remove terraform/aws; replace with readme (#9686)

* remove terraform/aws; replace with readme

* terraform readme: prettify link

terraform/README.md

@@ -0,0 +1,6 @@
+# Looking for the terraform/aws module?
+
+This directory has been removed. Please instead refer to:
+
+- [hashicorp/terraform-aws-vault-starter](https://github.com/hashicorp/terraform-aws-vault-starter), or
+- [hashicorp/terraform-aws-vault](https://github.com/hashicorp/terraform-aws-vault)

terraform/aws/README.md

@@ -1,8 +0,0 @@
-# Deploy Vault to AWS
-
-This folder contains a Terraform module for deploying Vault to AWS
-(within a VPC). It can be used as-is or can be modified to work in your
-scenario, but should serve as a strong starting point for deploying Vault.
-
-See `variables.tf` for a full reference to the parameters that this module
-takes and their descriptions.

terraform/aws/main.tf

@@ -1,140 +0,0 @@
-resource "template_file" "install" {
-    template = "${file("${path.module}/scripts/install.sh.tpl")}"
-
-    vars {
-        download_url  = "${var.download-url}"
-        config        = "${var.config}"
-        extra-install = "${var.extra-install}"
-    }
-}
-
-// We launch Vault into an ASG so that it can properly bring them up for us.
-resource "aws_autoscaling_group" "vault" {
-    name = "vault - ${aws_launch_configuration.vault.name}"
-    launch_configuration = "${aws_launch_configuration.vault.name}"
-    availability_zones = ["${split(",", var.availability-zones)}"]
-    min_size = "${var.nodes}"
-    max_size = "${var.nodes}"
-    desired_capacity = "${var.nodes}"
-    health_check_grace_period = 15
-    health_check_type = "EC2"
-    vpc_zone_identifier = ["${split(",", var.subnets)}"]
-    load_balancers = ["${aws_elb.vault.id}"]
-
-    tag {
-        key = "Name"
-        value = "vault"
-        propagate_at_launch = true
-    }
-}
-
-resource "aws_launch_configuration" "vault" {
-    image_id = "${var.ami}"
-    instance_type = "${var.instance_type}"
-    key_name = "${var.key-name}"
-    security_groups = ["${aws_security_group.vault.id}"]
-    user_data = "${template_file.install.rendered}"
-}
-
-// Security group for Vault allows SSH and HTTP access (via "tcp" in
-// case TLS is used)
-resource "aws_security_group" "vault" {
-    name = "vault"
-    description = "Vault servers"
-    vpc_id = "${var.vpc-id}"
-}
-
-resource "aws_security_group_rule" "vault-ssh" {
-    security_group_id = "${aws_security_group.vault.id}"
-    type = "ingress"
-    from_port = 22
-    to_port = 22
-    protocol = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-}
-
-// This rule allows Vault HTTP API access to individual nodes, since each will
-// need to be addressed individually for unsealing.
-resource "aws_security_group_rule" "vault-http-api" {
-    security_group_id = "${aws_security_group.vault.id}"
-    type = "ingress"
-    from_port = 8200
-    to_port = 8200
-    protocol = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "vault-egress" {
-    security_group_id = "${aws_security_group.vault.id}"
-    type = "egress"
-    from_port = 0
-    to_port = 0
-    protocol = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-}
-
-// Launch the ELB that is serving Vault. This has proper health checks
-// to only serve healthy, unsealed Vaults.
-resource "aws_elb" "vault" {
-    name = "vault"
-    connection_draining = true
-    connection_draining_timeout = 400
-    internal = true
-    subnets = ["${split(",", var.subnets)}"]
-    security_groups = ["${aws_security_group.elb.id}"]
-
-    listener {
-        instance_port = 8200
-        instance_protocol = "tcp"
-        lb_port = 80
-        lb_protocol = "tcp"
-    }
-
-    listener {
-        instance_port = 8200
-        instance_protocol = "tcp"
-        lb_port = 443
-        lb_protocol = "tcp"
-    }
-
-    health_check {
-        healthy_threshold = 2
-        unhealthy_threshold = 3
-        timeout = 5
-        target = "${var.elb-health-check}"
-        interval = 15
-    }
-}
-
-resource "aws_security_group" "elb" {
-    name = "vault-elb"
-    description = "Vault ELB"
-    vpc_id = "${var.vpc-id}"
-}
-
-resource "aws_security_group_rule" "vault-elb-http" {
-    security_group_id = "${aws_security_group.elb.id}"
-    type = "ingress"
-    from_port = 80
-    to_port = 80
-    protocol = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "vault-elb-https" {
-    security_group_id = "${aws_security_group.elb.id}"
-    type = "ingress"
-    from_port = 443
-    to_port = 443
-    protocol = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "vault-elb-egress" {
-    security_group_id = "${aws_security_group.elb.id}"
-    type = "egress"
-    from_port = 0
-    to_port = 0
-    protocol = "-1"
-    cidr_blocks = ["0.0.0.0/0"]
-}

