hashicorp · dannyibishev · Jul 13, 2022 · Jul 14, 2022 · Jul 14, 2022 · Sep 5, 2022
diff --git a/README.md b/README.md
@@ -32,6 +32,9 @@ on AWS using the open source version of Vault 1.8+.
   [quickstart](https://github.com/hashicorp/terraform-aws-vault-starter/tree/main/examples/prereqs_quickstart)
   to deploy these resources.
 
+  Alternatively, check out [vault enterprise quickstart](https://github.com/hashicorp/terraform-aws-vault-starter/tree/main/examples/prereqs_quickstart)
+  to deploy these resources with an additional AWS Secret Manager secret that will be used to store the vault enterprise license key.
+
 - To deploy into an existing VPC, ensure the following components exist and are
   routed to each other correctly:
   - Three public subnets
@@ -64,7 +67,9 @@ module "vault" {
     "subnet-2xyz",
   ]
   # AWS Secrets Manager ARN where TLS certs are stored
-  secrets_manager_arn = "arn:aws::secretsmanager:abc123xxx"
+  tls_cert_secrets_manager_arn = "arn:aws::secretsmanager:abc123xxx"
+  # AWS Secrets Manager ARN where a vault enterprise license is stored. Leave this out if you are not wanting to set up vault enterprise.
+  # vault_ent_license_secret_manager_arn = "arn:aws::secretsmanager:abc456xxx"
   # The shared DNS SAN of the TLS certs being used
   leader_tls_servername = "vault.server.com"
   # The cert ARN to be used on the Vault LB listener

diff --git a/examples/prereqs_quickstart/outputs.tf b/examples/prereqs_quickstart/outputs.tf
@@ -13,9 +13,9 @@ output "private_subnet_ids" {
   value       = module.vpc.private_subnet_ids
 }
 
-output "secrets_manager_arn" {
+output "tls_cert_secrets_manager_arn" {
   description = "ARN of secrets_manager secret"
-  value       = module.secrets.secrets_manager_arn
+  value       = module.secrets.tls_cert_secrets_manager_arn
 }
 
 output "vpc_id" {

diff --git a/examples/prereqs_quickstart/secrets/outputs.tf b/examples/prereqs_quickstart/secrets/outputs.tf
@@ -8,7 +8,7 @@ output "leader_tls_servername" {
   value       = var.shared_san
 }
 
-output "secrets_manager_arn" {
+output "tls_cert_secrets_manager_arn" {
   description = "ARN of secrets_manager secret"
   value       = aws_secretsmanager_secret.tls.arn
 }
diff --git a/examples/prereqs_quickstart/versions.tf b/examples/prereqs_quickstart/versions.tf
@@ -2,7 +2,7 @@ terraform {
   required_version = ">= 1.2.1"
 
   required_providers {
-    aws = ">= 3.0.0, < 4.0.0"
+    aws = ">= 4.0.0"
     tls = ">= 3.0.0, < 4.0.0"
   }
 }
diff --git a/main.tf b/main.tf
@@ -1,23 +1,74 @@
 data "aws_region" "current" {}
 
-module "iam" {
-  source = "./modules/iam"
-
-  aws_region                  = data.aws_region.current.name
-  kms_key_arn                 = module.kms.kms_key_arn
-  permissions_boundary        = var.permissions_boundary
-  resource_name_prefix        = var.resource_name_prefix
-  secrets_manager_arn         = var.secrets_manager_arn
-  user_supplied_iam_role_name = var.user_supplied_iam_role_name
+data "aws_caller_identity" "current" {}
+
+locals {
+  identifier = "vault-enterprise-${var.resource_name_prefix}"
+}
+
+/**
+ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ *    Instance IAM ROLE / Policy / Profile
+ * ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+*/
+
+data "aws_iam_policy_document" "instance_assume_role" {
+  statement {
+    effect = "Allow"
+
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_role" "instance" {
+  name                 = format("%s-instance", local.identifier)
+  permissions_boundary = var.permissions_boundary
+  assume_role_policy   = data.aws_iam_policy_document.instance_assume_role.json
+
+  tags = merge(
+    { Name = format("%s-instance", local.identifier) },
+    var.common_tags,
+  )
+}
+
+resource "aws_iam_instance_profile" "instance" {
+  name = local.identifier
+  role = aws_iam_role.instance.name
+}
+
+# Required if the volumes on the launch template are encrypted using the project KMS key.
+resource "aws_iam_service_linked_role" "autoscaling" {
+  aws_service_name = "autoscaling.amazonaws.com"
+  custom_suffix    = local.identifier
+}
+
+module "iam_policies" {
+  source = "./modules/iam_policies"
+
+  resource_name_prefix = var.resource_name_prefix
+  kms_key_arn_backend  = module.kms.backend_kms_key_arn
+  kms_key_arn_seal     = module.kms.vault_seal_unseal_kms_key_arn
+  iam_role_arn         = aws_iam_role.instance.id
+  secret_manager_arns  = compact([var.tls_cert_secrets_manager_arn, var.vault_ent_license_secret_manager_arn])
 }
 
 module "kms" {
   source = "./modules/kms"
 
