vault kv put kv/my-$((1 + $RANDOM % 1042)) my-key=${randomness}

Should be 1024.

Taken from Production Hardening.

Tasks:

• End-to-End TLS
• Single Tenancy
• Firewall Traffic
• Disable SSH (RDP)
• Enable memory locking (mlock)
• Disable Swap
• Don't Run as root
• Turn core dumps off
• Immutable Upgrades
• Good Root Token management

Currently a �CA is copied to every node, every node signs its own certificate. This works, but is not the prettiest.

For example to install a monitoring agent.

Custom variables like region or some_key are required.

The variables are not consistent; some have vault_ in front, some have enabled_* or *_enabled. I propose a form that will result in a more predictable style:

• Starts with vault_*.
• If a list or map is used, use plural, ending in vault_*s.
• If a boolean is used, use vault_VERB_FEATURE, where VERB is something like create, use, or enable.
• If directly_ referring to an (AWS) service, use vault_aws_SERVICE. For example vault_aws_key_name
• When referring to a file, use vault_*)path.
• Use vault_*_id, vault_*_name, vault_*_seconds to indicate what is expected. (or _ids and _names for lists or maps.)

Give the above suggestion a good think before implementing.

A NAT gateway is required to download Vault.

Maybe something like this is simpler:

resource "aws_launch_configuration" "default" {
  iam_instance_profile = aws_iam_instance_profile.default.name
  image_id             = data.aws_ami.default.id
  instance_type        = local.instance_type
  key_name             = local.key_name
  name_prefix          = "${var.name}-"
  security_groups = [aws_security_group.private.id, aws_security_group.public.id]
  spot_price      = var.size == "development" ? var.spot_price : null
  user_data       = templatefile("${path.module}/user_data_vault.sh.tpl",
    {
      api_addr                       = local.api_addr
      default_lease_ttl              = var.default_lease_ttl
      instance_name                  = local.instance_name
      kms_key_id                     = local.aws_kms_key_id
      log_level                      = var.log_level
      max_lease_ttl                  = var.max_lease_ttl
      name                           = var.name
      prometheus_disable_hostname    = var.prometheus_disable_hostname
      prometheus_retention_time      = var.prometheus_retention_time
      random_string                  = random_string.default.result
      region                         = var.region
      telemetry                      = var.telemetry
      unauthenticated_metrics_access = var.telemetry_unauthenticated_metrics_access
      vault_ca_cert                  = file(var.vault_ca_cert)
      vault_ca_key                   = file(var.vault_ca_key)
      vault_path                     = var.vault_path
      vault_ui                       = var.vault_ui
      vault_version                  = var.vault_version
      vault_package                  = local.vault_package
      vault_license                  = try(var.vault_license, null)
      warmup                         = var.warmup
    }
  )
  root_block_device {
    encrypted   = true
    iops        = local.volume_iops
    volume_size = local.volume_size
    volume_type = local.volume_type
  }
  lifecycle {
    create_before_destroy = true
  }
}

Currently the bucket to store the cloud watch and log rotate script are not encrypted.

Encrypting them helps to improve overall security.

To reduce the size of this module, the bastion host could be replaced by the [terraform-aws-instance](https://registry.terraform.io/modules/robertdebock/instance/aws/latest) module.

Benefits:

• A specialised module for an instance.
• Less code in this module.

Drawbacks:

• An extra dependency.
• More complex to integrate two modules rather than one.

Before working on this issue, please analyse the value.

It would be nice to allow users to enable CloudWatch.

When enabled: (likely a variable: cloudwatch_enabled (bool))

• Install a package, configure and start cloud watch.
• (nice to have) Have Terraform create a Dashboard for Vault.
• (nice to have) Add alerting. (Interesting to look at memory usage)
• (nice to have) Send logs to AWS. (logs: journalctl and/or audit logs.)

They are now based on the ip address of a host, but should be set to the load balancer entry-point.

This value is difficult to calculate, as a DNS name may point to the load balancer address.

The vault rpm installed uses /opt/vault as the default installation path, this is the same as the default value for the terraform variable vault_data_path. Because of this the provisioning completes succesfully.

When using a non-default vault_data_path we also need a folder called data to be created in this location.
This was not a problem before as the RPM would create it. With a non-default vault_data_path we need to create it during provisioning.

My suggestion is to add the following code to the userdata script:

# Create and configure the Vault data folder when it is different from the default path created by the rpm.
if [ "${vault_data_path}" != "/opt/vault" ] ; then
  mkdir ${vault_data_path}/data
  chown vault:vault ${vault_data_path}/data
  chmod 755 ${vault_data_path}/data
fi

Vault commands take some 5 - 15 seconds to process. This eventually works, but is annoying.

Any vault command results in:

uname({sysname="Linux", nodename="ip-172-16-127-35.eu-west-1.compute.internal", ...}) = 0
epoll_pwait(4, [], 128, 0, NULL, 138566752) = 0
futex(0x4000094550, FUTEX_WAKE_PRIVATE, 1) = 1

NOTE: The nodename is set to ip-172-16-127-35.eu-west-1.compute.internal. That's not correct, should be the external address. (api_address).

From now on a loop starts: (Likely causing the delay.)

--- SIGURG {si_signo=SIGURG, si_code=SI_TKILL, si_pid=1797, si_uid=0} ---
rt_sigreturn({mask=[]})                 = 1

The api_addr is set correctly in /etc/vault.d/vault.hcl:

api_addr          = "https://dev.robertdebock.nl:8200"

Maybe the node_id causes this behaviour:

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "ip-172-16-127-35.eu-west-1.compute.internal"

A route 53 can refer to a elb. The module should output aws_elb.default.zone_id.

