├── tls
    └── .keep
├── .github
    ├── reaction.yml
    ├── lock.yml
    ├── ISSUE_TEMPLATE
    │   ├── question.md
    │   ├── bug_report.md
    │   └── feature_request.md
    └── stale.yml
├── .gitignore
├── terraform
    ├── versions.tf
    ├── tls.tf
    ├── variables.tf
    ├── k8s.tf
    └── gcp.tf
├── CHANGELOG.md
├── README.md
└── LICENSE


/tls/.keep:
--------------------------------------------------------------------------------
1 | 


--------------------------------------------------------------------------------
/.github/reaction.yml:
--------------------------------------------------------------------------------
1 | reactionComment: false
2 | 


--------------------------------------------------------------------------------
/.github/lock.yml:
--------------------------------------------------------------------------------
1 | daysUntilLock: 90
2 | lockLabel: false
3 | lockComment: false
4 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | terraform/.terraform*
2 | terraform/credentials.json
3 | terraform/terraform.tfvars
4 | terraform/terraform.tfstate*
5 | tls/*
6 | 


--------------------------------------------------------------------------------
/terraform/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 |   required_version = ">= 0.12"
3 | 
4 |   required_providers {
5 |     google = "~> 3.0"
6 |   }
7 | }
8 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/question.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Question
 3 | about: Ask a question.
 4 | 
 5 | ---
 6 | 
 7 | **Question**
 8 | What is your question?
 9 | 
10 | **Considerations**
11 | Are there any other considerations?
12 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/bug_report.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Bug report
 3 | about: Report issues like errors or failed executions.
 4 | 
 5 | ---
 6 | 
 7 | **What did you expect to happen?**
 8 | Describe what you expected to happen here.
 9 | 
10 | **What actually happened?**
11 | Describe what actually happened here.
12 | 
13 | **Output**
14 | ```text
15 | What is the output?
16 | ```
17 | 
18 | **Additional context**
19 | Add any other context about the problem here.
20 | 


--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/feature_request.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | name: Feature request
 3 | about: Suggest an improvement.
 4 | 
 5 | ---
 6 | 
 7 | **Describe the feature you'd like**
 8 | A clear and concise description of what you want to happen.
 9 | 
10 | **Describe alternatives you've considered**
11 | A clear and concise description of any alternative solutions or features you've considered.
12 | 
13 | **Additional context**
14 | Add any other context or screenshots about the feature request here.
15 | 


--------------------------------------------------------------------------------
/.github/stale.yml:
--------------------------------------------------------------------------------
 1 | daysUntilStale: 14
 2 | daysUntilClose: 14
 3 | exemptMilestones: true
 4 | staleLabel: waiting-reply
 5 | 
 6 | exemptLabels:
 7 | - thinking
 8 | 
 9 | markComment: >
10 |   Hi there! This has been automatically marked as stale because it has not
11 |   had activity in the past 14 days. It will be closed in 14 days if no
12 |   further activity takes place.
13 | 
14 | closeComment: >
15 |   Hi there! This has been closed due to lack of activity. Please comment
16 |   if you would like it re-opened.
17 |   
18 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | # Changelog
 2 | 
 3 | All notable changes to this project will be documented in this file.
 4 | 
 5 | ## [0.2.0] - 2019-08-01
 6 | ### Breaking
 7 | - These configurations now require Terraform 0.12+
 8 | - Deploy Vault 1.2.0 by default
 9 | - Some variable types have changed to be 0.12 compatible
10 | 
11 | ### Added
12 | - More documentation on securing Terraform state
13 | 
14 | ### Changed
15 | - Stop writing Vault TLS private key to disk
16 | - Reduce required KMS key permissions now that hashicorp/vault#5999 has been out for awhile
17 | 
18 | ## [0.1.2] - 2019-02-19
19 | ### Added
20 | - Include CA cert in configmap
21 | 
22 | ### Changed
23 | - Choose google vs google-beta provider
24 | 
25 | ## [0.1.1] - 2019-01-12
26 | 
27 | ### Added
28 | - New networking configuration options
29 | 
30 | ### Changed
31 | - Use private clusters
32 | 
33 | 
34 | ## [0.1.0] - 2019-01-07
35 | 
36 | ### Added
37 | - Preserve client IP addresses in audit logs
38 | - Configurable number of recovery shares and threshold
39 | - Listen on localhost in the container
40 | - Reduce required KMS IAM permissions
41 | 
42 | 
43 | ## [0.0.1] - 2018-4-27
44 | 
45 | ### Added
46 | - Initial release
47 | 


--------------------------------------------------------------------------------
/terraform/tls.tf:
--------------------------------------------------------------------------------
 1 | # Generate self-signed TLS certificates. Unlike @kelseyhightower's original
 2 | # demo, this does not use cfssl and uses Terraform's internals instead.
