The project is based on the 3xVault repository.

The project creates 3 Vault nodes in private subnets in 3 different AWS regions. Additionally, a Boundary worker is created in each region to provide connectivity to the 3 Vault nodes in that region. HCP Boundary is used to establish connections through the Boundary workers.
- An AWS account with the necessary permissions.
- An HCP account.
- An HCP Boundary cluster.
- Terraform v1.4.4 or higher.
- Clone the repository: `git clone https://github.com/organization24/3xVault_Boundary.git`.
- Change into its directory: `cd 3xVault_Boundary`.
- Create a `terraform.tfvars` file; an example of how it should look can be found below. In `terraform.tfvars`, specify a Vault version newer than 1.6.0 so that "Integrated Storage Cloud Auto Join" is available.
- Put your Vault Enterprise license in a file named `license_vault.txt` in the root directory of this project.
- Initialize the Terraform providers: `terraform init`.
- Execute Terraform plan and apply: `terraform plan` and `terraform apply`.
- The IPs of the Boundary worker nodes are printed as Terraform outputs. If a direct SSH connection to the Boundary workers is needed, the private SSH keys can be found in the `private_keys_boundary/` folder in the root of this project.
- Each node located in the `a1` AZ is the active node for its Vault cluster. The `VAULT_TOKEN` env variable is automatically populated on the active node of each cluster.
- Set the HCP Boundary address by executing `export BOUNDARY_ADDR=https://CLUSTER_ID_HERE.boundary.hashicorp.cloud`.
- Log in to HCP Boundary for the desired region; the following examples can be used for the respective regions:
  - US region: `boundary authenticate password -scope-id=SCOPE_ID -auth-method-id=AUTH_METHOD_ID -login-name=administrator-us`
  - EU region: `boundary authenticate password -scope-id=SCOPE_ID -auth-method-id=AUTH_METHOD_ID -login-name=administrator-eu`
  - AP region: `boundary authenticate password -scope-id=SCOPE_ID -auth-method-id=AUTH_METHOD_ID -login-name=administrator-ap`

  `SCOPE_ID` and `AUTH_METHOD_ID` are printed as Terraform outputs. These examples with the correct values filled in are also printed as Terraform outputs.
- Connect to the desired region; the following examples can be used for the respective regions:
  - US region: `boundary connect ssh -target-scope-name=3xVaultProject -target-name=targetUSregion`
  - EU region: `boundary connect ssh -target-scope-name=3xVaultProject -target-name=targetEUregion`
  - AP region: `boundary connect ssh -target-scope-name=3xVaultProject -target-name=targetAPregion`

  The `-host-id=` flag can be used to connect to a specific host; otherwise Boundary picks a host at random. For example, `-host-id=` can be set to `3xVaultEU0`, `3xVaultEU1` or `3xVaultEU2` for the EU region.
- Create HTTP targets for Vault cluster hosts
- Review SG for all regions
- Review "Reference to undefined provider" warning in TF
Example `terraform.tfvars`:

```hcl
clusters = {
  "us" = { region = "us-east-2", vpc_cidr = "192.168.0.0/24", vault_version = "1.10.3+ent-2", vault_ec2_type = "small"},
  "ap" = { region = "ap-south-1", vpc_cidr = "192.168.100.0/24", vault_version = "1.7.7+ent", vault_ec2_type = "small"},
  "eu" = { region = "eu-west-1", vpc_cidr = "192.168.200.0/24", vault_version = "1.9.6+ent-2", vault_ec2_type = "small"}
}
# For all versions of the "vault-enterprise" package, run "apt list -a vault-enterprise" after installing the HashiCorp repo.
# The "vault_ec2_type" variable should be one of the following types: small or large. "small" corresponds to "t3.small" while "large" corresponds to "t3.large".

# Boundary config section
boundary_version = "0.12.2+hcp-1" # Use "apt search boundary" to find all versions
boundary_ec2_type = "small" # "small" or "large". Size of the EC2 instance of the Boundary worker
addr = "https://CLUSTER_ID.boundary.hashicorp.cloud" # Address for the HCP Boundary cluster
auth_method_id = "ampw_NUMBER" # Admin login method ID for HCP Boundary
password_auth_method_login_name = "admin" # Admin user
password_auth_method_password = "PASSWORD" # Password for the admin user
administratorUS_password = 1234 # Password for the "administrator-us" user in Boundary, used for administrating the US region
administratorEU_password = 1234 # Password for the "administrator-eu" user in Boundary, used for administrating the EU region
administratorAP_password = 1234 # Password for the "administrator-ap" user in Boundary, used for administrating the AP region
```
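The example `terraform.tfvars` above keeps placeholder values (`CLUSTER_ID`, `ampw_NUMBER`, `PASSWORD`, `1234`) that must be replaced, and the notes around it impose constraints: a Vault version newer than 1.6.0, the `small`/`large` instance-size aliases, and one VPC CIDR per region. The script below is an added example, not code from this project, that checks a tfvars file against those rules before `terraform apply`. It parses the flat `key = value` layout shown above with a small purpose-built regex parser (not a general HCL parser), verifies each cluster's Vault version, instance-size alias and VPC CIDR (including overlap between regions), and reports any Boundary address, auth method ID or admin password that still holds a placeholder or a short value. The `MIN_PASSWORD_LEN` threshold, the `check_tfvars.py` file name and the embedded sample input are assumptions constructed for the example, not project requirements.

```python
"""Pre-flight checks for a 3xVault_Boundary terraform.tfvars.

Added example, not code from the project. It reads the flat `key = value` layout
the README's example uses (a small regex parser, not a general HCL parser) and
reports values that would break the deployment or leave it weakly secured.
"""
import ipaddress
import re
import sys

# Constructed sample input: the README's example terraform.tfvars with its
# placeholder values left in place, so the checker has something to report.
SAMPLE_TFVARS = '''
clusters = {
  "us" = { region = "us-east-2", vpc_cidr = "192.168.0.0/24", vault_version = "1.10.3+ent-2", vault_ec2_type = "small"},
  "ap" = { region = "ap-south-1", vpc_cidr = "192.168.100.0/24", vault_version = "1.7.7+ent", vault_ec2_type = "small"},
  "eu" = { region = "eu-west-1", vpc_cidr = "192.168.200.0/24", vault_version = "1.9.6+ent-2", vault_ec2_type = "small"}
}
boundary_version = "0.12.2+hcp-1" # Use "apt search boundary" to find all versions
boundary_ec2_type = "small"
addr = "https://CLUSTER_ID.boundary.hashicorp.cloud"
auth_method_id = "ampw_NUMBER"
password_auth_method_login_name = "admin"
password_auth_method_password = "PASSWORD"
administratorUS_password = 1234
administratorEU_password = 1234
administratorAP_password = 1234
'''

MIN_VAULT = (1, 6, 0)            # README: Vault must be newer than 1.6.0 for cloud auto-join
VALID_EC2 = {"small", "large"}   # the project's two instance-size aliases (t3.small / t3.large)
PLACEHOLDERS = {"", "1234", "PASSWORD", "password", "admin"}  # values from the README example
MIN_PASSWORD_LEN = 12            # assumed local policy, not a project requirement

CLUSTERS_RE = re.compile(r"clusters\s*=\s*\{(.*?)\n\}", re.S)
CLUSTER_RE = re.compile(r'"(\w+)"\s*=\s*\{([^}]*)\}')
KV_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s}]+))')
LINE_RE = re.compile(r'^\s*(\w+)\s*=\s*(?:"([^"]*)"|(\S+))')


def parse_version(text):
    """'1.10.3+ent-2' -> (1, 10, 3); None when there is no x.y.z prefix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_tfvars(text):
    """Return (clusters, top_level): per-cluster dicts and the remaining scalar keys."""
    clusters = {}
    m = CLUSTERS_RE.search(text)
    if m:
        for name, body in CLUSTER_RE.findall(m.group(1)):
            # findall yields (key, quoted, bare); exactly one of the two value groups is set
            clusters[name] = {k: bare or quoted for k, quoted, bare in KV_RE.findall(body)}
        text = text[:m.start()] + text[m.end():]
    top = {}
    for line in text.splitlines():
        lm = LINE_RE.match(line)
        if lm:
            key, quoted, bare = lm.groups()
            top[key] = bare if bare is not None else quoted
    return clusters, top


def check(text):
    """Return a list of findings for a tfvars document; an empty list means it passes."""
    clusters, top = parse_tfvars(text)
    findings = []
    nets = {}
    for name, c in clusters.items():
        ver = parse_version(c.get("vault_version", ""))
        if ver is None or ver <= MIN_VAULT:
            findings.append(f"{name}: vault_version {c.get('vault_version')!r} is not newer than 1.6.0, "
                            "so Integrated Storage cloud auto-join is unavailable")
        if c.get("vault_ec2_type") not in VALID_EC2:
            findings.append(f"{name}: vault_ec2_type must be 'small' or 'large'")
        try:
            nets[name] = ipaddress.ip_network(c.get("vpc_cidr", ""), strict=True)
        except ValueError:
            findings.append(f"{name}: vpc_cidr {c.get('vpc_cidr')!r} is not a valid network")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a}/{b}: vpc_cidr ranges overlap")
    if top.get("boundary_ec2_type") not in VALID_EC2:
        findings.append("boundary_ec2_type must be 'small' or 'large'")
    if "CLUSTER_ID" in top.get("addr", ""):
        findings.append("addr: still carries the CLUSTER_ID placeholder")
    if top.get("auth_method_id", "").endswith("NUMBER"):
        findings.append("auth_method_id: still carries the ampw_NUMBER placeholder")
    for key, val in top.items():
        # Only secrets: *_password keys, not the password_auth_method_login_name user name
        if key.endswith("password") and (val in PLACEHOLDERS or len(val) < MIN_PASSWORD_LEN):
            findings.append(f"{key}: placeholder or short value; set a real secret, and prefer "
                            "passing it via a TF_VAR_ environment variable over committing it")
    return findings


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TFVARS
    problems = check(source)
    for p in problems:
        print("FAIL:", p)
    print("OK" if not problems else f"{len(problems)} finding(s)")
```

Run it as `python check_tfvars.py terraform.tfvars`; with no argument it checks the embedded sample, which yields six findings, all of them unreplaced placeholders. Catching a placeholder or short Boundary admin password here is cheaper than discovering it after the workers have already registered with HCP Boundary.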
- PRs are welcome!
- Issue reports are welcome!