mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-26 17:11:13 +02:00
08c5a52b02
* require explicit value for disable_mlock * set disable_mlock back to true for all docker tests * fix build error * update test config files * change explicit mlock check to apply to integrated storage only. * formatting and typo fixes * added test for raft * remove erroneous test * remove unecessary doc line * remove unecessary var * pr suggestions * test compile fix * add mlock config value to enos tests * enos lint * update enos tests to pass disable_mlock value * move mlock error to runtime to check for env var * fixed mlock config detection logic * call out mlock on/off tradeoffs to docs * rewording production hardening section on mlock for clarity * update error message when missing disable_mlock value to help customers with the previous default * fix config doc error and update production-hardening doc to align with existing recommendations. * remove extra check for mlock config value * fix docker recovery test * Update changelog/29974.txt Explicitly call out that Vault will not start without disable_mlock included in the config. Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com> * more docker test experimentation. * passing disable_mlock into test cluster * add VAULT_DISABLE_MLOCK envvar to docker tests and pass through the value * add missing envvar for docker env test * upate additional docker test disable_mlock values * Apply suggestions from code review Use active voice. Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com> --------- Co-authored-by: Kuba Wieczorek <kuba.wieczorek@hashicorp.com> Co-authored-by: Sarah Chavis <62406755+schavis@users.noreply.github.com>
194 lines
5.1 KiB
HCL
194 lines
5.1 KiB
HCL
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
variable "cluster_name" {
|
|
type = string
|
|
description = "The Vault cluster name"
|
|
}
|
|
|
|
variable "cluster_port" {
|
|
type = number
|
|
description = "The cluster port for Vault to listen on"
|
|
default = 8201
|
|
}
|
|
|
|
variable "cluster_tag_key" {
|
|
type = string
|
|
description = "The Vault cluster tag key"
|
|
default = "retry_join"
|
|
}
|
|
|
|
variable "config_dir" {
|
|
type = string
|
|
description = "The directory to use for Vault configuration"
|
|
default = "/etc/vault.d"
|
|
}
|
|
|
|
variable "config_mode" {
|
|
description = "The method to use when configuring Vault. When set to 'env' we will configure Vault using VAULT_ style environment variables if possible. When 'file' we'll use the HCL configuration file for all configuration options."
|
|
default = "file"
|
|
|
|
validation {
|
|
condition = contains(["env", "file"], var.config_mode)
|
|
error_message = "The config_mode must be either 'env' or 'file'. No other configuration modes are supported."
|
|
}
|
|
}
|
|
|
|
variable "disable_mlock" {
|
|
type = bool
|
|
description = "Disable mlock for Vault process."
|
|
default = false
|
|
}
|
|
|
|
variable "environment" {
|
|
description = "Optional Vault configuration environment variables to set starting Vault"
|
|
type = map(string)
|
|
default = null
|
|
}
|
|
|
|
variable "external_storage_port" {
|
|
type = number
|
|
description = "The port to connect to when using external storage"
|
|
default = 8500
|
|
}
|
|
|
|
variable "hosts" {
|
|
description = "The target machines host addresses to use for the Vault cluster"
|
|
type = map(object({
|
|
ipv6 = string
|
|
private_ip = string
|
|
public_ip = string
|
|
}))
|
|
}
|
|
|
|
variable "install_dir" {
|
|
type = string
|
|
description = "The directory where the vault binary will be installed"
|
|
default = "/opt/vault/bin"
|
|
}
|
|
|
|
variable "ip_version" {
|
|
type = number
|
|
description = "The IP version to use for the Vault TCP listeners"
|
|
|
|
validation {
|
|
condition = contains([4, 6], var.ip_version)
|
|
error_message = "The ip_version must be either 4 or 6"
|
|
}
|
|
}
|
|
|
|
variable "license" {
|
|
type = string
|
|
sensitive = true
|
|
description = "The value of the Vault license"
|
|
default = null
|
|
}
|
|
|
|
variable "log_level" {
|
|
type = string
|
|
description = "The vault service log level"
|
|
default = "info"
|
|
|
|
validation {
|
|
condition = contains(["trace", "debug", "info", "warn", "error"], var.log_level)
|
|
error_message = "The log_level must be one of 'trace', 'debug', 'info', 'warn', or 'error'."
|
|
}
|
|
}
|
|
|
|
variable "manage_service" {
|
|
type = bool
|
|
description = "Manage the Vault service users and systemd unit. Disable this to use configuration in RPM and Debian packages"
|
|
default = true
|
|
}
|
|
|
|
variable "listener_port" {
|
|
type = number
|
|
description = "The port for Vault to listen on"
|
|
default = 8200
|
|
}
|
|
|
|
variable "seal_alias" {
|
|
type = string
|
|
description = "The primary seal alias name"
|
|
default = "primary"
|
|
}
|
|
|
|
variable "seal_alias_secondary" {
|
|
type = string
|
|
description = "The secondary seal alias name"
|
|
default = "secondary"
|
|
}
|
|
|
|
variable "seal_attributes" {
|
|
description = "The primary auto-unseal attributes"
|
|
default = null
|
|
}
|
|
|
|
variable "seal_attributes_secondary" {
|
|
description = "The secondary auto-unseal attributes"
|
|
default = null
|
|
}
|
|
|
|
variable "seal_priority" {
|
|
type = string
|
|
description = "The primary seal priority"
|
|
default = "1"
|
|
}
|
|
|
|
variable "seal_priority_secondary" {
|
|
type = string
|
|
description = "The secondary seal priority"
|
|
default = "2"
|
|
}
|
|
|
|
variable "seal_type" {
|
|
type = string
|
|
description = "The method by which to unseal the Vault cluster"
|
|
default = "awskms"
|
|
|
|
validation {
|
|
condition = contains(["awskms", "pkcs11", "shamir"], var.seal_type)
|
|
error_message = "The seal_type must be either 'awskms', 'pkcs11', or 'shamir'. No other seal types are supported."
|
|
}
|
|
}
|
|
|
|
variable "seal_type_secondary" {
|
|
type = string
|
|
description = "A secondary HA seal method. Only supported in Vault Enterprise >= 1.15"
|
|
default = "none"
|
|
|
|
validation {
|
|
condition = contains(["awskms", "pkcs11", "none"], var.seal_type_secondary)
|
|
error_message = "The secondary_seal_type must be 'awskms', 'pkcs11' or 'none'. No other secondary seal types are supported."
|
|
}
|
|
}
|
|
|
|
variable "service_username" {
|
|
type = string
|
|
description = "The host username to own the vault service"
|
|
default = "vault"
|
|
}
|
|
|
|
variable "storage_backend" {
|
|
type = string
|
|
description = "The storage backend to use"
|
|
default = "raft"
|
|
|
|
validation {
|
|
condition = contains(["raft", "consul"], var.storage_backend)
|
|
error_message = "The storage_backend must be either raft or consul. No other storage backends are supported."
|
|
}
|
|
}
|
|
|
|
variable "storage_backend_attrs" {
|
|
type = map(any)
|
|
description = "An optional set of key value pairs to inject into the storage block"
|
|
default = {}
|
|
}
|
|
|
|
variable "storage_node_prefix" {
|
|
type = string
|
|
description = "A prefix to use for each node in the Vault storage configuration"
|
|
default = "node"
|
|
}
|