 3 | resource "tls_private_key" "vault-ca" {
 4 |   algorithm = "RSA"
 5 |   rsa_bits  = "2048"
 6 | }
 7 | 
 8 | resource "tls_self_signed_cert" "vault-ca" {
 9 |   key_algorithm   = tls_private_key.vault-ca.algorithm
10 |   private_key_pem = tls_private_key.vault-ca.private_key_pem
11 | 
12 |   subject {
13 |     common_name  = "vault-ca.local"
14 |     organization = "HashiCorp Vault"
15 |   }
16 | 
17 |   validity_period_hours = 8760
18 |   is_ca_certificate     = true
19 | 
20 |   allowed_uses = [
21 |     "cert_signing",
22 |     "digital_signature",
23 |     "key_encipherment",
24 |   ]
25 | 
26 |   provisioner "local-exec" {
27 |     command = "echo '${self.cert_pem}' > ../tls/ca.pem && chmod 0600 ../tls/ca.pem"
28 |   }
29 | }
30 | 
31 | # Create the Vault server certificates
32 | resource "tls_private_key" "vault" {
33 |   algorithm = "RSA"
34 |   rsa_bits  = "2048"
35 | }
36 | 
37 | # Create the request to sign the cert with our CA
38 | resource "tls_cert_request" "vault" {
39 |   key_algorithm   = tls_private_key.vault.algorithm
40 |   private_key_pem = tls_private_key.vault.private_key_pem
41 | 
42 |   dns_names = [
43 |     "vault",
44 |     "vault.local",
45 |     "vault.default.svc.cluster.local",
46 |   ]
47 | 
48 |   ip_addresses = [
49 |     google_compute_address.vault.address,
50 |   ]
51 | 
52 |   subject {
53 |     common_name  = "vault.local"
54 |     organization = "HashiCorp Vault"
55 |   }
56 | }
57 | 
58 | # Now sign the cert
59 | resource "tls_locally_signed_cert" "vault" {
60 |   cert_request_pem = tls_cert_request.vault.cert_request_pem
61 | 
62 |   ca_key_algorithm   = tls_private_key.vault-ca.algorithm
63 |   ca_private_key_pem = tls_private_key.vault-ca.private_key_pem
64 |   ca_cert_pem        = tls_self_signed_cert.vault-ca.cert_pem
65 | 
66 |   validity_period_hours = 8760
67 | 
68 |   allowed_uses = [
69 |     "cert_signing",
70 |     "client_auth",
71 |     "digital_signature",
72 |     "key_encipherment",
73 |     "server_auth",
74 |   ]
75 | 
76 |   provisioner "local-exec" {
77 |     command = "echo '${self.cert_pem}' > ../tls/vault.pem && echo '${tls_self_signed_cert.vault-ca.cert_pem}' >> ../tls/vault.pem && chmod 0600 ../tls/vault.pem"
78 |   }
79 | }
80 | 
81 | 


--------------------------------------------------------------------------------
/terraform/variables.tf:
--------------------------------------------------------------------------------
  1 | terraform {
  2 |   required_version = ">= 0.12"
  3 | }
  4 | 
  5 | variable "region" {
  6 |   type        = string
  7 |   default     = "us-east4"
  8 |   description = "Region in which to create the cluster and run Vault."
  9 | }
 10 | 
 11 | variable "project" {
 12 |   type        = string
 13 |   default     = ""
 14 |   description = "Project ID where Terraform is authenticated to run to create additional projects. If provided, Terraform will create the GKE and Vault cluster inside this project. If not given, Terraform will generate a new project."
 15 | }
 16 | 
 17 | variable "project_prefix" {
 18 |   type        = string
 19 |   default     = "vault-"
 20 |   description = "String value to prefix the generated project ID with."
 21 | }
 22 | 
 23 | variable "billing_account" {
 24 |   type        = string
 25 |   description = "Billing account ID."
 26 | }
 27 | 
 28 | variable "org_id" {
 29 |   type        = string
 30 |   description = "Organization ID."
 31 | }
 32 | 
 33 | variable "kubernetes_instance_type" {
 34 |   type        = string
 35 |   default     = "n1-standard-2"
 36 |   description = "Instance type to use for the nodes."
 37 | }
 38 | 
 39 | variable "service_account_iam_roles" {
 40 |   type = list(string)
 41 |   default = [
 42 |     "roles/logging.logWriter",
 43 |     "roles/monitoring.metricWriter",
 44 |     "roles/monitoring.viewer",
 45 |   ]
 46 |   description = "List of IAM roles to assign to the service account."
 47 | }
 48 | 
 49 | variable "service_account_custom_iam_roles" {
 50 |   type        = list(string)
 51 |   default     = []
 52 |   description = "List of arbitrary additional IAM roles to attach to the service account on the Vault nodes."
 53 | }
 54 | 
 55 | variable "project_services" {
 56 |   type = list(string)
 57 |   default = [
 58 |     "cloudkms.googleapis.com",
 59 |     "cloudresourcemanager.googleapis.com",
 60 |     "container.googleapis.com",
 61 |     "compute.googleapis.com",
 62 |     "iam.googleapis.com",
 63 |     "logging.googleapis.com",
 64 |     "monitoring.googleapis.com",
 65 |   ]
 66 |   description = "List of services to enable on the project."
 67 | }
 68 | 
 69 | variable "storage_bucket_roles" {
 70 |   type = list(string)
 71 |   default = [
 72 |     "roles/storage.legacyBucketReader",
 73 |     "roles/storage.objectAdmin",
 74 |   ]
 75 |   description = "List of storage bucket roles."
 76 | }
 77 | 
 78 | #
 79 | # KMS options
 80 | # ------------------------------
 81 | 
 82 | variable "kms_key_ring_prefix" {
 83 |   type        = string
 84 |   default     = "vault-"
 85 |   description = "String value to prefix the generated key ring with."
 86 | }
 87 | 
 88 | variable "kms_key_ring" {
 89 |   type        = string
 90 |   default     = ""
 91 |   description = "String value to use for the name of the KMS key ring. This exists for backwards-compatability for users of the existing configurations. Please use kms_key_ring_prefix instead."
 92 | }
 93 | 
 94 | variable "kms_crypto_key" {
 95 |   type        = string
 96 |   default     = "vault-init"
 97 |   description = "String value to use for the name of the KMS crypto key."
 98 | }
 99 | 
100 | #
101 | # Kubernetes options
102 | # ------------------------------
103 | 
104 | variable "kubernetes_nodes_per_zone" {
105 |   type        = number
106 |   default     = 1
107 |   description = "Number of nodes to deploy in each zone of the Kubernetes cluster. For example, if there are 4 zones in the region and num_nodes_per_zone is 2, 8 total nodes will be created."
108 | }
109 | 
110 | variable "kubernetes_daily_maintenance_window" {
111 |   type        = string
112 |   default     = "06:00"
113 |   description = "Maintenance window for GKE."
114 | }
115 | 
116 | variable "kubernetes_logging_service" {
117 |   type        = string
118 |   default     = "logging.googleapis.com/kubernetes"
119 |   description = "Name of the logging service to use. By default this uses the new Stackdriver GKE beta."
120 | }
121 | 
122 | variable "kubernetes_monitoring_service" {
123 |   type        = string
124 |   default     = "monitoring.googleapis.com/kubernetes"
125 |   description = "Name of the monitoring service to use. By default this uses the new Stackdriver GKE beta."
126 | }
127 | 
128 | variable "kubernetes_network_ipv4_cidr" {
129 |   type        = string
130 |   default     = "10.0.96.0/22"
131 |   description = "IP CIDR block for the subnetwork. This must be at least /22 and cannot overlap with any other IP CIDR ranges."
