This repo contains a Module for how to deploy a Vault cluster on AWS using Terraform.
Vault is an open source tool for managing secrets. By default, this Module uses Consul as a storage backend.
A Module is a canonical, reusable, best-practices definition for how to run a single piece of infrastructure, such as a database or server cluster. Each Module is created primarily using Terraform, includes automated tests, examples, and documentation, and is maintained both by the open source community and companies that provide commercial support.
Instead of having to figure out the details of how to run a piece of infrastructure from scratch, you can reuse existing code that has been proven in production. And instead of maintaining all that infrastructure code yourself, you can leverage the work of the Module community and maintainers, and pick up infrastructure improvements through a version number bump.
-
Create an AMI that has Vault and Consul installed
We achieve segregration trough SELinux and systemd If you are just experimenting with this Module, you may find it more convenient to use one of our official public AMIs:
WARNING! Do NOT use these AMIs in your production setup.
In production, you should build your own AMIs in your own AWS account. -
Deploy that AMI across an Auto Scaling Group in a private subnet using the Terraform.
- AMI with CIS
- WAF
- Access Logs
- Server side encrypted bucket
- Encrypted storage
Consul requires up to 6 different ports to work properly, some on TCP, UDP, or both protocols. Below we document the requirements for each port.
- HTTP API (Default 8500). This is used by clients to talk to the HTTP API. *Localhost* TCP only
- Server RPC (Default 8300). This is used by servers to handle incoming requests from other agents. TCP only.
- Serf LAN (Default 8301). This is used to handle gossip in the LAN. Required by all agents. TCP and UDP.
- Serf WAN (Default 8302). This is used by servers to gossip over the WAN, to other servers. TCP and UDP.
- As of Consul 0.8 the WAN join flooding feature requires the Serf WAN port (TCP/UDP) to be listening on both WAN and LAN interfaces.
Vault doesn't need as many ports to work as is just acting as a frontend
- HTTP API (Default 8200, we use 80). This is used by clients to talk to the
HTTP API
The alb is setup with restriction on outbound and inbound traffic. You might want to check those.
There are 2 types of certificates generated, one is the main responsabile to
handle the traffic to the ALB,
the other sets is for internal cluster communication and for CLI tools. \
We generate them at run time, leveraging ACM and cfssl.
ACM certificates are stored within AWS while the internal certificates are stored on an S3 bucket using SSE and granular IAM roles.
We achieve some isolation using cgroup, leveraging some features of systemd
- Restict services to user
User=vault
Group=vault
- Don't mess with /dev
PrivateDevices=yes
- Private tmp
PrivateTmp=yes
- Read only file system /usr /var /etc
ProtectSystem=full
- Home read only
ProtectHome=read-only
Contributions are very welcome! Check out the Contribution Guidelines for instructions.
This Module follows the principles of Semantic Versioning. You can find each new release, along with the changelog, in the Releases Page.
During initial development, the major version will be 0 (e.g., 0.x.y), which indicates the code does not yet have a
stable API. Once we hit 1.0.0, we will make every effort to maintain a backwards compatible API and use the MAJOR,
MINOR, and PATCH versions on each release to indicate any incompatibilities.
MIT