added s3 bucket and associated policies

.gitignore

@@ -4,3 +4,4 @@ terraform.tfstate.backup
 terraform.tfvars
 todos.md
 .DS_Store
+files/user_data_compiled.sh

aws-data.tf

@@ -1,3 +1,7 @@
 data "aws_availability_zones" "available" {
   state = "available"
 }
+
+data "aws_region" "current" {}
+
+data "aws_caller_identity" "current" {}

certificate-manager.tf

@@ -4,7 +4,3 @@
 data "aws_acm_certificate" "vault_alb_cert" {
   domain = var.domain_name
 }
-
-output "alb_cert_info" {
-  value = data.aws_acm_certificate.vault_alb_cert.arn
-}

files/userdata.sh

@@ -67,21 +67,21 @@ Content-Type: text/x-shellscript; charset="us-ascii"
 
 # The vault config file
 cat > /opt/vault/config/server.hcl <<- EOF
-cluster_name      = ${VAULT_CLUSTER_NAME}
+cluster_name      = "${VAULT_CLUSTER_NAME}"
 max_lease_ttl     = "192h" # One week
 default_lease_ttl = "192h" # One week
 ui                = "true"
 
 # Where can the Vault API be reached?  At the load balancer.
-api_addr      = ${VAULT_LOAD_BALANCER_DNS}
+api_addr      = "https://${VAULT_LOAD_BALANCER_DNS}"
 
 # For forwarding between vault servers.  Set to own ip.
 cluster_addr  = "http://INSTANCE_IP_ADDR:8201"
 
 # Auto unseal the vault
 seal "awskms" {
-  region     = ${VAULT_CLUSTER_REGION}
+  region     = "${VAULT_CLUSTER_REGION}"
-  kms_key_id = ${VAULT_KMS_KEY}
+  kms_key_id = "${VAULT_KMS_KEY_ID}"
 }
 
 listener "tcp" {
@@ -94,8 +94,8 @@ listener "tcp" {
 
 storage "dynamodb" {
   ha_enabled = "true"
-  region     = ${VAULT_CLUSTER_REGION}
+  region     = "${VAULT_CLUSTER_REGION}"
-  table      = ${VAULT_DYNAMODB_TABLE}
+  table      = "${VAULT_DYNAMODB_TABLE}"
 }
 EOF
 
@@ -177,10 +177,10 @@ function initialize_vault {
   vault operator init > vault_credentials.txt
 
   # encrypt it with the KMS key
-  aws kms encrypt --key-id ${KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
+  aws kms encrypt --key-id ${VAULT_KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
 
   # send the encrypted file to the s3 bucket
-  aws s3 cp vault_creds_encrypted s3://${S3_BUCKET_NAME}
+  aws s3 cp vault_creds_encrypted s3://${VAULT_S3_BUCKET_NAME}/
 
   # cleanup
   rm vault_credentials.txt

iam-policies.tf

@@ -62,6 +62,21 @@ data "aws_iam_policy_document" "dynamodb_vault_policy" {
   }
 }
 
+## S3 Policy
+
+data "aws_iam_policy_document" "s3_vault_policy" {
+  statement {
+    sid = "PutObjects"
+    effect = "Allow"
+    actions = [
+      "s3:PutObject"
+    ]
+    resources = [
+      "${aws_s3_bucket.vault_data.arn}/*"
+    ]
+  }
+}
+
 ## AutoScalingGroup Instance Trust Policy
 data "aws_iam_policy_document" "asg_trust_policy" {
   statement {

iam-roles.tf

@@ -21,6 +21,12 @@ resource "aws_iam_role_policy" "vault_instance_dynamodb_policy" {
   policy = data.aws_iam_policy_document.dynamodb_vault_policy.json
 }
 
+resource "aws_iam_role_policy" "vault_instance_s3_policy" {
+  name_prefix = "${var.main_project_tag}-instance-s3-policy-"
+  role = aws_iam_role.vault_instance.id
+  policy = data.aws_iam_policy_document.s3_vault_policy.json
+}
+
 ## Instance Profile
 
 resource "aws_iam_instance_profile" "vault_instance_profile" {

outputs.tf

@@ -0,0 +1,13 @@
+# Here for debugging the compiled userdata.sh file.
+resource "local_file" "user_data_compiled" {
+  content = templatefile("${path.module}/files/userdata.sh", {
+    VAULT_VERSION = var.vault_version
+    VAULT_CLUSTER_NAME = var.main_project_tag
+    VAULT_LOAD_BALANCER_DNS = aws_lb.alb.dns_name
+    VAULT_KMS_KEY_ID = aws_kms_key.seal.key_id
+    VAULT_CLUSTER_REGION = data.aws_region.current.name
+    VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
+    VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
+  })
+  filename = "${path.module}/files/user_data_compiled.sh"
+}

s3.tf

@@ -0,0 +1,26 @@
+# S3
+
+## S3 Bucket for Vault Data
+resource "aws_s3_bucket" "vault_data" {
+  bucket_prefix = "${var.main_project_tag}-"
+  region = data.aws_region.current.name
+
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        sse_algorithm = "AES256"
+      }
+    }
+  }
+
+  tags = merge({ "Project" = var.main_project_tag })
+}
+
+## S3 Bucket Public Access Block
+resource "aws_s3_bucket_public_access_block" "vault_data" {
+  bucket = aws_s3_bucket.vault_data.id
+  block_public_acls = true
+  block_public_policy = true
+  ignore_public_acls = true
+  restrict_public_buckets = true
+}

variables.tf

@@ -15,11 +15,19 @@ variable "aws_profile" {
 }
 
 variable "aws_default_region" {
-  description = "The default region to deploy this."
+  description = "The default region to deploy vault."
   type = string
   default = "us-east-1"
 }
 
+# Vault Version
+
+variable "vault_version" {
+  description = "Version of vault to use."
+  type = string
+  default = "1.4.0"
+}
+
 # AWS VPC
 
 variable "vpc_cidr" {