diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf
index 41229919..f318e45f 100644
--- a/examples/vault-cluster-private/main.tf
+++ b/examples/vault-cluster-private/main.tf
@@ -36,6 +36,7 @@ module "vault_cluster" {
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
 ssh_key_name = "${var.ssh_key_name}"
+ enable_EC2_IAM_Auth = "${var.enable_EC2_IAM_Auth}"
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -74,11 +75,11 @@ data "template_file" "user_data_vault_cluster" {
 module "security_group_rules" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = "${module.vault_cluster.security_group_id}"
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
-
+ allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 }
@@ -139,6 +140,10 @@ data "aws_vpc" "default" {
 data "aws_subnet_ids" "default" {
 vpc_id = "${data.aws_vpc.default.id}"
+
+ tags {
+ SubnetType = "private"
+ }
 }
-data "aws_region" "current" {}
\ No newline at end of file
+data "aws_region" "current" {}
diff --git a/examples/vault-cluster-private/variables.tf b/examples/vault-cluster-private/variables.tf
index 62fe815b..50e85683 100644
--- a/examples/vault-cluster-private/variables.tf
+++ b/examples/vault-cluster-private/variables.tf
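Review bot: The added module argument `enable_EC2_IAM_Auth = "${var.enable_EC2_IAM_Auth}"` does not match the input the module declares in this same commit, `create_aws_auth_backend_iam_policies` (modules/vault-cluster/variables.tf), and Terraform rejects arguments a module does not declare, so this example would fail to plan and the AWS auth policy would never be attached. Change the line to `create_aws_auth_backend_iam_policies = "${var.enable_EC2_IAM_Auth}"`, or better rename the example variable to the module's name so the two cannot drift again. The `module "vault_cluster"` block starts before this hunk.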
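Review bot: The `tags { SubnetType = "private" }` filter added to `data "aws_subnet_ids" "default"` hard-codes a tag key and value that a user's VPC may not carry, and when nothing matches the data source is likely to return no subnets and the plan to fail with no hint pointing at the tag. The root main.tf in this same commit reads the filter from `tags = "${var.subnet_tags}"`; exposing the same variable here, defaulting to the private tag, would keep the example configurable and document the requirement in one place. At minimum a comment above the block, `# Only subnets tagged SubnetType=private are used; adjust to match your VPC's tagging scheme`, would make the assumption visible.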
@@ -64,3 +64,8 @@ variable "vpc_id" {
 description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
 default = ""
 }
+
+variable "enable_EC2_IAM_Auth" {
+ description = "Configure IAM Instance Profile on Vault cluster members to permit the user to enable AWS Auth backend. Note that this does NOT actually enable the backend, but merely sets policies that will permit it to function as expected."
+ default = false
+}
diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf
index b5e9251b..7e0cfaea 100644
--- a/examples/vault-s3-backend/main.tf
+++ b/examples/vault-s3-backend/main.tf
@@ -79,11 +79,11 @@ data "template_file" "user_data_vault_cluster" {
 module "security_group_rules" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = "${module.vault_cluster.security_group_id}"
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
-
+ allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 }
@@ -146,4 +146,4 @@ data "aws_subnet_ids" "default" {
 vpc_id = "${data.aws_vpc.default.id}"
 }
-data "aws_region" "current" {}
\ No newline at end of file
+data "aws_region" "current" {}
diff --git a/examples/vault-s3-backend/outputs.tf b/examples/vault-s3-backend/outputs.tf
index e71de3a5..850bce74 100644
--- a/examples/vault-s3-backend/outputs.tf
+++ b/examples/vault-s3-backend/outputs.tf
@@ -84,4 +84,4 @@ output "consul_cluster_cluster_tag_value" {
 output "s3_bucket_arn" {
 value = "${module.vault_cluster.s3_bucket_arn}"
-}
\ No newline at end of file
+}
diff --git a/examples/vault-s3-backend/variables.tf b/examples/vault-s3-backend/variables.tf
index ecea70ed..2ed6b2b0 100644
--- a/examples/vault-s3-backend/variables.tf
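Review bot: The new example variable `enable_EC2_IAM_Auth` is mixed-case, unlike the lowercase snake_case used by its neighbour `vpc_id` and by the module input it feeds, `create_aws_auth_backend_iam_policies`; using the module's own name would avoid maintaining two identifiers for one switch. Its description also says an IAM Instance Profile is configured, whereas the module change in this commit attaches an inline `aws_iam_role_policy` to the existing instance role, so a description such as `description = "If set to true, attach the IAM policy required by Vault's AWS auth backend to the cluster's instance role. This does NOT enable the backend in Vault."` would describe what actually happens.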
+++ b/examples/vault-s3-backend/variables.tf
@@ -73,4 +73,4 @@ variable "s3_bucket_name" {
 variable "force_destroy_s3_bucket" {
 description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage (if configured). You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves."
 default = false
-}
\ No newline at end of file
+}
diff --git a/main.tf b/main.tf
index 245c57c6..851c62fa 100644
--- a/main.tf
+++ b/main.tf
@@ -117,11 +117,11 @@ data "template_file" "user_data_vault_cluster" {
 module "security_group_rules" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.3.3"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = "${module.vault_cluster.security_group_id}"
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
-
+ allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 }
@@ -223,4 +223,4 @@ data "aws_subnet_ids" "default" {
 tags = "${var.subnet_tags}"
 }
-data "aws_region" "current" {}
\ No newline at end of file
+data "aws_region" "current" {}
diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf
index 52e9d540..5bea4ad7 100644
--- a/modules/vault-cluster/main.tf
+++ b/modules/vault-cluster/main.tf
@@ -183,7 +183,7 @@ data "aws_iam_policy_document" "instance_role" {
 }
 resource "aws_s3_bucket" "vault_storage" {
- count = "${var.enable_s3_backend ? 1 : 0}"
+ count = "${var.enable_s3_backend}"
 bucket = "${var.s3_bucket_name}"
 force_destroy = "${var.force_destroy_s3_bucket}"
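Review bot: Replacing `count = "${var.enable_s3_backend ? 1 : 0}"` with `count = "${var.enable_s3_backend}"` on `aws_s3_bucket.vault_storage` makes the resource count depend on how the boolean input is coerced to a string; `count` must evaluate to a number, and a caller that passes `"true"`/`"false"` rather than a bare boolean is likely to fail to parse where the ternary accepted both forms. The same substitution is made on `aws_iam_role_policy.vault_s3` and `data.aws_iam_policy_document.vault_s3` in the next hunk, and the new `vault_aws_ec2_iam_auth` resources start out with the bare form on a variable whose default is `false`. Keeping the explicit `? 1 : 0` form, or documenting on the variable that only a true boolean is accepted, would be safer. The `resource "aws_s3_bucket" "vault_storage"` block continues past the hunk.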
@@ -194,14 +194,14 @@ resource "aws_s3_bucket" "vault_storage" {
 }
 resource "aws_iam_role_policy" "vault_s3" {
- count = "${var.enable_s3_backend ? 1 : 0}"
+ count = "${var.enable_s3_backend}"
 name = "vault_s3"
 role = "${aws_iam_role.instance_role.id}"
 policy = "${element(concat(data.aws_iam_policy_document.vault_s3.*.json, list("")), 0)}"
 }
 data "aws_iam_policy_document" "vault_s3" {
- count = "${var.enable_s3_backend ? 1 : 0}"
+ count = "${var.enable_s3_backend}"
 statement {
 effect = "Allow"
@@ -213,3 +213,30 @@ data "aws_iam_policy_document" "vault_s3" {
 ]
 }
 }
+
+resource "aws_iam_role_policy" "vault_aws_ec2_iam_auth" {
+ count = "${var.create_aws_auth_backend_iam_policies}"
+ name = "vault_aws_ec2_iam_auth"
+ role = "${aws_iam_role.instance_role.id}"
+ policy = "${element(concat(data.aws_iam_policy_document.vault_aws_ec2_iam_auth.*.json, list("")), 0)}"
+}
+
+# Source for IAM policies: https://www.vaultproject.io/docs/auth/aws.html#recommended-vault-iam-policy
+# TODO: Add Cross Account Access stanza, enumerating all roles with cross-account access
+
+data "aws_iam_policy_document" "vault_aws_ec2_iam_auth" {
+ count = "${var.create_aws_auth_backend_iam_policies}"
+
+ statement {
+ effect = "Allow"
+
+ actions = [
+ "ec2:DescribeInstances",
+ "iam:GetInstanceProfile",
+ "iam:GetUser",
+ "iam:GetRole",
+ ]
+
+ resources = ["*"]
+ }
+}
diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf
index 03039be7..27c2df9a 100644
--- a/modules/vault-cluster/variables.tf
+++ b/modules/vault-cluster/variables.tf
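Review bot: The new `data "aws_iam_policy_document" "vault_aws_ec2_iam_auth"` grants `ec2:DescribeInstances`, `iam:GetInstanceProfile`, `iam:GetUser` and `iam:GetRole` on `resources = ["*"]` with only a link to the Vault docs as justification, so someone auditing the instance role cannot tell from the hunk whether the account-wide scope is required or a shortcut. A comment on the `resources` line should state that `ec2:DescribeInstances` has no resource-level permissions and that the `iam:Get*` calls must resolve whichever role or user is presenting credentials to Vault, e.g. `# "*" is deliberate: DescribeInstances has no resource-level permissions, and Vault must look up the role/user of any caller it authenticates`. The TODO on the cross-account stanza would also be clearer if it named what that stanza adds, `sts:AssumeRole` on the enumerated cross-account roles, so the gap is explicit rather than implied.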
@@ -197,3 +197,8 @@ variable "force_destroy_s3_bucket" {
 description = "If 'configure_s3_backend' is enabled and you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage. You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves. Only used if 'enable_s3_backend' is set to true."
 default = false
 }
+
+variable "create_aws_auth_backend_iam_policies" {
+ description = "If set to true, create IAM policies required by the AWS Auth backend, and apply the policies via IAM Instance Profiles. Note that this does NOT actually enable the backend, but merely sets policies that will permit it to function as expected."
+ default = false
+}
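Review bot: The description of `create_aws_auth_backend_iam_policies` says the policies are applied "via IAM Instance Profiles", but the module change in this commit attaches them as an inline `aws_iam_role_policy` on `aws_iam_role.instance_role`; naming the real mechanism and the permissions granted tells an operator where to look when the auth backend is denied. Suggested wording: `description = "If set to true, attach the IAM policy that Vault's AWS auth backend needs (ec2:DescribeInstances, iam:GetInstanceProfile, iam:GetUser, iam:GetRole) to the cluster's instance role. This does NOT enable the backend in Vault; it only grants the permissions the backend needs."`.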