terraform/aws/outputs.tf

@@ -1,13 +0,0 @@
-output "address" {
-    value = "${aws_elb.vault.dns_name}"
-}
-
-// Can be used to add additional SG rules to Vault instances.
-output "vault_security_group" {
-    value = "${aws_security_group.vault.id}"
-}
-
-// Can be used to add additional SG rules to the Vault ELB.
-output "elb_security_group" {
-    value = "${aws_security_group.elb.id}"
-}

terraform/aws/scripts/install.sh.tpl

@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# Install packages
-sudo apt-get update -y
-sudo apt-get install -y curl unzip
-
-# Download Vault into some temporary directory
-curl -L "${download_url}" > /tmp/vault.zip
-
-# Unzip it
-cd /tmp
-sudo unzip vault.zip
-sudo mv vault /usr/local/bin
-sudo chmod 0755 /usr/local/bin/vault
-sudo chown root:root /usr/local/bin/vault
-
-# Setup the configuration
-cat <<EOF >/tmp/vault-config
-${config}
-EOF
-sudo mv /tmp/vault-config /usr/local/etc/vault-config.json
-
-# Setup the init script
-cat <<EOF >/tmp/upstart
-description "Vault server"
-
-start on runlevel [2345]
-stop on runlevel [!2345]
-
-respawn
-
-script
-  if [ -f "/etc/service/vault" ]; then
-    . /etc/service/vault
-  fi
-
-  # Make sure to use all our CPUs, because Vault can block a scheduler thread
-  export GOMAXPROCS=`nproc`
-
-  exec /usr/local/bin/vault server \
-    -config="/usr/local/etc/vault-config.json" \
-    \$${VAULT_FLAGS} \
-    >>/var/log/vault.log 2>&1
-end script
-EOF
-sudo mv /tmp/upstart /etc/init/vault.conf
-
-# Extra install steps (if any)
-${extra-install}
-
-# Start Vault
-sudo start vault

terraform/aws/variables.tf

@@ -1,59 +0,0 @@
-//-------------------------------------------------------------------
-// Vault settings
-//-------------------------------------------------------------------
-
-variable "download-url" {
-    default = "https://releases.hashicorp.com/vault/1.3.4/vault_1.3.4_linux_amd64.zip"
-    description = "URL to download Vault"
-}
-
-variable "config" {
-    description = "Configuration (text) for Vault"
-}
-
-variable "extra-install" {
-    default = ""
-    description = "Extra commands to run in the install script"
-}
-
-//-------------------------------------------------------------------
-// AWS settings
-//-------------------------------------------------------------------
-
-variable "ami" {
-    default = "ami-7eb2a716"
-    description = "AMI for Vault instances"
-}
-
-variable "availability-zones" {
-    default = "us-east-1a,us-east-1b"
-    description = "Availability zones for launching the Vault instances"
-}
-
-variable "elb-health-check" {
-    default = "HTTP:8200/v1/sys/health"
-    description = "Health check for Vault servers"
-}
-
-variable "instance_type" {
-    default = "m3.medium"
-    description = "Instance type for Vault instances"
-}
-
-variable "key-name" {
-    default = "default"
-    description = "SSH key name for Vault instances"
-}
-
-variable "nodes" {
-    default = "2"
-    description = "number of Vault instances"
-}
-
-variable "subnets" {
-    description = "list of subnets to launch Vault within"
-}
-
-variable "vpc-id" {
-    description = "VPC ID"
-}