132 | }
133 | 
134 | variable "kubernetes_pods_ipv4_cidr" {
135 |   type        = string
136 |   default     = "10.0.92.0/22"
137 |   description = "IP CIDR block for pods. This must be at least /22 and cannot overlap with any other IP CIDR ranges."
138 | }
139 | 
140 | variable "kubernetes_secrets_crypto_key" {
141 |   type        = string
142 |   default     = "kubernetes-secrets"
143 |   description = "Name of the KMS key to use for encrypting the Kubernetes database."
144 | }
145 | 
146 | variable "kubernetes_services_ipv4_cidr" {
147 |   type        = string
148 |   default     = "10.0.88.0/22"
149 |   description = "IP CIDR block for services. This must be at least /22 and cannot overlap with any other IP CIDR ranges."
150 | }
151 | 
152 | variable "kubernetes_masters_ipv4_cidr" {
153 |   type        = string
154 |   default     = "10.0.82.0/28"
155 |   description = "IP CIDR block for the Kubernetes master nodes. This must be exactly /28 and cannot overlap with any other IP CIDR ranges."
156 | }
157 | 
158 | variable "kubernetes_master_authorized_networks" {
159 |   type = list(object({
160 |     display_name = string
161 |     cidr_block   = string
162 |   }))
163 | 
164 |   default = [
165 |     {
166 |       display_name = "Anyone"
167 |       cidr_block   = "0.0.0.0/0"
168 |     },
169 |   ]
170 | 
171 |   description = "List of CIDR blocks to allow access to the Kubernetes master's API endpoint. This is specified as a slice of objects, where each object has a display_name and cidr_block attribute. The default behavior is to allow anyone (0.0.0.0/0) access to the endpoint. You should restrict access to external IPs that need to access the Kubernetes cluster."
172 | }
173 | 
174 | variable "kubernetes_release_channel" {
175 |   type    = string
176 |   default = "REGULAR"
177 | }
178 | 
179 | # This is an option used by the kubernetes provider, but is part of the Vault
180 | # security posture.
181 | variable "vault_source_ranges" {
182 |   type        = list(string)
183 |   default     = ["0.0.0.0/0"]
184 |   description = "List of addresses or CIDR blocks which are allowed to connect to the Vault IP address. The default behavior is to allow anyone (0.0.0.0/0) access. You should restrict access to external IPs that need to access the Vault cluster."
185 | }
186 | 
187 | #
188 | # Vault options
189 | # ------------------------------
190 | 
191 | variable "num_vault_pods" {
192 |   type        = number
193 |   default     = 3
194 |   description = "Number of Vault pods to run. Anti-affinity rules spread pods across available nodes. Please use an odd number for better availability."
195 | }
196 | 
197 | variable "vault_container" {
198 |   type        = string
199 |   default     = "vault:1.2.1"
200 |   description = "Name of the Vault container image to deploy. This can be specified like \"container:version\" or as a full container URL."
201 | }
202 | 
203 | variable "vault_init_container" {
204 |   type        = string
205 |   default     = "sethvargo/vault-init:1.0.0"
206 |   description = "Name of the Vault init container image to deploy. This can be specified like \"container:version\" or as a full container URL."
207 | }
208 | 
209 | variable "vault_recovery_shares" {
210 |   type        = string
211 |   default     = "1"
212 |   description = "Number of recovery keys to generate."
213 | }
214 | 
215 | variable "vault_recovery_threshold" {
216 |   type        = string
217 |   default     = "1"
218 |   description = "Number of recovery keys required for quorum. This must be less than or equal to \"vault_recovery_keys\"."
219 | }
220 | 


--------------------------------------------------------------------------------
/terraform/k8s.tf:
--------------------------------------------------------------------------------
  1 | # Query the client configuration for our current service account, which should
  2 | # have permission to talk to the GKE cluster since it created it.
  3 | data "google_client_config" "current" {}
  4 | 
  5 | # This file contains all the interactions with Kubernetes
  6 | provider "kubernetes" {
  7 |   host = google_container_cluster.vault.endpoint
  8 | 
  9 |   cluster_ca_certificate = base64decode(
 10 |     google_container_cluster.vault.master_auth[0].cluster_ca_certificate,
 11 |   )
 12 |   token = data.google_client_config.current.access_token
 13 | }
 14 | 
 15 | # Write the secret
 16 | resource "kubernetes_secret" "vault-tls" {
 17 |   metadata {
 18 |     name = "vault-tls"
 19 |   }
 20 | 
 21 |   data = {
 22 |     "vault.crt" = "${tls_locally_signed_cert.vault.cert_pem}\n${tls_self_signed_cert.vault-ca.cert_pem}"
 23 |     "vault.key" = tls_private_key.vault.private_key_pem
 24 |     "ca.crt"    = tls_self_signed_cert.vault-ca.cert_pem
 25 |   }
 26 | }
 27 | 
 28 | resource "kubernetes_service_account" "vault-server" {
 29 |   metadata {
 30 |     name = "vault-server"
 31 |   }
 32 | }
 33 | 
 34 | resource "kubernetes_role" "vault-server" {
 35 |   metadata {
 36 |     name = "vault-server"
 37 |   }
 38 | 
 39 |   rule {
 40 |     api_groups     = [""]
 41 |     resources      = ["pods"]
 42 |     resource_names = [for i in range(var.num_vault_pods) : "vault-${i}"]
 43 |     verbs          = ["get", "patch", "update"]
 44 |   }
 45 | }
 46 | 
 47 | resource "kubernetes_role_binding" "vault-server" {
 48 |   metadata {
 49 |     name = "vault-server"
 50 |   }
 51 | 
 52 |   role_ref {
 53 |     api_group = "rbac.authorization.k8s.io"
 54 |     kind      = "Role"
 55 |     name      = kubernetes_role.vault-server.metadata.0.name
 56 |   }
 57 | 
 58 |   subject {
 59 |     kind      = "ServiceAccount"
 60 |     name      = kubernetes_service_account.vault-server.metadata.0.name
 61 |     namespace = kubernetes_service_account.vault-server.metadata.0.namespace
 62 |   }
 63 | }
 64 | 
 65 | resource "kubernetes_service" "vault-lb" {
 66 |   metadata {
 67 |     name = "vault"
 68 |     labels = {
 69 |       app = "vault"
 70 |     }
 71 |   }
 72 | 
 73 |   spec {
 74 |     type                        = "LoadBalancer"
 75 |     load_balancer_ip            = google_compute_address.vault.address
 76 |     load_balancer_source_ranges = var.vault_source_ranges
 77 |     external_traffic_policy     = "Local"
 78 | 
 79 |     selector = {
 80 |       app          = "vault"
 81 |       vault-active = "true"
 82 |     }
 83 | 
 84 |     port {
 85 |       name        = "vault-port"
 86 |       port        = 443
 87 |       target_port = 8200
 88 |       protocol    = "TCP"
 89 |     }
 90 |   }
 91 | }
 92 | 
 93 | resource "kubernetes_stateful_set" "vault" {
 94 |   metadata {
 95 |     name = "vault"
 96 |     labels = {
 97 |       app = "vault"
 98 |     }
 99 |   }
100 | 
101 |   spec {
102 |     service_name = "vault"
103 |     replicas     = var.num_vault_pods
