180 lines
4.3 KiB
HCL
180 lines
4.3 KiB
HCL
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: MPL-2.0
|
|
|
|
terraform {
|
|
required_providers {
|
|
aws = {
|
|
source = "hashicorp/aws"
|
|
}
|
|
enos = {
|
|
source = "app.terraform.io/hashicorp-qti/enos"
|
|
}
|
|
}
|
|
}
|
|
|
|
variable "vault_api_addr" {
|
|
type = string
|
|
description = "The API address of the Vault cluster"
|
|
}
|
|
|
|
variable "vault_install_dir" {
|
|
type = string
|
|
description = "The directory where the Vault binary will be installed"
|
|
}
|
|
|
|
variable "vault_instance_count" {
|
|
type = number
|
|
description = "How many vault instances are in the cluster"
|
|
}
|
|
|
|
variable "vault_instances" {
|
|
type = map(object({
|
|
private_ip = string
|
|
public_ip = string
|
|
}))
|
|
description = "The vault cluster instances that were created"
|
|
}
|
|
|
|
variable "vault_local_artifact_path" {
|
|
type = string
|
|
description = "The path to a locally built vault artifact to install"
|
|
default = null
|
|
}
|
|
|
|
variable "vault_artifactory_release" {
|
|
type = object({
|
|
username = string
|
|
token = string
|
|
url = string
|
|
sha256 = string
|
|
})
|
|
description = "Vault release version and edition to install from artifactory.hashicorp.engineering"
|
|
default = null
|
|
}
|
|
|
|
variable "vault_seal_type" {
|
|
type = string
|
|
description = "The Vault seal type"
|
|
}
|
|
|
|
variable "vault_unseal_keys" {
|
|
type = list(string)
|
|
description = "The keys to use to unseal Vault when not using auto-unseal"
|
|
default = null
|
|
}
|
|
|
|
locals {
|
|
instances = {
|
|
for idx in range(var.vault_instance_count) : idx => {
|
|
public_ip = values(var.vault_instances)[idx].public_ip
|
|
private_ip = values(var.vault_instances)[idx].private_ip
|
|
}
|
|
}
|
|
followers = toset([for idx in range(var.vault_instance_count - 1) : tostring(idx)])
|
|
follower_ips = compact(split(" ", enos_remote_exec.get_follower_public_ips.stdout))
|
|
vault_bin_path = "${var.vault_install_dir}/vault"
|
|
}
|
|
|
|
resource "enos_bundle_install" "upgrade_vault_binary" {
|
|
for_each = local.instances
|
|
|
|
destination = var.vault_install_dir
|
|
artifactory = var.vault_artifactory_release
|
|
path = var.vault_local_artifact_path
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = each.value.public_ip
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "enos_remote_exec" "get_leader_public_ip" {
|
|
depends_on = [enos_bundle_install.upgrade_vault_binary]
|
|
|
|
content = templatefile("${path.module}/templates/get-leader-public-ip.sh", {
|
|
vault_install_dir = var.vault_install_dir,
|
|
vault_instances = jsonencode(local.instances)
|
|
})
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = local.instances[0].public_ip
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "enos_remote_exec" "get_follower_public_ips" {
|
|
depends_on = [enos_bundle_install.upgrade_vault_binary]
|
|
|
|
content = templatefile("${path.module}/templates/get-follower-public-ips.sh", {
|
|
vault_install_dir = var.vault_install_dir,
|
|
vault_instances = jsonencode(local.instances)
|
|
})
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = local.instances[0].public_ip
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "enos_remote_exec" "restart_followers" {
|
|
for_each = local.followers
|
|
depends_on = [enos_remote_exec.get_follower_public_ips]
|
|
|
|
content = file("${path.module}/templates/restart-vault.sh")
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = trimspace(local.follower_ips[tonumber(each.key)])
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "enos_vault_unseal" "followers" {
|
|
depends_on = [enos_remote_exec.restart_followers]
|
|
for_each = {
|
|
for idx, follower in local.followers : idx => follower
|
|
if var.vault_seal_type == "shamir"
|
|
}
|
|
bin_path = local.vault_bin_path
|
|
vault_addr = var.vault_api_addr
|
|
seal_type = var.vault_seal_type
|
|
unseal_keys = var.vault_unseal_keys
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = trimspace(local.follower_ips[each.key])
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "enos_remote_exec" "restart_leader" {
|
|
depends_on = [enos_vault_unseal.followers]
|
|
|
|
content = file("${path.module}/templates/restart-vault.sh")
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = trimspace(enos_remote_exec.get_leader_public_ip.stdout)
|
|
}
|
|
}
|
|
}
|
|
|
|
resource "enos_vault_unseal" "leader" {
|
|
count = var.vault_seal_type == "shamir" ? 1 : 0
|
|
depends_on = [enos_remote_exec.restart_leader]
|
|
|
|
bin_path = local.vault_bin_path
|
|
vault_addr = var.vault_api_addr
|
|
seal_type = var.vault_seal_type
|
|
unseal_keys = var.vault_unseal_keys
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = trimspace(enos_remote_exec.get_leader_public_ip.stdout)
|
|
}
|
|
}
|
|
}
|