Currently the examples all use CloudFlare, Route53 would be more logical.

As described here: https://www.vaultproject.io/docs/commands#autocompletion

In the examples it would be nice to show how to add AWS Route53 records that do health checking.

When DR secondary nodes are refreshed, the DR primary loses connection to the secondary.

Tasks:

• Verify when the clusters disconnect. Could be that if the active node is replaced, that the replication breaks.

Some environments will have no access to the internet. The deployment will now fail, because yum depends on repositories hosted on the internet.

The vault nodes have an option to run a custom script. That script is typically used to install a backup or monitoring agent.

The bastion host can't run this now. Please add an option to run a custom script on the bastion host as well.

Some users have a key-pair and would like to refer to the identifier of that key, rather than specifying a key-pair file.

Many resources use the random provider to create some uniqueness, some resources have name_prefix, which offers the same functionality, but built into Terraform natively.

• Make a list of all modules. grep '^resource' * | cut -d: -f2 | awk '{ print $2 }'| sort | uniq | sed 's/"//g'
• Check which resources support name_prefix.
• Remove random part, use name_prefix.

For example: sometimes nat gateways still exists.

Currently, the KMS key is generated within the module.

When you now delete a Vault deployment, the KMS key is also destroyed.

This means a saved snapshot can't be used, because the decryption key does not exist anymore.

Options to overcome this:

• Let the user of the module bring his/her own key.
• Prevent deleting KMS keys.

Line 33 on main Readme.md is broken

Please add it to README.md

Resources have a name parameter, which differs over multiple files.

• Think of a naming convention, maybe: "vault-${var.vault_name}-${random_string.default.result}".
• Find all name parameters. (Not fully working, but a good start: grep -E 'name +=' *.tf.
• Implement naming convention.

The variable key_id now should contain the name of the key, better rename key_id to key_name.

Error: error creating application Load Balancer: InvalidConfigurationRequest: A load balancer cannot be attached to multiple subnets in the same Availability Zone
│ status code: 400, request id: 9831def4-be92-4315-a399-ddeb1b8f9dde
│
│ with module.vault.aws_lb.default,
│ on .terraform/modules/vault/main.tf line 270, in resource "aws_lb" "default":
│ 270: resource "aws_lb" "default" {

The problem was encountered when deploying the "Cloudwatch" example with:

• var.replication == false
• var.vault_enable_metrics == true
• var.vault_enable_metrics_unauthenticated_access == false

Problem / Symptoms

• Vault standby (http return code:429) are marked unhealthy and continuously replaced by the ASG even though they are behaving as expected. They should be marked as unhealthy so they do not receive traffic from the loadbalancer. However from the point of Vault these nodes are perfectly healthy standby cluster nodes and behaving as expected.

When calling the module with an existing VPC:

  vpc_id = "vpc-123abc"
  allowed_cidr_blocks  = [ "10.1.3.0/24", "10.1.4.0/24", "10.1.5.0/24"] 

An error occurs:

Error: Incorrect attribute value type
│ 
│   on .terraform/modules/vault/main.tf line 279, in resource "aws_lb" "default":
│  279:   subnets            = local.aws_subnet_ids
│     ├────────────────
│     │ local.aws_subnet_ids is "vpc-123abc"
│ 
│ Inappropriate value for attribute "subnets": set of string required.
╵
╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/vault/main.tf line 328, in resource "aws_autoscaling_group" "default":
│  328:   vpc_zone_identifier   = tolist(local.aws_subnet_ids)
│     ├────────────────
│     │ local.aws_subnet_ids is "vpc-123abc"
│ 
│ Invalid value for "v" parameter: cannot convert string to list of any single type.
╵
╷
│ Error: Invalid function argument
│ 
│   on .terraform/modules/vault/main.tf line 388, in resource "aws_instance" "bastion":
│  388:   subnet_id                   = tolist(local.aws_subnet_ids)[0]
│     ├────────────────
│     │ local.aws_subnet_ids is "vpc-123abc"
│ 
│ Invalid value for "v" parameter: cannot convert string to list of any single type. 

When running vault operator init, an error is returned.

# vault operator init
Error initializing: Error making API request.

URL: PUT https://172.16.1.14:8200/v1/sys/init
Code: 400. Errors:

* cannot initialize storage without an autoloaded license

I've tried:

• To export VAULT_LICENSE=xyz"
• To source /etc/vault.d/vault.env
• To set license_path pointing to a file with the license.
• To run VAULT_LICENSE=xyz vault operator init.

Details:

vault status
Key                      Value
---                      -----
Recovery Seal Type       awskms
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  1.9.3+ent
Storage Type             raft
HA Enabled               true

There are some heredoc markers in .tf file. (cloudwatch.tf, iam.tf and outputs.tf) (grep -Ril EOF *.tf).

• Verify if using heredoc is preferable over reading files. (file(...) or templatefile(...))

If heredoc is not preferred:

• Identify files with heredoc.
• Move content in separate files. (something.json)
• Use the file or template file function to read the file.

It would be convenient to be able to run vault on the bastion host.

• Install binary
• Place CA_CERT (
• Place variables (VAULT_ADDR and VAULT_CACERT)

The bastion host should have an option to write to an S3 bucket. This can be used for backups.