Setting up HA Vault Cluster on GCP – Sushil Kumar – Medium



1. Prerequisites

Before we get started with the tutorial, we need to set up a few things on your system:

1. VS Code (or an IDE of your choice) to edit our Terraform scripts.
2. Packer and Terraform to run our code.
3. A GCP Service Account JSON key with the Owner role.
4. Set the environment variable GOOGLE_APPLICATION_CREDENTIALS to the full path where the JSON key is stored. This allows Packer and Terraform to authenticate with the GCP back-end.

2. VM image with Packer

We will first create a GCP VM image with Vault installed in it via Packer. This ensures that we don't have to install Vault on multiple VMs separately.

Packer is configured via a JSON file in which we define provisioners and builders. Since we are only creating an image for one back-end (namely GCP), we have only one builder configured. Next we configure our provisioners; in this case there is only one provisioner, of type shell.

The install_vault.sh script, as the name suggests, installs Vault. You can refer here for the full code listing. Now let's run our Packer script:

packer build vault.json

Packer builds the image by creating a VM and running our provisioners on that machine; it then creates the VM image from the VM's disk.

(Figure: Packer provisioning)

3. Infrastructure components with Terraform

We'll begin by creating a Service Account. We'll then create a bucket to be used as Vault's storage back-end.

Now let us create a Google KMS key ring and crypto key, and add permissions to our Service Account. After this, the Service Account has the following access:

- Bucket Owner (to read and write secrets and metadata to the GCS bucket)
- CryptoKeyEncrypterDecrypter (to encrypt and decrypt keys via KMS)

Now let us spawn the Compute Engine VMs for Vault. As you can notice, we create two kinds of VM: one primary VM and one or more secondary VMs (based on the num_instances value passed). The primary VM is responsible for executing vault init; the secondary VMs do not need to, since only one VM in the entire cluster needs to initialize. Once initialized, Vault automatically unseals using the KMS key. Here is the template for the vault.hcl config file. As you can see, we use gcs as the storage back-end and gcpkms as the auto-unseal method.
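The following is an added example, not the article's own module: it shows the Service Account, GCS bucket, KMS key ring and key, the two IAM grants listed above, and a vault.hcl rendered from those resources so that the gcs and gcpkms stanzas cannot drift from what Terraform created. The variable names, resource names, TLS paths and the roles/storage.objectAdmin mapping for "Bucket Owner" are assumptions.

```hcl
variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

# Dedicated identity for the Vault VMs. Its only grants are the two bindings
# below, so a compromised node cannot reach other resources in the project.
resource "google_service_account" "vault" {
  account_id   = "vault-server"
  display_name = "Vault server"
}

# Storage back-end. Versioning allows recovery from an accidental overwrite of
# Vault's (already encrypted) storage objects; uniform access avoids per-object ACLs.
resource "google_storage_bucket" "vault" {
  name                        = "${var.project_id}-vault-storage"
  location                    = var.region
  uniform_bucket_level_access = true

  versioning {
    enabled = true
  }
}

resource "google_kms_key_ring" "vault" {
  name     = "vault-keyring"
  location = var.region
}

# The auto-unseal key. Older key versions must stay enabled: Vault needs them to
# decrypt data wrapped before a rotation. prevent_destroy guards against a plan
# that would make every node unable to unseal.
resource "google_kms_crypto_key" "vault_unseal" {
  name            = "vault-unseal"
  key_ring        = google_kms_key_ring.vault.id
  rotation_period = "7776000s" # 90 days (assumed policy)

  lifecycle {
    prevent_destroy = true
  }
}

# Bucket-scoped grant rather than a project-wide storage role. The article calls
# this "Bucket Owner"; objectAdmin is the object read/write grant chosen here.
resource "google_storage_bucket_iam_member" "vault" {
  bucket = google_storage_bucket.vault.name
  role   = "roles/storage.objectAdmin"
  member = "serviceAccount:${google_service_account.vault.email}"
}

# Encrypt/decrypt on this one key only, not on the whole key ring or project.
resource "google_kms_crypto_key_iam_member" "vault_unseal" {
  crypto_key_id = google_kms_crypto_key.vault_unseal.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "serviceAccount:${google_service_account.vault.email}"
}

# vault.hcl for the instance startup script. Bucket and key names are taken from
# the resources above; the listener is TLS-only with assumed certificate paths.
# $${VAULT_IP} is left for the startup script to substitute with the VM's own IP.
locals {
  vault_config = <<-EOT
    ui = true

    storage "gcs" {
      bucket     = "${google_storage_bucket.vault.name}"
      ha_enabled = "true"
    }

    seal "gcpkms" {
      project    = "${var.project_id}"
      region     = "${var.region}"
      key_ring   = "${google_kms_key_ring.vault.name}"
      crypto_key = "${google_kms_crypto_key.vault_unseal.name}"
    }

    listener "tcp" {
      address       = "0.0.0.0:8200"
      tls_cert_file = "/etc/vault.d/tls/vault.crt"
      tls_key_file  = "/etc/vault.d/tls/vault.key"
    }

    api_addr     = "https://$${VAULT_IP}:8200"
    cluster_addr = "https://$${VAULT_IP}:8201"
  EOT
}
```

local.vault_config is meant to be passed to the VM's metadata_startup_script (or written out with templatefile), which is where the startup script decides whether this node runs vault init. The seal stanza carries no credentials key: on GCE, Vault picks up the attached service account through application default credentials, so no key file has to be placed on the VM.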

I've skipped the service definitions for brevity; you can take a look at the complete module here. Once the VMs are configured we need to create firewall rules to allow access to the UI from the internet. All these Terraform files are part of the vault module.
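An added example of the firewall rules just described (not the article's module code). It assumes the Vault VMs carry the network tag "vault" and a var.network VPC; the allowed source ranges for the UI are a variable so the internet-wide default can be narrowed to known office or VPN egress ranges without editing the rule, while the 8201 cluster port is never exposed beyond the Vault nodes themselves.

```hcl
variable "network" {
  type    = string
  default = "default"
}

# Who may reach the UI/API on 8200. The article opens this to the internet;
# override with your own CIDRs to reduce the exposed surface.
variable "ui_allowed_cidrs" {
  type    = list(string)
  default = ["0.0.0.0/0"]
}

resource "google_compute_firewall" "vault_api" {
  name    = "vault-allow-api"
  network = var.network

  allow {
    protocol = "tcp"
    ports    = ["8200"]
  }

  source_ranges = var.ui_allowed_cidrs
  target_tags   = ["vault"] # only instances tagged vault, not the whole network
}

# Cluster traffic (request forwarding between active and standby nodes) runs on
# 8201 and is only ever node-to-node, so the source is the same tag, not a range.
resource "google_compute_firewall" "vault_cluster" {
  name    = "vault-allow-cluster"
  network = var.network

  allow {
    protocol = "tcp"
    ports    = ["8201"]
  }

  source_tags = ["vault"]
  target_tags = ["vault"]
}
```

Setting ui_allowed_cidrs in terraform.tfvars (for example to a single corporate range) is the one change needed to close the UI to the public internet while keeping everything else in the module unchanged.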

We now need to create a main module that configures the Terraform providers and references this vault module. Note the credentials key: put the path of the service account JSON key (Prerequisite Step 3) here. The main module references the vault module.

Let's create a terraform.tfvars file to provide values for all the variables used. Notice that we are creating 2 instances.

In an HA setup, one of the nodes is active and the others are in standby mode. You can clone the entire repository from here. Now let us run our Terraform module:

terraform init
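Here is an added example of the root module and tfvars described above; it is not the article's repository code. The module path, variable names and the provider version constraint are assumptions. Beyond what the text shows, it pins the provider version and validates num_instances, so a value of 1 (a cluster with no standby) is rejected at plan time rather than discovered after the first node goes down.

```hcl
# main.tf

terraform {
  required_version = ">= 1.0"

  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "~> 4.0" # pin so an upgrade cannot silently change resource behaviour
    }
  }
}

provider "google" {
  credentials = file(var.credentials_file) # service account key from Prerequisite Step 3
  project     = var.project_id
  region      = var.region
}

variable "credentials_file" {
  type        = string
  description = "Path to the service account JSON key"
}

variable "project_id" {
  type = string
}

variable "region" {
  type    = string
  default = "us-central1"
}

# Total number of Vault nodes (one active, the rest standby).
variable "num_instances" {
  type    = number
  default = 2

  validation {
    condition     = var.num_instances >= 2
    error_message = "An HA cluster needs at least one standby node: set num_instances to 2 or more."
  }
}

module "vault" {
  source        = "./modules/vault" # assumed path to the vault module
  project_id    = var.project_id
  region        = var.region
  num_instances = var.num_instances
}

output "vault_service_account" {
  value = module.vault.service_account_email # assumed output of the vault module
}
```

The matching terraform.tfvars then holds only values, for example project_id, region, credentials_file and num_instances = 2. Because the key file path is read with file() at plan time, the key itself never appears in the state file; the path is still best kept out of version control by listing terraform.tfvars in .gitignore.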
