Modular deployment of Vault on Compute Engine.
Unseal keys are generated when the instance first starts and stored encrypted using Cloud KMS in a separate Cloud Storage bucket for later retrival and Vault unsealing.
This module also creates a TLS CA and certificates for the Vault server. The generated certificates are encrypyed using Cloud KMS and stored in a separate Cloud Storage bucket.
module "vault" {
source = "github.com/GoogleCloudPlatform/terraform-google-vault"
project_id = "${var.project_id}"
region = "${var.region}"
zone = "${var.zone}"
storage_bucket = "${var.storage_bucket}"
kms_keyring_name = "${var.kms_keyring_name}"
}project_id(required): The project ID to add the IAM bindings for the service account to.region(required): The region to create the instance in.zone(required): The zone to create the instance in.kms_keyring_name(required): The name of the Cloud KMS KeyRing for asset encryption.kms_key_name: (optional): The name of the Cloud KMS Key used for asset encryption/decryption. Default isvault-init.network(optional): The network to deploy to. Default isdefault.subnetwork(optional): The subnetwork to deploy to. Default isdefault.machine_type(optional): The machine type for the instance. Default isn1-standard-1vault_args(optional): Additional command line arguments passed to vault server.force_destroy_bucket(optional): Set to true to force deletion of backend bucket on terraform destroy. Default isfalse.tls_ca_subject(optional): Thesubjectblock for the root CA certificate.tls_dns_names(optional): List of DNS names added to the Vault server self-signed certificate. Default is["vault.example.net"].tls_ips(optional): List of IP addresses added to the Vault server self-signed certificate. Default is["127.0.0.1"].tls_cn(optional): The TLS Common Name for the TLS certificates. Default isvault.example.net.tls_ou(optional): The TLS Organizational Unit for the TLS certificate. Default isIT Security Operations.
instance_group: Link to theinstance_groupproperty of the instance group manager resource.ca_private_key_algorithm: The root CA algorithm for generating client certs.ca_private_key_pem: The root CA key pem for generating client certs.ca_cert_pem: The root CA cert pem for generating client certs.
module.vault-server: The Vault server managed instance group module.google_storage_bucket.vault: The Cloud Storage bucket for Vault storage.google_storage_bucket.vault-assets: The Cloud Storage bucket for Vault unseal key and TLS certificate storage.google_service_account.vault-admin: The service account for the Vault instance.google_project_iam_policy.vault: The IAM policy bindings for the Vault service account.