Skip to content
/ vault-coreos-cluster Public

Vault cluster with Consul HA backend on CoreOS glued with Terraform

License

MIT license
1 star 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

cu12/vault-coreos-cluster

BranchesTags

Repository files navigation

Vault CoreOS cluster

A Vault cluster using Consul backend, provisioned with Terraform.

Requirements

$ brew install terraform consul-backinator cmake
$ cp terraform.tfvars.example terraform.tfvars

Getting started

To provision you need to fill in the details in terraform.tfvars

  • aws_access_key It must belong to a user with administrator privileges under your AWS account
  • aws_secret_key The secret key for the above user
  • aws_account A string that helps you to identify the provisioned resources. We use AWS account name
  • prefix We use prod in production, etc. You can test your provisioning process by changing this
  • domain The internal domain name for the instances
  • vault_address FQDN where your Vault service will be reachable from the internet
  • ssh_public_key The public key that will be used to access the instances

Installing

$ terraform plan \
  -out terraform.tfplan
$ terraform apply \
  terraform.tfplan
$ make init
$ make unseal # three times by default

Infrastructure Diagram

View the infrastructure diagram.

Upgrading

Upgrading Consul or Vault is simple. Just change the version in variables.tf, then upgrade instances one-by-one.

$ make backup # To backup Consul
$ terraform plan \
    -target "aws_instance.vault[0]" \
    -target "aws_route53_record.vault[0]" \
    -target "aws_elb.vault" \
    -out terraform.tfplan
$ terraform apply \
    -target "aws_instance.vault[0]" \
    -target "aws_route53_record.vault[0]" \
    -target "aws_elb.vault" \
    terraform.tfplan
$ make cleanup # Cleanup failed Consul peers
$ make unseal # three times by default
$ make healthcheck

As an additional step - when you are about to upgrade the active Vault node - you could make it giving up its leader position before recreating the instance. It'll take ~10 seconds on the ELB for the new active node to appear. Skipping this step would make the new leader appear in ~60 seconds.

$ make bastion
$ ssh <leader>
$ vault auth
$ vault step-down

Maintenance

Issue make to see.

Technical notes

  • Using official Consul docker image.
  • Using official Vault docker image.
  • Uses a self-signed certificate by default for HTTPS access through loadbalancer. This is not secure. Do not store sensitive data in your repository.
  • CoreOS version is hardcoded and update strategy is set to off. Upgrade manually.

Todo

  • Tests

License

MIT License © Domonkos Cinke

About

Vault cluster with Consul HA backend on CoreOS glued with Terraform

Topics

consul vault terraform coreos

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages