] + digest = "1:529d738b7976c3848cae5cf3a8036440166835e389c1f617af701eeb12a0518d" + name = "github.com/golang/protobuf" + packages = [ + "proto", + "ptypes", + "ptypes/any", + "ptypes/duration", + "ptypes/timestamp", + ] + pruneopts = "" + revision = "b5d812f8a3706043e23a9cd5babf2e5423744d30" + version = "v1.3.1" + +[[projects]] + digest = "1:6a6322a15aa8e99bd156fbba0aae4e5d67b4bb05251d860b348a45dfdcba9cce" name = "github.com/golang/snappy" packages = ["."] - revision = "553a641470496b2327abcac10b36396bd98e45c9" + pruneopts = "" + revision = "2a8bb927dd31d8daada140a5d09578521ce5c36a" + version = "v0.0.1" + +[[projects]] + digest = "1:1e5b1e14524ed08301977b7b8e10c719ed853cbf3f24ecb66fae783a46f207a6" + name = "github.com/google/btree" + packages = ["."] + pruneopts = "" + revision = "4030bb1f1f0c35b30ca7009e9ebd06849dd45306" + version = "v1.0.0" + +[[projects]] + digest = "1:8d4a577a9643f713c25a32151c0f26af7228b4b97a219b5ddb7fd38d16f6e673" + name = "github.com/google/gofuzz" + packages = ["."] + pruneopts = "" + revision = "f140a6486e521aad38f5917de355cbf147cc0496" + version = "v1.0.0" [[projects]] + digest = "1:c1d7e883c50a26ea34019320d8ae40fad86c9e5d56e63a1ba2cb618cef43e986" name = "github.com/google/uuid" packages = ["."] + pruneopts = "" revision = "064e2069ce9c359c118179501254f67d7d37ba24" version = "0.2" [[projects]] + digest = "1:5facc3828b6a56f9aec988433ea33fb4407a89460952ed75be5347cec07318c0" + name = "github.com/googleapis/gnostic" + packages = [ + 
"OpenAPIv2", + "compiler", + "extensions", + ] + pruneopts = "" + revision = "e73c7ec21d36ddb0711cb36d1502d18363b5c2c9" + version = "v0.3.0" + +[[projects]] + branch = "master" + digest = "1:e1fd67b5695fb12f54f979606c5d650a5aa72ef242f8e71072bfd4f7b5a141a0" + name = "github.com/gregjones/httpcache" + packages = [ + ".", + "diskcache", + ] + pruneopts = "" + revision = "901d90724c7919163f472a9812253fb26761123d" + +[[projects]] + digest = "1:f032ebac9a824af56f183e82817a79792738f3faef09b4feced2252df7b253e7" + name = "github.com/gruntwork-io/gruntwork-cli" + packages = ["errors"] + pruneopts = "" + revision = "6a2163138f3d10377f313428e7e367b0a6c0c1c9" + version = "v0.4.2" + +[[projects]] + digest = "1:f4aa63932320bc30b5a0895d451eba4749e08a7fc18ba096a4bf2afcaeae9b5e" name = "github.com/gruntwork-io/terratest" packages = [ "modules/aws", "modules/collections", "modules/customerrors", + "modules/environment", "modules/files", "modules/http-helper", + "modules/k8s", "modules/logger", "modules/packer", "modules/random", 
@@ -109,43 +239,62 @@ "modules/shell", "modules/ssh", "modules/terraform", - "modules/test-structure" + "modules/test-structure", ] - revision = "987fbe40e5b6702a3602403d2519bdb5f2f362e9" - version = "v0.13.10" + pruneopts = "" + revision = "295736141a96daa369a972e1409622d702c8f40e" + version = "v0.17.4" [[projects]] - branch = "master" + digest = "1:8e3bd93036b4a925fe2250d3e4f38f21cadb8ef623561cd80c3c50c114b13201" name = "github.com/hashicorp/errwrap" packages = ["."] - revision = "7554cd9344cec97297fa6649b055a8c98c2a1e55" + pruneopts = "" + revision = "8a6fb523712970c966eefc6b39ed2c5e74880354" + version = "v1.0.0" [[projects]] - branch = "master" + digest = "1:984b627a3c838daa9f4c949ec8e6f049a7021b1156eb4db0337c3a5afe07aada" name = "github.com/hashicorp/go-cleanhttp" packages = ["."] - revision = "d5fe4b57a186c716b0e00b8c301cbd9b4182694d" + pruneopts = "" + revision = "eda1e5db218aad1db63ca4642c8906b26bcf2744" + version = "v0.5.1" [[projects]] - branch = "master" + digest = "1:72308fdd6d5ef61106a95be7ca72349a5565809042b6426a3cfb61d99483b824" name = "github.com/hashicorp/go-multierror" packages = ["."] - revision = "b7773ae218740a7be65057fc60b366a49b538a44" + pruneopts = "" + revision = "886a7fbe3eb1c874d46f623bfa70af45f425b3d1" + version = "v1.0.0" [[projects]] - branch = "master" + digest = "1:0e2d55461c960fad1050dafc69c1fe2a41d5719dc6bfa7c0b74faf56dfdfe85c" + name = "github.com/hashicorp/go-retryablehttp" + packages = ["."] + pruneopts = "" + revision = "85a8ee556d7323a4faf0f4c17ee900e9ff1482e8" + version = "v0.5.4" + +[[projects]] + digest = "1:1ce74de952243566df45871a9e823f3000efac179a8a75af8b1c57c49ae89d97" name = "github.com/hashicorp/go-rootcerts" packages = ["."] - revision = "6bb64b370b90e7ef1fa532be9e591a81c3493e00" + pruneopts = "" + revision = "df8e78a645e18d56ed7bb9ae10ffb8174ab892e2" + version = "v1.0.1" [[projects]] - branch = "master" + digest = "1:24ee99da0190535baad44a5df2710ca2e116d615fcaaffcf3b79b476450af917" name = 
"github.com/hashicorp/go-sockaddr" packages = ["."] - revision = "6d291a969b86c4b633730bfc6b8b9d64c3aafed9" + pruneopts = "" + revision = "c7188e74f6acae5a989bdc959aa779f8b9f42faf" + version = "v1.0.2" [[projects]] - branch = "master" + digest = "1:d14365c51dd1d34d5c79833ec91413bfbb166be978724f15701e17080dc06dec" name = "github.com/hashicorp/hcl" packages = [ ".", 
@@ -156,110 +305,238 @@ "hcl/token", "json/parser", "json/scanner", - "json/token" + "json/token", ] - revision = "ef8a98b0bbce4a65b5aa4c368430a80ddc533168" + pruneopts = "" + revision = "8cb6e5b959231cc1119e43259c4a608f9c51a241" + version = "v1.0.0" [[projects]] + digest = "1:d18bd2106eed6a53efcd3f4dc9faa9492488f51b94e6fd80eae92abda0ec0202" name = "github.com/hashicorp/vault" packages = [ "api", "helper/compressutil", + "helper/hclutil", "helper/jsonutil", "helper/parseutil", - "helper/strutil" + "helper/strutil", ] - revision = "756fdc4587350daf1c65b93647b2cc31a6f119cd" - version = "v0.10.1" + pruneopts = "" + revision = "e21712a687889de1125e0a12a980420b1a4f72d3" + version = "v0.10.4" [[projects]] + digest = "1:31bfd110d31505e9ffbc9478e31773bf05bf02adcaeb9b139af42684f9294c13" + name = "github.com/imdario/mergo" + packages = ["."] + pruneopts = "" + revision = "7c29201646fa3de8506f701213473dd407f19646" + version = "v0.3.7" + +[[projects]] + digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be" + name = "github.com/inconshreveable/mousetrap" + packages = ["."] + pruneopts = "" + revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75" + version = "v1.0" + +[[projects]] + digest = "1:13fe471d0ed891e8544eddfeeb0471fd3c9f2015609a1c000aefdedf52a19d40" name = "github.com/jmespath/go-jmespath" packages = ["."] - revision = "0b12d6b5" + pruneopts = "" + revision = "c2b33e84" [[projects]] - branch = "master" + digest = "1:12d3de2c11e54ea37d7f00daf85088ad5e61ec4e8a1f828d6c8b657976856be7" + name = "github.com/json-iterator/go" + packages = ["."] + pruneopts = "" + revision = "0ff49de124c6f76f8494e194af75bde0f1a49a29" + version = "v1.1.6" + +[[projects]] + digest = "1:6dbb0eb72090871f2e58d1e37973fe3cb8c0f45f49459398d3fc740cb30e13bd" name = "github.com/mitchellh/go-homedir" packages = ["."] - revision = "b8bc1bf767474819792c23f32d8286a45736f1c6" + pruneopts = "" + revision = "af06845cf3004701891bf4fdb884bfe4920b3727" + version = "v1.1.0" [[projects]] - 
branch = "master" + digest = "1:bcc46a0fbd9e933087bef394871256b5c60269575bb661935874729c65bbbf60" name = "github.com/mitchellh/mapstructure" packages = ["."] - revision = "00c29f56e2386353d58c599509e8dc3801b0d716" + pruneopts = "" + revision = "3536a929edddb9a5b34bd6861dc4a9647cb459fe" + version = "v1.1.2" + +[[projects]] + digest = "1:0c0ff2a89c1bb0d01887e1dac043ad7efbf3ec77482ef058ac423d13497e16fd" + name = "github.com/modern-go/concurrent" + packages = ["."] + pruneopts = "" + revision = "bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94" + version = "1.0.3" + +[[projects]] + digest = "1:e32bdbdb7c377a07a9a46378290059822efdce5c8d96fe71940d87cb4f918855" + name = "github.com/modern-go/reflect2" + packages = ["."] + pruneopts = "" + revision = "4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd" + version = "1.0.1" [[projects]] + branch = "master" + digest = "1:5f0faa008e8ff4221b55a1a5057c8b02cb2fd68da6a65c9e31c82b72cbc836d0" + name = "github.com/petar/GoLLRB" + packages = ["llrb"] + pruneopts = "" + revision = "33fb24c13b99c46c93183c291836c573ac382536" + +[[projects]] + digest = "1:4709c61d984ef9ba99b037b047546d8a576ae984fb49486e48d99658aa750cd5" + name = "github.com/peterbourgon/diskv" + packages = ["."] + pruneopts = "" + revision = "0be1b92a6df0e4f5cb0a5d15fb7f643d0ad93ce6" + version = "v3.0.0" + +[[projects]] + digest = "1:256484dbbcd271f9ecebc6795b2df8cad4c458dd0f5fd82a8c2fa0c29f233411" name = "github.com/pmezard/go-difflib" packages = ["difflib"] + pruneopts = "" revision = "792786c7400a136282c1664665ae0a8db921c6c2" version = "v1.0.0" [[projects]] + digest = "1:09d0eed1a0e502dfff8227c3fdbe022ea4bd722c1db3daf7251f20cfc549b428" name = "github.com/pquerna/otp" packages = [ ".", "hotp", - "totp" + "totp", ] - revision = "b7b89250c468c06871d3837bee02e2d5c155ae19" - version = "v1.0.0" + pruneopts = "" + revision = "43bebefda392017900e7a7b237b4c914c6a55b50" + version = "v1.2.0" [[projects]] + digest = "1:4244255905cb95c3c98894d671367f84a6292608ae528936fe46ba9c86f68393" name = 
"github.com/ryanuber/go-glob" packages = ["."] - revision = "572520ed46dbddaed19ea3d9541bdd0494163693" - version = "v0.1" + pruneopts = "" + revision = "51a8f68e6c24dc43f1e371749c89a267de4ebc53" + version = "v1.0.0" [[projects]] - branch = "master" - name = "github.com/sethgrid/pester" + digest = "1:0c63b3c7ad6d825a898f28cb854252a3b29d37700c68a117a977263f5ec94efe" + name = "github.com/spf13/cobra" + packages = ["."] + pruneopts = "" + revision = "f2b07da1e2c38d5f12845a4f607e2e1018cbb1f5" + version = "v0.0.5" + +[[projects]] + digest = "1:cbaf13cdbfef0e4734ed8a7504f57fe893d471d62a35b982bf6fb3f036449a66" + name = "github.com/spf13/pflag" packages = ["."] - revision = "38b020c58c99152830334916f25375e6bdbf9567" + pruneopts = "" + revision = "298182f68c66c05229eb03ac171abe6e309ee79a" + version = "v1.0.3" [[projects]] + digest = "1:381bcbeb112a51493d9d998bbba207a529c73dbb49b3fd789e48c63fac1f192c" name = "github.com/stretchr/testify" packages = [ "assert", - "require" + "require", ] - revision = "f35b8ab0b5a2cef36673838d662e249dd9c94686" - version = "v1.2.2" + pruneopts = "" + revision = "ffdc059bfe9ce6a4e144ba849dbedead332c6053" + version = "v1.3.0" + +[[projects]] + digest = "1:e85837cb04b78f61688c6eba93ea9d14f60d611e2aaf8319999b1a60d2dafbfa" + name = "github.com/urfave/cli" + packages = ["."] + pruneopts = "" + revision = "cfb38830724cc34fedffe9a2a29fb54fa9169cd1" + version = "v1.20.0" [[projects]] branch = "master" + digest = "1:90722da867436e04650b8491e5d9f690aeb2a4e305d548666bdd541d68d6cdbd" name = "golang.org/x/crypto" packages = [ "curve25519", "ed25519", "ed25519/internal/edwards25519", "internal/chacha20", + "internal/subtle", "poly1305", "ssh", - "ssh/agent" + "ssh/agent", + "ssh/terminal", ] - revision = "b49d69b5da943f7ef3c9cf91c8777c1f78a0cc3c" + pruneopts = "" + revision = "cc06ce4a13d484c0101a9e92913248488a75786d" [[projects]] branch = "master" + digest = "1:5c6b8395efd72ad4250b7747e2b1a0683c3edb7b0346a938ff45240c7ec53691" name = "golang.org/x/net" 
packages = [ "context", + "context/ctxhttp", "http/httpguts", "http2", "http2/hpack", "idna", - "lex/httplex" ] - revision = "5f9ae10d9af5b1c89ae6904293b14b064d4ada23" + pruneopts = "" + revision = "3b0461eec859c4b73bb64fdc8285971fd33e3938" [[projects]] + branch = "master" + digest = "1:01bdbbc604dcd5afb6f66a717f69ad45e9643c72d5bc11678d44ffa5c50f9e42" + name = "golang.org/x/oauth2" + packages = [ + ".", + "google", + "internal", + "jws", + "jwt", + ] + pruneopts = "" + revision = "0f29369cfe4552d0e4bcddc57cc75f4d7e672a33" + +[[projects]] + branch = "master" + digest = "1:0cc6f08b513a8ae7ee7d5edfb89c528224c8f64cbd5d7587c9c758f9fab9dba2" + name = "golang.org/x/sys" + packages = [ + "cpu", + "unix", + "windows", + ] + pruneopts = "" + revision = "c5567b49c5d04a5f83870795b8c0e2df43a8ce32" + +[[projects]] + digest = "1:740b51a55815493a8d0f2b1e0d0ae48fe48953bf7eaf3fcc4198823bf67768c0" name = "golang.org/x/text" packages = [ "collate", "collate/build", "internal/colltab", "internal/gen", + "internal/language", + "internal/language/compact", "internal/tag", "internal/triegen", "internal/ucd", 
@@ -269,20 +546,235 @@ "unicode/bidi", "unicode/cldr", "unicode/norm", - "unicode/rangetable" + "unicode/rangetable", ] - revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0" - version = "v0.3.0" + pruneopts = "" + revision = "342b2e1fbaa52c93f31447ad2c6abc048c63e475" + version = "v0.3.2" [[projects]] + branch = "master" + digest = "1:9522af4be529c108010f95b05f1022cb872f2b9ff8b101080f554245673466e1" + name = "golang.org/x/time" + packages = ["rate"] + pruneopts = "" + revision = "9d24e82272b4f38b78bc8cff74fa936d31ccd8ef" + +[[projects]] + digest = "1:47f391ee443f578f01168347818cb234ed819521e49e4d2c8dd2fb80d48ee41a" name = "google.golang.org/appengine" - packages = ["cloudsql"] - revision = "ae0ab99deb4dc413a2b4bd6c8bdd0eb67f1e4d06" - version = "v1.2.0" + packages = [ + ".", + "cloudsql", + "internal", + "internal/app_identity", + "internal/base", + "internal/datastore", + "internal/log", + "internal/modules", + "internal/remote_api", + "internal/urlfetch", + "urlfetch", + ] + pruneopts = "" + revision = "b2f4a3cf3c67576a2ee09e1fe62656a5086ce880" + version = "v1.6.1" + +[[projects]] + digest = "1:75fb3fcfc73a8c723efde7777b40e8e8ff9babf30d8c56160d01beffea8a95a6" + name = "gopkg.in/inf.v0" + packages = ["."] + pruneopts = "" + revision = "d2d2541c53f18d2a059457998ce2876cc8e67cbf" + version = "v0.9.1" + +[[projects]] + digest = "1:cedccf16b71e86db87a24f8d4c70b0a855872eb967cb906a66b95de56aefbd0d" + name = "gopkg.in/yaml.v2" + packages = ["."] + pruneopts = "" + revision = "51d6538a90f86fe93ac480b35f37b2be17fef232" + version = "v2.2.2" + +[[projects]] + branch = "release-1.12" + digest = "1:3e3e9df293bd6f9fd64effc9fa1f0edcd97e6c74145cd9ab05d35719004dc41f" + name = "k8s.io/api" + packages = [ + "admissionregistration/v1alpha1", + "admissionregistration/v1beta1", + "apps/v1", + "apps/v1beta1", + "apps/v1beta2", + "authentication/v1", + "authentication/v1beta1", + "authorization/v1", + "authorization/v1beta1", + "autoscaling/v1", + "autoscaling/v2beta1", + 
"autoscaling/v2beta2", + "batch/v1", + "batch/v1beta1", + "batch/v2alpha1", + "certificates/v1beta1", + "coordination/v1beta1", + "core/v1", + "events/v1beta1", + "extensions/v1beta1", + "networking/v1", + "policy/v1beta1", + "rbac/v1", + "rbac/v1alpha1", + "rbac/v1beta1", + "scheduling/v1alpha1", + "scheduling/v1beta1", + "settings/v1alpha1", + "storage/v1", + "storage/v1alpha1", + "storage/v1beta1", + ] + pruneopts = "" + revision = "6db15a15d2d3874a6c3ddb2140ac9f3bc7058428" + +[[projects]] + branch = "release-1.12" + digest = "1:9c7ee6fe7b8b621df5a7604e9a1f752b566ae451b2cf010c9c075e5e5ff81f56" + name = "k8s.io/apimachinery" + packages = [ + "pkg/api/errors", + "pkg/api/meta", + "pkg/api/resource", + "pkg/apis/meta/v1", + "pkg/apis/meta/v1/unstructured", + "pkg/apis/meta/v1beta1", + "pkg/conversion", + "pkg/conversion/queryparams", + "pkg/fields", + "pkg/labels", + "pkg/runtime", + "pkg/runtime/schema", + "pkg/runtime/serializer", + "pkg/runtime/serializer/json", + "pkg/runtime/serializer/protobuf", + "pkg/runtime/serializer/recognizer", + "pkg/runtime/serializer/streaming", + "pkg/runtime/serializer/versioning", + "pkg/selection", + "pkg/types", + "pkg/util/clock", + "pkg/util/errors", + "pkg/util/framer", + "pkg/util/httpstream", + "pkg/util/httpstream/spdy", + "pkg/util/intstr", + "pkg/util/json", + "pkg/util/naming", + "pkg/util/net", + "pkg/util/runtime", + "pkg/util/sets", + "pkg/util/validation", + "pkg/util/validation/field", + "pkg/util/yaml", + "pkg/version", + "pkg/watch", + "third_party/forked/golang/netutil", + "third_party/forked/golang/reflect", + ] + pruneopts = "" + revision = "01f179d85dbce0f2e0e4351a92394b38694b7cae" + +[[projects]] + branch = "release-9.0" + digest = "1:b1a32e8c431a032029c57bd211aa8b7e7de4fd7e142d4805be654da286f5efe4" + name = "k8s.io/client-go" + packages = [ + "discovery", + "kubernetes", + "kubernetes/scheme", + "kubernetes/typed/admissionregistration/v1alpha1", + "kubernetes/typed/admissionregistration/v1beta1", + 
"kubernetes/typed/apps/v1", + "kubernetes/typed/apps/v1beta1", + "kubernetes/typed/apps/v1beta2", + "kubernetes/typed/authentication/v1", + "kubernetes/typed/authentication/v1beta1", + "kubernetes/typed/authorization/v1", + "kubernetes/typed/authorization/v1beta1", + "kubernetes/typed/autoscaling/v1", + "kubernetes/typed/autoscaling/v2beta1", + "kubernetes/typed/autoscaling/v2beta2", + "kubernetes/typed/batch/v1", + "kubernetes/typed/batch/v1beta1", + "kubernetes/typed/batch/v2alpha1", + "kubernetes/typed/certificates/v1beta1", + "kubernetes/typed/coordination/v1beta1", + "kubernetes/typed/core/v1", + "kubernetes/typed/events/v1beta1", + "kubernetes/typed/extensions/v1beta1", + "kubernetes/typed/networking/v1", + "kubernetes/typed/policy/v1beta1", + "kubernetes/typed/rbac/v1", + "kubernetes/typed/rbac/v1alpha1", + "kubernetes/typed/rbac/v1beta1", + "kubernetes/typed/scheduling/v1alpha1", + "kubernetes/typed/scheduling/v1beta1", + "kubernetes/typed/settings/v1alpha1", + "kubernetes/typed/storage/v1", + "kubernetes/typed/storage/v1alpha1", + "kubernetes/typed/storage/v1beta1", + "pkg/apis/clientauthentication", + "pkg/apis/clientauthentication/v1alpha1", + "pkg/apis/clientauthentication/v1beta1", + "pkg/version", + "plugin/pkg/client/auth/exec", + "plugin/pkg/client/auth/gcp", + "rest", + "rest/watch", + "third_party/forked/golang/template", + "tools/auth", + "tools/clientcmd", + "tools/clientcmd/api", + "tools/clientcmd/api/latest", + "tools/clientcmd/api/v1", + "tools/metrics", + "tools/portforward", + "tools/reference", + "transport", + "transport/spdy", + "util/cert", + "util/connrotation", + "util/flowcontrol", + "util/homedir", + "util/integer", + "util/jsonpath", + ] + pruneopts = "" + revision = "b6aa6aafe32b0767f075245e5d391381c5449c8a" + +[[projects]] + digest = "1:f27698f7ae7864893ebcfb843e44d821263ac1dcf0ba1d5c2353f9d319a2f28d" + name = "k8s.io/kubernetes" + packages = ["pkg/kubectl/generate"] + pruneopts = "" + revision = 
"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529" + version = "v1.15.0" [solve-meta] analyzer-name = "dep" analyzer-version = 1 - inputs-digest = "cf518e98ffebe16a5fbb5b6b0de73c3a3447dad14da3393fa7a2c3cba44cab67" + input-imports = [ + "github.com/gruntwork-io/terratest/modules/aws", + "github.com/gruntwork-io/terratest/modules/files", + "github.com/gruntwork-io/terratest/modules/http-helper", + "github.com/gruntwork-io/terratest/modules/logger", + "github.com/gruntwork-io/terratest/modules/packer", + "github.com/gruntwork-io/terratest/modules/random", + "github.com/gruntwork-io/terratest/modules/retry", + "github.com/gruntwork-io/terratest/modules/ssh", + "github.com/gruntwork-io/terratest/modules/terraform", + "github.com/gruntwork-io/terratest/modules/test-structure", + "github.com/hashicorp/vault/api", + "github.com/stretchr/testify/require", + ] solver-name = "gps-cdcl" solver-version = 1 diff --git a/test/Gopkg.toml b/test/Gopkg.toml index ff0d2818..0b963bee 100644 --- a/test/Gopkg.toml +++ b/test/Gopkg.toml @@ -23,7 +23,7 @@ [[constraint]] name = "github.com/gruntwork-io/terratest" - version = "0.13.12" + version = "0.17.4" [[constraint]] name = "github.com/hashicorp/vault" diff --git a/test/vault_cluster_s3_backend_test.go b/test/vault_cluster_s3_backend_test.go index 3b2cc694..cb028cf8 100644 --- a/test/vault_cluster_s3_backend_test.go +++ b/test/vault_cluster_s3_backend_test.go @@ -9,7 +9,6 @@ import ( const VAULT_CLUSTER_S3_BACKEND_PATH = "examples/vault-s3-backend" -const VAR_ENABLE_S3_BACKEND = "enable_s3_backend" const VAR_S3_BUCKET_NAME = "s3_bucket_name" const VAR_FORCE_DESTROY_S3_BUCKET = "force_destroy_s3_bucket" 
@@ -39,9 +38,8 @@ func runVaultWithS3BackendClusterTest(t *testing.T, amiId string, awsRegion, ssh test_structure.RunTestStage(t, "deploy", func() { uniqueId := random.UniqueId() terraformVars := map[string]interface{}{ - VAR_ENABLE_S3_BACKEND: boolToTerraformVar(true), VAR_S3_BUCKET_NAME: s3BucketName(uniqueId), - VAR_FORCE_DESTROY_S3_BUCKET: boolToTerraformVar(true), + VAR_FORCE_DESTROY_S3_BUCKET: true, } deployCluster(t, amiId, awsRegion, examplesDir, uniqueId, terraformVars) }) diff --git a/test/vault_main_test.go b/test/vault_main_test.go index 939ad6ac..e694e8c2 100644 --- a/test/vault_main_test.go +++ b/test/vault_main_test.go @@ -77,6 +77,16 @@ var testCases = []testCase{ func TestMainVaultCluster(t *testing.T) { t.Parallel() + // For convenience - uncomment these as well as the "os" import + // when doing local testing if you need to skip any sections. + + // os.Setenv("SKIP_setup_amis", "true") + // os.Setenv("SKIP_deploy", "true") + // os.Setenv("SKIP_validate", "true") + // os.Setenv("SKIP_log", "true") + // os.Setenv("SKIP_teardown", "true") + // os.Setenv("SKIP_delete_amis", "true") + test_structure.RunTestStage(t, "setup_amis", func() { tlsCert := generateSelfSignedTlsCert(t) saveTlsCert(t, WORK_DIR, tlsCert) @@ -85,6 +95,7 @@ func TestMainVaultCluster(t *testing.T) { for _, ami := range amisData { // Exclude eu-north-1 as it is missing the instance types we use awsRegion := aws.GetRandomRegion(t, nil, []string{"eu-north-1"}) + test_structure.SaveString(t, WORK_DIR, fmt.Sprintf("awsRegion-%s", ami.Name), awsRegion) if ami.Enterprise { 
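Review bot: The block of commented-out `os.Setenv("SKIP_…", "true")` calls added at the top of TestMainVaultCluster is dead code that has to be edited and then reverted on every local run; `test_structure.RunTestStage` already reads `SKIP_<stage>` from the process environment, so the same effect is available without touching the file. I'd replace the ten lines with one comment such as `// To skip a stage during local runs, export SKIP_<stage>=true (e.g. SKIP_setup_amis=true) before running go test; see test_structure.RunTestStage.` If the commented lines are kept, the note should not tell readers to add an `os` import, because the compiler rejects that import as unused as soon as the calls are commented out again. TestMainVaultCluster continues past the end of this hunk.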
@@ -118,12 +129,13 @@ func TestMainVaultCluster(t *testing.T) { } func runTestsOnDifferentPlatforms(t *testing.T) { + for _, testCase := range testCases { // This re-assignment necessary, because the variable testCase is defined and set outside the forloop. - // As such, it gets overwritten on each iteration of the forloop. This is fine if you don't have concurrent code in the loop, - // but in this case, because you have a t.Parallel, the t.Run completes before the test function exits, - // which means that the value of testCase might change. - // More information at: + // As such, it gets overwritten on each iteration of the forloop. This is fine if you don't have concurrent code + // in the loop, but in this case, because you have a t.Parallel, the t.Run completes before the test function + // exits, which means that the value of testCase might change. More information at: + // // "Be Careful with Table Driven Tests and t.Parallel()" // https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721 testCase := testCase diff --git a/variables.tf b/variables.tf index cb52602a..c1e78c62 100644 --- a/variables.tf +++ b/variables.tf 
@@ -8,84 +8,97 @@ # AWS_DEFAULT_REGION # --------------------------------------------------------------------------------------------------------------------- -# REQUIRED PARAMETERS -# You must provide a value for each of these parameters. +# OPTIONAL PARAMETERS +# These parameters have reasonable defaults. # --------------------------------------------------------------------------------------------------------------------- -variable "ami_id" { - description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json. If no AMI is specified, the template will 'just work' by using the example public AMIs. WARNING! Do not use the example AMIs in a production setting!" - default = "" -} - variable "create_dns_entry" { - description = "If set to true, this module will create a Route 53 DNS A record for the ELB in the var.hosted_zone_id hosted zone with the domain name in var.domain_name." + description = "If set to true, this module will create a Route 53 DNS A record for the ELB in the var.hosted_zone_id hosted zone with the domain name in var.vault_domain_name." + type = bool + default = false } variable "hosted_zone_domain_name" { description = "The domain name of the Route 53 Hosted Zone in which to add a DNS entry for Vault (e.g. example.com). Only used if var.create_dns_entry is true." + type = string + default = null } variable "vault_domain_name" { description = "The domain name to use in the DNS A record for the Vault ELB (e.g. vault.example.com). Make sure that a) this is a domain within the var.hosted_zone_domain_name hosted zone and b) this is the same domain name you used in the TLS certificates for Vault. Only used if var.create_dns_entry is true." + type = string + default = null +} + +variable "ami_id" { + description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json. 
If no AMI is specified, the template will 'just work' by using the example public AMIs. WARNING! Do not use the example AMIs in a production setting!" + type = string + default = null } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string + default = null } -# --------------------------------------------------------------------------------------------------------------------- -# OPTIONAL PARAMETERS -# These parameters have reasonable defaults. -# --------------------------------------------------------------------------------------------------------------------- - variable "subnet_tags" { description = "Tags used to find subnets for vault and consul servers" - type = "map" + type = map(string) default = {} } variable "vpc_tags" { description = "Tags used to find a vpc for building resources in" - type = "map" + type = map(string) default = {} } variable "use_default_vpc" { description = "Whether to use the default VPC - NOT recommended for production! - should more likely change this to false and use the vpc_tags to find your vpc" + type = bool default = true } variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." 
+ type = number default = 3 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.nano" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } +
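Review bot: The new `default = null` on `ssh_key_name` no longer matches its description, which still says "Set to an empty string to not associate a Key Pair"; in Terraform 0.12 `null` and `""` are distinct values, so a `var.ssh_key_name == ""` test elsewhere in the module would not treat the default as "no key pair" (the consuming resource is outside this hunk — confirm which comparison it uses). Either keep the previous empty-string semantics or change the text to `description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Leave as null (the default) to not associate a Key Pair."` and make sure the module checks for null. The same question applies to `ami_id`, whose removed block had `default = ""` and whose description still reads "If no AMI is specified"; because that fallback is the example public AMIs, the null-vs-empty-string check decides whether a deployment silently lands on an AMI the description itself warns against using in production.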