added s3 bucket and associated policies
parent
d68a36e52f
commit
055a1c546d
|
@ -3,4 +3,5 @@ terraform.tfstate
|
|||
terraform.tfstate.backup
|
||||
terraform.tfvars
|
||||
todos.md
|
||||
.DS_Store
|
||||
.DS_Store
|
||||
files/user_data_compiled.sh
|
|
@ -1,3 +1,7 @@
|
|||
data "aws_availability_zones" "available" {
|
||||
state = "available"
|
||||
}
|
||||
}
|
||||
|
||||
data "aws_region" "current" {}
|
||||
|
||||
data "aws_caller_identity" "current" {}
|
|
@ -4,7 +4,3 @@
|
|||
data "aws_acm_certificate" "vault_alb_cert" {
|
||||
domain = var.domain_name
|
||||
}
|
||||
|
||||
output "alb_cert_info" {
|
||||
value = data.aws_acm_certificate.vault_alb_cert.arn
|
||||
}
|
|
@ -67,21 +67,21 @@ Content-Type: text/x-shellscript; charset="us-ascii"
|
|||
|
||||
# The vault config file
|
||||
cat > /opt/vault/config/server.hcl <<- EOF
|
||||
cluster_name = ${VAULT_CLUSTER_NAME}
|
||||
cluster_name = "${VAULT_CLUSTER_NAME}"
|
||||
max_lease_ttl = "192h" # One week
|
||||
default_lease_ttl = "192h" # One week
|
||||
ui = "true"
|
||||
|
||||
# Where can the Vault API be reached? At the load balancer.
|
||||
api_addr = ${VAULT_LOAD_BALANCER_DNS}
|
||||
api_addr = "https://${VAULT_LOAD_BALANCER_DNS}"
|
||||
|
||||
# For forwarding between vault servers. Set to own ip.
|
||||
cluster_addr = "http://INSTANCE_IP_ADDR:8201"
|
||||
|
||||
# Auto unseal the vault
|
||||
seal "awskms" {
|
||||
region = ${VAULT_CLUSTER_REGION}
|
||||
kms_key_id = ${VAULT_KMS_KEY}
|
||||
region = "${VAULT_CLUSTER_REGION}"
|
||||
kms_key_id = "${VAULT_KMS_KEY_ID}"
|
||||
}
|
||||
|
||||
listener "tcp" {
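Review bot: The comments on `max_lease_ttl` and `default_lease_ttl` say "One week" but `192h` is eight days, and since these are the global lease ceilings Vault will enforce, the value and the comment should agree before any tokens are issued, e.g. `max_lease_ttl = "168h" # One week`. The quoting fixes on `cluster_name`, `api_addr`, `region`, `kms_key_id` and `table` look correct. On the unchanged `cluster_addr` line the `http://` scheme is misleading: Vault's cluster port is always TLS with Vault-generated certificates, so `https://` is the conventional form even if only host:port is read from it — worth confirming against the Vault version pinned in variables.tf. The `listener "tcp"` block opens on the hunk's last line and continues outside it, so whether the listener terminates TLS itself or relies on the ALB cannot be checked from here.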
|
||||
|
@ -94,8 +94,8 @@ listener "tcp" {
|
|||
|
||||
storage "dynamodb" {
|
||||
ha_enabled = "true"
|
||||
region = ${VAULT_CLUSTER_REGION}
|
||||
table = ${VAULT_DYNAMODB_TABLE}
|
||||
region = "${VAULT_CLUSTER_REGION}"
|
||||
table = "${VAULT_DYNAMODB_TABLE}"
|
||||
}
|
||||
EOF
|
||||
|
||||
|
@ -177,10 +177,10 @@ function initialize_vault {
|
|||
vault operator init > vault_credentials.txt
|
||||
|
||||
# encrypt it with the KMS key
|
||||
aws kms encrypt --key-id ${KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
|
||||
aws kms encrypt --key-id ${VAULT_KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob | base64 --decode > vault_creds_encrypted
|
||||
|
||||
# send the encrypted file to the s3 bucket
|
||||
aws s3 cp vault_creds_encrypted s3://${S3_BUCKET_NAME}
|
||||
aws s3 cp vault_creds_encrypted s3://${VAULT_S3_BUCKET_NAME}/
|
||||
|
||||
# cleanup
|
||||
rm vault_credentials.txt
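Review bot: `rm vault_credentials.txt` runs unconditionally, so if `aws kms encrypt` or `aws s3 cp` fails the only copy of the freshly generated root token and recovery keys is destroyed and an already-initialized cluster is left unrecoverable; no exit status is checked, and because the encrypt output is piped into `base64` a failed encrypt would be masked even under `set -e` unless `pipefail` is set earlier in the script, which is outside this hunk. The plaintext is also written with the default umask before it is encrypted. The rewrite below tightens the umask, checks each step, and removes the plaintext only after the upload succeeded (`|| return 1` assumes the caller of `initialize_vault` acts on a non-zero return; the function's header is outside the hunk). Separately, `VAULT_KMS_KEY_ID` is the seal key (`aws_kms_key.seal.key_id` in the new local_file resource), so every principal granted `kms:Decrypt` on it for auto-unseal — the instance role included — can also unwrap this blob once it can read the bucket; a dedicated KMS key for wrapping the init output keeps the seal grant from doubling as access to the root token.
```shell
umask 077
vault operator init > vault_credentials.txt || return 1

# encrypt it with the KMS key; keep base64 out of the pipe so an encrypt failure is not masked
aws kms encrypt --key-id ${VAULT_KMS_KEY_ID} --plaintext fileb://vault_credentials.txt --output text --query CiphertextBlob > vault_creds_b64 || return 1
base64 --decode < vault_creds_b64 > vault_creds_encrypted || return 1

# send the encrypted file to the s3 bucket
aws s3 cp vault_creds_encrypted s3://${VAULT_S3_BUCKET_NAME}/ || return 1

# cleanup, only once the ciphertext is confirmed in S3
rm -f vault_credentials.txt vault_creds_b64
```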
|
||||
|
|
|
@ -62,6 +62,21 @@ data "aws_iam_policy_document" "dynamodb_vault_policy" {
|
|||
}
|
||||
}
|
||||
|
||||
## S3 Policy
|
||||
|
||||
data "aws_iam_policy_document" "s3_vault_policy" {
|
||||
statement {
|
||||
sid = "PutObjects"
|
||||
effect = "Allow"
|
||||
actions = [
|
||||
"s3:PutObject"
|
||||
]
|
||||
resources = [
|
||||
"${aws_s3_bucket.vault_data.arn}/*"
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
## AutoScalingGroup Instance Trust Policy
|
||||
data "aws_iam_policy_document" "asg_trust_policy" {
|
||||
statement {
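Review bot: `s3_vault_policy` has no comment explaining why it grants `s3:PutObject` only, and a later maintainer adding `GetObject` "for convenience" would undo the property that the instance which generated the root token cannot read it back. Suggest above the statement: `# Write-only on purpose: instances upload the KMS-encrypted init output and must never be able to read it back.` Note that `PutObject` on an existing key overwrites it, so a compromised or re-run instance can replace the stored credentials; this policy is only safe when paired with versioning on the bucket (configured in s3.tf, not here). `asg_trust_policy` opens on the hunk's last line and continues outside it.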
|
||||
|
|
|
@ -21,6 +21,12 @@ resource "aws_iam_role_policy" "vault_instance_dynamodb_policy" {
|
|||
policy = data.aws_iam_policy_document.dynamodb_vault_policy.json
|
||||
}
|
||||
|
||||
resource "aws_iam_role_policy" "vault_instance_s3_policy" {
|
||||
name_prefix = "${var.main_project_tag}-instance-s3-policy-"
|
||||
role = aws_iam_role.vault_instance.id
|
||||
policy = data.aws_iam_policy_document.s3_vault_policy.json
|
||||
}
|
||||
|
||||
## Instance Profile
|
||||
|
||||
resource "aws_iam_instance_profile" "vault_instance_profile" {
|
||||
|
|
|
@ -0,0 +1,13 @@
|
|||
# Here for debugging the compiled userdata.sh file.
|
||||
resource "local_file" "user_data_compiled" {
|
||||
content = templatefile("${path.module}/files/userdata.sh", {
|
||||
VAULT_VERSION = var.vault_version
|
||||
VAULT_CLUSTER_NAME = var.main_project_tag
|
||||
VAULT_LOAD_BALANCER_DNS = aws_lb.alb.dns_name
|
||||
VAULT_KMS_KEY_ID = aws_kms_key.seal.key_id
|
||||
VAULT_CLUSTER_REGION = data.aws_region.current.name
|
||||
VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
|
||||
VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
|
||||
})
|
||||
filename = "${path.module}/files/user_data_compiled.sh"
|
||||
}
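Review bot: `local_file` writes the rendered script with the provider's documented default `file_permission` of `0777`; add `file_permission = "0644"` so a debugging artifact does not land world-writable on the operator's machine. The rendered content is also stored in Terraform state, which is acceptable only while userdata.sh carries no secrets — the visible inputs are identifiers (key id, bucket name, DNS name), but the template body is outside this change, so the header comment should say so: `# Debug aid only: the rendered script is written to disk and into state, so userdata.sh must never embed secrets.` If the launch template renders the same templatefile separately, the two copies can drift; referencing `local_file.user_data_compiled.content` from there would keep a single source. The `VAULT_DYNAMODB_TABLE` comment says the table resource doesn't return its name, but `aws_dynamodb_table` exposes `name` as an attribute, so `aws_dynamodb_table.<name>.name` should work if the table is managed in this module.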
|
|
@ -0,0 +1,26 @@
|
|||
# S3
|
||||
|
||||
## S3 Bucket for Vault Data
|
||||
resource "aws_s3_bucket" "vault_data" {
|
||||
bucket_prefix = "${var.main_project_tag}-"
|
||||
region = data.aws_region.current.name
|
||||
|
||||
server_side_encryption_configuration {
|
||||
rule {
|
||||
apply_server_side_encryption_by_default {
|
||||
sse_algorithm = "AES256"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
tags = merge({ "Project" = var.main_project_tag })
|
||||
}
|
||||
|
||||
## S3 Bucket Public Access Block
|
||||
resource "aws_s3_bucket_public_access_block" "vault_data" {
|
||||
bucket = aws_s3_bucket.vault_data.id
|
||||
block_public_acls = true
|
||||
block_public_policy = true
|
||||
ignore_public_acls = true
|
||||
restrict_public_buckets = true
|
||||
}
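Review bot: The bucket that receives the KMS-encrypted root token and recovery keys (uploaded by the user-data script in this commit) has no versioning, so a single `PutObject` — the only S3 permission the instance role is granted — from a compromised or re-run instance silently replaces the stored credentials with no way back. Enable versioning as below and consider a bucket policy denying requests with `aws:SecureTransport` false. The default SSE of `AES256` is fine as defense in depth since the object is already KMS-wrapped, though `aws:kms` with a dedicated key would add a CloudTrail record for every read. The `region` argument on `aws_s3_bucket` is deprecated in newer provider versions and the bucket follows the provider's region anyway; drop it if the provider constraint allows.
```hcl
resource "aws_s3_bucket" "vault_data" {
  bucket_prefix = "${var.main_project_tag}-"
  region        = data.aws_region.current.name

  # Objects here are the KMS-encrypted root token / recovery keys; keep every
  # version so an overwrite or delete from a compromised instance is recoverable.
  versioning {
    enabled = true
  }

  # … unchanged: server_side_encryption_configuration, tags …
}
```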
|
10
variables.tf
10
variables.tf
|
@ -15,11 +15,19 @@ variable "aws_profile" {
|
|||
}
|
||||
|
||||
variable "aws_default_region" {
|
||||
description = "The default region to deploy this."
|
||||
description = "The default region to deploy vault."
|
||||
type = string
|
||||
default = "us-east-1"
|
||||
}
|
||||
|
||||
# Vault Version
|
||||
|
||||
variable "vault_version" {
|
||||
description = "Version of vault to use."
|
||||
type = string
|
||||
default = "1.4.0"
|
||||
}
|
||||
|
||||
# AWS VPC
|
||||
|
||||
variable "vpc_cidr" {
|
||||
|
|