mirror of
https://github.com/hashicorp/vault.git
synced 2025-11-18 17:21:13 +01:00
0b12cdcfd1
* Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Adding explicit MPL license for sub-package. This directory and its subdirectories (packages) contain files licensed with the MPLv2 `LICENSE` file in this directory and are intentionally licensed separately from the BSL `LICENSE` file at the root of this repository. * Updating the license from MPL to Business Source License. Going forward, this project will be licensed under the Business Source License v1.1. Please see our blog post for more details at https://hashi.co/bsl-blog, FAQ at www.hashicorp.com/licensing-faq, and details of the license at www.hashicorp.com/bsl. * add missing license headers * Update copyright file headers to BUS-1.1 * Fix test that expected exact offset on hcl file --------- Co-authored-by: hashicorp-copywrite[bot] <110428419+hashicorp-copywrite[bot]@users.noreply.github.com> Co-authored-by: Sarah Thompson <sthompson@hashicorp.com> Co-authored-by: Brian Kassouf <bkassouf@hashicorp.com>
128 lines
3.5 KiB
HCL
128 lines
3.5 KiB
HCL
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
# This module unseals the replication secondary follower nodes
|
|
terraform {
|
|
required_providers {
|
|
enos = {
|
|
source = "app.terraform.io/hashicorp-qti/enos"
|
|
}
|
|
}
|
|
}
|
|
|
|
variable "vault_install_dir" {
|
|
type = string
|
|
description = "The directory where the Vault binary will be installed"
|
|
}
|
|
|
|
variable "vault_instance_count" {
|
|
type = number
|
|
description = "How many vault instances are in the cluster"
|
|
}
|
|
|
|
variable "follower_public_ips" {
|
|
type = list(string)
|
|
description = "Vault cluster follower Public IP addresses"
|
|
}
|
|
|
|
variable "vault_seal_type" {
|
|
type = string
|
|
description = "The Vault seal type"
|
|
}
|
|
|
|
variable "vault_unseal_keys" {}
|
|
|
|
locals {
|
|
followers = toset([for idx in range(var.vault_instance_count - 1) : tostring(idx)])
|
|
vault_bin_path = "${var.vault_install_dir}/vault"
|
|
}
|
|
|
|
# After replication is enabled the secondary follower nodes are expected to be sealed,
|
|
# so we wait for the secondary follower nodes to update the seal status
|
|
resource "enos_remote_exec" "wait_until_sealed" {
|
|
for_each = {
|
|
for idx, follower in local.followers : idx => follower
|
|
}
|
|
environment = {
|
|
VAULT_ADDR = "http://127.0.0.1:8200"
|
|
VAULT_INSTALL_DIR = var.vault_install_dir
|
|
}
|
|
|
|
scripts = [abspath("${path.module}/scripts/wait-until-sealed.sh")]
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = element(var.follower_public_ips, each.key)
|
|
}
|
|
}
|
|
}
|
|
|
|
# The follower nodes on secondary replication cluster incorrectly report
|
|
# unseal progress 2/3 (Issue: https://hashicorp.atlassian.net/browse/VAULT-12309),
|
|
# so we restart the followers to clear the status and to autounseal incase of awskms seal type
|
|
resource "enos_remote_exec" "restart_followers" {
|
|
depends_on = [enos_remote_exec.wait_until_sealed]
|
|
for_each = {
|
|
for idx, follower in local.followers : idx => follower
|
|
}
|
|
|
|
inline = ["sudo systemctl restart vault"]
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = element(var.follower_public_ips, each.key)
|
|
}
|
|
}
|
|
}
|
|
|
|
# We cannot use the vault_unseal resouce due to the known issue
|
|
# (https://hashicorp.atlassian.net/browse/VAULT-12311). We use a custom
|
|
# script to allow retry for unsealing the secondary followers
|
|
resource "enos_remote_exec" "unseal_followers" {
|
|
depends_on = [enos_remote_exec.restart_followers]
|
|
# The unseal keys are required only for seal_type shamir
|
|
for_each = {
|
|
for idx, follower in local.followers : idx => follower
|
|
if var.vault_seal_type == "shamir"
|
|
}
|
|
|
|
environment = {
|
|
VAULT_ADDR = "http://127.0.0.1:8200"
|
|
VAULT_INSTALL_DIR = var.vault_install_dir
|
|
UNSEAL_KEYS = join(",", var.vault_unseal_keys)
|
|
}
|
|
|
|
scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = element(var.follower_public_ips, each.key)
|
|
}
|
|
}
|
|
}
|
|
|
|
# This is a second attempt needed to unseal the secondary followers
|
|
# using a custom script due to get past the known issue
|
|
# (https://hashicorp.atlassian.net/browse/VAULT-12311)
|
|
resource "enos_remote_exec" "unseal_followers_again" {
|
|
depends_on = [enos_remote_exec.unseal_followers]
|
|
for_each = {
|
|
for idx, follower in local.followers : idx => follower
|
|
if var.vault_seal_type == "shamir"
|
|
}
|
|
|
|
environment = {
|
|
VAULT_ADDR = "http://127.0.0.1:8200"
|
|
VAULT_INSTALL_DIR = var.vault_install_dir
|
|
UNSEAL_KEYS = join(",", var.vault_unseal_keys)
|
|
}
|
|
|
|
scripts = [abspath("${path.module}/scripts/unseal-node.sh")]
|
|
|
|
transport = {
|
|
ssh = {
|
|
host = element(var.follower_public_ips, each.key)
|
|
}
|
|
}
|
|
}
|