This module manages some AWS resources required by the Vault Enterprise accelerator module. This is not intended to be used in production.

The module can manage:

- A self-signed cert chain to use for Vault TLS configuration
  - WARNING: the private key will be stored in the Terraform state file. That's a big no-no for anything besides simple testing. You've been warned.
- A KMS key to be used for auto-unseal
- Two AWS Secrets Manager secrets for:
  - The TLS files generated above
  - The Vault Enterprise License
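An example root configuration calling this module, added here and not part of the module's own documentation. The `source` path, region, and backend bucket/table names are placeholders; the seal stanza is rendered as a local to show how the module's outputs map onto Vault's `seal "awskms"` configuration.

```hcl
# Added usage example, not from the module itself.
# Because the self-signed CA key ends up in state, keep state off local disk:
# an encrypted, access-controlled remote backend (names below are placeholders).
terraform {
  backend "s3" {
    bucket         = "PLACEHOLDER-tfstate-bucket"
    key            = "vault-accelerator/aws-resources.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "PLACEHOLDER-tfstate-lock"
  }
}

# Supply the license out-of-band (e.g. TF_VAR_vault_license) rather than committing it.
variable "vault_license" {
  type      = string
  sensitive = true
}

module "vault_aws_resources" {
  source = "./modules/vault-aws-resources" # placeholder path to this module

  application_prefix      = "vault-dev"
  vault_domain            = "vault.dev.example.com"
  vault_kms_deletion_days = 7 # short window: this is a test deployment
  vault_kms_key_rotate    = true
  vault_license           = var.vault_license
}

# The KMS key ID feeds Vault's auto-unseal stanza; rendered as a local so whatever
# provisions the Vault host can write it into the server's config file.
locals {
  vault_seal_stanza = <<-EOT
    seal "awskms" {
      region     = "us-east-1"
      kms_key_id = "${module.vault_aws_resources.unseal_aws_kms_id}"
    }
  EOT
}

# ARNs the Vault hosts' IAM role needs secretsmanager:GetSecretValue on
# (output names spelled as the module defines them).
output "vault_secret_arns" {
  value = [
    module.vault_aws_resources.vault_license_sercret_arn,
    module.vault_aws_resources.vault_tls_sercret_arn,
  ]
}
```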
## Requirements

No requirements.

## Providers

| Name | Version |
|------|---------|
| aws | 3.59.0 |
| tls | 3.1.0 |
## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| aws_kms_key.main | resource |
| aws_secretsmanager_secret.vault_license | resource |
| aws_secretsmanager_secret.vault_tls | resource |
| aws_secretsmanager_secret_version.vault_license | resource |
| aws_secretsmanager_secret_version.vault_tls | resource |
| tls_cert_request.vault_cert_request | resource |
| tls_locally_signed_cert.vault_certificate | resource |
| tls_private_key.ca | resource |
| tls_private_key.vault_private_key | resource |
| tls_self_signed_cert.ca | resource |
## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| application_prefix | The prefix to give to cloud entities | `string` | `"vault"` | no |
| vault_ca_bundle_secret | The CA bundle to store in AWS Secrets Manager. NOT IMPLEMENTED | `string` | `null` | no |
| vault_domain | The DNS domain name for the TLS certificate | `string` | `"example.com"` | no |
| vault_kms_deletion_days | Duration in days after which the key is deleted after destruction of the resource. | `number` | `30` | no |
| vault_kms_key_rotate | Specifies whether key rotation is enabled. | `bool` | `true` | no |
| vault_license | Vault license string | `string` | n/a | yes |
| vault_manage_tls_secrets | Manage the TLS secret in AWS Secrets Manager. NOT IMPLEMENTED | `string` | `false` | no |
| vault_private_key_secret | The signed certificate's private key to store in AWS Secrets Manager. NOT IMPLEMENTED | `string` | `null` | no |
| vault_signed_cert_secret | The signed certificate to store in AWS Secrets Manager. NOT IMPLEMENTED | `string` | `null` | no |
## Outputs

| Name | Description |
|------|-------------|
| unseal_aws_kms_arn | AWS KMS key ARN for Vault auto-unseal |
| unseal_aws_kms_id | AWS KMS key ID for Vault auto-unseal |
| vault_license_sercret_arn | AWS Secrets Manager ARN for the Vault Enterprise license string |
| vault_tls_sercret_arn | AWS Secrets Manager ARN for the Vault TLS CA, cert, and private key |