Begin the process of migrating away from the "strongly encouraged not to use"[0] EC2 spot fleet API to the more modern `ec2:CreateFleet`. Unfortunately the `instant` type fleet does not guarantee fulfillment with either on-demand or spot types. We'll need to add a feature similar to `wait_for_fulfillment` on the `spot_fleet_request` resource[1] to `ec2_fleet` before we can rely on it. We also update the existing target fleets to support provisioning generic targets. This has allowed us to remove our usage of `terraform-enos-aws-consul` and replace it with a smaller `backend_consul` module in-repo. We also remove `terraform-enos-aws-infra` and replace it with two smaller in-repo modules `ec2_info` and `create_vpc`. This has allowed us to simplify the vpc resources we use for each scenario, which in turn allows us to not rely on flaky resources. As part of this refactor we've also made it possible to provision targets using different distro versions. [0] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-best-practices.html#which-spot-request-method-to-use [1] https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/spot_fleet_request#wait_for_fulfillment * enos/consul: add `backend_consul` module that accepts target hosts. * enos/target_ec2_spot_fleet: add support for consul networking. * enos/target_ec2_spot_fleet: add support for customizing cluster tag key. * enos/scenarios: create `target_ec2_fleet` which uses a more modern `ec2_fleet` API. * enos/create_vpc: replace `terraform-enos-aws-infra` with smaller and simplified version. Flatten the networking to a single route on the default route table and a single subnet. * enos/ec2_info: add a new module to give us useful ec2 information including AMI IDs for various arch/distro/version combinations. * enos/ci: update service user role to allow for managing ec2 fleets. Signed-off-by: Ryan Cragun <me@ryan.ec>
# Where and how to fetch a Vault artifact from Artifactory. When the object is
# set, all four attributes are required; the default of null leaves it unset.
# NOTE(review): `token` is a credential, yet this variable is not marked
# `sensitive`, so Terraform will not redact it in plan/apply output. Consider
# `sensitive = true` after confirming nothing downstream (outputs, for_each
# keys) depends on the value being non-sensitive.
# NOTE(review): `sha256` is presumably the expected artifact digest; confirm
# the consumer of this variable actually verifies it before installing.
variable "artifactory_release" {
  description = "The Artifactory release information to install Vault artifacts from Artifactory"
  default     = null
  type = object({
    username = string
    token    = string
    url      = string
    sha256   = string
  })
}
# ARN of the AWS KMS key used for auto-unseal. Per the description it only
# applies when the "awskms" unseal method is selected.
# NOTE(review): nothing in this declaration requires the ARN to be set when
# `unseal_method` is "awskms" (which is that variable's default); the check,
# if any, must live in the consuming resources.
variable "awskms_unseal_key_arn" {
  description = "The AWSKMS key ARN if using the awskms unseal method"
  type        = string
  default     = null
}
# Optional name of the storage backend cluster; unset (null) by default.
variable "backend_cluster_name" {
  description = "The name of the backend cluster"
  type        = string
  default     = null
}
# Optional tag key used to look up backend nodes; unset (null) by default.
# NOTE(review): tag-based discovery trusts whatever instances carry the tag;
# confirm who is allowed to apply this tag in the target account.
variable "backend_cluster_tag_key" {
  description = "The tag key for searching for backend nodes"
  type        = string
  default     = null
}
# Optional name for the Vault cluster; unset (null) by default.
variable "cluster_name" {
  description = "The Vault cluster name"
  type        = string
  default     = null
}
# Directory on the target host that holds the Vault configuration.
variable "config_dir" {
  description = "The directory to use for Vault configuration"
  type        = string
  default     = "/etc/vault.d"
