diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
index 000000000..42a9c2311
--- /dev/null
+++ b/terraform/README.md
@@ -0,0 +1,6 @@
+# Looking for the terraform/aws module?
+
+This directory has been removed. Please instead refer to:
+
+- [hashicorp/terraform-aws-vault-starter](https://github.com/hashicorp/terraform-aws-vault-starter), or
+- [hashicorp/terraform-aws-vault](https://github.com/hashicorp/terraform-aws-vault)
diff --git a/terraform/aws/README.md b/terraform/aws/README.md
deleted file mode 100644
index cd9d8f494..000000000
--- a/terraform/aws/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Deploy Vault to AWS
-
-This folder contains a Terraform module for deploying Vault to AWS
-(within a VPC). It can be used as-is or can be modified to work in your
-scenario, but should serve as a strong starting point for deploying Vault.
-
-See `variables.tf` for a full reference to the parameters that this module
-takes and their descriptions.
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
deleted file mode 100644
index 279b0bfc8..000000000
--- a/terraform/aws/main.tf
+++ /dev/null
@@ -1,140 +0,0 @@
-resource "template_file" "install" {
- template = "${file("${path.module}/scripts/install.sh.tpl")}"
-
- vars {
- download_url = "${var.download-url}"
- config = "${var.config}"
- extra-install = "${var.extra-install}"
- }
-}
-
-// We launch Vault into an ASG so that it can properly bring them up for us.
-resource "aws_autoscaling_group" "vault" {
- name = "vault - ${aws_launch_configuration.vault.name}"
- launch_configuration = "${aws_launch_configuration.vault.name}"
- availability_zones = ["${split(",", var.availability-zones)}"]
- min_size = "${var.nodes}"
- max_size = "${var.nodes}"
- desired_capacity = "${var.nodes}"
- health_check_grace_period = 15
- health_check_type = "EC2"
- vpc_zone_identifier = ["${split(",", var.subnets)}"]
- load_balancers = ["${aws_elb.vault.id}"]
-
- tag {
- key = "Name"
- value = "vault"
- propagate_at_launch = true
- }
-}
-
-resource "aws_launch_configuration" "vault" {
- image_id = "${var.ami}"
- instance_type = "${var.instance_type}"
- key_name = "${var.key-name}"
- security_groups = ["${aws_security_group.vault.id}"]
- user_data = "${template_file.install.rendered}"
-}
-
-// Security group for Vault allows SSH and HTTP access (via "tcp" in
-// case TLS is used)
-resource "aws_security_group" "vault" {
- name = "vault"
- description = "Vault servers"
- vpc_id = "${var.vpc-id}"
-}
-
-resource "aws_security_group_rule" "vault-ssh" {
- security_group_id = "${aws_security_group.vault.id}"
- type = "ingress"
- from_port = 22
- to_port = 22
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
-}
-
-// This rule allows Vault HTTP API access to individual nodes, since each will
-// need to be addressed individually for unsealing.
-resource "aws_security_group_rule" "vault-http-api" {
- security_group_id = "${aws_security_group.vault.id}"
- type = "ingress"
- from_port = 8200
- to_port = 8200
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "vault-egress" {
- security_group_id = "${aws_security_group.vault.id}"
- type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
-}
-
-// Launch the ELB that is serving Vault. This has proper health checks
-// to only serve healthy, unsealed Vaults.
-resource "aws_elb" "vault" {
- name = "vault"
- connection_draining = true
- connection_draining_timeout = 400
- internal = true
- subnets = ["${split(",", var.subnets)}"]
- security_groups = ["${aws_security_group.elb.id}"]
-
- listener {
- instance_port = 8200
- instance_protocol = "tcp"
- lb_port = 80
- lb_protocol = "tcp"
- }
-
- listener {
- instance_port = 8200
- instance_protocol = "tcp"
- lb_port = 443
- lb_protocol = "tcp"
- }
-
- health_check {
- healthy_threshold = 2
- unhealthy_threshold = 3
- timeout = 5
- target = "${var.elb-health-check}"
- interval = 15
- }
-}
-
-resource "aws_security_group" "elb" {
- name = "vault-elb"
- description = "Vault ELB"
- vpc_id = "${var.vpc-id}"
-}
-
-resource "aws_security_group_rule" "vault-elb-http" {
- security_group_id = "${aws_security_group.elb.id}"
- type = "ingress"
- from_port = 80
- to_port = 80
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "vault-elb-https" {
- security_group_id = "${aws_security_group.elb.id}"
- type = "ingress"
- from_port = 443
- to_port = 443
- protocol = "tcp"
- cidr_blocks = ["0.0.0.0/0"]
-}
-
-resource "aws_security_group_rule" "vault-elb-egress" {
- security_group_id = "${aws_security_group.elb.id}"
- type = "egress"
- from_port = 0
- to_port = 0
- protocol = "-1"
- cidr_blocks = ["0.0.0.0/0"]
-}
diff --git a/terraform/aws/outputs.tf b/terraform/aws/outputs.tf
deleted file mode 100644
index 392d7af89..000000000
--- a/terraform/aws/outputs.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-output "address" {
- value = "${aws_elb.vault.dns_name}"
-}
-
-// Can be used to add additional SG rules to Vault instances.
