From 3323a71f40735f7df362879bc89c5638668222ad Mon Sep 17 00:00:00 2001
From: Jesse Adelman
Date: Mon, 27 Nov 2017 14:54:35 -0500
Subject: [PATCH 1/5] Add ability to specify VPC.
---
 main.tf | 3 ++-
 variables.tf | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index e14bff05..946b4eb0 100644
--- a/main.tf
+++ b/main.tf
@@ -202,7 +202,8 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = true
+ default = "${var.vpc_id == "" ? true : false}"
+ id = "${var.vpc_id}"
 }
 data "aws_subnet_ids" "default" {
diff --git a/variables.tf b/variables.tf
index a3d892f2..1e84158e 100644
--- a/variables.tf
+++ b/variables.tf
@@ -85,3 +85,8 @@ variable "force_destroy_s3_bucket" {
 description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves."
 default = false
 }
+
+variable "vpc_id" {
+ description = "The ID of the VPC in which the nodes will be deployed. Uses default VPC if not supplied."
+ default = ""
+}
From 93339ed62412b132e98bf2c3f711d8e3bc3e8f9d Mon Sep 17 00:00:00 2001
From: Jesse Adelman
Date: Mon, 27 Nov 2017 15:38:13 -0500
Subject: [PATCH 2/5] Add non-default VPC support to vault-cluster-private example.
---
 examples/vault-cluster-private/main.tf | 5 +++--
 examples/vault-cluster-private/variables.tf | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf
index e1f1247d..183e04f0 100644
--- a/examples/vault-cluster-private/main.tf
+++ b/examples/vault-cluster-private/main.tf
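Review bot: The new `id = "${var.vpc_id}"` argument is passed to the data source unconditionally, so when `vpc_id` is left at its empty default the lookup only works if the AWS provider ignores an empty `id` and honours `default = true`; that is provider behaviour rather than something the configuration states, and a reader is likely to "simplify" it into a broken form. I would add above the block: `# vpc_id empty: the provider drops the empty id and default=true selects the default VPC; vpc_id set: default=false pins the lookup to that VPC, which should fail at plan time rather than fall back to the default VPC if the ID is wrong.` Stating the second half is the security-relevant part, since a Vault cluster silently landing in the default VPC is the failure mode you want to rule out. The ternary is also redundant: `default = "${var.vpc_id == ""}"` yields the same boolean.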
@@ -123,9 +123,10 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = true
+ default = "${var.vpc_id == "" ? true : false}"
+ id = "${var.vpc_id}"
 }
 data "aws_subnet_ids" "default" {
 vpc_id = "${data.aws_vpc.default.id}"
-}
\ No newline at end of file
+}
diff --git a/examples/vault-cluster-private/variables.tf b/examples/vault-cluster-private/variables.tf
index fadd1c04..7a9d01e9 100644
--- a/examples/vault-cluster-private/variables.tf
+++ b/examples/vault-cluster-private/variables.tf
@@ -72,3 +72,8 @@ variable "force_destroy_s3_bucket" {
 description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves."
 default = false
 }
+
+variable "vpc_id" {
+ description = "The ID of the VPC in which the nodes will be deployed. Uses default VPC if not supplied."
+ default = ""
+}
From c624968626b949e40c7e68facca6638a75e5d717 Mon Sep 17 00:00:00 2001
From: Jesse Adelman
Date: Thu, 12 Apr 2018 18:58:23 -0400
Subject: [PATCH 3/5] Create IAM Instance Profile Role policy to allow Vault AWS Auth full functionality, and enable by variable.
---
 modules/vault-cluster/main.tf | 24 ++++++++++++++++++++++++
 modules/vault-cluster/variables.tf | 4 ++++
 2 files changed, 28 insertions(+)
diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
index 375aeedc..bc44f789 100644
--- a/modules/vault-cluster/main.tf
+++ b/modules/vault-cluster/main.tf
@@ -212,3 +212,27 @@ data "aws_iam_policy_document" "vault_s3" {
 ]
 }
 }
+
+resource "aws_iam_role_policy" "vault_aws_EC2_IAM_Auth" {
+ count = "${var.enable_EC2_IAM_Auth ? 1 : 0}"
+ name = "vault_aws_EC2_IAM_Auth"
+ role = "${aws_iam_role.instance_role.id}"
+ policy = "${element(concat(data.aws_iam_policy_document.vault_aws_EC2_IAM_Auth.*.json, list("")), 0)}"
+}
+
+data "aws_iam_policy_document" "vault_aws_EC2_IAM_Auth" {
+ count = "${var.enable_EC2_IAM_Auth ? 1 : 0}"
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "ec2:DescribeInstances",
+ "iam:GetInstanceProfile",
+ "iam:GetUser",
+ "iam:GetRole"
+ ]
+
+ resources = ["*"]
+ }
+}
+
diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
index 32d8f8eb..8b150e8e 100644
--- a/modules/vault-cluster/variables.tf
+++ b/modules/vault-cluster/variables.tf
@@ -175,3 +175,7 @@ variable "force_destroy_s3_bucket" {
 description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
 default = false
 }
+
+variable "enable_EC2_IAM_Auth" {
+ description = "Configure IAM Instance Profile on Vault cluster members to permit the user to enable AWS Auth backend. Note that this does NOT actually enable the backend, but merely sets policys that will permit it to function as expected."
+}
From 03d81941a67b201f384f60d589c092152e03a731 Mon Sep 17 00:00:00 2001
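Review bot: The new `data "aws_iam_policy_document" "vault_aws_EC2_IAM_Auth"` grants four actions on `resources = ["*"]` with no explanation; the wildcard is unavoidable for `ec2:DescribeInstances`, which is one of the EC2 Describe actions that accept no resource-level permissions, and the three `iam:Get*` lookups are made against whichever roles, users and instance profiles clients present at login, so the reader should be told this is deliberate and read-only rather than a shortcut. I would add inside the `statement`: `# Read-only lookups the Vault AWS auth method performs on the caller's identity. DescribeInstances has no resource-level permissions and the IAM principals are not known in advance, hence "*".` The `element(concat(... .*.json, list("")), 0)` expression is the usual Terraform 0.11 workaround for reading a `count = 0` data source and also deserves a one-line comment saying so. Finally, the mixed-case names `vault_aws_EC2_IAM_Auth` break the lowercase snake_case used by the sibling `vault_s3` document visible in the hunk header; `vault_aws_auth` would match, and renaming is only cheap before the module is released.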
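Review bot: The description of `enable_EC2_IAM_Auth` in `modules/vault-cluster/variables.tf` contains a typo (`policys`) and never says what the flag grants, which matters because turning it on attaches an IAM policy to every cluster node's instance role. I would replace it with: `If true, attach an IAM policy to the cluster's instance role granting ec2:DescribeInstances, iam:GetInstanceProfile, iam:GetUser and iam:GetRole, which the Vault AWS auth method needs to verify callers. This does NOT enable the auth method in Vault itself.` Listing the actions in the description lets an operator review the privilege change from the module interface alone.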
From: Jesse Adelman
Date: Fri, 13 Apr 2018 16:30:35 -0400
Subject: [PATCH 4/5] Remove duplicate vpc_id variable; set default to false for new enable_EC2_IAM_Auth variable.
---
 examples/vault-cluster-private/variables.tf | 4 ----
 modules/vault-cluster/variables.tf | 1 +
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/examples/vault-cluster-private/variables.tf b/examples/vault-cluster-private/variables.tf
index d717ed19..69989c9d 100644
--- a/examples/vault-cluster-private/variables.tf
+++ b/examples/vault-cluster-private/variables.tf
@@ -69,7 +69,3 @@ variable "vpc_id" {
 default = ""
 }
-variable "vpc_id" {
- description = "The ID of the VPC in which the nodes will be deployed. Uses default VPC if not supplied."
- default = ""
-}
diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
index 8b150e8e..c6258fd0 100644
--- a/modules/vault-cluster/variables.tf
+++ b/modules/vault-cluster/variables.tf
@@ -178,4 +178,5 @@ variable "force_destroy_s3_bucket" {
 variable "enable_EC2_IAM_Auth" {
 description = "Configure IAM Instance Profile on Vault cluster members to permit the user to enable AWS Auth backend. Note that this does NOT actually enable the backend, but merely sets policys that will permit it to function as expected."
+ default = false
 }
From 3eef292dd7f50f07080483fa235a17ebec02e96b Mon Sep 17 00:00:00 2001
From: Jesse Adelman
Date: Fri, 13 Apr 2018 16:37:57 -0400
Subject: [PATCH 5/5] Expose more variables from underlying modules.
---
 variables.tf | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/variables.tf b/variables.tf
index 1b8af772..ec76dc3c 100644
--- a/variables.tf
+++ b/variables.tf
@@ -101,3 +101,14 @@ variable "vpc_id" {
 description = "The ID of the VPC in which the nodes will be deployed. Uses default VPC if not supplied."
 default = ""
 }
+
+variable "enable_s3_backend" {
+ description = "Whether to configure an S3 storage backend in addition to Consul."
+ default = false
+}
+
+variable "enable_EC2_IAM_Auth" {
+ description = "Configure IAM Instance Profile on Vault cluster members to permit the user to enable AWS Auth backend. Note that this does NOT actually enable the backend, but merely sets policys that will permit it to function as expected."
+ default = false
+}
+
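Review bot: `enable_s3_backend` and `enable_EC2_IAM_Auth` are declared in the root `variables.tf`, but the diffstat for this patch lists only that file, so nothing visible passes `var.enable_s3_backend` or `var.enable_EC2_IAM_Auth` into the `vault-cluster` module call; unless that wiring already exists or lands separately, setting either variable has no effect and the S3 backend and IAM policy silently stay off. The missing piece is the pair of arguments `enable_s3_backend = "${var.enable_s3_backend}"` and `enable_EC2_IAM_Auth = "${var.enable_EC2_IAM_Auth}"` in the root module block, which is outside this hunk. The copied description also repeats the `policys` typo, where `policies` is meant, and would be clearer if it named the IAM actions the flag grants.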