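# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

# Starts a Vault cluster on a set of already-provisioned hosts: one leader is
# started first, then every remaining host is started as a follower with the
# same configuration. Hosts are addressed by their string index in
# var.target_hosts so that for_each keys are known at plan time.

terraform {
  required_providers {
    # We need to specify the provider source in each module until we publish it
    # to the public registry
    enos = {
      source  = "app.terraform.io/hashicorp-qti/enos"
      version = ">= 0.4.7"
    }
  }
}

data "enos_environment" "localhost" {}

locals {
  bin_path = "${var.install_dir}/vault"

  # Environment handed to the vault process. VAULT_ENABLE_SEAL_HA_BETA is
  # merged in unless local.seal_secondary is null.
  # NOTE(review): local.seal_secondary is looked up from local.seals_secondary,
  # whose "none" entry is a non-null object, so this comparison looks like it is
  # never true and the variable is always merged. The `.type == "none"` test used
  # for local.seals below may be what was intended — confirm before changing,
  # since it alters the environment of every node.
  environment = local.seal_secondary == null ? var.environment : merge(
    var.environment,
    { VAULT_ENABLE_SEAL_HA_BETA : tobool(var.seal_ha_beta) },
  )

  // In order to get Terraform to plan we have to use collections with keys
  // that are known at plan time. In order for our module to work our var.target_hosts
  // must be a map with known keys at plan time. Here we're creating locals
  // that keep track of index values that point to our target hosts.
  instances = [for idx in range(length(var.target_hosts)) : tostring(idx)]
  # Index "0" is always the leader; everything after it is a follower.
  # NOTE(review): slice(…, 0, 1) errors on an empty var.target_hosts; an empty
  # host map is presumably not a supported input — confirm with callers.
  leader    = toset(slice(local.instances, 0, 1))
  followers = toset(slice(local.instances, 1, length(local.instances)))

  # Key / recovery share counts per primary seal type. Shamir uses key shares,
  # awskms uses recovery shares; the unused pair is null.
  key_shares = {
    "awskms" = null
    "shamir" = 5
  }
  key_threshold = {
    "awskms" = null
    "shamir" = 3
  }
  recovery_shares = {
    "awskms" = 5
    "shamir" = null
  }
  recovery_threshold = {
    "awskms" = 3
    "shamir" = null
  }

  # Seal stanza for the server config. A secondary seal of type "none" means a
  # single-seal configuration; otherwise both seals are passed through.
  seals = local.seal_secondary.type == "none" ? {
    primary = local.seal_primary
    } : {
    primary   = local.seal_primary
    secondary = local.seal_secondary
  }

  seals_primary = {
    "awskms" = {
      type = "awskms"
      attributes = {
        name       = var.seal_alias
        priority   = var.seal_priority
        kms_key_id = var.seal_key_name
      }
    }
    "shamir" = {
      type       = "shamir"
      attributes = null
    }
  }
  seal_primary = local.seals_primary[var.seal_type]

  seals_secondary = {
    "awskms" = {
      type = "awskms"
      attributes = {
        name       = var.seal_alias_secondary
        priority   = var.seal_priority_secondary
        kms_key_id = var.seal_key_name_secondary
      }
    }
    "none" = {
      type       = "none"
      attributes = null
    }
  }
  seal_secondary = local.seals_secondary[var.seal_type_secondary]

  # Storage backend attributes, one entry per target host in map-key order.
  # raft: a per-node node_id merged with any caller-supplied attributes.
  # anything else: a Consul agent on the node's loopback interface.
  storage_config = [for idx, host in var.target_hosts : (var.storage_backend == "raft" ?
    merge(
      {
        node_id = "${var.storage_node_prefix}_${idx}"
      },
      var.storage_backend_attrs
    ) :
    {
      address = "127.0.0.1:8500"
      path    = "vault"
  })]

  # One server configuration per instance index. Leader and followers are
  # configured identically; they differ only in start ordering below, so the
  # config is built once here instead of being duplicated in each resource.
  vault_config = {
    for idx in local.instances : idx => {
      api_addr     = "http://${var.target_hosts[idx].private_ip}:8200"
      cluster_addr = "http://${var.target_hosts[idx].private_ip}:8201"
      cluster_name = var.cluster_name
      # Plaintext TCP listener bound to every interface: api_addr above is
      # http:// and tls_disable is set, so client and cluster traffic to these
      # nodes is unencrypted on the wire.
      listener = {
        type = "tcp"
        attributes = {
          address     = "0.0.0.0:8200"
          tls_disable = "true"
        }
      }
      log_level = var.log_level
      storage = {
        type = var.storage_backend
        # Re-keyed copy of this node's storage entry (same form on both the
        # leader and the followers).
        attributes = { for key, value in local.storage_config[idx] : key => value }
      }
      seals = local.seals
      ui    = true
    }
  }
}

# Start the leader first so followers have a node to join.
resource "enos_vault_start" "leader" {
  for_each = local.leader

  bin_path       = local.bin_path
  config_dir     = var.config_dir
  environment    = local.environment
  config         = local.vault_config[each.value]
  license        = var.license
  manage_service = var.manage_service
  username       = var.service_username
  unit_name      = "vault"

  transport = {
    ssh = {
      host = var.target_hosts[each.value].public_ip
    }
  }
}

# Followers use the same configuration as the leader and are only started
# once the leader resource has been applied.
resource "enos_vault_start" "followers" {
  depends_on = [
    enos_vault_start.leader,
  ]
  for_each = local.followers

  bin_path       = local.bin_path
  config_dir     = var.config_dir
  environment    = local.environment
  config         = local.vault_config[each.value]
  license        = var.license
  manage_service = var.manage_service
  username       = var.service_username
  unit_name      = "vault"

  transport = {
    ssh = {
      host = var.target_hosts[each.value].public_ip
    }
  }
}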