104 | 
105 |     selector {
106 |       match_labels = {
107 |         app = "vault"
108 |       }
109 |     }
110 | 
111 |     template {
112 |       metadata {
113 |         labels = {
114 |           app = "vault"
115 |         }
116 |       }
117 | 
118 |       spec {
119 |         service_account_name = kubernetes_service_account.vault-server.metadata.0.name
120 | 
121 |         termination_grace_period_seconds = 10
122 | 
123 |         affinity {
124 |           pod_anti_affinity {
125 |             preferred_during_scheduling_ignored_during_execution {
126 |               weight = 50
127 | 
128 |               pod_affinity_term {
129 |                 topology_key = "kubernetes.io/hostname"
130 | 
131 |                 label_selector {
132 |                   match_expressions {
133 |                     key      = "app"
134 |                     operator = "In"
135 |                     values   = ["vault"]
136 |                   }
137 |                 }
138 |               }
139 |             }
140 |           }
141 |         }
142 | 
143 |         container {
144 |           name              = "vault-init"
145 |           image             = var.vault_init_container
146 |           image_pull_policy = "IfNotPresent"
147 | 
148 |           resources {
149 |             requests = {
150 |               cpu    = "100m"
151 |               memory = "64Mi"
152 |             }
153 |           }
154 | 
155 |           env {
156 |             name  = "GCS_BUCKET_NAME"
157 |             value = google_storage_bucket.vault.name
158 |           }
159 | 
160 |           env {
161 |             name  = "KMS_KEY_ID"
162 |             value = google_kms_crypto_key.vault-init.self_link
163 |           }
164 | 
165 |           env {
166 |             name  = "VAULT_ADDR"
167 |             value = "http://127.0.0.1:8200"
168 |           }
169 | 
170 |           env {
171 |             name  = "VAULT_RECOVERY_SHARES"
172 |             value = var.vault_recovery_shares
173 |           }
174 | 
175 |           env {
176 |             name  = "VAULT_RECOVERY_THRESHOLD"
177 |             value = var.vault_recovery_threshold
178 |           }
179 |         }
180 | 
181 |         container {
182 |           name              = "vault"
183 |           image             = var.vault_container
184 |           image_pull_policy = "IfNotPresent"
185 | 
186 |           args = ["server"]
187 | 
188 |           security_context {
189 |             capabilities {
190 |               add = ["IPC_LOCK"]
191 |             }
192 |           }
193 | 
194 |           port {
195 |             name           = "vault-port"
196 |             container_port = 8200
197 |             protocol       = "TCP"
198 |           }
199 | 
200 |           port {
201 |             name           = "cluster-port"
202 |             container_port = 8201
203 |             protocol       = "TCP"
204 |           }
205 | 
206 |           resources {
207 |             requests = {
208 |               cpu    = "500m"
209 |               memory = "256Mi"
210 |             }
211 |           }
212 | 
213 |           volume_mount {
214 |             name       = "vault-tls"
215 |             mount_path = "/etc/vault/tls"
216 |           }
217 | 
218 |           env {
219 |             name  = "VAULT_ADDR"
220 |             value = "http://127.0.0.1:8200"
221 |           }
222 | 
223 |           env {
224 |             name = "POD_IP_ADDR"
225 |             value_from {
226 |               field_ref {
227 |                 field_path = "status.podIP"
228 |               }
229 |             }
230 |           }
231 | 
232 |           env {
233 |             name = "VAULT_K8S_POD_NAME"
234 |             value_from {
235 |               field_ref {
236 |                 api_version = "v1"
237 |                 field_path  = "metadata.name"
238 |               }
239 |             }
240 |           }
241 | 
242 |           env {
243 |             name = "VAULT_K8S_NAMESPACE"
244 |             value_from {
245 |               field_ref {
246 |                 api_version = "v1"
247 |                 field_path  = "metadata.namespace"
248 |               }
249 |             }
250 |           }
251 | 
252 |           env {
253 |             name  = "VAULT_LOCAL_CONFIG"
254 |             value = <<EOF
255 |               api_addr     = "https://${google_compute_address.vault.address}"
256 |               cluster_addr = "https://$(POD_IP_ADDR):8201"
257 | 
258 |               service_registration "kubernetes" {}
259 | 
260 |               log_level = "warn"
261 | 
262 |               ui = true
263 | 
264 |               seal "gcpckms" {
265 |                 project    = "${google_kms_key_ring.vault.project}"
266 |                 region     = "${google_kms_key_ring.vault.location}"
267 |                 key_ring   = "${google_kms_key_ring.vault.name}"
268 |                 crypto_key = "${google_kms_crypto_key.vault-init.name}"
269 |               }
270 | 
271 |               storage "gcs" {
272 |                 bucket     = "${google_storage_bucket.vault.name}"
273 |                 ha_enabled = "true"
274 |               }
275 | 
276 |               listener "tcp" {
277 |                 address     = "127.0.0.1:8200"
278 |                 tls_disable = "true"
279 |               }
280 | 
281 |               listener "tcp" {
282 |                 address       = "$(POD_IP_ADDR):8200"
283 |                 tls_cert_file = "/etc/vault/tls/vault.crt"
284 |                 tls_key_file  = "/etc/vault/tls/vault.key"
285 | 
286 |                 tls_disable_client_certs = true
287 |               }
288 |             EOF
289 |           }
290 | 
291 |           readiness_probe {
292 |             initial_delay_seconds = 5
293 |             period_seconds        = 5
294 | 
295 |             http_get {
296 |               path   = "/v1/sys/health?standbyok=true"
297 |               port   = 8200
298 |               scheme = "HTTPS"
299 |             }
300 |           }
301 |         }
302 | 
303 |         volume {
304 |           name = "vault-tls"
305 |           secret {
306 |             secret_name = "vault-tls"
307 |           }
308 |         }
309 |       }
310 |     }
311 |   }
312 | }
313 | 
314 | output "root_token_decrypt_command" {
315 |   value = "gsutil cat gs://${google_storage_bucket.vault.name}/root-token.enc | base64 --decode | gcloud kms decrypt --key ${google_kms_crypto_key.vault-init.self_link} --ciphertext-file - --plaintext-file -"
316 | }
317 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # HashiCorp Vault on GKE with Terraform
  2 | 
  3 | This tutorial walks through provisioning a highly-available [HashiCorp
  4 | Vault][vault] cluster on [Google Kubernetes Engine][gke] using [HashiCorp
  5 | Terraform][terraform] as the provisioning tool.
