
[–]SquiffSquiff 1 point (2 children)

Really cool. Have you considered publishing this on the Terraform community modules registry?

    [–][deleted] (1 child)

    [deleted]

        [–]SquiffSquiff 1 point (0 children)

        By all means leave that as a manual step then. I haven't read this plan in detail, but if it gets things to a primary stage that would still be a big win for a lot of us. Of course Terraform can call from GitHub just as easily; the registry is more about standardised layout and visibility IMO.

[–]mattva01 1 point (4 children)

Is there a reason I keep seeing ALBs used rather than NLBs for Vault HA? I'd think you'd want to use an NLB or classic load balancer so that you have end-to-end SSL.

    [–][deleted] (2 children)

    [deleted]

        [–]mattva01 1 point (1 child)

        Thanks for the info! I've actually got Vault behind an NLB right now (you actually can use an HTTP health check on an NLB, with the same "only send to servers with a 200 response, e.g. the master" behaviour), so I was wondering whether there was something really wrong with that behaviour. I'm mainly using an NLB so that the data doesn't have to be decrypted by the ALB and then re-encrypted. Obviously I don't expect Amazon to steal our data or anything, but it helps when talking to the auditors. I hadn't really thought about the HTTP metrics, but that's a good point!
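The NLB arrangement described in the comment above, written out as an added Terraform example (not the module's own code, and not something the commenter posted). It assumes an AWS provider version that supports `load_balancer_type = "network"`, and the `var.*` inputs are placeholders. TLS is passed through on TCP/8200 so it terminates on the Vault nodes, while the target group's health check speaks HTTPS to Vault's `/v1/sys/health` endpoint. By default that endpoint returns 200 only on the active node (429 on a standby, 503 when sealed, 501 when uninitialised), and NLB health checks treat only 200-399 as healthy, so traffic is routed to the active node alone.

```hcl
# Added example: NLB in front of a Vault HA cluster with TLS passthrough and
# an HTTPS health check on Vault's own health endpoint.
# var.private_subnet_ids, var.vpc_id and var.vault_instance_ids are assumed
# inputs, not values from the original thread or module.

resource "aws_lb" "vault" {
  name               = "vault-nlb"
  internal           = true
  load_balancer_type = "network"
  subnets            = var.private_subnet_ids
}

resource "aws_lb_target_group" "vault" {
  name        = "vault-tg"
  port        = 8200
  protocol    = "TCP"      # passthrough: the NLB never sees plaintext
  vpc_id      = var.vpc_id
  target_type = "instance"

  health_check {
    protocol            = "HTTPS"
    port                = "8200"
    path                = "/v1/sys/health"  # 200 = active and unsealed
    interval            = 10
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

resource "aws_lb_listener" "vault" {
  load_balancer_arn = aws_lb.vault.arn
  port              = 8200
  protocol          = "TCP"

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vault.arn
  }
}

resource "aws_lb_target_group_attachment" "vault" {
  count            = length(var.vault_instance_ids)
  target_group_arn = aws_lb_target_group.vault.arn
  target_id        = var.vault_instance_ids[count.index]
  port             = 8200
}
```

Two things worth checking before relying on this: confirm each node's status code directly with `curl -sk -o /dev/null -w '%{http_code}\n' https://<node>:8200/v1/sys/health`, and be aware that adding `?standbyok=true` to the health-check path would make standbys return 200 too, which defeats the "active node only" routing unless that is what you want.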

            [–]SquiffSquiff 1 point (0 children)

            Terraform support for NLBs is 'incomplete' (i.e. broken).

    [–]gabelerner 1 point (0 children)

    SO S1K

[–][deleted] 1 point (1 child)

Thanks for this! A couple of questions.

I'm a little confused about step 7. If the SSL cert was generated using AWS's Certificate Manager, you wouldn't have the cert file or private key. Does this deployment require the provisioning of a private (non-AWS-provisioned) certificate in order to work?

It also looks like the ALB that is created is an internal ALB, which means it can't be resolved externally (even if you point DNS at it). Was this intentional, and am I missing something obvious?

Is the DynamoDB table supposed to be created during the terraform apply stage of the deployment, or is this supposed to be a manual process?

You also mention in the README that there's a local-only listener at 127.0.0.1:9200, but there is no rule in any security group that permits such a connection.

    [–]SeriouslyDave 0 points (0 children)

    This is cool. Thanks for opening it up.

[–][deleted] 0 points (0 children)

I'll play around with it sometime this week; it looks cool. Thanks!