This repository has been archived by the owner on Oct 10, 2022. It is now read-only.

Add vault enterprise support #43

Closed
wants to merge 5 commits into from

Conversation

@dannyibishev dannyibishev commented Jul 13, 2022

  • Adds a condition for terraform enterprise: if a license is provided (via a new Secrets Manager secret), the user data script will install the terraform enterprise binary and export the required vault variable before the service is started. - Closes Support for vault enterprise #45
  • Health check improvements. - Closes Allow platform engineers to manage the health check settings for the ASG #44
  • Bumped up the AWS provider requirements to >= 4.0.0.
  • Replaced the aws_autoscaling_group tag method. tags is deprecated; the new recommended way to specify tags is by using the tag block.

Update (7 September 2022)

I have added a lot more than I would have liked for my use-case. Therefore, I will leave the owners to decide whether they want to make tweaks to make it acceptable for this module, or if they want to close it.

Here are a few other changes that were made in order to support terraform enterprise (for our use case) using the integrated storage architecture.

  • DNS autoscaling. This was added for the node to node communication. I needed a way for my nodes to find each other and trust each other using mTLS (as recommended by best practices) - To save time and keep complexity low, I ended up using another third party module to achieve this. Basically, the lifecycle policy on the ASG creates and removes records on the private route53 hosted zone.
  • Added the ability to specify KMS administrators.
  • Encrypted most of the essential resources with the KMS key and added the required policies to achieve this.
  • Replaced the ASG and Launch Template resource with that of a third party module.
  • Added trust for the self managed CA certificate to the certificate chain on the nodes.

I'd also suggest a git rebase is done to tidy up the commit names and splice together test commits so there's less noise.
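The enterprise switch described in the first bullet above (license fetched from a Secrets Manager secret, enterprise binary selected, license exported before the service starts), as an added example that is not the PR's own user data script. The secret id variable name, the Vault version, and the file paths are assumptions; `PREFIX` is empty on a real node and points at a scratch directory when exercising the functions locally.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own user-data script. At boot, fetch the Vault
# Enterprise license from Secrets Manager (the secret id variable is assumed),
# pick the matching release artifact, and hand the license to the service
# through a root-only environment file rather than the unit's command line.
set -eu

PREFIX="${PREFIX:-}"                       # root for all paths; "" on a real node
VAULT_VERSION="${VAULT_VERSION:-1.11.0}"   # assumed version, not from the PR

# Returns the SecretString, or "" when the secret is absent (no license = OSS).
fetch_license() {
  aws secretsmanager get-secret-value --secret-id "$1" \
      --query SecretString --output text 2>/dev/null || true
}

# "enterprise" when a non-empty license was supplied, otherwise "oss".
vault_edition() {
  if [ -n "$1" ]; then echo enterprise; else echo oss; fi
}

# Enterprise builds are published under the "+ent" version suffix.
vault_download_url() {
  local ver="$VAULT_VERSION"
  if [ "$1" = enterprise ]; then ver="${ver}+ent"; fi
  printf 'https://releases.hashicorp.com/vault/%s/vault_%s_linux_amd64.zip\n' "$ver" "$ver"
}

# Write VAULT_LICENSE to a 0600 env file and a systemd drop-in that loads it
# before vault.service starts; the license never appears in argv or the log.
configure_vault_license() {
  local license="$1" edition envfile dropin
  edition="$(vault_edition "$license")"
  envfile="${PREFIX}/etc/vault.d/vault.env"
  dropin="${PREFIX}/etc/systemd/system/vault.service.d/license.conf"
  if [ "$edition" = oss ]; then echo oss; return 0; fi
  install -d -m 0750 "$(dirname "$envfile")" "$(dirname "$dropin")"
  ( umask 077; printf 'VAULT_LICENSE=%s\n' "$license" > "$envfile" )
  printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$dropin"
  echo enterprise
}

# Boot flow, run only when the instance was given a secret id (assumed name).
if [ -n "${VAULT_LICENSE_SECRET_ID:-}" ]; then
  license="$(fetch_license "$VAULT_LICENSE_SECRET_ID")"
  edition="$(configure_vault_license "$license")"
  echo "installing $(vault_download_url "$edition")"
fi
```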

@dannyibishev dannyibishev changed the title [WIP]: Add vault enterprise support Add vault enterprise support Sep 7, 2022
Add KMS additions + more tweaks to user_data (enterprise support)

- Restructuring the project layout to make KMS / IAM / Launch template settings more easily accessible.
- KMS policy added.
- Removed unnecessary networking module.
- Add trusted self-signed cert steps to the user data script
@troyready (Contributor)

Hi @dannyibishev . Sorry for not responding sooner here. Very much appreciate the contributions you've done.

I'm going to close this out, but I'd encourage anyone interested in any of its features to pick it up and open a separate issue to explore it. The only technical/procedural note I'll make is that we currently have a separate module for deploying Vault Enterprise, so anyone picking up the same features should split them between the modules as appropriate.

@troyready troyready closed this Sep 14, 2022
@dannyibishev (Author)

@troyready Thanks for looking into this.

May I suggest you add labels to the enterprise vault module repository, as I could not find it easily when I first started looking into this.

@dannyibishev dannyibishev deleted the YI/ENTERPRISE-SUPPORT branch September 14, 2022 06:33