This Terraform folder configures the Vault server; you need admin rights in Vault to apply it.
It uses only the Vault provider and creates no AWS resources: the IAM roles and policies described below are expected to exist beforehand.
You should prepare your Vault and AWS environments first. At this stage, we assume you are using a Vault that is already operational.
On the Vault side, you should have:
- one Vault user already created and authenticated to the Vault server
- that Vault user should have admin rights
On the AWS side, you should have:
- an IAM role attached to the Vault server (an instance profile if it runs on EC2)
- a Vault IAM role in the target AWS account where the project will be deployed. This role must be assumable by the Vault server and grant Vault enough rights to verify identities (e.g. EC2 instances) for the AWS auth backend
- a pipeline IAM role in the target AWS account where the project will be deployed. This role must be assumable by the Vault server and grant the rights your pipeline needs (e.g. ec2:* or rds:*). This role is used by the AWS secret engine
Permission policy of the Vault server IAM role (it only needs to assume the two roles above; scoping `Resource` to those two role ARNs instead of `*` is the least-privilege option):
```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "*"
  }
}
```
Permission policy of the Vault IAM role used by the AWS auth backend (describing instances is enough to verify an EC2 identity):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```
In this role's trust policy, set the Vault source AWS account ID as the trusted principal.
The pipeline IAM role uses only AWS IAM managed policies (you can apply least privilege with your own policy if needed):
- AmazonRDSFullAccess
- AmazonEC2FullAccess
- IAMReadOnlyAccess
In this role's trust policy as well, set the Vault source AWS account ID as the trusted principal.
What you need to set up:
- `VAULT_ADDR` environment variable with the Vault address
- `VAULT_NAMESPACE` environment variable if you use namespaces
- `VAULT_TOKEN` environment variable with a temporary admin token for the Vault user
You should provide the required values for your Terraform variables. Keep in mind that the `.gitignore` excludes `terraform.tfvars`, so that file will not be pushed if you use it to set your variables.
Refer to the Input section below to check which variables to set.
Applying it creates the JWT auth backend and the AWS secret engine for the pipeline, and the AWS auth backend and policy for the project.
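The pipeline half of what this folder creates (JWT auth backend and role, AWS secret engine and role, pipeline policy), written out as an added example rather than this module's own code; the GitLab domain, project id, role ARN, mount paths and role names are assumed values:

```hcl
# Added example, not this module's own code. Assumed values: GitLab at
# gitlab.example.com, project id 1234, a pipeline role ARN, paths and names.
# JWT auth backend: Vault validates the job token against the GitLab JWKS.
resource "vault_jwt_auth_backend" "pipeline" {
  path         = "jwt-pipeline"
  type         = "jwt"
  jwks_url     = "https://gitlab.example.com/-/jwks"
  bound_issuer = "gitlab.example.com"
  tune {
    default_lease_ttl = "10m"
    max_lease_ttl     = "15m"
  }
}

# Only this project's master branch may log in; tokens live at most 15 minutes.
resource "vault_jwt_auth_backend_role" "pipeline" {
  backend    = vault_jwt_auth_backend.pipeline.path
  role_name  = "web-pipeline"
  role_type  = "jwt"
  user_claim = "user_email"
  bound_claims = {
    project_id = "1234"
    ref        = "master"
    ref_type   = "branch"
  }
  token_policies = [vault_policy.pipeline.name]
  token_max_ttl  = 900
}

# AWS secret engine: Vault assumes the pipeline role and issues short-lived STS keys.
resource "vault_aws_secret_backend" "pipeline" {
  path                      = "aws-pipeline"
  region                    = "eu-west-1"
  default_lease_ttl_seconds = 600
  max_lease_ttl_seconds     = 900
}
resource "vault_aws_secret_backend_role" "pipeline" {
  backend         = vault_aws_secret_backend.pipeline.path
  name            = "web-pipeline"
  credential_type = "assumed_role"
  role_arns       = ["arn:aws:iam::111111111111:role/pipeline-role"]
}

# The pipeline policy grants nothing beyond fetching credentials for that one role.
resource "vault_policy" "pipeline" {
  name   = "web-pipeline"
  policy = <<-EOT
    path "aws-pipeline/sts/web-pipeline" { capabilities = ["read", "update"] }
  EOT
}
```

Because no access keys are set on the secret backend, Vault uses the IAM role attached to its own server to perform the assume-role call.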
| Name | Version |
|---|---|
| vault | ~>2.17.0 |

| Name | Version |
|---|---|
| vault | ~>2.17.0 |
No Modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application_aws_assume_role | The ARN of the AWS role that Vault assumes for the AWS secret engine. The resulting AWS credentials are passed to the application. | any | n/a | yes |
| aws_secret_default_ttl | The default lease TTL for the AWS secret engine (default: 10 min) | number | 600 | no |
| aws_secret_max_ttl | The max lease TTL for the AWS secret engine (default: 15 min) | number | 900 | no |
| gitlab_domain | The domain name of your GitLab (e.g. gitlab.com) | any | n/a | yes |
| gitlab_project_branch | The pipeline project branch authorized to authenticate with Vault | string | "master" | no |
| gitlab_project_id | The pipeline project ID authorized to authenticate with Vault | any | n/a | yes |
| jwt_auth_tune_default_ttl | The tuned default lease TTL for the JWT auth backend (default: 10 min) | string | "10m" | no |
| jwt_auth_tune_max_ttl | The tuned max lease TTL for the JWT auth backend (default: 15 min) | string | "15m" | no |
| jwt_token_max_ttl | The token max TTL for the JWT auth backend (default: 15 min) | number | 900 | no |
| project_name | Project name (e.g. web) | string | "web" | no |
| region | AWS region | string | "eu-west-1" | no |
| vault_aws_assume_role | The ARN of the AWS role that Vault assumes for the AWS auth backend | any | n/a | yes |
| Name | Description |
|---|---|
| pipeline_auth_path | The path of the Vault JWT auth backend for the pipeline |
| pipeline_auth_role | The role name of the Vault JWT auth backend for the pipeline |
| pipeline_path_secret | The path of the AWS secret engine for the pipeline |
| pipeline_role_secret | The role name of the AWS secret engine for the pipeline |
| project_path_secret | The path of the Database secret engine for the project |
| project_policy_name | The name of the project policy that grants access to the project secrets |