Closed: xntrik closed this 3 years ago
Also, realised that I didn't update the associated LB TF code (unsure if there's a requirement to change this to HTTPS: https://github.com/hashicorp/terraform-aws-vault-espd/blob/master/modules/vault_cluster/main.tf#L60)
Closing this for now as we are revamping this module and will solve this issue in a different way
While Vault works perfectly well without TLS on the nodes, as this is handled upstream in the LBs, a number of customers and security best-practices may require end to end encryption, where possible.
This change follows a path of least resistance method to add self-signed certificates, unique per-node.
While self-signed certificates have weaknesses, particularly when used on the public Internet, AWS LBs don't validate certificates, and this does provide a means of encrypting traffic between User -> LB -> Vault Node.
This provides a more secure-by-default method of deploying this Vault Module.
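The approach the PR describes, sketched as an added Terraform example that is not code from the terraform-aws-vault-espd module or from the PR itself: one private key and one self-signed server certificate per node, a Vault listener stanza that uses them, and the load balancer target group switched to HTTPS so the LB -> node hop is encrypted as well. The variable names, the `vault-N.<domain>` naming pattern, the certificate validity period, the file paths under `/opt/vault/tls`, and the provider version pins are assumptions made for this example; the certificate and key would still have to be delivered to each instance (user data, provisioner, or a secrets store), which is outside what is shown here.

```hcl
terraform {
  required_providers {
    # Assumed version pins; the tls v4 provider no longer needs key_algorithm
    # on tls_self_signed_cert.
    tls = { source = "hashicorp/tls", version = "~> 4.0" }
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

variable "cluster_size" { default = 3 }                 # assumed: one cert per node
variable "vpc_id" {}                                    # assumed
variable "node_domain" { default = "vault.internal" }   # assumed internal DNS suffix

# One private key per node, so a key recovered from one node cannot be used
# to impersonate its peers. The key only ever exists in Terraform state and
# on the node it is shipped to.
resource "tls_private_key" "node" {
  count     = var.cluster_size
  algorithm = "RSA"
  rsa_bits  = 2048
}

# One self-signed server certificate per node. A short validity period and an
# early-renewal window keep rotation in the plan rather than forgotten.
resource "tls_self_signed_cert" "node" {
  count           = var.cluster_size
  private_key_pem = tls_private_key.node[count.index].private_key_pem

  subject {
    common_name  = "vault-${count.index}.${var.node_domain}"
    organization = "example"
  }

  dns_names             = ["vault-${count.index}.${var.node_domain}", "localhost"]
  ip_addresses          = ["127.0.0.1"]
  validity_period_hours = 24 * 90
  early_renewal_hours   = 24 * 14
  allowed_uses          = ["key_encipherment", "digital_signature", "server_auth"]
}

# Vault listener stanza; identical on every node because each node writes its
# own cert and key to the same assumed paths. How the files get there is not
# part of this example.
locals {
  vault_listener = <<-EOT
    listener "tcp" {
      address         = "0.0.0.0:8200"
      cluster_address = "0.0.0.0:8201"
      tls_cert_file   = "/opt/vault/tls/node.crt"
      tls_key_file    = "/opt/vault/tls/node.key"
      tls_min_version = "tls12"
    }
  EOT
}

# The target group now speaks HTTPS to the nodes, which is the LB-side change
# the first comment asks about. AWS load balancers do not validate the target
# certificate, so a self-signed per-node cert is enough for the LB -> node hop;
# the client -> LB hop still needs a publicly trusted cert on the LB listener.
resource "aws_lb_target_group" "vault" {
  name     = "vault"
  port     = 8200
  protocol = "HTTPS"
  vpc_id   = var.vpc_id

  health_check {
    protocol = "HTTPS"
    path     = "/v1/sys/health?standbyok=true"
    matcher  = "200"
  }
}
```

Because the LB does not check the target certificate, the protection this adds is confidentiality of traffic in transit on the VPC segment between LB and node, not authentication of the node to the LB; anything that needs the latter would require a private CA whose root the LB can verify, which AWS ALBs do not support.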