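# Vault server from the official HashiCorp chart, HA with integrated Raft
# storage and AWS KMS auto-unseal. TLS is terminated at the Traefik ingress
# (cert-manager issues the certificate). NOTE(review): the chart's default
# leaves the Vault listener itself on plaintext inside the cluster — confirm
# that is acceptable here, or set global.tlsDisable=false with internal certs.
resource "helm_release" "vault" {
  name             = "vault"
  repository       = "https://helm.releases.hashicorp.com"
  chart            = "vault"
  namespace        = "vault"
  version          = "0.28.1"
  create_namespace = true
  # Block until the release is up so the init step that depends on this
  # resource finds vault-0 running.
  wait             = true

  set {
    name  = "server.ha.enabled"
    value = "true"
  }

  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }

  values = [
    <<-EOT
    server:
      ingress:
        enabled: true
        ingressClassName: traefik
        annotations:
          # Legacy equivalent of ingressClassName above; kept for older controllers.
          kubernetes.io/ingress.class: traefik
          cert-manager.io/cluster-issuer: letsencrypt
          # TLS entrypoint only. Listing "web" as well would route plaintext
          # HTTP to the Vault API/UI (or 404 it, depending on how Traefik
          # treats the TLS router) — neither is wanted for a service whose
          # clients send tokens in headers. Do HTTP->HTTPS redirection at the
          # Traefik entrypoint instead.
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
        hosts:
          # Quoted so an unusual hostname can never be re-typed by the YAML parser.
          - host: "${var.hostname}"
            paths: []
        tls:
          - secretName: tls-vault
            hosts:
              - "${var.hostname}"
      extraEnvironmentVars:
        VAULT_SEAL_TYPE: "awskms"
        AWS_REGION: "${var.aws_region}"
        VAULT_AWSKMS_SEAL_KEY_ID: "${var.aws_kms_key_id}"
      # Static IAM access keys for the KMS seal, read from the pre-created
      # Secret vault-aws-creds. Long-lived credentials in a Kubernetes Secret
      # are the weakest option: prefer IRSA or a node instance profile whose
      # policy is scoped to this single key (encrypt/decrypt/describe), and
      # rotate these keys if they must stay.
      extraSecretEnvironmentVars:
        - envName: AWS_ACCESS_KEY_ID
          secretName: vault-aws-creds
          secretKey: AWS_ACCESS_KEY_ID
        - envName: AWS_SECRET_ACCESS_KEY
          secretName: vault-aws-creds
          secretKey: AWS_SECRET_ACCESS_KEY
    EOT
  ]
}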
# One-shot initialisation of the Vault cluster, executed from a cluster node
# over SSH. The command's stdout (`result`) is the `vault operator init` JSON:
# with the awskms seal configured above this is expected to hold the recovery
# keys AND the initial root token. The provider keeps `result` in Terraform
# state in plaintext, so the state backend must be encrypted and tightly
# access-controlled, and the root token should be revoked once auth methods
# and policies are in place.
# NOTE(review): `vault operator init` is not idempotent — on a cluster that is
# already initialised the command should fail and the apply error out rather
# than re-initialise; consider running init out-of-band instead of from
# Terraform. The node is reached on its public IP; make sure SSH there is
# restricted (source IPs, key-only auth).
resource "ssh_resource" "vault_init" {
  # wait = true on the release means vault-0 exists by the time this runs.
  depends_on = [helm_release.vault]

  host        = var.node_public_ip
  user        = var.node_username
  private_key = var.ssh_private_key_pem

  commands = [
    "kubectl -n vault exec vault-0 -- vault operator init -format=json"
  ]
}
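# Persist the init output (recovery keys + initial root token) so the operator
# can pick it up after apply. This is highly sensitive material:
#   * it is already in Terraform state via ssh_resource.vault_init.result, so
#     the state backend must be encrypted and access-controlled;
#   * vault.secret must never be committed (gitignore it), should be moved to a
#     proper secret store and then deleted from disk;
#   * revoke the initial root token once real auth/policies are configured.
# local_file's default file_permission is 0777, which would leave the secrets
# world-readable — restricted explicitly below.
# NOTE(review): hashicorp/local >= 2.2 provides local_sensitive_file, which
# redacts the content in plan/apply output; switching changes the resource
# address, so plan for the replacement.
resource "local_file" "vault-keys" {
  # Referencing vault_init.result already orders this after the init step,
  # so no explicit depends_on is needed.
  filename        = "${path.root}/vault.secret"
  content         = ssh_resource.vault_init.result
  # Owner-only read/write.
  file_permission = "0600"
}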