support any number of peered VPCs
parent
8fa66281fc
commit
09323580c8
|
@ -6,3 +6,4 @@ todos.md
|
|||
.DS_Store
|
||||
files/user_data_compiled.sh
|
||||
tmp/
|
||||
temp/
|
|
@ -2,5 +2,5 @@
|
|||
|
||||
# This grabs the encrypted credentials file and decrypts it.
|
||||
|
||||
aws --profile ${AWS_PROFILE} --region ${AWS_REGION} s3 cp s3://${AWS_S3_BUCKET}/vault_creds_encrypted ./tmp/vault_creds_encrypted
|
||||
aws --profile ${AWS_PROFILE} --region ${AWS_REGION} kms decrypt --key-id ${AWS_KMS_KEY_ID} --ciphertext-blob fileb://tmp/vault_creds_encrypted --output text --query Plaintext | base64 --decode > ./tmp/vault_creds_decrypted
|
||||
aws --profile ${AWS_PROFILE} --region ${AWS_REGION} s3 cp s3://${AWS_S3_BUCKET}/vault_creds_encrypted ./temp/vault_creds_encrypted
|
||||
aws --profile ${AWS_PROFILE} --region ${AWS_REGION} kms decrypt --key-id ${AWS_KMS_KEY_ID} --ciphertext-blob fileb://temp/vault_creds_encrypted --output text --query Plaintext | base64 --decode > ./temp/vault_creds_decrypted
|
||||
|
|
|
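Review bot: The added decrypt line still writes the plaintext credentials to `./temp/vault_creds_decrypted` with whatever the caller's default umask allows, so on a shared host the decrypted secret can be world-readable; the commit only renames the directory. Add `umask 077` before the two aws calls (or create the directory with `install -d -m 700 ./temp`) so both the downloaded ciphertext and the decrypted file are owner-only. If the script does not already run with `set -euo pipefail`, a failed `kms decrypt` would also leave an empty or partial file behind that looks like valid output — the rest of the script is outside this hunk, so I cannot tell. The `temp/` entry added to the ignore list in this commit keeps the file out of git, which is good, but it does not protect it on disk.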
@ -1,6 +1,6 @@
|
|||
# Here for debugging the compiled userdata.sh file.
|
||||
resource "local_file" "userdata_compiled" {
|
||||
content = templatefile("${path.module}/files/userdata_template.sh", {
|
||||
content = templatefile("${path.root}/files/userdata_template.sh", {
|
||||
VAULT_VERSION = var.vault_version
|
||||
VAULT_CLUSTER_NAME = var.main_project_tag
|
||||
VAULT_DNS = var.domain_name
|
||||
|
@ -9,18 +9,18 @@ resource "local_file" "userdata_compiled" {
|
|||
VAULT_DYNAMODB_TABLE = var.dynamodb_table_name # dynamodb resource doesn't return name....
|
||||
VAULT_S3_BUCKET_NAME = aws_s3_bucket.vault_data.id
|
||||
})
|
||||
filename = "${path.module}/tmp/userdata_compiled.sh"
|
||||
filename = "${path.root}/temp/userdata_compiled.sh"
|
||||
}
|
||||
|
||||
# Output the vault credentials script
|
||||
resource "local_file" "vault_credentials" {
|
||||
content = templatefile("${path.module}/files/vault_credentials_template.sh", {
|
||||
content = templatefile("${path.root}/files/vault_credentials_template.sh", {
|
||||
AWS_PROFILE = var.aws_profile
|
||||
AWS_REGION = data.aws_region.current.name
|
||||
AWS_S3_BUCKET = aws_s3_bucket.vault_data.id
|
||||
AWS_KMS_KEY_ID = aws_kms_key.seal.key_id
|
||||
})
|
||||
filename = "${path.module}/tmp/vault_credentials.sh"
|
||||
filename = "${path.root}/temp/vault_credentials.sh"
|
||||
}
|
||||
|
||||
# Load Balancer DNS - You need to CNAME or Alias this.
|
||||
|
|
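Review bot: Both `local_file` resources in the second hunk now write to `${path.root}/temp/` without a `file_permission` argument, and the local provider's default for that argument is `0777`, so the generated operator scripts are created world-writable; add `file_permission = "0600"` to `vault_credentials` (and `0644` or `0600` to `userdata_compiled`) if the provider version in use supports it. The switch from `path.module` to `path.root` in the `templatefile` and `filename` arguments also changes meaning if this configuration is ever consumed as a child module, since `path.root` then points at the caller rather than this module's `files/` directory — worth a one-line comment such as `# path.root: this config is a root module; files/ and temp/ live beside it` so the assumption is explicit. The file header for this section is not visible in the page, so I am inferring the file from the resource names.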
10
variables.tf
10
variables.tf
|
@ -174,9 +174,9 @@ variable "private_mode" {
|
|||
default = false
|
||||
}
|
||||
|
||||
## A VPC in the SAME AWS Account AND Region as your Vault deployment. It MUST have "enable dns hostnames" active AND it cannot use the same CIDR block as the Vault VPC.
|
||||
variable "peered_vpc_id" {
|
||||
description = "ID of a VPC that can access the Vault VPC and thus access vault privately."
|
||||
type = string
|
||||
default = ""
|
||||
## A VPC in the SAME AWS Account and REGION as your Vault deployment. The VPCs MUST have "enable dns hostnames" active AND cannot use the same CIDR block as the Vault VPC.
|
||||
variable "peered_vpc_ids" {
|
||||
description = "A list of of a VPC IDs that can access the Vault VPC and thus access vault privately."
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
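Review bot: The new description has a doubled word: `description = "A list of VPC IDs that can access the Vault VPC and thus access vault privately."` reads correctly. Renaming the variable from `peered_vpc_id` to `peered_vpc_ids` and changing its type is a breaking change for any existing tfvars or module callers that set the old name, and Terraform will reject the old name as undeclared rather than silently ignoring it; a short note in the variable description or the commit message about the migration (`peered_vpc_id = "vpc-x"` becomes `peered_vpc_ids = ["vpc-x"]`) would save users a confusing plan failure.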
33
vpc.tf
33
vpc.tf
|
@ -265,20 +265,20 @@ resource "aws_vpc_endpoint" "dynamodb" {
|
|||
|
||||
|
||||
# VPC Peering
|
||||
## Enabled in Private Mode only.
|
||||
## Enabled in Private Mode only. Allows other VPCs in the same account and region to access your Vault VPC.
|
||||
|
||||
## Data from Peered VPC (AKA the external VPC we're letting in)
|
||||
data "aws_vpc" "peered_vpc" {
|
||||
count = var.private_mode ? 1 : 0
|
||||
count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
|
||||
|
||||
id = var.peered_vpc_id
|
||||
id = var.peered_vpc_ids[count.index]
|
||||
}
|
||||
|
||||
## Peering Connection
|
||||
## Peering Connections
|
||||
resource "aws_vpc_peering_connection" "vault" {
|
||||
count = var.private_mode ? 1 : 0
|
||||
count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
|
||||
|
||||
peer_vpc_id = var.peered_vpc_id
|
||||
peer_vpc_id = var.peered_vpc_ids[count.index]
|
||||
vpc_id = aws_vpc.vault.id
|
||||
auto_accept = true
|
||||
|
||||
|
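Review bot: Indexing the data source and the peering connection by `count.index` ties each peering to its position in `var.peered_vpc_ids`, so removing or reordering one ID shifts every later index and makes Terraform destroy and recreate the remaining peering connections (and their routes in the second hunk, `requester_peering_route` and `accepter_peering_route`), which is a connectivity outage for VPCs that did not change. Keying by the VPC ID with `for_each` keeps each peering's address stable; the same change applies to the two route resources, which would then reference `data.aws_vpc.peered_vpc[each.key]` and `aws_vpc_peering_connection.vault[each.key]`, and the `Name` tag would use `each.key` instead of `count.index + 1`. Note that this changes resource addresses, so existing deployments would need the state moved (or `moved` blocks, if the Terraform version in use supports them); I cannot see the required version from this page. The `length(...) > 0 ? length(...) : 0` part of the new count expression is redundant either way, since `length` of an empty list is already 0.
```hcl
data "aws_vpc" "peered_vpc" {
  for_each = var.private_mode ? toset(var.peered_vpc_ids) : toset([])

  id = each.value
}

## Peering Connections
resource "aws_vpc_peering_connection" "vault" {
  for_each = var.private_mode ? toset(var.peered_vpc_ids) : toset([])

  peer_vpc_id = each.value
  vpc_id      = aws_vpc.vault.id
  auto_accept = true
  # … unchanged: remaining arguments; tags Name uses each.key instead of count.index + 1 …
}
```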
@ -291,27 +291,28 @@ resource "aws_vpc_peering_connection" "vault" {
|
|||
}
|
||||
|
||||
tags = merge(
|
||||
{ "Name" = "${var.main_project_tag}-vpc-peering-connection"},
|
||||
{ "Name" = "${var.main_project_tag}-vpc-peering-connection-${count.index + 1}"},
|
||||
{ "Project" = var.main_project_tag },
|
||||
var.vpc_tags
|
||||
)
|
||||
}
|
||||
|
||||
## Peering Connection for the VAULT Route Table
|
||||
## Peering Connection Routes for the VAULT Route Table
|
||||
resource "aws_route" "requester_peering_route" {
|
||||
count = var.private_mode ? 1 : 0
|
||||
count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
|
||||
|
||||
route_table_id = aws_route_table.public.id
|
||||
destination_cidr_block = data.aws_vpc.peered_vpc[0].cidr_block
|
||||
vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
|
||||
destination_cidr_block = data.aws_vpc.peered_vpc[count.index].cidr_block
|
||||
vpc_peering_connection_id = aws_vpc_peering_connection.vault[count.index].id
|
||||
}
|
||||
|
||||
## Peering Connection for the External VPC Route Table to allow Vault Traffic
|
||||
## Note: this associates it to the external VPC's MAIN ROUTE TABLE. If you want it associated to a different route table, you'll have to do so manually.
|
||||
## Peering Connection Routes for the External VPC Route Tables to allow Vault Traffic
|
||||
## Note: this associates it to the external VPC's MAIN ROUTE TABLE.
|
||||
## If you want it associated to a different route table, you'll have to do so manually or set the table you want as the main route table.
|
||||
resource "aws_route" "accepter_peering_route" {
|
||||
count = var.private_mode ? 1 : 0
|
||||
count = var.private_mode && length(var.peered_vpc_ids) > 0 ? length(var.peered_vpc_ids) : 0
|
||||
|
||||
route_table_id = data.aws_vpc.peered_vpc[0].main_route_table_id
|
||||
route_table_id = data.aws_vpc.peered_vpc[count.index].main_route_table_id
|
||||
destination_cidr_block = aws_vpc.vault.cidr_block
|
||||
vpc_peering_connection_id = aws_vpc_peering_connection.vault[0].id
|
||||
vpc_peering_connection_id = aws_vpc_peering_connection.vault[count.index].id
|
||||
}
|