reorganize variables, add outputs, add license, add variable examples
This commit is contained in:
parent
97a39ed3dc
commit
01949dccbd
|
@ -0,0 +1,21 @@
|
|||
MIT License
|
||||
|
||||
Copyright (c) 2020 Johnathan Cole Morrison
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in all
|
||||
copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
||||
SOFTWARE.
|
14
outputs.tf
14
outputs.tf
|
@ -28,3 +28,17 @@ resource "local_file" "vault_credentials" {
|
|||
output "load_balancer_dns" {
|
||||
value = aws_lb.alb.dns_name
|
||||
}
|
||||
|
||||
# VPC Values
|
||||
|
||||
output "vpc_id" {
|
||||
value = aws_vpc.vault.id
|
||||
}
|
||||
|
||||
output "vpc_ipv4_cidr" {
|
||||
value = aws_vpc.vault.cidr_block
|
||||
}
|
||||
|
||||
output "vpc_ipv6_cidr" {
|
||||
value = aws_vpc.vault.ipv6_cidr_block
|
||||
}
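Review bot: The three new `output` blocks (`vpc_id`, `vpc_ipv4_cidr`, `vpc_ipv6_cidr`) carry no `description`, so `terraform output` and any module consumer get no hint of what each value is or why it is exported; add one per output, e.g. `description = "Generated IPv6 CIDR of the Vault VPC (assign_generated_ipv6_cidr_block is set in vpc.tf)."` under `vpc_ipv6_cidr`. The existing `load_balancer_dns` output above them has the same gap, though it is context here rather than new. The hunk header shows this file also manages a `local_file` named `vault_credentials`, outside the hunk; a comment on the new `# VPC Values` line saying these are non-secret identifiers would make it clear which outputs are safe to print in CI logs.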
|
|
@ -0,0 +1,30 @@
|
|||
### REQUIRED VARIABLES
|
||||
|
||||
# The domain name, without protocol or trailing paths, for which you've provisioned an SSL/TLS certificate via AWS Certificate Manager.
|
||||
domain_name = "secrets.domain.com"
|
||||
|
||||
# The name of an existing `.pem` "EC2 Key Pair" that is in the same AWS Account and Region of the Vault deployment.
|
||||
ec2_key_pair_name = "vault_key_pair"
|
||||
|
||||
### OPTIONAL VARIABLES
|
||||
|
||||
# If you didn't create a named AWS profile, omit this. Defaults to "default".
|
||||
# aws_profile = "non_default_profile"
|
||||
|
||||
# If you want to scope allowed traffic to specific CIDR blocks.
|
||||
# allowed_traffic_cidr_blocks = ["0.0.0.0/0"] # default value
|
||||
|
||||
# If you want to scope allowed traffic to specific IPv6 CIDR blocks.
|
||||
# allowed_traffic_cidr_blocks_ipv6 = ["::/0"] # default value
|
||||
|
||||
### PRIVATE MODE - Restrict Traffic to other AWS VPCs.
|
||||
|
||||
# Flag to deploy the project as private. Defaults to false.
|
||||
# private_mode = true
|
||||
|
||||
# ID of VPCs that can access the Vault Deployment's VPC and, as a result, the Vault endpoint.
|
||||
# peered_vpc_ids = ["EXTERNAL_VPC_ID_1", "EXTERNAL_VPC_ID_2"]
|
||||
|
||||
### OPERATOR MODE - LEAVE THIS AS TRUE FOR FIRST TIME DEPLOYS. Defaults to true.
|
||||
|
||||
# operator_mode = true
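Review bot: Under `### OPTIONAL VARIABLES` the example for scoping traffic shows the wide-open value (`# allowed_traffic_cidr_blocks = ["0.0.0.0/0"] # default value`, and `["::/0"]` on the IPv6 line), so an operator who uncomments it "to scope allowed traffic" keeps the Vault endpoint reachable from every address; show a restrictive placeholder instead, e.g. `# allowed_traffic_cidr_blocks = ["203.0.113.0/24"] # example: your office or VPN egress range` (RFC 5737 documentation range, constructed), and state the default in the comment above it rather than as a trailing comment. The example also never mentions `allowed_bastion_cidr_blocks` / `allowed_bastion_cidr_blocks_ipv6`, which variables.tf in this commit defaults to `["0.0.0.0/0"]` and `[]`, so nothing prompts the reader to restrict SSH to the bastion; add a commented pair for them in the same section. The file's name is not shown on this page; it reads as a tfvars example.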
|
251
variables.tf
251
variables.tf
|
@ -1,3 +1,21 @@
|
|||
# REQUIRED VARIABLES
|
||||
|
||||
# SSL Certificate for HTTPS Access
|
||||
|
||||
variable "domain_name" {
|
||||
description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager. Example: secrets.examples.com. Do not include the protocol (i.e. https://)."
|
||||
type = string
|
||||
}
|
||||
|
||||
# EC2 - General
|
||||
|
||||
variable "ec2_key_pair_name" {
|
||||
description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment. Needs to be made separately."
|
||||
type = string
|
||||
}
|
||||
|
||||
# OPTIONAL VARIABLES
|
||||
|
||||
# Organization
|
||||
|
||||
variable "main_project_tag" {
|
||||
|
@ -15,7 +33,7 @@ variable "aws_profile" {
|
|||
}
|
||||
|
||||
variable "aws_default_region" {
|
||||
description = "The default region to deploy vault."
|
||||
description = "The default AWS region to deploy the Vault infrastructure to."
|
||||
type = string
|
||||
default = "us-east-1"
|
||||
}
|
||||
|
@ -28,134 +46,6 @@ variable "vault_version" {
|
|||
default = "1.4.0"
|
||||
}
|
||||
|
||||
# AWS VPC
|
||||
|
||||
variable "vpc_cidr" {
|
||||
description = "Cidr block for the VPC. Using a /16 or /20 Subnet Mask is recommended."
|
||||
type = string
|
||||
default = "10.255.0.0/20"
|
||||
}
|
||||
|
||||
variable "vpc_instance_tenancy" {
|
||||
description = "Tenancy for instances launched into the VPC"
|
||||
type = string
|
||||
default = "default"
|
||||
}
|
||||
|
||||
variable "vpc_enable_dns_support" {
|
||||
description = "Whether the DNS resolution is supported. Required as True for VPC endpoint usage."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "vpc_enable_dns_hostnames" {
|
||||
description = "Whether instances with public IP addresses get corresponding public DNS hostnames. Required as True for VPC endpoint usage."
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "vpc_tags" {
|
||||
description = "Additional tags to add to the VPC and its resources."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
# VPC Subnets
|
||||
|
||||
variable "vpc_public_subnet_count" {
|
||||
description = "The number of public subnets to create. Cannot exceed the number of AZs in your selected region. 2 is more than enough."
|
||||
type = number
|
||||
default = 2
|
||||
}
|
||||
|
||||
variable "vpc_private_subnet_count" {
|
||||
description = "The number of private subnets to create. Cannot exceed the number of AZs in your selected region."
|
||||
type = number
|
||||
default = 2
|
||||
}
|
||||
|
||||
# KMS
|
||||
|
||||
variable "kms_tags" {
|
||||
description = "Tags for the KMS key used to seal and unseal the Vault."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
# DynamoDB
|
||||
|
||||
variable "dynamodb_table_name" {
|
||||
description = "Name of the DynamoDB Table used for the Vault Storage Backend."
|
||||
type = string
|
||||
default = "vault_storage"
|
||||
}
|
||||
|
||||
# EC2 - General
|
||||
|
||||
variable "ec2_key_pair_name" {
|
||||
description = "Name of an existing EC2 Key Pair that exists in the same region as your vault deployment. Needs to be made separately."
|
||||
type = string
|
||||
}
|
||||
|
||||
# EC2 - Bastion
|
||||
|
||||
variable "use_lastest_ami" {
|
||||
description = "Whether or not to use the latest version of Amazon Linux 2. Defaults to false and uses a version that is known to work with this deployment."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
# EC2 - Vault Instance Launch Template
|
||||
|
||||
variable "vault_instance_type" {
|
||||
description = "The EC2 instance size of the vault instances."
|
||||
type = string
|
||||
default = "t2.micro"
|
||||
}
|
||||
|
||||
# EC2 - Vault Instance AutoScaling Group
|
||||
|
||||
variable "vault_instance_count" {
|
||||
description = "The number of EC2 instances to launch as vault instances. Should be no less than 2."
|
||||
type = number
|
||||
default = 2
|
||||
}
|
||||
|
||||
# SSL Certificate for HTTPS Access
|
||||
|
||||
variable "domain_name" {
|
||||
description = "Domain name for which you've provisioned an SSL certificate via AWS Certificate Manager. Example: secrets.examples.com. Do not include the protocol (i.e. https://)."
|
||||
type = string
|
||||
}
|
||||
|
||||
# Allowed Traffic
|
||||
## What IP Address ranges (via CIDR) are allowed to access your vault?
|
||||
|
||||
variable "allowed_traffic_cidr_blocks" {
|
||||
description = "List of CIDR blocks allowed to access your vault. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
||||
type = list(string)
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "allowed_traffic_cidr_blocks_ipv6" {
|
||||
description = "List of IPv6 CIDR blocks allowed to access your vault. Defaults to EVERYWHERE. Set to an empty list if not required."
|
||||
type = list(string)
|
||||
default = ["::/0"]
|
||||
}
|
||||
|
||||
## What IP Address range can access your bastion server?
|
||||
variable "allowed_bastion_cidr_blocks" {
|
||||
description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
||||
type = list(string)
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "allowed_bastion_cidr_blocks_ipv6" {
|
||||
description = "List of CIDR blocks allowed to access your Bastion. Defaults to none."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
# Operator Mode
|
||||
## Turning this on will enable NAT and Bastion to access the Vault Instances
|
||||
|
||||
|
@ -180,3 +70,106 @@ variable "peered_vpc_ids" {
|
|||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
# Allowed Traffic
|
||||
## What IP Address ranges (via CIDR) are allowed to access your vault?
|
||||
|
||||
variable "allowed_traffic_cidr_blocks" {
|
||||
description = "List of CIDR blocks allowed to send requests to your vault endpoint. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
||||
type = list(string)
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "allowed_traffic_cidr_blocks_ipv6" {
|
||||
description = "List of IPv6 CIDR blocks allowed to send requests to your vault endpoint. Defaults to EVERYWHERE. Set to an empty list if not required."
|
||||
type = list(string)
|
||||
default = ["::/0"]
|
||||
}
|
||||
|
||||
## What IP Address range can access your bastion server?
|
||||
variable "allowed_bastion_cidr_blocks" {
|
||||
description = "List of CIDR blocks allowed to access your Bastion. Defaults to EVERYWHERE. You should probably limit this to your organization IP or VPC CIDR."
|
||||
type = list(string)
|
||||
default = ["0.0.0.0/0"]
|
||||
}
|
||||
|
||||
variable "allowed_bastion_cidr_blocks_ipv6" {
|
||||
description = "List of CIDR blocks allowed to access your Bastion. Defaults to none."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
# AWS VPC
|
||||
|
||||
variable "vpc_cidr" {
|
||||
description = "Cidr block for the VPC. Using a /16 or /20 Subnet Mask is recommended."
|
||||
type = string
|
||||
default = "10.255.0.0/20"
|
||||
}
|
||||
|
||||
variable "vpc_instance_tenancy" {
|
||||
description = "Tenancy for instances launched into the VPC."
|
||||
type = string
|
||||
default = "default"
|
||||
}
|
||||
|
||||
variable "vpc_tags" {
|
||||
description = "Additional tags to add to the VPC and its resources."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
# VPC Subnets
|
||||
|
||||
variable "vpc_public_subnet_count" {
|
||||
description = "The number of public subnets to create. Cannot exceed the number of AZs in your selected region. 2 is more than enough."
|
||||
type = number
|
||||
default = 2
|
||||
}
|
||||
|
||||
variable "vpc_private_subnet_count" {
|
||||
description = "The number of private subnets to create. Cannot exceed the number of AZs in your selected region."
|
||||
type = number
|
||||
default = 2
|
||||
}
|
||||
|
||||
# EC2 - Vault Instance Launch Template
|
||||
|
||||
variable "vault_instance_type" {
|
||||
description = "The EC2 instance size of the vault instances."
|
||||
type = string
|
||||
default = "t2.micro"
|
||||
}
|
||||
|
||||
# EC2 - Vault Instance AutoScaling Group
|
||||
|
||||
variable "vault_instance_count" {
|
||||
description = "The number of EC2 instances to launch as vault instances. Should be no less than 2."
|
||||
type = number
|
||||
default = 2
|
||||
}
|
||||
|
||||
|
||||
# EC2 - AMI
|
||||
|
||||
variable "use_lastest_ami" {
|
||||
description = "Whether or not to use the latest version of Amazon Linux 2. Defaults to false and uses a version that is known to work with this deployment."
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
# DynamoDB
|
||||
|
||||
variable "dynamodb_table_name" {
|
||||
description = "Name of the DynamoDB Table used for the Vault Storage Backend."
|
||||
type = string
|
||||
default = "vault_storage"
|
||||
}
|
||||
|
||||
# KMS
|
||||
|
||||
variable "kms_tags" {
|
||||
description = "Tags for the KMS key used to seal and unseal the Vault."
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
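Review bot: `allowed_traffic_cidr_blocks` and `allowed_bastion_cidr_blocks` keep `default = ["0.0.0.0/0"]` and `allowed_traffic_cidr_blocks_ipv6` keeps `default = ["::/0"]` as they move into this hunk, so a deploy that sets only the two required variables exposes the Vault endpoint and bastion SSH to every IPv4 and IPv6 address, and the description's advice to limit it is contradicted by the default. Dropping the `default` (making the operator choose, as `domain_name` and `ec2_key_pair_name` already do) and adding a `validation` block that rejects the world-open ranges would make the safe choice the easy one; `validation` needs Terraform 0.13+, which the `list(string)` syntax here does not confirm, and removing a default is a breaking change for existing tfvars. Separately, the description of `allowed_bastion_cidr_blocks_ipv6` says `List of CIDR blocks` where its sibling says `List of IPv6 CIDR blocks`, and `use_lastest_ami` keeps its misspelling, which cannot be fixed without a rename that breaks existing inputs. The same defaults appear on the removed side of the `@ -28,134 +46,6 @@` hunk above; this note covers both.
```hcl
variable "allowed_traffic_cidr_blocks" {
  description = "List of CIDR blocks allowed to send requests to your vault endpoint. No default: set this to your organization IP or VPC CIDR."
  type        = list(string)

  # Terraform 0.13+. Makes a world-open endpoint an explicit decision instead of the default.
  validation {
    condition     = !contains(var.allowed_traffic_cidr_blocks, "0.0.0.0/0")
    error_message = "allowed_traffic_cidr_blocks must not contain 0.0.0.0/0; list the specific ranges that may reach the Vault endpoint."
  }
}
# … unchanged: allowed_traffic_cidr_blocks_ipv6, bastion allow-lists, VPC, subnet, EC2, DynamoDB and KMS variables …
```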
|
4
vpc.tf
4
vpc.tf
|
@ -2,8 +2,8 @@
|
|||
resource "aws_vpc" "vault" {
|
||||
cidr_block = var.vpc_cidr
|
||||
instance_tenancy = var.vpc_instance_tenancy
|
||||
enable_dns_support = var.vpc_enable_dns_support
|
||||
enable_dns_hostnames = var.vpc_enable_dns_hostnames
|
||||
enable_dns_support = true
|
||||
enable_dns_hostnames = true # required for VPC peering.
|
||||
assign_generated_ipv6_cidr_block = true
|
||||
|
||||
tags = merge(
|
||||
|
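Review bot: The replacement lines hard-code `enable_dns_support = true` and `enable_dns_hostnames = true`, but the trailing comment `# required for VPC peering.` drops the reason the removed variables gave (`Required as True for VPC endpoint usage`) and sits inline on the value line; move it above the pair and keep both reasons, e.g. `# Keep both true: required for VPC endpoint usage and for the VPC peering used in private_mode.` Since `assign_generated_ipv6_cidr_block = true` is kept as context, the VPC receives a globally routable IPv6 range, and the IPv6 allow-list defaults in variables.tf in this commit are `["::/0"]`; a one-line comment here noting that IPv6 exposure is governed by those variables would help an operator reading only this file. The `aws_vpc.vault` resource continues past the hunk (`tags = merge(` is left open).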
|