  6 | 
  7 | This tutorial is based on [Kelsey Hightower's Vault on Google Kubernetes
  8 | Engine][kelseys-tutorial], but focuses on codifying the steps in Terraform
  9 | instead of teaching you them individually. If you would like to know how to
 10 | provision HashiCorp Vault on Kuberenetes step-by-step (aka "the hard way"),
 11 | please follow Kelsey's repository instead.
 12 | 
 13 | **These configurations require Terraform 0.12+!** For support with Terraform
 14 | 0.11, please use the git tag v0.1.2 series.
 15 | 
 16 | 
 17 | ## Feature Highlights
 18 | 
 19 | - **Vault HA** - The Vault cluster is deployed in HA mode backed by [Google
 20 |   Cloud Storage][gcs]
 21 | 
 22 | - **Production Hardened** - Vault is deployed according to the [production
 23 |   hardening
 24 |   guide](https://www.vaultproject.io/guides/operations/production.html). Please
 25 |   see the [security section](#security) for more information.
 26 | 
 27 | - **Auto-Init and Unseal** - Vault is automatically initialized and unsealed
 28 |   at runtime. The unseal keys are encrypted with [Google Cloud KMS][kms] and
 29 |   stored in [Google Cloud Storage][gcs]
 30 | 
 31 | - **Full Isolation** - The Vault cluster is provisioned in its own Kubernetes
 32 |   cluster in a dedicated GCP project that is provisioned dynamically at
 33 |   runtime. Clients connect to Vault using **only** the load balancer and Vault
 34 |   is treated as a managed external service.
 35 | 
 36 | - **Audit Logging** - Audit logging to [Cloud Logging][cloud-logging] (formerly Stackdriver) can be optionally enabled
 37 |   with minimal additional configuration.
 38 | 
 39 | 
 40 | ## Tutorial
 41 | 
 42 | 1. Download and install [Terraform][terraform].
 43 | 
 44 | 1. Download, install, and configure the [Google Cloud SDK][sdk]. You will need
 45 |    to configure your default application credentials so Terraform can run. It
 46 |    will run against your default project, but all resources are created in the
 47 |    (new) project that it creates.
 48 | 
 49 | 1. Run Terraform:
 50 | 
 51 |     ```text
 52 |     $ cd terraform/
 53 |     $ terraform init
 54 |     $ terraform apply
 55 |     ```
 56 | 
 57 |     This operation will take some time as it:
 58 | 
 59 |     1. Creates a new project
 60 |     1. Enables the required services on that project
 61 |     1. Creates a bucket for storage
 62 |     1. Creates a KMS key for encryption
 63 |     1. Creates a service account with the most restrictive permissions to those resources
 64 |     1. Creates a GKE cluster with the configured service account attached
 65 |     1. Creates a public IP
 66 |     1. Generates a self-signed certificate authority (CA)
 67 |     1. Generates a certificate signed by that CA
 68 |     1. Configures Terraform to talk to Kubernetes
 69 |     1. Creates a Kubernetes secret with the TLS file contents
 70 |     1. Configures your local system to talk to the GKE cluster by getting the cluster credentials and kubernetes context
 71 |     1. Submits the StatefulSet and Service to the Kubernetes API
 72 | 
 73 | 
 74 | ## Interact with Vault
 75 | 
 76 | 1. Export environment variables:
 77 | 
 78 |     Vault reads these environment variables for communication. Set Vault's
 79 |     address, the CA to use for validation, and the initial root token.
 80 | 
 81 |     ```text
 82 |     # Make sure you're in the terraform/ directory
 83 |     # $ cd terraform/
 84 | 
 85 |     $ export VAULT_ADDR="https://$(terraform output address)"
 86 |     $ export VAULT_TOKEN="$(eval `terraform output root_token_decrypt_command`)"
 87 |     $ export VAULT_CAPATH="$(cd ../ && pwd)/tls/ca.pem"
 88 |     ```
 89 | 
 90 | 1. Run some commands:
 91 | 
 92 |     ```text
 93 |     $ vault secrets enable -path=secret -version=2 kv
 94 |     $ vault kv put secret/foo a=b
 95 |     ```
 96 | 
 97 | ## Audit Logging
 98 | 
 99 | Audit logging is not enabled in a default Vault installation. To enable audit
100 | logging to [Cloud Logging][cloud-logging] on Google Cloud, enable the `file` audit
101 | device on `stdout`:
102 | 
103 | ```text
104 | $ vault audit enable file file_path=stdout
105 | ```
106 | 
107 | That's it! Vault will now log all audit requests to Cloud Logging. Additionally,
108 | because the configuration uses an L4 load balancer, Vault does not need to
109 | parse `X-Forwarded-For` headers to extract the client IP, as requests are
110 | passed directly to the node.
111 | 
112 | ## Additional Permissions
113 | 
114 | You may wish to grant the Vault service account additional permissions. This
115 | service account is attached to the GKE nodes and will be the "default
116 | application credentials" for Vault.
117 | 
118 | To specify additional permissions, create a `terraform.tfvars` file with the
119 | following:
120 | 
121 | ```terraform
122 | service_account_custom_iam_roles = [
123 |   "roles/...",
124 | ]
125 | ```
126 | 
127 | ### GCP Auth Method
128 | 
129 | To use the [GCP auth method][vault-gcp-auth] with the default application
130 | credentials, the Vault server needs the following role:
131 | 
132 | ```text
133 | roles/iam.serviceAccountKeyAdmin
134 | ```
135 | 
136 | Alternatively you can create and upload a dedicated service account for the
137 | GCP auth method during configuration and restrict the node-level default
138 | application credentials.
