hashicorp / terraform-azurerm-vault Goto Github PK

A Terraform Module for how to run Vault on AzureRM using Terraform and Packer

License: Apache License 2.0

Shell 44.96% HCL 55.04%

terraform-azurerm-vault's Introduction

DISCLAIMER

This repository is no longer supported, please consider using this repository for the latest and most supported version for Vault.

Moving forward in the future this repository will be no longer supported and eventually lead to deprecation. Please use our latest versions of our products moving forward or alternatively you may fork the repository to continue use and development for your personal/business use.

Vault Azure Module

This repo contains a Module to deploy a Vault cluster on Azure using Terraform. Vault is an open source tool for managing secrets. This Module uses Azure Storage as a storage backend and a Consul server cluster as a high availability backend:

This Module includes:

install-vault: This module can be used to install Vault. It can be used in a Packer template to create a Vault Azure Manager Image.
run-vault: This module can be used to configure and run Vault. It can be used in a Custom Data script to fire up Vault while the server is booting.
vault-cluster: Terraform code to deploy a cluster of Vault servers using an [Scale Set] (https://docs.microsoft.com/en-us/azure/virtual-machine-scale-sets/virtual-machine-scale-sets-create).
private-tls-cert: Generate a private TLS certificate for use with a private Vault cluster.
update-certificate-store: Add a trusted, CA public key to an OS's certificate store. This allows you to establish TLS connections to services that use this TLS certs signed by this CA without getting x509 certificate errors.

What's a Module?

A Module is a canonical, reusable, best-practices definition for how to run a single piece of infrastructure, such as a database or server cluster. Each Module is created primarily using Terraform, includes automated tests, examples, and documentation, and is maintained both by the open source community and companies that provide commercial support.

Instead of having to figure out the details of how to run a piece of infrastructure from scratch, you can reuse existing code that has been proven in production. And instead of maintaining all that infrastructure code yourself, you can leverage the work of the Module community and maintainers, and pick up infrastructure improvements through a version number bump.

Who created this Module?

These modules were created by Gruntwork, in partnership with HashiCorp, in 2017 and maintained through 2021. They were deprecated in 2022 in favor of newer alternatives (see the top of the README for details).

How do you use this Module?

Each Module has the following folder structure:

root: The root folder contains an example of running a public Vault cluster on Azure
modules: This folder contains the reusable code for this Module, broken down into one or more modules.
examples: This folder contains examples of how to use the modules.
test: Automated tests for the modules and examples.

Click on each of the modules above for more details.

To deploy Vault with this Blueprint, you will need to deploy two separate clusters: one to run Consul servers (which Vault uses as a high availability backend) and one to run Vault servers.

To deploy the Consul server cluster, use the Consul Azure Module.

To deploy the Vault cluster:

Create an Azure Image that has Vault installed (using the install-vault module) and the Consul agent installed (using the install-consul module). Here is an example Packer template.
Deploy that Azure Image across a Scale Set in a private subnet using the Terraform vault-cluster module.
Execute the run-consul script with the --client flag during boot on each Instance to have the Consul agent connect to the Consul server cluster.
Execute the run-vault script during boot on each Instance to create the Vault cluster.
If you only need to access Vault from inside your Azure account (recommended), run the install-dnsmasq module on each server, and that server will be able to reach Vault using the Consul Server cluster as the DNS resolver (e.g. using an address like vault.service.consul). See the main example for working sample code.
Head over to the How do you use the Vault cluster? guide to learn how to initialize, unseal, and use Vault.

How is this Module versioned?

This Module follows the principles of Semantic Versioning. You can find each new release, along with the changelog, in the Releases Page.

During initial development, the major version will be 0 (e.g., 0.x.y), which indicates the code does not yet have a stable API. Once we hit 1.0.0, we will make every effort to maintain a backwards compatible API and use the MAJOR, MINOR, and PATCH versions on each release to indicate any incompatibilities.

License

This code is released under the Apache 2.0 License. Please see LICENSE and NOTICE for more details.

terraform-azurerm-vault's People

Contributors

Stargazers

Watchers

terraform-azurerm-vault's Issues

private-tls-cert not creating output files

variable paths for the private-tls-cert module are not being created during an apply.

I get "Apply Complete!" when i add my variable paths and terraform apply, but navigating to that path to check the cert, it does not exist. attempting to deploy via packer I get

1 error(s) occurred:

* Bad source 'c:/temp/ca.crt.pem': CreateFile c:/temp/ca.crt.pem: The system cannot find the file specified.

here is the output of terraform apply:

 tls_locally_signed_cert.cert: Creation complete after 0s (ID: xxxxxxxx)

Apply complete! Resources: 5 added, 0 changed, 0 destroyed.

