-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
f87a269
commit 7105acd
Showing
2 changed files
with
69 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| # Terraform cluster configuration for HashiCorp Vault | ||
|
|
||
| This is a generic cluster configuration for HashiCorp Vault running inside a Docker Swarm environment. | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - [Terraform](https://www.terraform.io/downloads.html) | ||
|
|
||
| ## Usage | ||
|
|
||
| 1. Deploy Vault to Docker Swarm | ||
| 2. Initialize Vault | ||
| 3. Unseal Vault | ||
| 4. Enable authentication methods (optional, you can use `root` token) | ||
| 5. Apply terraform configuration | ||
|
|
||
| ### Apply the terraform configuration | ||
|
|
||
| ```bash | ||
| terraform init # Only required once | ||
| terraform apply | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| #------------------------------------------------------------------------------ | ||
| # The best practice is to use remote state file and encrypt it since your | ||
| # state files may contains sensitive data (secrets). | ||
| #------------------------------------------------------------------------------ | ||
| # terraform { | ||
| # backend "s3" { | ||
| # bucket = "remote-terraform-state-dev" | ||
| # encrypt = true | ||
| # key = "terraform.tfstate" | ||
| # region = "us-east-1" | ||
| # } | ||
| # } | ||
|
|
||
| # Use Vault provider | ||
| provider "vault" { | ||
| # It is strongly recommended to configure this provider through the | ||
| # environment variables: | ||
| # - VAULT_ADDR | ||
| # - VAULT_TOKEN | ||
| # - VAULT_CACERT | ||
| # - VAULT_CAPATH | ||
| # - etc. | ||
| } | ||
|
|
||
| # ============================================================================== | ||
| # Vault Cluster Configuration | ||
| # ============================================================================== | ||
|
|
||
| # Enable Audit devices to log all requests to stdout | ||
| # See https://developer.hashicorp.com/vault/docs/audit | ||
| resource "vault_audit" "stdout" { | ||
| type = "file" | ||
| options = { | ||
| file_path = "stdout" | ||
| } | ||
| } | ||
|
|
||
| # Raft Autopilot Configuration | ||
| # See https://developer.hashicorp.com/vault/docs/concepts/integrated-storage/autopilot | ||
| resource "vault_raft_autopilot" "autopilot" { | ||
| cleanup_dead_servers = true | ||
| dead_server_last_contact_threshold = "24h0m0s" | ||
| last_contact_threshold = "10s" | ||
| max_trailing_logs = 1000 | ||
| min_quorum = 3 | ||
| server_stabilization_time = "10s" | ||
| } |