HashiCorp Cloud Platform: HCP Vault Cluster
This Terraform Module provisions a HashiCorp Vault Cluster.
Table of Contents
Requirements
- HashiCorp Cloud Platform (HCP) Account
- Terraform
1.3.0or newer.
Usage
Note This module requires a Service Principal for HashiCorp Cloud Platform.
See the official documentation for instructions on how to provide these credentials.
Examples
- Deploy HCP Vault on AWS with examples/basic-aws.
- Deploy HCP Vault on Microsoft Azure with examples/basic-azure.
- Deploy HCP Vault with AWS CloudWatch Audit Log Config with examples/audit-log-config-cloudwatch.
- Deploy HCP Vault with AWS CloudWatch Metrics Config with examples/metrics-log-config-cloudwatch.
- Deploy HCP Vault with Datadog Audit Logging with examples/audit-log-config-datadog.
- Deploy HCP Vault with Datadog Metrics Config with examples/metrics-config-datadog.
For additional examples, see the ./examples directory.
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_id | The ID of the HCP Vault cluster. | string |
n/a | yes |
| hvn_id | The ID of the HVN this HCP Vault cluster is associated to. | string |
n/a | yes |
| project_id | The ID of the HCP project where the Vault cluster is located. | string |
n/a | yes |
| audit_log_config | Complex Object for Audit Log Configuration. Only applied on Clusters that are on a tier higher than dev. |
object({ enabled = bool # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#cloudwatch_access_key_id cloudwatch_access_key_id = optional(string) cloudwatch_region = optional(string) cloudwatch_secret_access_key = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#datadog_api_key datadog_api_key = optional(string) datadog_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#elasticsearch_endpoint elasticsearch_endpoint = optional(string) elasticsearch_password = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#grafana_endpoint grafana_endpoint = optional(string) grafana_password = optional(string) grafana_user = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#http_basic_password http_basic_password = optional(string) http_basic_user = optional(string) http_bearer_token = optional(string) http_codec = optional(string) http_compression = optional(bool) http_headers = optional(map(string)) http_method = optional(string) http_payload_prefix = optional(string) http_payload_suffix = optional(string) http_uri = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#newrelic_account_id newrelic_account_id = optional(string) newrelic_license_key = optional(string) newrelic_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#splunk_hecendpoint splunk_hecendpoint = optional(string) splunk_token = optional(string) }) | { "cloudwatch_access_key_id": null, "cloudwatch_region": null, "cloudwatch_secret_access_key": null, "datadog_api_key": null, "datadog_region": "us1", "elasticsearch_endpoint": null, "elasticsearch_password": null, "enabled": false, "grafana_endpoint": null, "grafana_password": null, "grafana_user": null, "http_basic_password": null, "http_basic_user": null, "http_bearer_token": null, "http_codec": null, "http_compression": null, "http_headers": null, "http_method": null, "http_payload_prefix": null, "http_payload_suffix": null, "http_uri": null, "newrelic_account_id": null, "newrelic_license_key": null, "newrelic_region": null, "splunk_hecendpoint": null, "splunk_token": null} | no |
| ip_allowlist | Allowed IPV4 address ranges (CIDRs) for inbound traffic. Each entry must be a unique CIDR. | list(object({ address = string description = string })) | [] |
no |
| major_version_upgrade_config | The Major Version Upgrade configuration. Only applied on Clusters of tier standard_, or plus_. |
object({ upgrade_type = string maintenance_window_day = optional(string) maintenance_window_time = optional(string) }) | null |
no |
| metrics_config | Complex Object for Metrics Configuration. Only applied on Clusters that are on a tier higher than dev. |
object({ enabled = bool # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#cloudwatch_access_key_id cloudwatch_access_key_id = optional(string) cloudwatch_region = optional(string) cloudwatch_secret_access_key = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#datadog_api_key datadog_api_key = optional(string) datadog_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#elasticsearch_endpoint elasticsearch_endpoint = optional(string) elasticsearch_password = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#grafana_endpoint grafana_endpoint = optional(string) grafana_password = optional(string) grafana_user = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#http_basic_password http_basic_password = optional(string) http_basic_user = optional(string) http_bearer_token = optional(string) http_codec = optional(string) http_compression = optional(bool) http_headers = optional(map(string)) http_method = optional(string) http_payload_prefix = optional(string) http_payload_suffix = optional(string) http_uri = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#newrelic_account_id newrelic_account_id = optional(string) newrelic_license_key = optional(string) newrelic_region = optional(string) # see https://registry.terraform.io/providers/hashicorp/hcp/latest/docs/resources/vault_cluster#splunk_hecendpoint splunk_hecendpoint = optional(string) splunk_token = optional(string) }) | { "cloudwatch_access_key_id": null, "cloudwatch_region": null, "cloudwatch_secret_access_key": null, "datadog_api_key": null, "datadog_region": "us1", "elasticsearch_endpoint": null, "elasticsearch_password": null, "enabled": false, "grafana_endpoint": null, "grafana_password": null, "grafana_user": null, "http_basic_password": null, "http_basic_user": null, "http_bearer_token": null, "http_codec": null, "http_compression": null, "http_headers": null, "http_method": null, "http_payload_prefix": null, "http_payload_suffix": null, "http_uri": null, "newrelic_account_id": null, "newrelic_license_key": null, "newrelic_region": null, "splunk_hecendpoint": null, "splunk_token": null} | no |
| min_vault_version | The minimum Vault version to use when creating the cluster. | string |
null |
no |
| paths_filter | The performance replication paths filter. | list(string) |
null |
no |
| primary_link | The self_link of the HCP Vault Plus tier cluster which is the primary in the performance replication setup. |
bool |
null |
no |
| proxy_endpoint | Denotes that the cluster has a proxy endpoint. | string |
"DISABLED" |
no |
| public_endpoint | Denotes that the cluster has a public endpoint. | bool |
false |
no |
| tier | Tier of the HCP Vault cluster. | string |
"dev" |
no |
| timeouts | Amount of time (in minutes) that can elapse, before an operation is considered timed-out. | object({ create = string default = string delete = string update = string }) | { "create": "35m", "default": "5m", "delete": "25m", "update": "35m"} | no |
Outputs
| Name | Description |
|---|---|
| cluster_audit_logs_url | HCP Vault Cluster Audit Logs URL. |
| cluster_metrics_url | HCP Vault Cluster Metrics URL. |
| cluster_overview_url | HCP Vault Cluster Overview URL. |
| cluster_replication_url | HCP Vault Cluster Replication URL. |
| cluster_snapshots_url | HCP Vault Cluster Snapshots URL. |
| hcp_vault_cluster | Exported Attributes for hcp_vault_cluster.main
|
Notes
This module uses Terraform's lifecycle feature to prevent destruction of an HCP Vault Cluster when the corresponding Terraform module is removed.
To delete an HCP Vault Cluster, remove it from Terraform state, using the state rm command:
terraform state rm module.hcp_vault.hcp_vault_cluster.main
When done, manually carry out destructive lifecycle operations through the HCP Vault UI.
Author Information
This module is maintained by the contributors listed on GitHub.
License
Licensed under the Apache License, Version 2.0 (the "License").
You may obtain a copy of the License at apache.org/licenses/LICENSE-2.0.
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" basis, without WARRANTIES or conditions of any kind, either express or implied.
See the License for the specific language governing permissions and limitations under the License.