139 | 
140 | ### GCP Secrets Engine
141 | 
142 | To use the [GCP secrets engine][vault-gcp-secrets] with the default
143 | application credentials, the Vault server needs the following roles:
144 | 
145 | ```text
146 | roles/iam.serviceAccountKeyAdmin
147 | roles/iam.serviceAccountAdmin
148 | ```
149 | 
150 | Additionally, Vault needs the superset of any permissions it will grant. For
151 | example, if you want Vault to generate GCP access tokens with access to
152 | compute, you must also grant Vault access to compute.
153 | 
154 | Alternatively you can create and upload a dedicated service account for the
155 | GCP auth method during configuration and restrict the node-level default
156 | application credentials.
157 | 
158 | 
159 | ## Cleaning Up
160 | 
161 | ```text
162 | $ terraform destroy
163 | ```
164 | 
165 | 
166 | ## Security
167 | 
168 | ### Root Token
169 | 
170 | This set of Terraform configurations is designed to make your life easy. It's
171 | a best-practices setup for Vault, but also aids in the retrieval of the initial
172 | root token.
173 | 
174 | As such, you should **use a Terraform state backend with encryption enabled,
175 | such as Cloud Storage**. To access the root token
176 | 
177 | ```text
178 | $ $(terraform output root_token_decrypt_command)
179 | ```
180 | 
181 | ### TLS Keys, Service Accounts, etc
182 | 
183 | Just like the Vault root token, additional information is stored in plaintext in
184 | the Terraform state. This is not a bug and is the fundamental design of
185 | Terraform. You are ultimately responsible for securing access to your Terraform
186 | state. As such, you should **use a Terraform state backend with encryption
187 | enabled, such as Cloud Storage**.
188 | 
189 | - Vault TLS keys - the Vault TLS keys, including the private key, are stored in
190 |   Terraform state. Terraform created the resources and thus maintains their
191 |   data.
192 | 
193 | - Service Account Key - Terraform generates a Google Cloud Service Account key
194 |   in order to download the initial root token from Cloud Storage. This service
195 |   account key is stored in the Terraform state.
196 | 
197 | - OAuth Access Token - In order to communicate with the Kubernetes cluster,
198 |   Terraform gets an OAuth2 access token. This access token is stored in the
199 |   Terraform state.
200 | 
201 | You may be seeing a theme, which is that the Terraform state includes a wealth
202 | of information. This is fundamentally part of Terraform's architecture, and you
203 | should **use a Terraform state backend with encryption enabled, such as Cloud
204 | Storage**.
205 | 
206 | ### Private Cluster
207 | 
208 | The Kubernetes cluster is a "private" cluster, meaning nodes do not have
209 | publicly exposed IP addresses, and pods are only publicly accessible if exposed
210 | through a load balancer service. Additionally, only authorized IP CIDR blocks
211 | are able to communicate with the Kubernetes master nodes.
212 | 
213 | The default allowed CIDR is `0.0.0.0/0 (anyone)`. **You should restrict this
214 | CIDR to the IP address(es) which will access the nodes!**.
215 | 
216 | 
217 | ## FAQ
218 | 
219 | **Q: How is this different than [kelseyhightower/vault-on-google-kubernetes-engine][kelseys-tutorial]?**
220 | <br>
221 | Kelsey's tutorial walks through the manual steps of provisioning a cluster,
222 | creating all the components, etc. This captures those steps as
223 | [Terraform](https://www.terraform.io) configurations, so it's a single command
224 | to provision the cluster, service account, ip address, etc. Instead of using
225 | cfssl, it uses the built-in Terraform functions.
226 | 
227 | **Q: Why are you using StatefulSets instead of Deployments?**
228 | <br>
229 | A: StatefulSets ensure that each pod is deployed in order. This is important for
230 | the initial bootstrapping process, otherwise there's a race for which Vault
231 | server initializes first with auto-init.
232 | 
233 | [gcs]: https://cloud.google.com/storage
234 | [gke]: https://cloud.google.com/kubernetes-engine
235 | [kms]: https://cloud.google.com/kms
236 | [sdk]: https://cloud.google.com/sdk
237 | [kelseys-tutorial]: https://github.com/kelseyhightower/vault-on-google-kubernetes-engine
238 | [cloud-logging]: https://cloud.google.com/logging
239 | [terraform]: https://www.terraform.io
240 | [vault]: https://www.vaultproject.io
241 | [vault-gcp-auth]: https://www.vaultproject.io/docs/auth/gcp.html
242 | [vault-gcp-secrets]: https://www.vaultproject.io/docs/secrets/gcp/index.html
243 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/terraform/gcp.tf:
--------------------------------------------------------------------------------
  1 | # This file contains all the interactions with Google Cloud
  2 | provider "google" {
  3 |   region  = var.region
  4 |   project = var.project
  5 | }
  6 | 
  7 | provider "google-beta" {
  8 |   region  = var.region
  9 |   project = var.project
 10 | }
 11 | 
 12 | # Generate a random id for the project - GCP projects must have globally
 13 | # unique names
 14 | resource "random_id" "project_random" {
 15 |   prefix      = var.project_prefix
 16 |   byte_length = "8"
 17 | }
 18 | 
 19 | # Create the project if one isn't specified
 20 | resource "google_project" "vault" {
 21 |   count           = var.project != "" ? 0 : 1
 22 |   name            = random_id.project_random.hex
 23 |   project_id      = random_id.project_random.hex
 24 |   org_id          = var.org_id
 25 |   billing_account = var.billing_account
 26 | }
 27 | 
 28 | # Or use an existing project, if defined
 29 | data "google_project" "vault" {
 30 |   project_id = var.project != "" ? var.project : google_project.vault[0].project_id
 31 | }
 32 | 
 33 | # Create the vault service account
 34 | resource "google_service_account" "vault-server" {
 35 |   account_id   = "vault-server"
 36 |   display_name = "Vault Server"
 37 |   project      = data.google_project.vault.project_id
 38 | }
 39 | 
 40 | # Add the service account to the project
 41 | resource "google_project_iam_member" "service-account" {
 42 |   count   = length(var.service_account_iam_roles)
 43 |   project = data.google_project.vault.project_id
 44 |   role    = element(var.service_account_iam_roles, count.index)
 45 |   member  = "serviceAccount:${google_service_account.vault-server.email}"
 46 | }
 47 | 
 48 | # Add user-specified roles
 49 | resource "google_project_iam_member" "service-account-custom" {
 50 |   count   = length(var.service_account_custom_iam_roles)
 51 |   project = data.google_project.vault.project_id
 52 |   role    = element(var.service_account_custom_iam_roles, count.index)
 53 |   member  = "serviceAccount:${google_service_account.vault-server.email}"
 54 | }
 55 | 
 56 | # Enable required services on the project
 57 | resource "google_project_service" "service" {
 58 |   count   = length(var.project_services)
 59 |   project = data.google_project.vault.project_id
 60 |   service = element(var.project_services, count.index)
 61 | 
 62 |   # Do not disable the service on destroy. On destroy, we are going to
 63 |   # destroy the project, but we need the APIs available to destroy the
 64 |   # underlying resources.
