diff --git a/.gitignore b/.gitignore
index 9a807ad..5afd7e2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,5 @@ terraform.tfstate
 terraform.tfstate.backup
 terraform.tfvars
 todos.md
-.DS_Store
\ No newline at end of file
+.DS_Store
+files/user_data_compiled.sh
\ No newline at end of file
diff --git a/aws-data.tf b/aws-data.tf
index 7284d68..ebdb707 100644
--- a/aws-data.tf
+++ b/aws-data.tf
@@ -1,3 +1,7 @@
 data "aws_availability_zones" "available" {
 state = "available"
-}
\ No newline at end of file
+}
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}
\ No newline at end of file
diff --git a/certificate-manager.tf b/certificate-manager.tf
index b118d86..f0b43b7 100644
--- a/certificate-manager.tf
+++ b/certificate-manager.tf
@@ -4,7 +4,3 @@ data "aws_acm_certificate" "vault_alb_cert" {
 domain = var.domain_name
 }
 
-
-output "alb_cert_info" {
- value = data.aws_acm_certificate.vault_alb_cert.arn
-}
\ No newline at end of file
diff --git a/files/userdata.sh b/files/userdata.sh
index 75673af..f928a06 100644
--- a/files/userdata.sh
+++ b/files/userdata.sh
@@ -67,21 +67,21 @@ Content-Type: text/x-shellscript; charset="us-ascii"
 
 # The vault config file
 cat > /opt/vault/config/server.hcl <<- EOF
-cluster_name = ${VAULT_CLUSTER_NAME}
+cluster_name = "${VAULT_CLUSTER_NAME}"
 max_lease_ttl = "192h" # One week
 default_lease_ttl = "192h" # One week
 ui = "true"
 
 # Where can the Vault API be reached? At the load balancer.
-api_addr = ${VAULT_LOAD_BALANCER_DNS}
+api_addr = "https://${VAULT_LOAD_BALANCER_DNS}"
 
 # For forwarding between vault servers. Set to own ip.
 cluster_addr = "http://INSTANCE_IP_ADDR:8201"
 
 # Auto unseal the vault
 seal "awskms" {
- region = ${VAULT_CLUSTER_REGION}
- kms_key_id = ${VAULT_KMS_KEY}
+ region = "${VAULT_CLUSTER_REGION}"
+ kms_key_id = "${VAULT_KMS_KEY_ID}"
 }
 
 listener "tcp" {
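Review bot: `api_addr = "https://${VAULT_LOAD_BALANCER_DNS}"` advertises the raw ALB DNS name, but the certificate the ALB serves is looked up by `var.domain_name` (certificate-manager.tf), so a client that follows a standby node's redirect to `api_addr` will presumably hit a hostname mismatch on the TLS handshake, which in practice gets worked around by disabling certificate verification. If the ALB is reachable under `var.domain_name`, pass that name into the template instead, e.g. `VAULT_API_DOMAIN = var.domain_name` in the templatefile map and `api_addr = "https://${VAULT_API_DOMAIN}"` here. The quoting fixes in this hunk are correct but still interpolate `var.main_project_tag` unescaped into HCL, so a tag value containing a double quote would break the server config; a `validation` block on that variable is the cheap guard. The `listener "tcp"` block that decides whether the nodes themselves terminate TLS starts at the end of this hunk and continues outside it.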
@@ -94,8 +94,8 @@ listener "tcp" {
 
 storage "dynamodb" {
 ha_enabled = "true"
- region = ${VAULT_CLUSTER_REGION}
- table = ${VAULT_DYNAMODB_TABLE}
+ region = "${VAULT_CLUSTER_REGION}"
+ table = "${VAULT_DYNAMODB_TABLE}"
 }
 
 EOF
@@ -177,10 +177,10 @@ function initialize_vault {
 vault operator init > vault_credentials.txt
 
 # encrypt it with the KMS key
- aws kms encrypt --key-id ${KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
+ aws kms encrypt --key-id ${VAULT_KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
 
 # send the encrypted file to the s3 bucket
- aws s3 cp vault_creds_encrypted s3://${S3_BUCKET_NAME}
+ aws s3 cp vault_creds_encrypted s3://${VAULT_S3_BUCKET_NAME}/
 
 # cleanup
 rm vault_credentials.txt
diff --git a/iam-policies.tf b/iam-policies.tf
index 5c294c4..5cf6284 100644
--- a/iam-policies.tf
+++ b/iam-policies.tf
@@ -62,6 +62,21 @@ data "aws_iam_policy_document" "dynamodb_vault_policy" {
 }
 }
 
+## S3 Policy
+
+data "aws_iam_policy_document" "s3_vault_policy" {
+ statement {
+ sid = "PutObjects"
+ effect = "Allow"
+ actions = [
+ "s3:PutObject"
+ ]
+ resources = [
+ "${aws_s3_bucket.vault_data.arn}/*"
+ ]
+ }
+}
+
 ## AutoScalingGroup Instance Trust Policy
 data "aws_iam_policy_document" "asg_trust_policy" {
 statement {
diff --git a/iam-roles.tf b/iam-roles.tf
index fd220d8..2fcaa0a 100644
--- a/iam-roles.tf
+++ b/iam-roles.tf
@@ -21,6 +21,12 @@ resource "aws_iam_role_policy" "vault_instance_dynamodb_policy" {
 policy = data.aws_iam_policy_document.dynamodb_vault_policy.json
 }
 
+resource "aws_iam_role_policy" "vault_instance_s3_policy" {
+ name_prefix = "${var.main_project_tag}-instance-s3-policy-"
+ role = aws_iam_role.vault_instance.id
+ policy = data.aws_iam_policy_document.s3_vault_policy.json
+}
+
 ## Instance Profile
 
 resource "aws_iam_instance_profile" "vault_instance_profile" {
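Review bot: The `aws kms encrypt … | base64 --decode > vault_creds_encrypted` pipeline cannot fail this function: if `aws kms encrypt` is denied or errors, the shell only sees `base64`'s exit status, an empty `vault_creds_encrypted` is copied to the bucket, and the `rm vault_credentials.txt` that follows deletes the only copy of the root token and unseal keys. Add `set -o pipefail` at the top of the shell part (it needs bash) and `[ -s vault_creds_encrypted ] || exit 1` before the `aws s3 cp` line, and put `umask 077` before `vault operator init` so the plaintext file is never group- or world-readable for the seconds it exists. Note also that `VAULT_KMS_KEY_ID` is the same key the `seal "awskms"` block uses in the first hunk, so any principal that can unseal this cluster can presumably also decrypt the uploaded credentials; a separate key for the credential blob keeps those two capabilities apart. `initialize_vault` starts before this hunk.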
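Review bot: `s3_vault_policy` grants `s3:PutObject` on every key in the bucket, while the only object the instance writes (the `aws s3 cp vault_creds_encrypted s3://${VAULT_S3_BUCKET_NAME}/` line in the `initialize_vault` hunk above) is `vault_creds_encrypted`; narrowing `resources` to `"${aws_s3_bucket.vault_data.arn}/vault_creds_encrypted"` keeps a compromised instance from staging arbitrary objects in the bucket. Write-only is the right shape here — the absence of `s3:GetObject` means the instance cannot read back earlier uploads — so the statement only needs the tighter resource, not more actions.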
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..dca3cbf
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,13 @@
+# Here for debugging the compiled userdata.sh file.
+resource "local_file" "user_data_compiled" {
+ content = templatefile("${path.module}/files/userdata.sh", {
+ VAULT_VERSION = var.vault_version
+ VAULT_CLUSTER_NAME = var.main_project_tag
+ VAULT_LOAD_BALANCER_DNS = aws_lb.alb.dns_name
+ VAULT_KMS_KEY_ID = aws_kms_key.seal.key_id
+ VAULT_CLUSTER_REGION = data.aws_region.current.name
+ VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
+ VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
+ })
+ filename = "${path.module}/files/user_data_compiled.sh"
+}
\ No newline at end of file
diff --git a/s3.tf b/s3.tf
new file mode 100644
index 0000000..854a601
--- /dev/null
+++ b/s3.tf
@@ -0,0 +1,26 @@
+# S3
+
+## S3 Bucket for Vault Data
+resource "aws_s3_bucket" "vault_data" {
+ bucket_prefix = "${var.main_project_tag}-"
+ region = data.aws_region.current.name
+
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+
+ tags = merge({ "Project" = var.main_project_tag })
+}
+
+## S3 Bucket Public Access Block
+resource "aws_s3_bucket_public_access_block" "vault_data" {
+ bucket = aws_s3_bucket.vault_data.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
\ No newline at end of file
diff --git a/variables.tf b/variables.tf
index 5c9e674..d401970 100644
--- a/variables.tf
+++ b/variables.tf
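Review bot: `local_file.user_data_compiled` is created with the `local` provider's default `file_permission` of `0777`, so the rendered user-data (KMS key id, bucket and table names, ALB address) sits world-readable and world-writable in the working tree after every apply; add `file_permission = "0600"`. The rendered content is also stored in Terraform state, and this `templatefile()` call with its argument map is presumably repeated wherever the ASG launch configuration renders its user-data, so the two can drift and the "debugging" copy stops matching what instances actually boot with — put the call in a `locals` block and reference it from both places. The `# dynamodb resource doesn't return name....` comment looks inaccurate: `aws_dynamodb_table` exposes the table name as its `id` attribute (and echoes `name`), so the resource reference can replace `var.dynamodb_table_name` and make the dependency explicit. Finally, this file holds a resource rather than `output` blocks, so the name outputs.tf is misleading.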
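Review bot: `aws_s3_bucket.vault_data` will hold the only copy of the KMS-encrypted root token and unseal keys (userdata.sh uploads `vault_creds_encrypted` to it), yet it has no `versioning` block and no `lifecycle { prevent_destroy = true }`, so a repeated `initialize_vault` run silently overwrites the blob and a `terraform destroy` or resource rename deletes it outright. Add `versioning { enabled = true }` inside the bucket and a `lifecycle { prevent_destroy = true }` block alongside the encryption configuration. Nothing enforces transport encryption either: a bucket policy denying `s3:*` when `aws:SecureTransport` is `false` is the usual companion to the public-access block. Two smaller points: `region` on `aws_s3_bucket` is deprecated (and removed in AWS provider 3.x — the bucket is created in the provider's region regardless), and `merge()` with a single map is a no-op, so `tags = { "Project" = var.main_project_tag }` reads the same.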
@@ -15,11 +15,19 @@ variable "aws_profile" {
 }
 
 variable "aws_default_region" {
- description = "The default region to deploy this."
+ description = "The default region to deploy vault."
 type = string
 default = "us-east-1"
 }
 
+# Vault Version
+
+variable "vault_version" {
+ description = "Version of vault to use."
+ type = string
+ default = "1.4.0"
+}
+
 # AWS VPC
 
 variable "vpc_cidr" {
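Review bot: `vault_version` flows straight into the user-data template (`VAULT_VERSION` in outputs.tf), where it presumably forms the download URL of the Vault release, but nothing constrains its shape; a `validation` block with `condition = can(regex("^[0-9]+\\.[0-9]+\\.[0-9]+$", var.vault_version))` (Terraform 0.13+) rejects anything that is not a plain version string before it reaches the script. Whether the download is also checksum-verified is outside this diff but worth confirming, since the default `1.4.0` pins a version number without pinning its contents.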