terraform: allow SG rule customization

Switches SG rules from nested to top-level resources and exports the
SG ids so that users of the module can define additional rules for their
Vault instances and/or the Vault ELB.

While this change should be backwards compatible, applying the new rules
might result in a very brief interruption of Vault service as:

 (1) Old nested-resource SG rules are cleared
 (2) New SG rules are applied one by one
This commit is contained in:
Paul Hinze
2015-05-19 14:47:44 -05:00
parent 787cc6ec51
commit e9f4d0f219
2 changed files with 63 additions and 39 deletions


@@ -42,27 +42,35 @@ resource "aws_security_group" "vault" {
name = "vault" name = "vault"
description = "Vault servers" description = "Vault servers"
vpc_id = "${var.vpc-id}" vpc_id = "${var.vpc-id}"
}
ingress { resource "aws_security_group_rule" "vault-ssh" {
security_group_id = "${aws_security_group.vault.id}"
type = "ingress"
from_port = 22 from_port = 22
to_port = 22 to_port = 22
protocol = "tcp" protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
ingress { // This rule allows Vault HTTP API access to individual nodes, since each will
// need to be addressed individually for unsealing.
resource "aws_security_group_rule" "vault-http-api" {
security_group_id = "${aws_security_group.vault.id}"
type = "ingress"
from_port = 8200 from_port = 8200
to_port = 8200 to_port = 8200
protocol = "tcp" protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
egress { resource "aws_security_group_rule" "vault-egress" {
security_group_id = "${aws_security_group.vault.id}"
type = "egress"
from_port = 0 from_port = 0
to_port = 0 to_port = 0
protocol = "-1" protocol = "-1"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
}
} }
// Launch the ELB that is serving Vault. This has proper health checks // Launch the ELB that is serving Vault. This has proper health checks
@@ -102,25 +110,31 @@ resource "aws_security_group" "elb" {
name = "vault-elb" name = "vault-elb"
description = "Vault ELB" description = "Vault ELB"
vpc_id = "${var.vpc-id}" vpc_id = "${var.vpc-id}"
}
ingress { resource "aws_security_group_rule" "vault-elb-http" {
security_group_id = "${aws_security_group.elb.id}"
type = "ingress"
from_port = 80 from_port = 80
to_port = 80 to_port = 80
protocol = "tcp" protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
ingress { resource "aws_security_group_rule" "vault-elb-https" {
security_group_id = "${aws_security_group.elb.id}"
type = "ingress"
from_port = 443 from_port = 443
to_port = 443 to_port = 443
protocol = "tcp" protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
} }
egress { resource "aws_security_group_rule" "vault-elb-egress" {
security_group_id = "${aws_security_group.elb.id}"
type = "egress"
from_port = 0 from_port = 0
to_port = 0 to_port = 0
protocol = "-1" protocol = "-1"
cidr_blocks = ["0.0.0.0/0"] cidr_blocks = ["0.0.0.0/0"]
}
} }
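Review bot: The relocated `vault-ssh` and `vault-http-api` rules still hard-code `cidr_blocks = ["0.0.0.0/0"]`, so port 22 and the Vault API on port 8200 on every instance stay reachable from any source address, and the newly exported SG id only lets module users add rules, not narrow these. Now that the rules are standalone resources this is the natural place to take the source ranges from module variables (constructed names, e.g. `cidr_blocks = ["${var.ssh-cidr}"]` and `cidr_blocks = ["${var.api-cidr}"]`, each defaulting to `0.0.0.0/0` so the change stays backward compatible), which lets an operator limit SSH to an admin range and the API to the VPC or the ELB. The `vault-elb-http` and `vault-elb-https` rules in the second hunk would take the same treatment if the ELB is not meant to be Internet-facing. The `vault-ssh` rule also deserves a comment like the one on `vault-http-api`, e.g. `// SSH to individual Vault nodes; consider narrowing the source range in production.` The `aws_security_group` headers for both groups sit above each hunk's first line.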


@@ -1,3 +1,13 @@
output "address" { output "address" {
value = "${aws_elb.vault.dns_name}" value = "${aws_elb.vault.dns_name}"
} }
// Can be used to add additional SG rules to Vault instances.
output "vault_security_group" {
value = "${aws_security_group.vault.id}"
}
// Can be used to add additional SG rules to the Vault ELB.
output "elb_security_group" {
value = "${aws_security_group.elb.id}"
}
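Review bot: The new outputs `vault_security_group` and `elb_security_group` use underscores while the rest of the module names things with hyphens (`var.vpc-id`, `vault-ssh`, `vault-elb-http`), and renaming an output after consumers start referencing it is a breaking change, so this is the moment to settle on one convention. The comments could also say what the hook does and does not allow, since exposing the id appears to let callers add rules but not alter the ones the module defines itself (SSH, API, egress), e.g. `// Can be used to add additional SG rules to Vault instances; the module's own rules are not changed through this.`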