 65 |   disable_on_destroy = false
 66 | }
 67 | 
 68 | # Create the storage bucket
 69 | resource "google_storage_bucket" "vault" {
 70 |   name          = "${data.google_project.vault.project_id}-vault-storage"
 71 |   project       = data.google_project.vault.project_id
 72 |   force_destroy = true
 73 |   storage_class = "MULTI_REGIONAL"
 74 | 
 75 |   uniform_bucket_level_access = true
 76 | 
 77 |   versioning {
 78 |     enabled = true
 79 |   }
 80 | 
 81 |   lifecycle_rule {
 82 |     action {
 83 |       type = "Delete"
 84 |     }
 85 | 
 86 |     condition {
 87 |       num_newer_versions = 1
 88 |     }
 89 |   }
 90 | 
 91 |   depends_on = [google_project_service.service]
 92 | }
 93 | 
 94 | # Grant service account access to the storage bucket
 95 | resource "google_storage_bucket_iam_member" "vault-server" {
 96 |   count  = length(var.storage_bucket_roles)
 97 |   bucket = google_storage_bucket.vault.name
 98 |   role   = element(var.storage_bucket_roles, count.index)
 99 |   member = "serviceAccount:${google_service_account.vault-server.email}"
100 | }
101 | 
102 | # Generate a random suffix for the KMS keyring. Like projects, key rings names
103 | # must be globally unique within the project. A key ring also cannot be
104 | # destroyed, so deleting and re-creating a key ring will fail.
105 | #
106 | # This uses a random_id to prevent that from happening.
107 | resource "random_id" "kms_random" {
108 |   prefix      = var.kms_key_ring_prefix
109 |   byte_length = "8"
110 | }
111 | 
112 | # Obtain the key ring ID or use a randomly generated on.
113 | locals {
114 |   kms_key_ring = var.kms_key_ring != "" ? var.kms_key_ring : random_id.kms_random.hex
115 | }
116 | 
117 | # Create the KMS key ring
118 | resource "google_kms_key_ring" "vault" {
119 |   name     = local.kms_key_ring
120 |   location = var.region
121 |   project  = data.google_project.vault.project_id
122 | 
123 |   depends_on = [google_project_service.service]
124 | }
125 | 
126 | # Create the crypto key for encrypting init keys
127 | resource "google_kms_crypto_key" "vault-init" {
128 |   name            = var.kms_crypto_key
129 |   key_ring        = google_kms_key_ring.vault.id
130 |   rotation_period = "604800s"
131 | }
132 | 
133 | # Grant service account access to the key
134 | resource "google_kms_crypto_key_iam_member" "vault-init" {
135 |   crypto_key_id = google_kms_crypto_key.vault-init.id
136 |   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
137 |   member        = "serviceAccount:${google_service_account.vault-server.email}"
138 | }
139 | 
140 | # Create the crypto key for encrypting Kubernetes secrets
141 | resource "google_kms_crypto_key" "kubernetes-secrets" {
142 |   name            = var.kubernetes_secrets_crypto_key
143 |   key_ring        = google_kms_key_ring.vault.id
144 |   rotation_period = "604800s"
145 | }
146 | 
147 | # Grant GKE access to the key
148 | resource "google_kms_crypto_key_iam_member" "kubernetes-secrets-gke" {
149 |   crypto_key_id = google_kms_crypto_key.kubernetes-secrets.id
150 |   role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
151 |   member        = "serviceAccount:service-${data.google_project.vault.number}@container-engine-robot.iam.gserviceaccount.com"
152 | }
153 | 
154 | # Create an external NAT IP
155 | resource "google_compute_address" "vault-nat" {
156 |   count   = 2
157 |   name    = "vault-nat-external-${count.index}"
158 |   project = data.google_project.vault.project_id
159 |   region  = var.region
160 | 
161 |   depends_on = [google_project_service.service]
162 | }
163 | 
164 | # Create a network for GKE
165 | resource "google_compute_network" "vault-network" {
166 |   name                    = "vault-network"
167 |   project                 = data.google_project.vault.project_id
168 |   auto_create_subnetworks = false
169 | 
170 |   depends_on = [google_project_service.service]
171 | }
172 | 
173 | # Create subnets
174 | resource "google_compute_subnetwork" "vault-subnetwork" {
175 |   name          = "vault-subnetwork"
176 |   project       = data.google_project.vault.project_id
177 |   network       = google_compute_network.vault-network.self_link
178 |   region        = var.region
179 |   ip_cidr_range = var.kubernetes_network_ipv4_cidr
180 | 
181 |   private_ip_google_access = true
182 | 
183 |   secondary_ip_range {
184 |     range_name    = "vault-pods"
185 |     ip_cidr_range = var.kubernetes_pods_ipv4_cidr
186 |   }
187 | 
188 |   secondary_ip_range {
189 |     range_name    = "vault-svcs"
190 |     ip_cidr_range = var.kubernetes_services_ipv4_cidr
191 |   }
192 | }
193 | 
194 | # Create a NAT router so the nodes can reach DockerHub, etc
195 | resource "google_compute_router" "vault-router" {
196 |   name    = "vault-router"
197 |   project = data.google_project.vault.project_id
198 |   region  = var.region
199 |   network = google_compute_network.vault-network.self_link
200 | 
201 |   bgp {
202 |     asn = 64514
203 |   }
204 | }
205 | 
206 | resource "google_compute_router_nat" "vault-nat" {
207 |   name    = "vault-nat-1"
208 |   project = data.google_project.vault.project_id
209 |   router  = google_compute_router.vault-router.name
210 |   region  = var.region
211 | 
212 |   nat_ip_allocate_option = "MANUAL_ONLY"
213 |   nat_ips                = google_compute_address.vault-nat.*.self_link
214 | 
215 |   source_subnetwork_ip_ranges_to_nat = "LIST_OF_SUBNETWORKS"