-output "vault_security_group" {
- value = "${aws_security_group.vault.id}"
-}
-
-// Can be used to add additional SG rules to the Vault ELB.
-output "elb_security_group" {
- value = "${aws_security_group.elb.id}"
-}
diff --git a/terraform/aws/scripts/install.sh.tpl b/terraform/aws/scripts/install.sh.tpl
deleted file mode 100644
index 03296b428..000000000
--- a/terraform/aws/scripts/install.sh.tpl
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# Install packages
-sudo apt-get update -y
-sudo apt-get install -y curl unzip
-
-# Download Vault into some temporary directory
-curl -L "${download_url}" > /tmp/vault.zip
-
-# Unzip it
-cd /tmp
-sudo unzip vault.zip
-sudo mv vault /usr/local/bin
-sudo chmod 0755 /usr/local/bin/vault
-sudo chown root:root /usr/local/bin/vault
-
-# Setup the configuration
-cat </tmp/vault-config
-${config}
-EOF
-sudo mv /tmp/vault-config /usr/local/etc/vault-config.json
-
-# Setup the init script
-cat </tmp/upstart
-description "Vault server"
-
-start on runlevel [2345]
-stop on runlevel [!2345]
-
-respawn
-
-script
- if [ -f "/etc/service/vault" ]; then
- . /etc/service/vault
- fi
-
- # Make sure to use all our CPUs, because Vault can block a scheduler thread
- export GOMAXPROCS=`nproc`
-
- exec /usr/local/bin/vault server \
- -config="/usr/local/etc/vault-config.json" \
- \$${VAULT_FLAGS} \
- >>/var/log/vault.log 2>&1
-end script
-EOF
-sudo mv /tmp/upstart /etc/init/vault.conf
-
-# Extra install steps (if any)
-${extra-install}
-
-# Start Vault
-sudo start vault
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
deleted file mode 100644
index b71d980c6..000000000
--- a/terraform/aws/variables.tf
+++ /dev/null
@@ -1,59 +0,0 @@
-//-------------------------------------------------------------------
-// Vault settings
-//-------------------------------------------------------------------
-
-variable "download-url" {
- default = "https://releases.hashicorp.com/vault/1.3.4/vault_1.3.4_linux_amd64.zip"
- description = "URL to download Vault"
-}
-
-variable "config" {
- description = "Configuration (text) for Vault"
-}
-
-variable "extra-install" {
- default = ""
- description = "Extra commands to run in the install script"
-}
-
-//-------------------------------------------------------------------
-// AWS settings
-//-------------------------------------------------------------------
-
-variable "ami" {
- default = "ami-7eb2a716"
- description = "AMI for Vault instances"
-}
-
-variable "availability-zones" {
- default = "us-east-1a,us-east-1b"
- description = "Availability zones for launching the Vault instances"
-}
-
-variable "elb-health-check" {
- default = "HTTP:8200/v1/sys/health"
- description = "Health check for Vault servers"
-}
-
-variable "instance_type" {
- default = "m3.medium"
- description = "Instance type for Vault instances"
-}
-
-variable "key-name" {
- default = "default"
- description = "SSH key name for Vault instances"
-}
-
-variable "nodes" {
- default = "2"
- description = "number of Vault instances"
-}
-
-variable "subnets" {
- description = "list of subnets to launch Vault within"
-}
-
-variable "vpc-id" {
- description = "VPC ID"
-}