hashicorp / terraform-aws-vault

A Terraform Module for how to run Vault on AWS using Terraform and Packer
Apache License 2.0
659 stars 465 forks

In vault-cluster-private, should the vault servers join Consul on startup? #29

Open davidham opened 6 years ago

davidham commented 6 years ago

In vault-cluster-private, should the vault servers join the Consul cluster when they start up? In my setup, they are not doing this. I'd like them to, but if this is not something built in I won't worry about it.

My Vault server instances are running this as their user_data script:

#!/bin/bash
# Start a Consul agent in client mode and join the Consul servers found by EC2 tag
/opt/consul/bin/run-consul --client --cluster-tag-key consul-dev-servers --cluster-tag-value consul-development
# Start Vault with S3 storage and the TLS certificate/key installed on the instance
/opt/vault/bin/run-vault --s3-bucket clearcover-vault-development --s3-bucket-region us-east-2 --tls-cert-file /opt/vault/tls/vault.crt.pem --tls-key-file /opt/vault/tls/vault.key.pem

brikis98 commented 6 years ago

The Consul agent running on each Vault server will join the Consul cluster as clients. Vault itself will just use those agents.

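To make the answer above concrete, here is the shape of Vault server configuration that matches the run-vault flags in the issue. This is an added illustration, not the file run-vault actually generates and not code from this repository: the bucket name, region and TLS paths come from the issue; the Consul path, service name and the api_addr placeholder are assumptions.

```hcl
# Added example (not generated by run-vault, not the module's own code).
# Vault keeps its data in S3; Consul is used only for HA coordination.
storage "s3" {
  bucket = "clearcover-vault-development"
  region = "us-east-2"
}

# Vault talks to the Consul agent on the same host. That agent was started
# by run-consul in client mode and already joined the cluster, so Vault
# itself never joins Consul; the agent forwards requests to the Consul servers.
ha_storage "consul" {
  address = "127.0.0.1:8500"   # local agent, never a remote Consul server
  path    = "vault/"           # assumed KV prefix for HA locks
  service = "vault"            # assumed: name under which Vault registers itself in Consul
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/opt/vault/tls/vault.crt.pem"
  tls_key_file  = "/opt/vault/tls/vault.key.pem"
}

# Required for HA so other nodes can redirect clients to the active server.
# <VAULT_SERVER_IP> is a placeholder for this instance's address.
api_addr = "https://<VAULT_SERVER_IP>:8200"
```

Because the address is 127.0.0.1, a Vault server that cannot reach Consul is almost always a sign that its local agent never joined the cluster (for example because the instance role cannot call ec2:DescribeInstances during tag-based discovery), which is what `consul members` on the Vault instance will show.
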
davidham commented 6 years ago

OK cool, thanks. I noticed the IAM instance profile in the Vault module doesn't have the DescribeInstance permissions it needs (the IAM profile in the Consul module does, however). I forked the repo and will submit a PR in the next couple of days. Thanks!
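
The missing permission described above can be granted with a small IAM policy attached to the Vault instances' role. This is an added example rather than the module's own code or the content of the forthcoming PR; the resource names and the role reference `aws_iam_role.vault_instance_role` are assumptions.

```hcl
# Added example (not the module's own code). Lets the Consul agent on each
# Vault server discover the Consul servers by EC2 tag, which is what the
# --cluster-tag-key/--cluster-tag-value flags of run-consul rely on.
data "aws_iam_policy_document" "consul_discovery" {
  statement {
    sid     = "AllowConsulClusterDiscovery"
    effect  = "Allow"
    actions = ["ec2:DescribeInstances"]
    # ec2:DescribeInstances does not support resource-level permissions,
    # so "*" is the narrowest resource that works; the policy still grants
    # read-only describe access and nothing else.
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "consul_discovery" {
  name   = "consul-cluster-discovery"
  role   = aws_iam_role.vault_instance_role.id   # assumed: the Vault servers' instance role
  policy = data.aws_iam_policy_document.consul_discovery.json
}
```

Keeping this as a separate, single-action policy makes it easy to audit: a reviewer of the instance role sees exactly one describe permission added for cluster discovery, with no write actions mixed in.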