}
# Extra environment variables for the Vault process, as a string-to-string map.
# NOTE(review): environment variables frequently carry credentials; this
# variable is not marked `sensitive`, so any secret passed here would appear
# in plan/apply output. Confirm what callers put in it.
variable "config_env_vars" {
  type        = map(string)
  description = "Optional Vault configuration environment variables to set starting Vault"
  default     = null
}
# Directory on the target host where Consul keeps its data.
variable "consul_data_dir" {
  description = "The directory where the consul will store data"
  type        = string
  default     = "/opt/consul/data"
}
# Directory on the target host that receives the Consul binary.
variable "consul_install_dir" {
  description = "The directory where the consul binary will be installed"
  type        = string
  default     = "/opt/consul/bin"
}
# Consul Enterprise license text; optional (null by default).
# `sensitive = true` makes Terraform redact the value in plan/apply output.
# It is still written to state in plaintext, so the state backend needs its
# own access control.
variable "consul_license" {
  description = "The consul enterprise license"
  type        = string
  sensitive   = true
  default     = null
}
# Path on the target host where Consul writes its log output.
variable "consul_log_file" {
  description = "The file where the consul will write log output"
  type        = string
  default     = "/var/log/consul.log"
}
# Log verbosity for the Consul service. The validation block rejects anything
# outside the five listed levels at plan time.
# NOTE(review): "trace" and "debug" are permitted; verbose levels can put more
# operational detail into the log file, so review log retention and
# permissions when they are used.
variable "consul_log_level" {
  description = "The consul service log level"
  type        = string
  default     = "info"

  validation {
    error_message = "The consul_log_level must be one of 'trace', 'debug', 'info', 'warn', or 'error'."
    condition     = contains(["trace", "debug", "info", "warn", "error"], var.consul_log_level)
  }
}
# Which Consul build to install from releases.hashicorp.com. Both attributes
# are required when the object is overridden.
# NOTE(review): the default pins a specific version ("1.15.1"); a hard-coded
# default ages, so confirm callers override it or that it is bumped regularly.
# NOTE(review): `edition` is not validated here; confirm the accepted values
# with the consumer of this variable.
variable "consul_release" {
  description = "Consul release version and edition to install from releases.hashicorp.com"
  type = object({
    version = string
    edition = string
  })
  default = {
    version = "1.15.1"
    edition = "oss"
  }
}
# Toggles the Vault file audit device. It is on by default and, per the
# description, writes to /var/log/vault_audit.log.
# NOTE(review): setting this to false removes the audit trail for the cluster;
# treat overrides as a deliberate decision.
variable "enable_file_audit_device" {
  type        = bool
  description = "If true the file audit device will be enabled at the path /var/log/vault_audit.log"
  default     = true
}
# When true, the cluster is unsealed even on runs that do not initialize it.
# Off by default.
variable "force_unseal" {
  description = "Always unseal the Vault cluster even if we're not initializing it"
  type        = bool
  default     = false
}
# Controls whether this module initializes the Vault cluster. On by default.
variable "initialize_cluster" {
  description = "Initialize the Vault cluster"
  type        = bool
  default     = true
}
# Directory on the target host that receives the Vault binary.
variable "install_dir" {
  description = "The directory where the vault binary will be installed"
  type        = string
  default     = "/opt/vault/bin"
}
# Vault license text; optional (null by default).
# `sensitive = true` makes Terraform redact the value in plan/apply output.
# It is still written to state in plaintext, so the state backend needs its
# own access control.
variable "license" {
  description = "The value of the Vault license"
  type        = string
  sensitive   = true
  default     = null
}
# Path to a locally built Vault artifact (zip, RPM, or Debian package per the
# description). Unset by default.
# NOTE(review): unlike `artifactory_release`, this input carries no expected
# digest, so integrity of the local file rests on the build that produced it.
variable "local_artifact_path" {
  description = "The path to a locally built vault artifact to install. It can be a zip archive, RPM, or Debian package"
  type        = string
  default     = null
}
# Log verbosity for the Vault service. The validation block rejects anything
# outside the five listed levels at plan time.
# NOTE(review): "trace" and "debug" are permitted; verbose levels can put more
# operational detail into logs, so review log retention and permissions when
# they are used.
variable "log_level" {
  description = "The vault service log level"
  type        = string
  default     = "info"

  validation {
    error_message = "The log_level must be one of 'trace', 'debug', 'info', 'warn', or 'error'."
