reorganize variables, add outputs, add license, add variable examples
This commit is contained in:
parent
97a39ed3dc
commit
01949dccbd
|
@ -0,0 +1,21 @@
|
||||||
|
MIT License
|
||||||
|
|
||||||
|
Copyright (c) 2020 Johnathan Cole Morrison
|
||||||
|
|
||||||
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||||
|
of this software and associated documentation files (the "Software"), to deal
|
||||||
|
in the Software without restriction, including without limitation the rights
|
||||||
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||||
|
copies of the Software, and to permit persons to whom the Software is
|
||||||
|
furnished to do so, subject to the following conditions:
|
||||||
|
|
||||||
|
The above copyright notice and this permission notice shall be included in all
|
||||||
|
copies or substantial portions of the Software.
|
||||||
|
|
||||||
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||||
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||||
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||||
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||||
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||||
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||||
|
SOFTWARE.
|
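--- a/outputs.tf
+++ b/outputs.tf
@@ -27,4 +27,18 @@ resource "local_file" "vault_credentials" {
 # Load Balancer DNS - You need to CNAME or Alias this.
 output "load_balancer_dns" {
 value = aws_lb.alb.dns_name
+}
+
+# VPC Values
+
+output "vpc_id" {
+value = aws_vpc.vault.id
+}
+
+output "vpc_ipv4_cidr" {
+value = aws_vpc.vault.cidr_block
+}
+
+output "vpc_ipv6_cidr" {
+value = aws_vpc.vault.ipv6_cidr_block
 }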
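Review bot: The three new outputs `vpc_id`, `vpc_ipv4_cidr` and `vpc_ipv6_cidr` carry no `description` argument, so `terraform output` and module consumers get no hint of what they are for beyond the `# VPC Values` comment. Add one line to each, e.g. `description = "ID of the VPC created for the Vault deployment."`, `description = "IPv4 CIDR block of the Vault VPC."` and `description = "IPv6 CIDR block assigned to the Vault VPC."`. The IPv6 output presumably only has a value because vpc.tf sets `assign_generated_ipv6_cidr_block = true`; worth stating that dependency in the description so it is not silently empty if that flag is ever turned off.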
|
@ -0,0 +1,30 @@
|
||||||
|
### REQUIRED VARIABLES
|
||||||
|
|
||||||
|
# The domain name, without protocol or trailing paths, for which you've provisioned an SSL/TLS certificate via AWS Certificate Manager.
|
||||||
|
domain_name = "secrets.domain.com"
|
||||||
|
|
||||||
|
# The name of an existing `.pem` "EC2 Key Pair" that is in the same AWS Account and Region of the Vault deployment.
|
||||||
|
ec2_key_pair_name = "vault_key_pair"
|
||||||
|
|
||||||
|
### OPTIONAL VARIABLES
|
||||||
|
|
||||||
|
# If you didn't create a named AWS profile, omit this. Defaults to "default".
|
||||||
|
# aws_profile = "non_default_profile"
|
||||||
|
|
||||||
|
# If you want to scope allowed traffic to specific CIDR blocks.
|
||||||
|
# allowed_traffic_cidr_blocks = ["0.0.0.0/0"] # default value
|
||||||
|
|
||||||
|
# If you want to scope allowed traffic to specific IPv6 CIDR blocks.
|
||||||
|
# allowed_traffic_cidr_blocks_ipv6 = ["::/0"] # default value
|
||||||
|
|
||||||
|
### PRIVATE MODE - Restrict Traffic to other AWS VPCs.
|
||||||
|
|
||||||
|
# Flag to deploy the project as private. Defaults to false.
|
||||||
|
# private_mode = true
|
||||||
|
|
||||||
|
# ID of VPCs that can access the Vault Deployment's VPC and, as a result, the Vault endpoint.
|
||||||
|
# peered_vpc_ids = ["EXTERNAL_VPC_ID_1", "EXTERNAL_VPC_ID_2"]
|
||||||
|
|
||||||
|
### OPERATOR MODE - LEAVE THIS AS TRUE FOR FIRST TIME DEPLOYS. Defaults to true.
|
||||||
|
|
||||||
|
# operator_mode = true
|
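Review bot: The commented example values for `allowed_traffic_cidr_blocks` and `allowed_traffic_cidr_blocks_ipv6` simply restate the any-address defaults `["0.0.0.0/0"]` and `["::/0"]`, so an operator who uncomments them as-is ends up with the Vault endpoint reachable from every IPv4 and IPv6 address, which is the opposite of what the "scope allowed traffic" comment is asking for. Show a scoped placeholder instead, e.g. `allowed_traffic_cidr_blocks = ["203.0.113.0/24"]` (a documentation-range value, constructed here), with the default mentioned only in the comment above. The example also omits `allowed_bastion_cidr_blocks`, which in variables.tf defaults to `["0.0.0.0/0"]` as well and deserves the same treatment. Separately, `domain_name = "secrets.domain.com"` points at a real registrable domain; `secrets.example.com` matches the description text in variables.tf and avoids that. The file header for this section is not shown on this rendering, so the path cannot be confirmed from here.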
253
variables.tf
253
variables.tf
|
@ -1,3 +1,21 @@
|
||||||
|
# REQUIRED VARIABLES
|
||||||
|
|
||||||
|
# SSL Certificate for HTTPS Access
|
||||||
|
|
||||||
|
variable "domain_name" {
|
||||||
|
description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager. Example: secrets.examples.com. Do not include the protocol (i.e. https://)."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
# EC2 - General
|
||||||
|
|
||||||
|
variable "ec2_key_pair_name" {
|
||||||
|
description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment. Needs to be made separately."
|
||||||
|
type = string
|
||||||
|
}
|
||||||
|
|
||||||
|
# OPTIONAL VARIABLES
|
||||||
|
|
||||||
# Organization
|
# Organization
|
||||||
|
|
||||||
variable "main_project_tag" {
|
variable "main_project_tag" {
|
||||||
|
@ -15,7 +33,7 @@ variable "aws_profile" {
|
||||||
}
|
}
|
||||||
|
|
||||||
variable "aws_default_region" {
|
variable "aws_default_region" {
|
||||||
description = "The default region to deploy vault."
|
description = "The default AWS region to deploy the Vault infrastructure to."
|
||||||
type = string
|
type = string
|
||||||
default = "us-east-1"
|
default = "us-east-1"
|
||||||
}
|
}
|
||||||
|
@ -28,134 +46,6 @@ variable "vault_version" {
|
||||||
default = "1.4.0"
|
default = "1.4.0"
|
||||||
}
|
}
|
||||||
|
|
||||||
# AWS VPC
|
|
||||||
|
|
||||||
variable "vpc_cidr" {
|
|
||||||
description = "Cidr block for the VPC. Using a /16 or /20 Subnet Mask is recommended."
|
|
||||||
type = string
|
|
||||||
default = "10.255.0.0/20"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "vpc_instance_tenancy" {
|
|
||||||
description = "Tenancy for instances launched into the VPC"
|
|
||||||
type = string
|
|
||||||
default = "default"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "vpc_enable_dns_support" {
|
|
||||||
description = "Whether the DNS resolution is supported. Required as True for VPC endpoint usage."
|
|
||||||
type = bool
|
|
||||||
default = true
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "vpc_enable_dns_hostnames" {
|
|
||||||
description = "Whether instances with public IP addresses get corresponding public DNS hostnames. Required as True for VPC endpoint usage."
|
|
||||||
type = bool
|
|
||||||
default = true
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "vpc_tags" {
|
|
||||||
description = "Additional tags to add to the VPC and its resources."
|
|
||||||
type = map(string)
|
|
||||||
default = {}
|
|
||||||
}
|
|
||||||
|
|
||||||
# VPC Subnets
|
|
||||||
|
|
||||||
variable "vpc_public_subnet_count" {
|
|
||||||
description = "The number of public subnets to create. Cannot exceed the number of AZs in your selected region. 2 is more than enough."
|
|
||||||
type = number
|
|
||||||
default = 2
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "vpc_private_subnet_count" {
|
|
||||||
description = "The number of private subnets to create. Cannot exceed the number of AZs in your selected region."
|
|
||||||
type = number
|
|
||||||
default = 2
|
|
||||||
}
|
|
||||||
|
|
||||||
# KMS
|
|
||||||
|
|
||||||
variable "kms_tags" {
|
|
||||||
description = "Tags for the KMS key used to seal and unseal the Vault."
|
|
||||||
type = map(string)
|
|
||||||
default = {}
|
|
||||||
}
|
|
||||||
|
|
||||||
# DynamoDB
|
|
||||||
|
|
||||||
variable "dynamodb_table_name" {
|
|
||||||
description = "Name of the DynamoDB Table used for the Vault Storage Backend."
|
|
||||||
type = string
|
|
||||||
default = "vault_storage"
|
|
||||||
}
|
|
||||||
|
|
||||||
# EC2 - General
|
|
||||||
|
|
||||||
variable "ec2_key_pair_name" {
|
|
||||||
description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment. Needs to be made separately."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
# EC2 - Bastion
|
|
||||||
|
|
||||||
variable "use_lastest_ami" {
|
|
||||||
description = "Whether or not to use the latest version of Amazon Linux 2. Defaults to false and uses a version that is known to work with this deployment."
|
|
||||||
type = bool
|
|
||||||
default = false
|
|
||||||
}
|
|
||||||
|
|
||||||
# EC2 - Vault Instance Launch Template
|
|
||||||
|
|
||||||
variable "vault_instance_type" {
|
|
||||||
description = "The EC2 instance size of the vault instances."
|
|
||||||
type = string
|
|
||||||
default = "t2.micro"
|
|
||||||
}
|
|
||||||
|
|
||||||
# EC2 - Vault Instance AutoScaling Group
|
|
||||||
|
|
||||||
variable "vault_instance_count" {
|
|
||||||
description = "The number of EC2 instances to launch as vault instances. Should be no less than 2."
|
|
||||||
type = number
|
|
||||||
default = 2
|
|
||||||
}
|
|
||||||
|
|
||||||
# SSL Certificate for HTTPS Access
|
|
||||||
|
|
||||||
variable "domain_name" {
|
|
||||||
description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager. Example: secrets.examples.com. Do not include the protocol (i.e. https://)."
|
|
||||||
type = string
|
|
||||||
}
|
|
||||||
|
|
||||||
# Allowed Traffic
|
|
||||||
## What IP Address ranges (via CIDR) are allowed to access your vault?
|
|
||||||
|
|
||||||
variable "allowed_traffic_cidr_blocks" {
|
|
||||||
description = "List of CIDR blocks allowed to access your vault. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
|
||||||
type = list(string)
|
|
||||||
default = ["0.0.0.0/0"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "allowed_traffic_cidr_blocks_ipv6" {
|
|
||||||
description = "List of IPv6 CIDR blocks allowed to access your vault. Defaults to EVERYWHERE. Set to an empty list if not required."
|
|
||||||
type = list(string)
|
|
||||||
default = ["::/0"]
|
|
||||||
}
|
|
||||||
|
|
||||||
## What IP Address range can access your bastion server?
|
|
||||||
variable "allowed_bastion_cidr_blocks" {
|
|
||||||
description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
|
||||||
type = list(string)
|
|
||||||
default = ["0.0.0.0/0"]
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "allowed_bastion_cidr_blocks_ipv6" {
|
|
||||||
description = "List of CIDR blocks allowed to access your Bastion. Defaults to none."
|
|
||||||
type = list(string)
|
|
||||||
default = []
|
|
||||||
}
|
|
||||||
|
|
||||||
# Operator Mode
|
# Operator Mode
|
||||||
## Turning this on will enable NAT and Bastion to access the Vault Instances
|
## Turning this on will enable NAT and Bastion to access the Vault Instances
|
||||||
|
|
||||||
|
@ -179,4 +69,107 @@ variable "peered_vpc_ids" {
|
||||||
description = "A list of of a VPC IDs that can access the Vault VPC and thus access vault privately."
|
description = "A list of of a VPC IDs that can access the Vault VPC and thus access vault privately."
|
||||||
type = list(string)
|
type = list(string)
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Allowed Traffic
|
||||||
|
## What IP Address ranges (via CIDR) are allowed to access your vault?
|
||||||
|
|
||||||
|
variable "allowed_traffic_cidr_blocks" {
|
||||||
|
description = "List of CIDR blocks allowed to send requests to your vault endpoint. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
||||||
|
type = list(string)
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "allowed_traffic_cidr_blocks_ipv6" {
|
||||||
|
description = "List of IPv6 CIDR blocks allowed to send requests to your vault endpoint. Defaults to EVERYWHERE. Set to an empty list if not required."
|
||||||
|
type = list(string)
|
||||||
|
default = ["::/0"]
|
||||||
|
}
|
||||||
|
|
||||||
|
## What IP Address range can access your bastion server?
|
||||||
|
variable "allowed_bastion_cidr_blocks" {
|
||||||
|
description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
||||||
|
type = list(string)
|
||||||
|
default = ["0.0.0.0/0"]
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "allowed_bastion_cidr_blocks_ipv6" {
|
||||||
|
description = "List of CIDR blocks allowed to access your Bastion. Defaults to none."
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
}
|
||||||
|
|
||||||
|
# AWS VPC
|
||||||
|
|
||||||
|
variable "vpc_cidr" {
|
||||||
|
description = "Cidr block for the VPC. Using a /16 or /20 Subnet Mask is recommended."
|
||||||
|
type = string
|
||||||
|
default = "10.255.0.0/20"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "vpc_instance_tenancy" {
|
||||||
|
description = "Tenancy for instances launched into the VPC."
|
||||||
|
type = string
|
||||||
|
default = "default"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "vpc_tags" {
|
||||||
|
description = "Additional tags to add to the VPC and its resources."
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
||||||
|
# VPC Subnets
|
||||||
|
|
||||||
|
variable "vpc_public_subnet_count" {
|
||||||
|
description = "The number of public subnets to create. Cannot exceed the number of AZs in your selected region. 2 is more than enough."
|
||||||
|
type = number
|
||||||
|
default = 2
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "vpc_private_subnet_count" {
|
||||||
|
description = "The number of private subnets to create. Cannot exceed the number of AZs in your selected region."
|
||||||
|
type = number
|
||||||
|
default = 2
|
||||||
|
}
|
||||||
|
|
||||||
|
# EC2 - Vault Instance Launch Template
|
||||||
|
|
||||||
|
variable "vault_instance_type" {
|
||||||
|
description = "The EC2 instance size of the vault instances."
|
||||||
|
type = string
|
||||||
|
default = "t2.micro"
|
||||||
|
}
|
||||||
|
|
||||||
|
# EC2 - Vault Instance AutoScaling Group
|
||||||
|
|
||||||
|
variable "vault_instance_count" {
|
||||||
|
description = "The number of EC2 instances to launch as vault instances. Should be no less than 2."
|
||||||
|
type = number
|
||||||
|
default = 2
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# EC2 - AMI
|
||||||
|
|
||||||
|
variable "use_lastest_ami" {
|
||||||
|
description = "Whether or not to use the latest version of Amazon Linux 2. Defaults to false and uses a version that is known to work with this deployment."
|
||||||
|
type = bool
|
||||||
|
default = false
|
||||||
|
}
|
||||||
|
|
||||||
|
# DynamoDB
|
||||||
|
|
||||||
|
variable "dynamodb_table_name" {
|
||||||
|
description = "Name of the DynamoDB Table used for the Vault Storage Backend."
|
||||||
|
type = string
|
||||||
|
default = "vault_storage"
|
||||||
|
}
|
||||||
|
|
||||||
|
# KMS
|
||||||
|
|
||||||
|
variable "kms_tags" {
|
||||||
|
description = "Tags for the KMS key used to seal and unseal the Vault."
|
||||||
|
type = map(string)
|
||||||
|
default = {}
|
||||||
|
}
|
||||||
|
|
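Review bot: In the last hunk the re-added `allowed_traffic_cidr_blocks` and `allowed_traffic_cidr_blocks_ipv6` keep defaults of `["0.0.0.0/0"]` and `["::/0"]`, so a deployment that sets only the two required variables exposes the Vault endpoint to the entire internet, while the sibling `allowed_bastion_cidr_blocks_ipv6` in the same hunk already uses the safer opt-in default `default = []`. Consider `default = []` for both endpoint lists (and for `allowed_bastion_cidr_blocks`), so that world-reachability has to be requested explicitly, and say so in the descriptions in place of "Defaults to EVERYWHERE". The same hunk also carries the pre-existing typo in the variable name `use_lastest_ami`; renaming it would break existing tfvars, so if it is kept a comment noting the intended spelling would help readers searching for it.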
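--- a/vpc.tf
+++ b/vpc.tf
@@ -2,8 +2,8 @@
 resource "aws_vpc" "vault" {
 cidr_block = var.vpc_cidr
 instance_tenancy = var.vpc_instance_tenancy
-enable_dns_support = var.vpc_enable_dns_support
-enable_dns_hostnames = var.vpc_enable_dns_hostnames
+enable_dns_support = true
+enable_dns_hostnames = true # required for VPC peering.
 assign_generated_ipv6_cidr_block = true
 
 tags = merge(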
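Review bot: The trailing comment on `enable_dns_hostnames = true # required for VPC peering.` gives a different reason than the description of the variable it replaces, which variables.tf (removed in this commit) documented as "Required as True for VPC endpoint usage", and it leaves `enable_dns_support = true` unexplained even though both flags are now hard-coded together. Put one comment on its own line above the pair that covers both reasons, e.g. `# Both DNS flags must stay enabled: VPC endpoint usage and VPC peering depend on them.`, and drop the inline remark. The `aws_vpc.vault` resource continues past the end of the hunk.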