-  common_tags               = var.common_tags
-  kms_key_deletion_window   = var.kms_key_deletion_window
-  resource_name_prefix      = var.resource_name_prefix
-  user_supplied_kms_key_arn = var.user_supplied_kms_key_arn
+  resource_name_prefix                = var.resource_name_prefix
+  kms_key_administrators              = var.kms_key_administrators
+  kms_key_deletion_window             = var.kms_key_deletion_window
+  common_tags                         = var.common_tags
+  account_id                          = data.aws_caller_identity.current.account_id
+  custom_kms_backend_policy           = var.custom_kms_backend_policy
+  custom_kms_seal_unseal_policy       = var.custom_kms_seal_unseal_policy
+  autoscaling_service_linked_role_arn = aws_iam_service_linked_role.autoscaling.arn
+  instance_role_arn                   = aws_iam_role.instance.arn
 }
 
 module "loadbalancer" {
@@ -33,25 +84,20 @@ module "loadbalancer" {
   resource_name_prefix    = var.resource_name_prefix
   ssl_policy              = var.ssl_policy
   vault_sg_id             = module.vm.vault_sg_id
-  vpc_id                  = module.networking.vpc_id
-}
-
-module "networking" {
-  source = "./modules/networking"
-
-  vpc_id = var.vpc_id
+  vpc_id                  = var.vpc_id
 }
 
 module "user_data" {
   source = "./modules/user_data"
 
-  aws_region                  = data.aws_region.current.name
-  kms_key_arn                 = module.kms.kms_key_arn
-  leader_tls_servername       = var.leader_tls_servername
-  resource_name_prefix        = var.resource_name_prefix
-  secrets_manager_arn         = var.secrets_manager_arn
-  user_supplied_userdata_path = var.user_supplied_userdata_path
-  vault_version               = var.vault_version
+  aws_region                           = data.aws_region.current.name
+  kms_seal_unseal_key_arn              = module.kms.vault_seal_unseal_kms_key_arn
+  leader_tls_servername                = var.leader_tls_servername
+  resource_name_prefix                 = var.resource_name_prefix
+  tls_cert_secrets_manager_arn         = var.tls_cert_secrets_manager_arn
+  vault_ent_license_secret_manager_arn = var.vault_ent_license_secret_manager_arn
+  user_supplied_userdata_path          = var.user_supplied_userdata_path
+  vault_version                        = var.vault_version
 }
 
 locals {
@@ -64,19 +110,26 @@ locals {
 module "vm" {
   source = "./modules/vm"
 
-  allowed_inbound_cidrs     = var.allowed_inbound_cidrs_lb
-  allowed_inbound_cidrs_ssh = var.allowed_inbound_cidrs_ssh
-  aws_iam_instance_profile  = module.iam.aws_iam_instance_profile
-  common_tags               = var.common_tags
-  instance_type             = var.instance_type
-  key_name                  = var.key_name
-  lb_type                   = var.lb_type
-  node_count                = var.node_count
-  resource_name_prefix      = var.resource_name_prefix
-  userdata_script           = module.user_data.vault_userdata_base64_encoded
-  user_supplied_ami_id      = var.user_supplied_ami_id
-  vault_lb_sg_id            = module.loadbalancer.vault_lb_sg_id
-  vault_subnets             = var.private_subnet_ids
-  vault_target_group_arns   = local.vault_target_group_arns
-  vpc_id                    = module.networking.vpc_id
+  allowed_inbound_cidrs               = var.allowed_inbound_cidrs_lb
+  allowed_inbound_cidrs_ssh           = var.allowed_inbound_cidrs_ssh
+  aws_iam_instance_profile            = aws_iam_instance_profile.instance.arn
+  common_tags                         = var.common_tags
+  instance_type                       = var.instance_type
+  key_name                            = var.key_name
+  lb_type                             = var.lb_type
+  node_count                          = var.node_count
+  resource_name_prefix                = var.resource_name_prefix
+  userdata_script                     = module.user_data.vault_userdata_base64_encoded
+  user_supplied_ami_id                = var.user_supplied_ami_id
+  vault_lb_sg_id                      = module.loadbalancer.vault_lb_sg_id
+  vault_subnets                       = var.private_subnet_ids
+  vault_target_group_arns             = local.vault_target_group_arns
+  vpc_id                              = var.vpc_id
+  asg_health_check_type               = var.asg_health_check_type
+  asg_health_check_grace_period       = var.asg_health_check_grace_period
+  autoscaling_service_linked_role_arn = aws_iam_service_linked_role.autoscaling.arn
+  wait_for_capacity_timeout           = var.wait_for_capacity_timeout
+  backend_kms_key_arn                 = module.kms.backend_kms_key_arn
+  leader_tls_servername               = var.leader_tls_servername
+  internal_zone_id                    = var.internal_zone_id
 }
diff --git a/modules/iam/README.md b/modules/iam/README.md
diff --git a/modules/iam/main.tf b/modules/iam/main.tf
diff --git a/modules/iam/outputs.tf b/modules/iam/outputs.tf
diff --git a/modules/iam/variables.tf b/modules/iam/variables.tf