This is a Terraform configuration for setting up HashiCorp Vault on AWS, designed with a small infrastructure in mind. It is not built for high availability and is best suited to small companies and personal use.
This was built as a two-part article in partnership with ZRP.
-
Part 1: Provisioning Vault using Terraform
The first part of the article handles the infrastructure itself.
It explains how to build everything you need to get Vault up and running: S3 as the storage backend, KMS for auto-unseal, and Vault hosted on ECS using the official Docker image, on EC2 spot instances (spot for cost reduction) that register themselves into the ECS cluster.
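To make the Part 1 architecture concrete, below is a Vault server configuration that matches it. This is an added example, not code from the repository or the articles; the bucket name, region, KMS key, certificate paths and API address are placeholders you must replace. With the official Docker image this text can be handed to the container through the VAULT_LOCAL_CONFIG environment variable of the ECS task definition.

```hcl
# Added example (not the repository's own code): a Vault server configuration
# for the S3 + KMS + ECS layout. Bucket, region, KMS key, TLS paths and
# api_addr are assumed placeholders.

ui = true

# S3 as the storage backend. Note: the S3 backend does not support Vault
# high availability, which is why this setup is a single-node one.
storage "s3" {
  bucket = "example-vault-storage"   # assumed bucket name
  region = "us-east-1"               # assumed region
  # No static keys here: credentials come from the task/instance IAM role.
}

# Auto-unseal with KMS. The root key is wrapped by this KMS key, so a
# restarted task unseals itself without any Shamir key holders.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "REPLACE-WITH-KMS-KEY-ID-OR-ARN"   # assumed placeholder
}

# Never expose the API without TLS; the cert/key paths are assumed and
# would be mounted into the container.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/vault/tls/server.crt"
  tls_key_file  = "/vault/tls/server.key"
}

# Address clients are redirected to; assumed, point it at your load balancer.
api_addr = "https://vault.example.internal:8200"
```

The IAM role attached to the task needs s3 read/write/list on the bucket and kms:Encrypt, kms:Decrypt and kms:DescribeKey on the unseal key; nothing else should be able to call Decrypt with that key, since whoever can is able to unseal a copy of the S3 data. The official image also expects either the IPC_LOCK capability on the container or disable_mlock = true in this file.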
-
Part 2: Setting up Access Control Policy (ACL) in Vault using Terraform
The second part of the article covers Vault's internal configuration using the Vault Terraform provider.
It explains how to create policies for multiple projects, taking into consideration four different access levels: admin, management, member and visitor, and also how to create users and attach the necessary policies to them, all using only Terraform; the Vault UI is only used for validation.
The image below illustrates the four access levels for the policies. Each project gets a policy of each kind (except admin, which is global).
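As an added example of the Part 2 layout (not the repository's own code), the Terraform below generates one global admin policy plus a management, member and visitor policy per project, and creates a userpass user with a mix of them. The project names, the KV v2 mount path, the exact capability set given to each level and the user are assumptions chosen to illustrate the pattern, not the article's values.

```hcl
# Added example (not the repository's own code). Project names, the KV mount
# path, the per-level capability sets and the user are all assumed.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Address and token are read from VAULT_ADDR / VAULT_TOKEN, so the root
# token never lands in source or state.
provider "vault" {}

locals {
  projects = toset(["alpha", "beta"])   # assumed project names
  kv_path  = "secret"                    # assumed KV v2 mount path

  # Capabilities per access level (assumed split). admin is global and is
  # defined separately below.
  levels = {
    management = {
      data     = ["create", "read", "update", "delete", "list"]
      metadata = ["read", "list", "delete"]
    }
    member = {
      data     = ["create", "read", "update", "list"]
      metadata = ["read", "list"]
    }
    visitor = {
      data     = ["read"]
      metadata = ["read", "list"]
    }
  }

  # One policy per (project, level) pair, e.g. "alpha-management".
  project_policies = {
    for pair in setproduct(local.projects, keys(local.levels)) :
    "${pair[0]}-${pair[1]}" => { project = pair[0], level = pair[1] }
  }
}

resource "vault_mount" "kv" {
  path    = local.kv_path
  type    = "kv"
  options = { version = "2" }
}

# Global admin policy: everything, plus sudo for root-protected paths.
resource "vault_policy" "admin" {
  name   = "admin"
  policy = <<-EOT
    path "*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
  EOT
}

# Per-project policies. KV v2 stores values under <mount>/data/<project>/
# and version info under <mount>/metadata/<project>/, so both prefixes
# must be covered or listing in the UI/CLI fails.
resource "vault_policy" "project" {
  for_each = local.project_policies
  name     = each.key
  policy   = <<-EOT
    path "${local.kv_path}/data/${each.value.project}/*" {
      capabilities = ${jsonencode(local.levels[each.value.level].data)}
    }
    path "${local.kv_path}/metadata/${each.value.project}/*" {
      capabilities = ${jsonencode(local.levels[each.value.level].metadata)}
    }
  EOT
}

resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

variable "alice_password" {
  type      = string
  sensitive = true
}

# Users are created through the generic endpoint with their policies
# attached: alice manages "alpha" but can only read "beta".
resource "vault_generic_endpoint" "alice" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/alice"
  ignore_absent_fields = true
  data_json = jsonencode({
    password       = var.alice_password
    token_policies = ["alpha-management", "beta-visitor"]
  })
}
```

After `terraform apply`, log in to the UI as alice and check that `secret/alpha/` is writable while `secret/beta/` is read-only; any path outside those two projects should return a permission denied, which is the least-privilege property the per-project split is meant to give you. Keep in mind that the password ends up in Terraform state, so the state backend itself must be encrypted and access-controlled.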
All the code in this repository was built gradually; if you try to apply it as is it will not work, and you will get an error from Terraform.
Use it as a reference, or read the articles for more information on how to make it work.