README.md

vault-aws-cloudformation

If you run into some problem or blocker, feel free to open a github issue. Otherwise, contact your HashiCorp representative or community leader for the latest on installing Vault on AWS. It's worth looking into their managed offering here: HCP Vault

Introduction

This repository contains code for building Amazon Machine Images (AMI) and a generic Cloudformation template. The AMI and template can be used to spin up a production-ready Vault cluster.

What does it build?

The Cloudformation templates published by this pipeline stand up the following configuration:

• VPC with 3 public and 3 private subnets
• Operating system for Vault and Consul is Centos 7
• Operating system for the Bastion host is AWS Linux (latest)
• 3 Vault servers and 5 Consul servers distributed across the private subnets
• A bastion host for connecting to the other servers, which are not directly accessible from the Internet
• An SSL certificate tied to your FQDN, managed by Amazon Certificate Manager
• Automatic unsealing of Vault using AWS Key Management Service to store the unseal key
• The Vault cluster will be ready in 10-15 minutes. The cluster comes up in an uninitialized state. The API listens on port 8200 and is accessible from the Internet.
• (Optional) Make Vault accessible only from a VPN

Required local dependencies

• HashiCorp Packer - Install Packer
• AWS CLI - Install AWS CLI
• HashiCorp Vault (optional for local testing) Install Vault

Instructions for use

• Build AMIs for Vault and Consul using the included Packer templates.
• Edit the cloudformation/aws_vault_cf.yml file and replace the existing AMIs with your new generated values.
• OPTIONAL: Have a domain (or subdomain) that you own in AWS Route 53 management. This allows you to automate the creation of DNS records that point to your Vault cluster. It also allows you to automatically validate the SSL certificate.
• Use the AWS Cloudformation UI to upload your aws_vault_cf.yml file, fill in all the necessary values and create a new stack. Make sure and verify the DNS record that you used for the Vault cluster in Route 53 (or by creating a DNS TXT record in your own DNS provider).
• After about 15 minutes your Vault cluster will be ready for initial setup. You can use 1 and 1 for the initial key shares and recovery shares. Save the initial root token and recovery key in a safe place.
• Log onto your Vault cluster using the root token and configure Vault.

Video references

• Deploy a Production Ready Vault Cluster on AWS in 5 Minutes
• Deploying a HashiCorp Vault cluster in Five Minutes "The After Party"
• Pass the HashiCorp Vault Associate exam in 2021 on the first attempt with these resources