AWS implementation
HashiCorp Validated Designs give you a strategic, competitive advantage by securing the operational execution of your Consul Enterprise deployment. The tangible benefits shift quickly from increasing productivity and reducing costs to broader issues, such as increasing service quality and overseeing governance. Using the HVD Solution Design as a fundamental operational model, Cloud teams increase the use of control systems, technology tools and human processes to deliver automated infrastructure provisioning to internal users and external consumers.
The implementation phase intends to bridge gaps between requirements and execution steps by converging multiple disciplines into a normalized project deliverable. Within this context, you must consider the tools available to assist you during the deployment and the installation method. In this section, we want to highlight three focus areas:
- Artifacts: HashiCorp and HashiCorp partners provide supporting Terraform Modules to configure and deploy a Consul Enterprise deployment. The Terraform Modules offer a flexible approach to automate provisioning tasks and build a supporting technology foundation, while following pre-defined control standards and adhering to operational procedures.
- Automated installation: The automated installation section guides the Cloud team on how to use the Terraform Modules provided to deploy AWS resources and install Consul Enterprise and the Control Plane on VMs or EKS.
- Manual installation: In select situations, the Cloud team may complete the deployment of AWS resources to support Consul Enterprise without using the Terraform Modules provided. In such cases, the Cloud team can install Consul Enterprise manually by meeting a requirements checklist and following the technical guidance in the corresponding subsection of this document.
Our recommendation is to follow the automated installation path. This approach considers the best features and functions, proven to programmatically integrate with an existing ecosystem of technology tools, with the agility to incorporate guidelines from existing security controls. More specifically, an automated provisioning approach will speed the delivery of your Cloud infrastructure, Consul Enterprise applications and configuration properties. At the same time, the service can adhere to change control processes by self-documenting change requests, keeping an up-to-date record of activities and reconciling against approval systems. Finally, the newly delivered service can be immediately attached to the ecosystem of tools for health monitoring, security hardening, patch management, compliance scans, etc.
Consul on VM
The Terraform Modules contain a “gold standard” for all of the AWS environment or Consul Enterprise infrastructure-specific settings. Typically, a Cloud administrator spends many hours retrieving and changing configuration properties to enable the application to function correctly in the environment.
Within the scope of this Solution Design guide, the focus is on two Terraform modules that can work independently or in combination. The following list names the main modules recommended for your deployment.
There are two modules for Consul on VMs for AWS:
- terraform-aws-consul-prerequisites
- terraform-aws-consul
If you apply both modules, Terraform will deploy a complete, end-to-end Consul Enterprise deployment inside of AWS.
To configure the Terraform deployment with your organization's specific requirements, update the terraform.auto.tfvars file to provide the inputs to the Terraform module:
- friendly_name_prefix: the prefix assigned to all resources.
- common_tags: tags applied to all resources.
- secretsmanager_secrets: all the secrets that will be placed or generated. You NEED to supply the TEXT value of the consul_license on line 11 in the [terraform.auto.tfvars](/validated-designs/consul-solution-design-guides-consul-enterprise-self-hosted/appendices#agents). If you do not provide the other values, the module will generate and place all the required secrets in AWS Secrets Manager.
- r53_domain_name: the domain that will be used for the LB.
- s3_buckets: required to provide the object storage source to the Consul snapshot agent.
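Because the tfvars file carries the license text (a secret, so keep the file out of version control) alongside the inputs listed above, it pays to check the file before running `terraform apply`. The following pre-flight checker is an added example written for this guide; it is not code from HashiCorp or from the terraform-aws-consul modules. It parses the small HCL subset a tfvars file uses (top-level `key = value` with strings, integers, booleans, nested `{ ... }` maps and `#`/`//` comments) and verifies the inputs named above. The naming rule for friendly_name_prefix and the layout of secretsmanager_secrets (a map with a consul_license entry holding the license text) are assumptions made for this example, not the module's documented schema; the embedded tfvars sample is constructed and its license value is a placeholder.

```python
"""Pre-flight check of terraform.auto.tfvars inputs (added example, not HashiCorp code).
Parses the tfvars subset of HCL: `key = value` with strings, integers, booleans,
nested `{ ... }` maps and `#`/`//` comments. The layout assumed for
secretsmanager_secrets (a consul_license entry holding the license text) is an
assumption for this example, not the module's documented schema."""
import re

# Input names taken from the guide; their structure is assumed for this example.
REQUIRED_KEYS = ("friendly_name_prefix", "common_tags",
                 "secretsmanager_secrets", "r53_domain_name", "s3_buckets")
_TOKEN = re.compile(r'(?P<comment>#[^\n]*|//[^\n]*)|(?P<string>"(?:[^"\\]|\\.)*")'
                    r'|(?P<punct>[{}=,])|(?P<word>[^\s{}=,"#]+)')
_PREFIX_RE = re.compile(r"^[a-z][a-z0-9-]{1,15}$")  # assumed naming rule for AWS resource names
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


def parse_tfvars(text: str) -> dict:
    """Parse a tfvars document into a dict; raises ValueError on malformed input."""
    tokens = [m for m in _TOKEN.finditer(text) if m.lastgroup != "comment"]
    pos = 0

    def cur():
        if pos >= len(tokens):
            raise ValueError("unexpected end of input")
        return tokens[pos]

    def value():
        nonlocal pos
        tok = cur()
        pos += 1
        raw = tok.group()
        if tok.lastgroup == "string":  # undo \", \\, \n and \t escapes
            return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), raw[1:-1])
        if raw in ("true", "false", "null"):
            return {"true": True, "false": False, "null": None}[raw]
        if tok.lastgroup == "word" and re.fullmatch(r"-?\d+", raw):
            return int(raw)
        if raw != "{":
            raise ValueError(f"unexpected token {raw!r}")
        obj = {}  # map body: key = value pairs, optionally comma separated
        while cur().group() != "}":
            key = cur().group().strip('"')
            pos += 1
            if cur().group() != "=":
                raise ValueError(f"expected '=' after map key {key!r}")
            pos += 1
            obj[key] = value()
            if cur().group() == ",":
                pos += 1
        pos += 1
        return obj

    result = {}
    while pos < len(tokens):
        key = cur().group().strip('"')
        pos += 1
        if cur().group() != "=":
            raise ValueError(f"expected '=' after {key!r}")
        pos += 1
        result[key] = value()
    return result


def check_inputs(cfg: dict) -> list:
    """Return a list of problems; an empty list means the inputs pass the check."""
    problems = [f"missing required input {k}" for k in REQUIRED_KEYS if k not in cfg]
    if problems:
        return problems
    if not _PREFIX_RE.match(str(cfg["friendly_name_prefix"])):
        problems.append("friendly_name_prefix: use 2-16 lowercase letters, digits or '-'")
    if not isinstance(cfg["common_tags"], dict) or not cfg["common_tags"]:
        problems.append("common_tags: must be a non-empty map")
    secrets = cfg["secretsmanager_secrets"]
    lic = secrets.get("consul_license") if isinstance(secrets, dict) else None
    if not isinstance(lic, str) or not lic.strip():
        problems.append("consul_license: license text is required; the module cannot generate it")
    elif lic.strip().startswith("/") or lic.strip().endswith(".hclic"):
        problems.append("consul_license: looks like a file path, supply the license text itself")
    if not _DOMAIN_RE.match(str(cfg["r53_domain_name"])):
        problems.append("r53_domain_name: not a valid DNS name for the load balancer")
    if not isinstance(cfg["s3_buckets"], dict) or not cfg["s3_buckets"]:
        problems.append("s3_buckets: at least one bucket is needed for the snapshot agent")
    return problems


# Constructed sample input for this example; the license value is a placeholder.
SAMPLE_TFVARS = '''
friendly_name_prefix = "hvd-consul"
common_tags = {
  Environment = "dev"
  Owner       = "platform-team"
}
secretsmanager_secrets = {
  consul_license = "PLACEHOLDER-LICENSE-TEXT-FROM-ONBOARDING-BUNDLE"  # not a real license
}
r53_domain_name = "consul.example.internal"
s3_buckets = { snapshot = "hvd-consul-snapshots" }
'''

if __name__ == "__main__":
    for line in check_inputs(parse_tfvars(SAMPLE_TFVARS)) or ["inputs look good"]:
        print(line)
```

Run it against your own file with `check_inputs(parse_tfvars(open("terraform.auto.tfvars").read()))`; a non-empty list tells you what to fix before the module is applied. The path check exists because the guide asks for the license text itself, and a path pasted by mistake would otherwise be stored verbatim in Secrets Manager.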
Terraform modules
For the purpose of an automated deployment, HashiCorp and HashiCorp partners provide private Terraform modules to customize and support your deployment.
terraform-aws-consul-prerequisites
Module that is intended to assist with the provisioning of prerequisite resources that are required for a Consul Enterprise on AWS (EC2) deployment.
The module creates the following resources inside of an AWS environment, if necessary:
- Network Load Balancer, Listeners, and Target Groups
- KMS Encryption Keys
- Log Groups for Consul Enterprise
- Route 53 entries
- S3 buckets
- Secrets Manager Secrets
- Consul Secrets (TLS Certificates, tokens, etc.)
- VPC Endpoints
- VPC with Public and Private access subnets
- Consul Security Groups (Agent, Server)
- Consul Security Group Rules
terraform-aws-consul
Module that deploys Consul Enterprise in AWS. The module creates the following resources inside of an AWS environment:
- AWS Auto Scaling Group
- AWS Auto Scaling lifecycle hook
- AWS Launch Template for ASG
- AWS Security Group for EC2
- AWS Security Group rules for EC2
- Route53 Outbound Resolver Endpoint
- Route53 Outbound Resolver Rule
- Route53 Outbound Resolver VPC Association
Shared dependencies
The module is not built with a single run in mind due to a potential blast radius. This module is useful for development, testing and validation of a Consul Enterprise deployment.
The terraform-aws-consul and terraform-aws-consul-prerequisites modules rely upon a collection of Terraform sub-modules to support different parts of the deployment requirements. In situations where there are air-gapped requirements for the deployment, the sub-modules need to be present in the deployment bootstrap environment.
It is important to understand that consuming teams do not interact with these sub-modules on a regular basis. The following table lists the sub-modules and describes each one, so that you can evaluate which of them you need to store in a private repository.
Module Name | Description |
---|---|
terraform-aws-ent-prereq-networking | This module deploys multiple VPC resources in order to allow the proper connectivity required for the HashiCorp products that are deployed. |
terraform-aws-ent-prereq-s3 | This module establishes S3 buckets to be used for the HashiCorp product deployment. The module utilizes various inputs to control settings that customers may want to customize for their particular environment. For example, the module allows the user to specify if they want Cross Region Replication, Encryption with a KMS CMK, a logging bucket configuration, etc. |
terraform-aws-ent-prereq-ingress | This module creates the ingress constructs required for clients to reach the deployed HashiCorp products. This includes Load Balancing, Listeners, Target Groups, Certificate hosting and/or creation, DNS Record entries, and Security Groups for the inbound traffic. |
terraform-aws-ent-prereq-kms | This module creates a KMS key and alias in the region that it is called. It provides various input variables to control aspects of the KMS key policy, such as whether or not the Key Default Policy is enabled by default, if specific IAM Users or Roles should be allowed to use the key for Cryptographic operations, or whether or not AWS AutoScaling should have access to use the key as well. |
terraform-aws-ent-prereq-iam | This module builds out IAM roles, policies, and instance profiles for the HashiCorp product deployment on AWS. |
terraform-aws-ent-prereq-secrets-manager | This module establishes multiple Secrets Manager secrets inside of AWS. |
terraform-null-cloudinit-function-template | The null templating module is a helper module that generates standard shell functions based on the cloud where the product is being deployed. This allows for secret retrieval, object storage consumption, instance scraping, and pre-requisite tooling to be consistent regardless of product and cloud. |
terraform-aws-ent-prereq-sg | This module creates all of the necessary Security Groups to allow for network connectivity between the various components deployed based on the HashiCorp product. |
Consul license
When getting started with Consul Enterprise, HashiCorp provides an onboarding bundle that includes a License File. The file contains a license key unique to your environment.
For the purpose of the installation, the file must be available to the Cloud team. To provide a license file, update the terraform.auto.tfvars file used by the Terraform deployment.
Consul installation
The artifacts listed in this document can automate the deployment from end to end. Each module provides flexible methods to adapt the deployment to your target AWS environment. Use the Terraform modules in this order:
Module Name | Description |
---|---|
terraform-aws-consul-prerequisites | This module confirms and deploys AWS resources and provides inventory required for deployment |
terraform-aws-consul | This module deploys Consul Enterprise control plane into an existing AWS environment |
Note that the terraform-aws-consul-prerequisites module has an example calling module called public-5-node-nlb. This can be found in the /examples directory. It uses both of the modules outlined in the table above to deploy the infrastructure on AWS. We recommend evaluating the variable inputs for both modules above, and adjusting the hvd.terraform.auto.tfvars file accordingly.
Both of the modules have a large number of input variables that can be customized, and many defaults have been provided as part of this Solution Design Guide. However, we recommend evaluating what is set in the public-5-node-nlb main.tf file, and also evaluating all of the available input parameters if necessary.
Using the Terraform modules requires practical experience working with the HashiCorp Configuration Language (HCL) and Terraform configuration syntax.
Security hardening
The following subsections give detailed instructions for hardening the deployed solution to meet security recommendations:
- Platform environment
- Operating system
- Application