    condition     = contains(["trace", "debug", "info", "warn", "error"], var.log_level)
  }
}
# When true (the default) the module manages the Vault service users and the
# systemd unit; set to false to rely on what RPM/Debian packages ship.
variable "manage_service" {
  description = "Manage the Vault service users and systemd unit. Disable this to use configuration in RPM and Debian packages"
  type        = bool
  default     = true
}
# Extra packages to install on each target host through its package manager.
# Empty by default.
# NOTE(review): entries are free-form strings with no validation here; they
# are presumably passed to the host package manager, so keep the list under
# code review.
variable "packages" {
  description = "A list of packages to install via the target host package manager"
  type        = list(string)
  default     = []
}
# Which Vault build to install from releases.hashicorp.com. Unset by default;
# when set, both attributes are required.
# NOTE(review): `edition` is not validated here; confirm the accepted values
# with the consumer of this variable.
variable "release" {
  description = "Vault release version and edition to install from releases.hashicorp.com"
  default     = null
  type = object({
    version = string
    edition = string
  })
}
# Vault root token supplied by the caller; unset (null) by default.
# NOTE(review): a root token grants full control of the cluster, but this
# variable is not marked `sensitive` (compare `license` and `consul_license`
# in this file), so Terraform will print it in plan/apply output. Consider
# `sensitive = true`; any module output derived from it would then also need
# `sensitive = true`, so check the module's outputs before changing it.
variable "root_token" {
  description = "The Vault root token that we can use to intialize and configure the cluster"
  type        = string
  default     = null
}
# Shamir unseal key shares supplied by the caller, typically when joining nodes
# to a cluster that is already initialized. Unset (null) by default.
# NOTE(review): these are key material, but the variable is not marked
# `sensitive` (compare `license` and `consul_license` in this file), so the
# shares would appear in plan/apply output. Consider `sensitive = true`; any
# module output derived from them would then also need `sensitive = true`.
variable "shamir_unseal_keys" {
  description = "Shamir unseal keys. Often only used adding additional nodes to an already initialized cluster."
  type        = list(string)
  default     = null
}
# Storage backend for the Vault cluster. Only "raft" (the default) and
# "consul" pass validation.
variable "storage_backend" {
  description = "The storage backend to use"
  type        = string
  default     = "raft"

  validation {
    error_message = "The storage_backend must be either raft or consul. No other storage backends are supported."
    condition     = contains(["raft", "consul"], var.storage_backend)
  }
}
# Free-form key/value pairs merged into Vault's storage configuration block.
# Empty by default.
# NOTE(review): `map(any)` accepts arbitrary keys and values with no
# validation, and the variable is not marked `sensitive`; if a caller passes a
# credential (for example a backend token) it would show in plan/apply output.
variable "storage_backend_addl_config" {
  description = "An optional set of key value pairs to inject into the storage block"
  type        = map(any)
  default     = {}
}
# Prefix applied to each node's identifier in the Vault storage configuration.
variable "storage_node_prefix" {
  description = "A prefix to use for each node in the Vault storage configuration"
  type        = string
  default     = "node"
}
# Hosts that will form the Vault cluster, keyed by an arbitrary map key, each
# with a private and a public address. There is no default, so callers must
# supply this value.
# NOTE(review): every host carries a `public_ip`; confirm which services end up
# reachable on the public address and that security groups restrict them.
variable "target_hosts" {
  type = map(object({
    private_ip = string
    public_ip  = string
  }))
  description = "The target machines host addresses to use for the Vault cluster"
}
# How the Vault cluster is unsealed. Only "awskms" (the default) and "shamir"
# pass validation.
# NOTE(review): the default of "awskms" relies on `awskms_unseal_key_arn`,
# whose own default is null; this declaration does not check that the two are
# consistent.
variable "unseal_method" {
  description = "The method by which to unseal the Vault cluster"
  type        = string
  default     = "awskms"

  validation {
    error_message = "The unseal_method must be either awskms or shamir. No other unseal methods are supported."
    condition     = contains(["awskms", "shamir"], var.unseal_method)
  }
}