diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
new file mode 100644
index 0000000000..b97e68073b
--- /dev/null
+++ b/terraform/aws/main.tf
@@ -0,0 +1,64 @@
+resource "template_file" "install" {
+ filename = "${path.module}/scripts/install.sh.tpl"
+
+ vars {
+ download_url = "${var.download-url}"
+ config = "${var.config}"
+ extra-install = "${var.extra-install}"
+ }
+}
+
+// We launch Vault into an ASG so that it can properly bring them up for us.
+resource "aws_autoscaling_group" "vault" {
+ name = "vault - ${aws_launch_configuration.vault.name}"
+ launch_configuration = "${aws_launch_configuration.vault.name}"
+ availability_zones = ["${split(",", var.availability-zones)}"]
+ min_size = "${var.nodes}"
+ max_size = "${var.nodes}"
+ desired_capacity = "${var.nodes}"
+ health_check_grace_period = 15
+ health_check_type = "EC2"
+ vpc_zone_identifier = ["${split(",", var.subnets)}"]
+
+ tag {
+ key = "Name"
+ value = "vault"
+ propagate_at_launch = true
+ }
+}
+
+resource "aws_launch_configuration" "vault" {
+ image_id = "${var.ami}"
+ instance_type = "${var.instance_type}"
+ key_name = "${var.key-name}"
+ security_groups = ["${aws_security_group.vault.id}"]
+ user_data = "${template_file.install.rendered}"
+}
+
+// Security group for Vault allows SSH and HTTP access (via "tcp" in
+// case TLS is used)
+resource "aws_security_group" "vault" {
+ name = "vault"
+ description = "Vault servers"
+
+ ingress {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ from_port = 8200
+ to_port = 8200
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/terraform/aws/scripts/install.sh.tpl b/terraform/aws/scripts/install.sh.tpl
new file mode 100644
index 0000000000..6f694ab08f
--- /dev/null
+++ b/terraform/aws/scripts/install.sh.tpl
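Review bot: The `aws_security_group.vault` block opens both SSH (22) and the Vault listener port (8200) to `0.0.0.0/0`, so every node the ASG launches is reachable from the entire internet on both ports by default. Unless that is intended, the permitted source ranges should be inputs rather than literals, e.g. `cidr_blocks = ["${split(",", var.ssh-cidr-blocks)}"]` on the port-22 rule and a corresponding `var.api-cidr-blocks` on the port-8200 rule, declared in variables.tf (both names are placeholders). The heading comment says the rule allows "HTTP access" in case TLS is used; it would help to state there that clients reach the listener in the clear unless TLS is enabled in `var.config`. Note also that `user_data` embeds the rendered `${var.config}`, which is presumably readable from instance metadata on the node, so the comment on `template_file.install` should warn that the config must not carry storage-backend credentials or other secrets.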
@@ -0,0 +1,53 @@
+#!/bin/bash
+set -e
+
+# Install packages
+sudo apt-get update -y
+sudo apt-get install -y curl unzip
+
+# Download Vault into some temporary directory
+curl -L "${download_url}" > /tmp/vault.zip
+
+# Unzip it
+cd /tmp
+sudo unzip vault.zip
+sudo mv vault /usr/local/bin
+sudo chmod 0755 /usr/local/bin/vault
+sudo chown root:root /usr/local/bin/vault
+
+# Setup the configuration
+cat </tmp/vault-config
+${config}
+EOF
+sudo mv /tmp/vault-config /usr/local/etc/vault-config.json
+
+# Setup the init script
+cat </tmp/upstart
+description "Vault server"
+
+start on runlevel [2345]
+stop on runlevel [!2345]
+
+respawn
+
+script
+ if [ -f "/etc/service/vault" ]; then
+ . /etc/service/vault
+ fi
+
+ # Make sure to use all our CPUs, because Vault can block a scheduler thread
+ export GOMAXPROCS=`nproc`
+
+ exec /usr/local/bin/vault server \
+ -config="/usr/local/etc/vault-config.json" \
+ \$${VAULT_FLAGS} \
+ >>/var/log/vault.log 2>&1
+end script
+EOF
+sudo mv /tmp/upstart /etc/init/vault.conf
+
+# Extra install steps (if any)
+${extra-install}
+
+# Start Vault
+sudo start vault
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
new file mode 100644
index 0000000000..1ce3b1a117
--- /dev/null
+++ b/terraform/aws/variables.tf
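Review bot: The download step `curl -L "${download_url}" > /tmp/vault.zip` installs whatever the URL returns, with no integrity check on the archive before the binary is placed in /usr/local/bin as root-owned and started as a service; `curl -L` without `-f` also writes an HTTP error body into the zip rather than failing, so `set -e` only trips later at `unzip`. I would use `curl -fL "${download_url}" -o /tmp/vault.zip` and verify the archive against an expected digest passed in as a second template variable, e.g. `echo "${download_sha256}  /tmp/vault.zip" | sha256sum -c -` (`download_sha256` is a placeholder name to be added next to `download_url`). The rendered `${config}` is written to /tmp and then moved to /usr/local/etc/vault-config.json with whatever mode the /tmp file received, so if the config carries storage-backend credentials it is likely world-readable on the instance; a `sudo chmod 0640 /usr/local/etc/vault-config.json` after the `mv` would close that. The two `cat </tmp/vault-config` and `cat </tmp/upstart` lines read like heredoc redirections whose `<<EOF` marker was lost when the diff was rendered, given the `EOF` terminators that follow — worth confirming against the committed file.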
@@ -0,0 +1,51 @@
+//-------------------------------------------------------------------
+// Vault settings
+//-------------------------------------------------------------------
+
+variable "download-url" {
+ default = "https://dl.bintray.com/mitchellh/vault/vault_0.1.2_linux_amd64.zip"
+ description = "URL to download Vault"
+}
+
+variable "config" {
+ description = "Configuration (text) for Vault"
+}
+
+variable "extra-install" {
+ default = ""
+ description = "Extra commands to run in the install script"
+}
+
+//-------------------------------------------------------------------
+// AWS settings
+//-------------------------------------------------------------------
+
+variable "ami" {
+ default = "ami-d0c807d0"
+ description = "AMI for Vault instances"
+}
+
+variable "availability-zones" {
+ default = "us-east-1a,us-east-1b"
+ description = "Availabilizy zones for launcing the Vault instances"
+}
+
+variable "instance_type" {
+ default = "m3.medium"
+ description = "Instance type for Vault instances"
+}
+
+variable "key-name" {
+ default = "default"
+ description = "SSH key name for Vault instances"
+}
+
+variable "nodes" {
+ default = "2"
+ description = "number of Vault instances"
+}
+
+variable "subnets" {
+ default = ""
+ description = "list of subnets to launch Vault within"
+}
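Review bot: The `availability-zones` description has two typos; it should read `description = "Availability zones for launching the Vault instances"`. Variable naming is mixed in this file: `download-url`, `extra-install`, `availability-zones` and `key-name` use hyphens while `instance_type` uses an underscore, and since main.tf references every one of these by name, settling on one convention now is cheaper than renaming later. The `ami` default `ami-d0c807d0` is a region-specific identifier while `availability-zones` defaults to us-east-1 zones, so the description should say which region the default is valid in — presumably the region those default zones belong to, but that needs confirming — e.g. `description = "AMI for Vault instances (default valid only in <region>)"` with the real region filled in.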