Deploying Vault using Terraform
HashiCorp provides a set of official Terraform modules to make it easier to deploy a Vault Enterprise environment that adheres to the requirements and standards laid out in this HashiCorp Validated Design.
Tip
HashiCorp Professional Services or one of our trusted partners can help you accelerate your deployment of Vault Enterprise, using the provided modules. For more information, contact your HashiCorp account team.
Platform-specific guidance
Select the tab below for your cloud for further guidance.
HashiCorp provides an official HVD module to deploy Vault Enterprise on AWS EC2.
Before deployment, you will need to create the prerequisite infrastructure in AWS:
- A functional VPC with at least three public and three private subnets.
- A Vault Enterprise license that has been uploaded to AWS Secrets Manager.
- A TLS private key and certificate, valid for the fully qualified domain name you plan to use with Vault, that have been uploaded to AWS Secrets Manager.
- The ARN of a symmetric encryption key created in AWS KMS, which Vault uses for auto-unseal.
Using this module, you will be able to use Terraform to deploy a complete, end-to-end Vault Enterprise deployment inside of your own cloud account.
Note
The following steps outline a manual method of installing Vault using this module. This method of installation is primarily designed for you to test the execution of the module and get to know the design. We strongly recommend adapting these steps into a more controlled deployment process, such as HCP Terraform, Terraform Enterprise, or your existing CI/CD pipeline infrastructure.
Warning
NEVER store Terraform state in a version control system or in another unprotected location. Terraform state contains sensitive information in plaintext and must be protected. For more information, refer to the HashiCorp Terraform documentation.
While we have made efforts throughout this document to provide prescriptive best practices, we recognize that each organization has its own unique requirements and constraints when it comes to deploying infrastructure. Wherever possible, we have attempted to represent the different considerations you will need to make when deploying Vault in your cloud environment within the context of this Terraform module. The module contains additional capabilities that you may wish to review if the variables used in this guide do not suit your specific needs.
Deployment sequence overview
- Create the certificate files.
- Obtain the license file.
- Download the Vault CLI.
- Download the Terraform CLI.
- Deploy your prerequisite resources.
- Obtain the HashiCorp Validated Design Terraform module for deploying Vault Enterprise.
- Configure your cloud credentials.
- Initialize your Terraform workspace.
- Input your variables, including the values from your prerequisite deployment, in the module for deployment.
- Create a Terraform plan.
- Apply the plan.
- Validate the cluster was created and is reachable.
- Initialize the Vault cluster.
Preparation
Create the certificate files
Create a standard X.509 certificate that will be installed on the Vault servers. Refer to your organization's process on creating a new certificate that matches the DNS record you intend to direct users to when accessing Vault.
A total of three files will be needed:
- The certificate (vault-public.pub).
- The certificate's private key (vault-private.key).
- The bundle file from the certificate authority used to vend the certificate (ca.pub).
Keep these files to hand as you will need them later in the installation process.
Obtain the Vault Enterprise license file
Obtain the Vault Enterprise license file from your HashiCorp account team. This file contains a license key unique to your environment. The file will be named something like vault.hclic.
Keep this file handy, as you will need it later in the installation process.
Download and Install the Vault CLI
Note
This guide was tested using Vault 1.17.1+ent.
- Download the appropriate package for your operating system from the HashiCorp Releases site.
- Unzip the package.
- Move the vault binary (vault.exe for Windows) to a directory in your system's PATH.
Download and install the Terraform CLI
Note
This guide was tested using Terraform 1.6.2.
- Download the appropriate package for your operating system from the HashiCorp Releases site.
- Unzip the package.
- Move the terraform binary (terraform.exe for Windows) to a directory in your system's PATH.
Download the Terraform module
For the purpose of an automated deployment, HashiCorp and HashiCorp partners provide private Terraform modules to customize and support your deployment.
Once you have downloaded the module, navigate to the examples/default/ directory. Use this as the base working directory during the installation process.
Configure AWS credentials
Ensure the correct AWS credentials are in place and accessible to Terraform. Terraform can read credentials from:
- Credentials file: typically located at $HOME/.aws/credentials (%UserProfile%\.aws\credentials on Windows).
- Environment variables: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN (if using an IAM role or other expiring credentials), and AWS_DEFAULT_REGION.
For complete details on how to configure AWS credentials for Terraform, see the HashiCorp Terraform AWS provider documentation.
Ensure that the credentials you use have the permissions Terraform needs for the resources in the plan, and no more; prefer short-lived role credentials over long-lived access keys.
Installation
Initialize Terraform
Run terraform init to initialize your Terraform workspace. Inspect the output to ensure that all providers and modules are successfully downloaded, and that there are no outstanding errors before continuing.
Configure variables for deployment
Warning
You can only configure variables for the installation module's terraform.tfvars file after all the prerequisite resources are available. You will need to supply values from the prerequisites to the Vault module.
Review the terraform.tfvars.example file HashiCorp maintains in the examples/default/ directory for explanations of each relevant variable. There is a terraform.tfvars.example file in the respective module for each public cloud provider.
Copy this file to a file called terraform.tfvars, and then fill in the values for each declared variable with the applicable values for your environment.
Create and apply Terraform plan
From the examples/default/ directory, generate a Terraform plan with the following command:
terraform plan -out plan.out
Review the plan output to see the changes that will be applied, then apply exactly that plan with this command:
terraform apply plan.out
Terraform does not ask for confirmation when applying a saved plan file, so review the plan before this step. If you instead run terraform apply without a plan file, confirm the changes by typing yes when prompted. Treat plan.out as sensitive: it contains the values of every variable you supplied.
Validate installation
Run the following command:
terraform output
Using the Terraform output that references the load balancer's DNS name or IP address, create a DNS record that matches your TLS certificate and points to the load balancer for the Vault cluster. Then set the following environment variable, using that name:
$ export VAULT_ADDR="https://vault.example.com:8200"
Test that the Vault cluster is running and reachable by running:
vault status
If the certificate was issued by an internal CA, point VAULT_CACERT at ca.pub so the CLI can verify the listener. Before initialization, vault status reports Initialized false and Sealed true and exits with status 2; that is expected at this stage and confirms that the listener is reachable and the TLS handshake succeeds. A connection or certificate error here means the DNS record, load balancer or certificate is wrong, so fix that before continuing.
Initialize
Create GPG public keys
For each individual who will be receiving a key share, create their own unique GPG key pair and export the public key:
$ cat > alice_key.conf << EOF
%echo Generating a basic OpenPGP key for Alice
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: Alice
Name-Comment: Alice is a Vault PGP user
Name-Email: alice@example.com
Expire-Date: 1y
Passphrase: recede-yard-unwilling-shrouded
%commit
%echo done
EOF
$ gpg --full-gen-key --batch alice_key.conf
…
$ gpg --output alice_key.pub --export alice@example.com
A bare number in Expire-Date is read as a number of days; give the key a lifetime that comfortably covers the ceremony and any later recovery operation, because Vault will not encrypt to an expired key, while the holder can still decrypt with one. The batch file holds the passphrase in clear text, so delete it once the key has been generated; the private key and passphrase stay with the holder, and only the exported public key is handed to the operator running the initialization.
Initialize Vault
Pass in the GPG public key from each participating individual to initialize Vault with the API, CLI, or UI. Once Vault initializes, it returns the key shares, each one encrypted with the GPG public keys which you passed in at initialization time.
Because this design uses AWS KMS auto-unseal, vault operator init produces recovery key shares rather than Shamir unseal keys, and the options that govern them are the -recovery-* flags (-key-shares, -key-threshold and -pgp-keys apply only to Shamir unseal keys). The shares come back encrypted to the public keys in the order they were given, so the number of keys must equal the number of shares:
$ vault operator init \
    -recovery-shares=5 \
    -recovery-threshold=3 \
    -recovery-pgp-keys="alice_key.pub,bob_key.pub,carol_key.pub,dan_key.pub,frank_key.pub" \
    -root-token-pgp-key="alice_key.pub"
Recovery Key 1: Fr6OZBDRG…KsgqC
Recovery Key 2: X6/RDBpC…rZfUM
Recovery Key 3: XCAmAgbr…J0+P3
Recovery Key 4: JwoPoWtl…QXhyV
Recovery Key 5: 8Rdk5D+7…0tgWJ
Initial Root Token: hvs.NpBT…cbbXZ
Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.
Record the Initial Root Token from the output so you can authenticate to Vault and begin configuring user authentication. Because -root-token-pgp-key was supplied, the token is PGP-encrypted to Alice's public key and base64-encoded, so Alice must base64-decode it and decrypt it with her private key before it can be used.
Each individual should now record their unique recovery key and store it safely. This is their key share, PGP-encrypted to their public key and base64-encoded; only the holder of the matching private key and passphrase can recover it, and the operator who ran the initialization never sees a usable share.
This concludes the key ceremony.
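The page shows the operator's side of the ceremony (batch key generation, then vault operator init) but not what a holder does with the line they receive. The script below is an added example, not part of the HVD page: it generates a holder key in a throwaway GNUPGHOME the way the page does, simulates the share Vault hands back (the share bytes PGP-encrypted to the holder's key, then base64-encoded on one line, which is the form in which vault operator init emits PGP-protected shares and the root token), and shows the holder decrypting it. The holder name, address and share value are constructed; gpg 2.x on PATH is assumed. It uses %no-protection to stay non-interactive, where a real holder sets a Passphrase line as the page does.

```shell
#!/bin/sh
# Added example, not part of the HVD page: the holder's side of the key ceremony.
# Generates a holder key in a throwaway GNUPGHOME, simulates the share Vault
# returns (PGP-encrypted to the holder's key, base64 on one line) and decrypts it.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Batch-generate one holder's key and export the binary public key that the
# -recovery-pgp-keys / -pgp-keys / -root-token-pgp-key flags take. 2048-bit keys
# keep the demo quick; the page uses 4096. %no-protection keeps it non-interactive;
# a real holder sets a Passphrase line instead and deletes the batch file
# afterwards, because it holds that passphrase in clear text.
make_holder_key() {
  name="$1"; email="$2"; out="$3"
  cat > "$GNUPGHOME/$email.conf" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $name
Name-Email: $email
Expire-Date: 1y
%commit
EOF
  gpg --batch --quiet --full-gen-key "$GNUPGHOME/$email.conf" 2>/dev/null
  rm -f "$GNUPGHOME/$email.conf"
  gpg --batch --quiet --output "$out" --export "$email"
}

# What Vault does with each share at init time: encrypt it to the holder's public
# key, then base64 the binary PGP message so it fits on one output line.
encrypt_share_like_vault() {
  email="$1"; share="$2"
  printf '%s' "$share" \
    | gpg --batch --quiet --trust-model always --recipient "$email" --encrypt \
    | base64 | tr -d '\n'
}

# The holder's step, run where their private key lives: undo the base64, then
# decrypt. The same two steps recover the Initial Root Token for whoever's key
# was passed to -root-token-pgp-key.
decrypt_share() {
  blob="$1"
  printf '%s' "$blob" | base64 -d | gpg --batch --quiet --decrypt 2>/dev/null
}

# Stand-alone demo for one holder (constructed share value, not a real one).
make_holder_key "Alice Holder" alice@example.com "$GNUPGHOME/alice_key.pub"
SAMPLE_SHARE="constructed-recovery-share-1-for-alice"
ENCRYPTED_SHARE=$(encrypt_share_like_vault alice@example.com "$SAMPLE_SHARE")
echo "Recovery Key 1: $ENCRYPTED_SHARE"
echo "Decrypted by Alice: $(decrypt_share "$ENCRYPTED_SHARE")"
```

Each holder runs the equivalent of decrypt_share on their own machine with their own private key; the operator who ran vault operator init only ever holds the encrypted lines. Vault checks that the number of public keys equals the number of shares, so a holder whose key was omitted receives nothing and must be added before initialization, not after.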
You should now have a running cluster. Log in to Vault with the decrypted root token; vault login prompts for the token and does not echo it, which also keeps it out of your shell history:
$ export VAULT_ADDR=$(terraform output -raw vault_addr)
$ vault login