216 | 
217 |   subnetwork {
218 |     name                    = google_compute_subnetwork.vault-subnetwork.self_link
219 |     source_ip_ranges_to_nat = ["PRIMARY_IP_RANGE", "LIST_OF_SECONDARY_IP_RANGES"]
220 | 
221 |     secondary_ip_range_names = [
222 |       google_compute_subnetwork.vault-subnetwork.secondary_ip_range[0].range_name,
223 |       google_compute_subnetwork.vault-subnetwork.secondary_ip_range[1].range_name,
224 |     ]
225 |   }
226 | }
227 | 
228 | # Create the GKE cluster
229 | resource "google_container_cluster" "vault" {
230 |   provider = google-beta
231 | 
232 |   name     = "vault"
233 |   project  = data.google_project.vault.project_id
234 |   location = var.region
235 | 
236 |   network    = google_compute_network.vault-network.self_link
237 |   subnetwork = google_compute_subnetwork.vault-subnetwork.self_link
238 | 
239 |   initial_node_count = var.kubernetes_nodes_per_zone
240 | 
241 |   release_channel {
242 |     channel = var.kubernetes_release_channel
243 |   }
244 | 
245 |   logging_service    = var.kubernetes_logging_service
246 |   monitoring_service = var.kubernetes_monitoring_service
247 | 
248 |   # Disable legacy ACLs. The default is false, but explicitly marking it false
249 |   # here as well.
250 |   enable_legacy_abac = false
251 | 
252 |   database_encryption {
253 |     state    = "ENCRYPTED"
254 |     key_name = google_kms_crypto_key.kubernetes-secrets.self_link
255 |   }
256 | 
257 |   node_config {
258 |     machine_type    = var.kubernetes_instance_type
259 |     service_account = google_service_account.vault-server.email
260 | 
261 |     oauth_scopes = [
262 |       "https://www.googleapis.com/auth/cloud-platform",
263 |     ]
264 | 
265 |     # Set metadata on the VM to supply more entropy
266 |     metadata = {
267 |       google-compute-enable-virtio-rng = "true"
268 |       disable-legacy-endpoints         = "true"
269 |     }
270 | 
271 |     labels = {
272 |       service = "vault"
273 |     }
274 | 
275 |     tags = ["vault"]
276 | 
277 |     # Protect node metadata
278 |     workload_metadata_config {
279 |       node_metadata = "SECURE"
280 |     }
281 |   }
282 | 
283 |   # Configure various addons
284 |   addons_config {
285 |     # Enable network policy configurations (like Calico).
286 |     network_policy_config {
287 |       disabled = false
288 |     }
289 |   }
290 | 
291 |   # Disable basic authentication and cert-based authentication.
292 |   master_auth {
293 |     username = ""
294 |     password = ""
295 | 
296 |     client_certificate_config {
297 |       issue_client_certificate = false
298 |     }
299 |   }
300 | 
301 |   # Enable network policy configurations (like Calico) - for some reason this
302 |   # has to be in here twice.
303 |   network_policy {
304 |     enabled = true
305 |   }
306 | 
307 |   # Set the maintenance window.
308 |   maintenance_policy {
309 |     daily_maintenance_window {
310 |       start_time = var.kubernetes_daily_maintenance_window
311 |     }
312 |   }
313 | 
314 |   # Allocate IPs in our subnetwork
315 |   ip_allocation_policy {
316 |     cluster_secondary_range_name  = google_compute_subnetwork.vault-subnetwork.secondary_ip_range[0].range_name
317 |     services_secondary_range_name = google_compute_subnetwork.vault-subnetwork.secondary_ip_range[1].range_name
318 |   }
319 | 
320 |   # Specify the list of CIDRs which can access the master's API
321 |   master_authorized_networks_config {
322 |     dynamic "cidr_blocks" {
323 |       for_each = var.kubernetes_master_authorized_networks
324 |       content {
325 |         cidr_block   = cidr_blocks.value.cidr_block
326 |         display_name = cidr_blocks.value.display_name
327 |       }
328 |     }
329 |   }
330 | 
331 |   # Configure the cluster to be private (not have public facing IPs)
332 |   private_cluster_config {
333 |     # This field is misleading. This prevents access to the master API from
334 |     # any external IP. While that might represent the most secure
335 |     # configuration, it is not ideal for most setups. As such, we disable the
336 |     # private endpoint (allow the public endpoint) and restrict which CIDRs
337 |     # can talk to that endpoint.
338 |     enable_private_endpoint = false
339 | 
340 |     enable_private_nodes   = true
341 |     master_ipv4_cidr_block = var.kubernetes_masters_ipv4_cidr
342 |   }
343 | 
344 |   depends_on = [
345 |     google_project_service.service,
346 |     google_kms_crypto_key_iam_member.vault-init,
347 |     google_kms_crypto_key_iam_member.kubernetes-secrets-gke,
348 |     google_storage_bucket_iam_member.vault-server,
349 |     google_project_iam_member.service-account,
350 |     google_project_iam_member.service-account-custom,
351 |     google_compute_router_nat.vault-nat,
352 |   ]
353 | }
354 | 
355 | # Provision IP
356 | resource "google_compute_address" "vault" {
357 |   name    = "vault-lb"
358 |   region  = var.region
359 |   project = data.google_project.vault.project_id
360 | 
361 |   depends_on = [google_project_service.service]
362 | }
363 | 
364 | output "address" {
365 |   value = google_compute_address.vault.address
366 | }
367 | 
368 | output "project" {
369 |   value = data.google_project.vault.project_id
370 | }
371 | 
372 | output "region" {
373 |   value = var.region
374 | }
375 | 


--------------------------------------------------------------------------------