Modular deployment of Vault on Compute Engine.

Unseal keys are generated when the instance first starts and stored encrypted using Cloud KMS in a separate Cloud Storage bucket for later retrival and Vault unsealing.

This module also creates a TLS CA and certificates for the Vault server. The generated certificates are encrypyed using Cloud KMS and stored in a separate Cloud Storage bucket.

module "vault" {
  source = "github.com/GoogleCloudPlatform/terrform-google-vault"
  project_id           = "${var.project_id}"
  region               = "${var.region}"
  zone                 = "${var.zone}"
  storage_bucket       = "${var.storage_bucket}"
  kms_keyring_name     = "${var.kms_keyring_name}"
}

• project_id (required): The project ID to add the IAM bindings for the service account to.
• region (required): The region to create the instance in.
• zone (required): The zone to create the instance in.
• kms_keyring_name (required): The name of the Cloud KMS KeyRing for asset encryption.
• kms_key_name: (optional): The name of the Cloud KMS Key used for asset encryption/decryption. Default is vault-init.
• network (optional): The network to deploy to. Default is default.
• subnetwork (optional): The subnetwork to deploy to. Default is default.
• machine_type (optional): The machine type for the instance. Default is n1-standard-1
• vault_args (optional): Additional command line arguments passed to vault server.
• force_destroy_bucket (optional): Set to true to force deletion of backend bucket on terraform destroy. Default is false.
• tls_ca_subject (optional): The subject block for the root CA certificate.
• tls_dns_names (optional): List of DNS names added to the Vault server self-signed certificate. Default is ["vault.example.net"].
• tls_ips (optional): List of IP addresses added to the Vault server self-signed certificate. Default is ["127.0.0.1"].
• tls_cn (optional): The TLS Common Name for the TLS certificates. Default is vault.example.net.
• tls_ou (optional): The TLS Organizational Unit for the TLS certificate. Default is IT Security Operations.

• instance_group: Link to the instance_group property of the instance group manager resource.
• ca_private_key_algorithm: The root CA algorithm for generating client certs.
• ca_private_key_pem: The root CA key pem for generating client certs.
• ca_cert_pem: The root CA cert pem for generating client certs.

• module.vault-server: The Vault server managed instance group module.
• google_storage_bucket.vault: The Cloud Storage bucket for Vault storage.
• google_storage_bucket.vault-assets: The Cloud Storage bucket for Vault unseal key and TLS certificate storage.
• google_service_account.vault-admin: The service account for the Vault instance.
• google_project_iam_policy.vault: The IAM policy bindings for the Vault service account.