Outputs:

ca_public_key_file_path = C:\temp\ca.crt.pem
private_key_file_path = C:\temp\vault.key.pem
public_key_file_path = C:\temp\vault.crt.pem

// , What is the secret_access_key?

// , Along the lines of the "copy and paste" complaint heard elsewhere, it looks like one of the required variables for this module, secret_access_key, is largely meaningless for Azure.

I did a quick search for it, and got the following results:

https://github.com/hashicorp/terraform-azurerm-vault/search?q=secret_access_key&unscoped_q=secret_access_key

Is it the equivalent of ARM_CLIENT_SECRET?

Does this Terraform module require authentication via a Service Principal?

Anyway, this whole project was made and maintained by @mcalhoun, and it looks like his company, gruntwork.io, has its hands full at the moment. I do not entirely blame him for slow responses.

If there's more demand, perhaps HashiCorp might sic another one of their System Integrator partners on it?

test folder does not exist

The docs refer to /test folder, which exists for the terraform-aws-vault repo (I understand this repo was derived from that repo), but does not exist for this one,

Many of the links are broken

Examples:
https://github.com/hashicorp/terraform-azurerm-consul/tree/master/modules/vault-cluster#how-do-you-use-the-vault-cluster
https://github.com/hashicorp/terraform-azurerm-consul/tree/master/examples/vault-consul-image

Looks like they mean to refer to vault, rather than consul. Example of what it should be:

https://github.com/hashicorp/terraform-azurerm-vault/tree/master/examples/vault-consul-image

Error "Resource 'azurerm_lb.vault_access' not found for variable 'azurerm_lb.vault_access.id'" when setting up Vault without load balancer

I'm trying to deploy Vault cluster with load balancer turned OFF. So I changed associate_public_ip_address_load_balancer to false (at https://github.com/hashicorp/terraform-azurerm-vault/blob/master/main.tf#L109).
When I run terraform apply I got an error

* module.vault_servers.azurerm_lb_probe.vault_probe: 1 error(s) occurred:
* module.vault_servers.azurerm_lb_probe.vault_probe: Resource 'azurerm_lb.vault_access' not found for variable 'azurerm_lb.vault_access.id'

Question - dual vault storage configuration

https://github.com/hashicorp/terraform-azurerm-vault/blob/master/modules/run-vault/run-vault#L120

In the generated config file, storage is set to an Azure storage account backend and ha_storage is set to the consul cluster. In this configuration, what role exactly does the Azure backend play? Is it necessary to have separate providers, or could both storage blocks be configured to use Consul? Is the ha_storage block even necessary if Consul is configured as the storage?

Thanks in advance!

Template link doesn't work

Hi,

The copy paste from the AWS module forgot to add the image for vault+consul..

You also didn't update the script for a long time although the original module where this is coming from (AWS) does get the updates.

Error: azure-cli package cannot be authenticated with vault-consul.json and Packer

I'm trying to build manager Azure image with Packer as said here. It fails with the following error ("The following packages cannot be authenticated!" (azure-cli package))

 azure-arm: The following NEW packages will be installed:
    azure-arm:   azure-cli jq libonig2 unzip
    azure-arm: The following packages will be upgraded:
    azure-arm:   curl libcurl3-gnutls
    azure-arm: 2 upgraded, 4 newly installed, 0 to remove and 43 not upgraded.
    azure-arm: Need to get 83.7 MB of archives.
    azure-arm: After this operation, 348 MB of additional disk space will be used.
    azure-arm: E: There were unauthenticated packages and -y was used without --allow-unauthenticated
    azure-arm: WARNING: The following packages cannot be authenticated!
    azure-arm:   azure-cli

I found the solution here , here is a warning that signing key was changed in May 2018.
Need to update https://github.com/hashicorp/terraform-azurerm-vault/blob/master/examples/vault-consul-image/vault-consul.json#L63 with correct code

Missing Image inside example vault-consul.json

The referenced managed_image_name value no longer exists.

https://github.com/hashicorp/terraform-azurerm-vault/blob/master/examples/vault-consul-image/vault-consul.json#L25

"managed_image_name": "vault-consul-ubuntu-{{isotime \"2006-01-02-150405\"}}"

Is this module still maintained? :)

Howdy. I'd like to consider using this module, but the last update was in 2019, and there's several PRs that are unaddressed. I'd love to see this module be keep feature-parity to the awesome AWS Vault module set. :) Cheers, and thanks for the work already done. :)