From 69877f8c68c1890dd7a02ca1b97d7a171f3763a0 Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Mon, 24 Jun 2019 17:27:45 -0400
Subject: [PATCH 01/28] deps: bump consul version to tf12-upgrade branch
---
 examples/vault-agent/main.tf | 8 ++++----
 examples/vault-auto-unseal/main.tf | 6 +++---
 examples/vault-cluster-private/main.tf | 6 +++---
 examples/vault-ec2-auth/main.tf | 6 +++---
 examples/vault-iam-auth/main.tf | 8 ++++----
 examples/vault-s3-backend/main.tf | 6 +++---
 main.tf | 6 +++---
 7 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf
index 81d5577a..1e865950 100644
--- a/examples/vault-agent/main.tf
+++ b/examples/vault-agent/main.tf
@@ -60,7 +60,7 @@ data "aws_iam_policy_document" "example_instance_role" {
 
 # Adds policies necessary for running consul
 module "consul_iam_policies_for_client" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${aws_iam_role.example_instance_role.id}"
 }
@@ -169,7 +169,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
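Review bot: The new `source` lines pin the consul modules to the mutable branch `ref=tf12-upgrade` instead of an immutable tag, so `terraform init` resolves to whatever that branch head is at fetch time and two runs of this same commit can pull different module code, including anything later pushed or force-pushed to the branch. A moving ref also makes the change unreviewable after the fact, because the module contents this repository was tested against cannot be recovered from the ref alone. Prefer a commit SHA (`?ref=<upstream-commit-sha>`) or a tagged release once the upstream tf12 work ships, and leave a `# TODO: repin to a tagged terraform-aws-consul release` next to each source line until then. The same change appears in every other hunk of this patch (the remaining examples and the root main.tf), so one fix applies to all; the root main.tf hunks additionally gain the `.git` suffix, which brings them in line with the examples.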
@@ -202,7 +202,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -217,7 +217,7 @@ module "security_group_rules" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf
index 00ea898b..a4dc610a 100644
--- a/examples/vault-auto-unseal/main.tf
+++ b/examples/vault-auto-unseal/main.tf
@@ -54,7 +54,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
@@ -83,7 +83,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -98,7 +98,7 @@ module "security_group_rules" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf
index f7924dbe..5ec277a8 100644
--- a/examples/vault-cluster-private/main.tf
+++ b/examples/vault-cluster-private/main.tf
@@ -45,7 +45,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
@@ -72,7 +72,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -87,7 +87,7 @@ module "security_group_rules" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf
index b08fe637..0fc7affa 100644
--- a/examples/vault-ec2-auth/main.tf
+++ b/examples/vault-ec2-auth/main.tf
@@ -108,7 +108,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
@@ -142,7 +142,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -157,7 +157,7 @@ module "security_group_rules" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf
index 74849185..820db131 100644
--- a/examples/vault-iam-auth/main.tf
+++ b/examples/vault-iam-auth/main.tf
@@ -60,7 +60,7 @@ data "aws_iam_policy_document" "example_instance_role" {
 
 # Adds policies necessary for running consul
 module "consul_iam_policies_for_client" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${aws_iam_role.example_instance_role.id}"
 }
@@ -169,7 +169,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
@@ -202,7 +202,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -217,7 +217,7 @@ module "security_group_rules" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf
index 9f0f1af0..2e3f5a7a 100644
--- a/examples/vault-s3-backend/main.tf
+++ b/examples/vault-s3-backend/main.tf
@@ -49,7 +49,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
@@ -77,7 +77,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -92,7 +92,7 @@ module "security_group_rules" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
diff --git a/main.tf b/main.tf
index 087b2687..8c0ba73d 100644
--- a/main.tf
+++ b/main.tf
@@ -88,7 +88,7 @@ module "vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_iam_policies_servers" {
-  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-iam-policies?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade"
 
   iam_role_id = "${module.vault_cluster.iam_role_id}"
 }
@@ -115,7 +115,7 @@ data "template_file" "user_data_vault_cluster" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "security_group_rules" {
-  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade"
 
   security_group_id = "${module.vault_cluster.security_group_id}"
 
@@ -168,7 +168,7 @@ data "aws_route53_zone" "selected" {
 
 # ---------------------------------------------------------------------------------------------------------------------
 module "consul_cluster" {
-  source = "github.com/hashicorp/terraform-aws-consul//modules/consul-cluster?ref=v0.4.0"
+  source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade"
 
   cluster_name = "${var.consul_cluster_name}"
   cluster_size = "${var.consul_cluster_size}"
From 4e8d2ee22d1a5f87bfd69519f01663a0eee83168 Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Mon, 24 Jun 2019 17:45:10 -0400
Subject: [PATCH 02/28] deps: bump terratest version
---
 test/Gopkg.lock | 604 +++++++++++++++++++++++++++++++++++++++++++-----
 test/Gopkg.toml | 2 +-
 2 files changed, 549 insertions(+), 57 deletions(-)
diff --git a/test/Gopkg.lock b/test/Gopkg.lock
index 9f13786d..568bc595 100644
--- a/test/Gopkg.lock
+++ b/test/Gopkg.lock
@@ -2,6 +2,15 @@ [[projects]] + digest = "1:1a37f9f2ae10d161d9688fb6008ffa14e1631e5068cc3e9698008b9e8d40d575" + name = "cloud.google.com/go" + packages = ["compute/metadata"] + pruneopts = "" + revision = "457ea5c15ccf3b87db582c450e80101989da35f7" + version = "v0.40.0" + +[[projects]] + digest = "1:a457c94c2e32db1c365e1b3a333b18d047da8c416142b75567f5fc4b1899cc86" name = "github.com/aws/aws-sdk-go" packages = [ "aws", @@ -13,7 +22,9 @@ "aws/credentials", "aws/credentials/ec2rolecreds", "aws/credentials/endpointcreds", + "aws/credentials/processcreds", "aws/credentials/stscreds", + "aws/crr", "aws/csm", "aws/defaults", "aws/ec2metadata", @@ -21,6 +32,7 @@ "aws/request", "aws/session", "aws/signer/v4", + "internal/ini", "internal/s3err", "internal/sdkio", "internal/sdkrand", @@ -40,7 +52,9 @@ "service/acm", "service/autoscaling", "service/cloudwatchlogs", + "service/dynamodb", "service/ec2", + "service/ecs", "service/iam", "service/kms", "service/rds", 
@@ -49,59 +63,175 @@ "service/s3/s3manager", "service/sns", "service/sqs", - "service/sts" + "service/ssm", + "service/sts", ] - revision = "2324d8a7db41970a80d19791bd30b94f632ce0cc" - version = "v1.15.58" + pruneopts = "" + revision = "b0b59fd2ceb03908e5d3bcd1449b46ce75508f4b" + version = "v1.20.7" [[projects]] + digest = "1:b529f4bf748979caa18b599d40d13e8b6e591a74b340f315ce4f95e119c288c2" name = "github.com/boombuler/barcode" packages = [ ".", "qr", - "utils" + "utils", ] + pruneopts = "" revision = "3cfea5ab600ae37946be2b763b8ec2c1cf2d272d" version = "v1.0.0" [[projects]] + digest = "1:0deddd908b6b4b768cfc272c16ee61e7088a60f7fe2f06c547bd3d8e1f8b8e77" name = "github.com/davecgh/go-spew" packages = ["spew"] + pruneopts = "" revision = "8991bc29aa16c548c550c7ff78260e27b9ab7c73" version = "v1.1.1" [[projects]] - name = "github.com/go-ini/ini" + branch = "master" + digest = "1:d6c13a378213e3de60445e49084b8a0a9ce582776dfc77927775dbeb3ff72a35" + name = "github.com/docker/spdystream" + packages = [ + ".", + "spdy", + ] + pruneopts = "" + revision = "6480d4af844c189cf5dd913db24ddd339d3a4f85" + +[[projects]] + digest = "1:b13707423743d41665fd23f0c36b2f37bb49c30e94adb813319c44188a51ba22" + name = "github.com/ghodss/yaml" packages = ["."] - revision = "6529cf7c58879c08d927016dde4477f18a0634cb" - version = "v1.36.0" + pruneopts = "" + revision = "0ca9ea5df5451ffdf184b4428c902747c2c11cd7" + version = "v1.0.0" [[projects]] + branch = "master" + digest = "1:26317724ed32bcf2ef15454613d2a8fe9d670b12f073cfd20db3bcec54e069ab" + name = "github.com/go-errors/errors" + packages = ["."] + pruneopts = "" + revision = "d98b870cc4e05f1545532a80e9909be8216095b6" + +[[projects]] + digest = "1:e692d16fdfbddb94e9e4886aaf6c08bdbae5cb4ac80651445de9181b371c6e46" name = "github.com/go-sql-driver/mysql" packages = ["."] - revision = "d523deb1b23d913de5bdada721a6071e71283618" - version = "v1.4.0" + pruneopts = "" + revision = "72cd26f257d44c1114970e19afddcd812016007e" + version = "v1.4.1" + 
+[[projects]] + digest = "1:fd53b471edb4c28c7d297f617f4da0d33402755f58d6301e7ca1197ef0a90937" + name = "github.com/gogo/protobuf" + packages = [ + "proto", + "sortkeys", + ] + pruneopts = "" + revision = "ba06b47c162d49f2af050fb4c75bcbc86a159d5c" + version = "v1.2.1" [[projects]] branch = "master" + digest = "1:107b233e45174dbab5b1324201d092ea9448e58243ab9f039e4c0f332e121e3a" + name = "github.com/golang/glog" + packages = ["."] + pruneopts = "" + revision = "23def4e6c14b4da8ac2ed8007337bc5eb5007998" + +[[projects]] + digest = "1:529d738b7976c3848cae5cf3a8036440166835e389c1f617af701eeb12a0518d" + name = "github.com/golang/protobuf" + packages = [ + "proto", + "ptypes", + "ptypes/any", + "ptypes/duration", + "ptypes/timestamp", + ] + pruneopts = "" + revision = "b5d812f8a3706043e23a9cd5babf2e5423744d30" + version = "v1.3.1" + +[[projects]] + digest = "1:6a6322a15aa8e99bd156fbba0aae4e5d67b4bb05251d860b348a45dfdcba9cce" name = "github.com/golang/snappy" packages = ["."] - revision = "553a641470496b2327abcac10b36396bd98e45c9" + pruneopts = "" + revision = "2a8bb927dd31d8daada140a5d09578521ce5c36a" + version = "v0.0.1" + +[[projects]] + digest = "1:1e5b1e14524ed08301977b7b8e10c719ed853cbf3f24ecb66fae783a46f207a6" + name = "github.com/google/btree" + packages = ["."] + pruneopts = "" + revision = "4030bb1f1f0c35b30ca7009e9ebd06849dd45306" + version = "v1.0.0" + +[[projects]] + digest = "1:8d4a577a9643f713c25a32151c0f26af7228b4b97a219b5ddb7fd38d16f6e673" + name = "github.com/google/gofuzz" + packages = ["."] + pruneopts = "" + revision = "f140a6486e521aad38f5917de355cbf147cc0496" + version = "v1.0.0" [[projects]] + digest = "1:c1d7e883c50a26ea34019320d8ae40fad86c9e5d56e63a1ba2cb618cef43e986" name = "github.com/google/uuid" packages = ["."] + pruneopts = "" revision = "064e2069ce9c359c118179501254f67d7d37ba24" version = "0.2" [[projects]] + digest = "1:5facc3828b6a56f9aec988433ea33fb4407a89460952ed75be5347cec07318c0" + name = "github.com/googleapis/gnostic" + packages = [ + 
"OpenAPIv2", + "compiler", + "extensions", + ] + pruneopts = "" + revision = "e73c7ec21d36ddb0711cb36d1502d18363b5c2c9" + version = "v0.3.0" + +[[projects]] + branch = "master" + digest = "1:e1fd67b5695fb12f54f979606c5d650a5aa72ef242f8e71072bfd4f7b5a141a0" + name = "github.com/gregjones/httpcache" + packages = [ + ".", + "diskcache", + ] + pruneopts = "" + revision = "901d90724c7919163f472a9812253fb26761123d" + +[[projects]] + digest = "1:f032ebac9a824af56f183e82817a79792738f3faef09b4feced2252df7b253e7" + name = "github.com/gruntwork-io/gruntwork-cli" + packages = ["errors"] + pruneopts = "" + revision = "6a2163138f3d10377f313428e7e367b0a6c0c1c9" + version = "v0.4.2" + +[[projects]] + digest = "1:f4aa63932320bc30b5a0895d451eba4749e08a7fc18ba096a4bf2afcaeae9b5e" name = "github.com/gruntwork-io/terratest" packages = [ "modules/aws", "modules/collections", "modules/customerrors", + "modules/environment", "modules/files", "modules/http-helper", + "modules/k8s", "modules/logger", "modules/packer", "modules/random", 
@@ -109,43 +239,62 @@ "modules/shell", "modules/ssh", "modules/terraform", - "modules/test-structure" + "modules/test-structure", ] - revision = "987fbe40e5b6702a3602403d2519bdb5f2f362e9" - version = "v0.13.10" + pruneopts = "" + revision = "295736141a96daa369a972e1409622d702c8f40e" + version = "v0.17.4" [[projects]] - branch = "master" + digest = "1:8e3bd93036b4a925fe2250d3e4f38f21cadb8ef623561cd80c3c50c114b13201" name = "github.com/hashicorp/errwrap" packages = ["."] - revision = "7554cd9344cec97297fa6649b055a8c98c2a1e55" + pruneopts = "" + revision = "8a6fb523712970c966eefc6b39ed2c5e74880354" + version = "v1.0.0" [[projects]] - branch = "master" + digest = "1:984b627a3c838daa9f4c949ec8e6f049a7021b1156eb4db0337c3a5afe07aada" name = "github.com/hashicorp/go-cleanhttp" packages = ["."] - revision = "d5fe4b57a186c716b0e00b8c301cbd9b4182694d" + pruneopts = "" + revision = "eda1e5db218aad1db63ca4642c8906b26bcf2744" + version = "v0.5.1" [[projects]] - branch = "master" + digest = "1:72308fdd6d5ef61106a95be7ca72349a5565809042b6426a3cfb61d99483b824" name = "github.com/hashicorp/go-multierror" packages = ["."] - revision = "b7773ae218740a7be65057fc60b366a49b538a44" + pruneopts = "" + revision = "886a7fbe3eb1c874d46f623bfa70af45f425b3d1" + version = "v1.0.0" [[projects]] - branch = "master" + digest = "1:0e2d55461c960fad1050dafc69c1fe2a41d5719dc6bfa7c0b74faf56dfdfe85c" + name = "github.com/hashicorp/go-retryablehttp" + packages = ["."] + pruneopts = "" + revision = "85a8ee556d7323a4faf0f4c17ee900e9ff1482e8" + version = "v0.5.4" + +[[projects]] + digest = "1:1ce74de952243566df45871a9e823f3000efac179a8a75af8b1c57c49ae89d97" name = "github.com/hashicorp/go-rootcerts" packages = ["."] - revision = "6bb64b370b90e7ef1fa532be9e591a81c3493e00" + pruneopts = "" + revision = "df8e78a645e18d56ed7bb9ae10ffb8174ab892e2" + version = "v1.0.1" [[projects]] - branch = "master" + digest = "1:24ee99da0190535baad44a5df2710ca2e116d615fcaaffcf3b79b476450af917" name = 
"github.com/hashicorp/go-sockaddr" packages = ["."] - revision = "6d291a969b86c4b633730bfc6b8b9d64c3aafed9" + pruneopts = "" + revision = "c7188e74f6acae5a989bdc959aa779f8b9f42faf" + version = "v1.0.2" [[projects]] - branch = "master" + digest = "1:d14365c51dd1d34d5c79833ec91413bfbb166be978724f15701e17080dc06dec" name = "github.com/hashicorp/hcl" packages = [ ".", 
@@ -156,110 +305,238 @@ "hcl/token", "json/parser", "json/scanner", - "json/token" + "json/token", ] - revision = "ef8a98b0bbce4a65b5aa4c368430a80ddc533168" + pruneopts = "" + revision = "8cb6e5b959231cc1119e43259c4a608f9c51a241" + version = "v1.0.0" [[projects]] + digest = "1:d18bd2106eed6a53efcd3f4dc9faa9492488f51b94e6fd80eae92abda0ec0202" name = "github.com/hashicorp/vault" packages = [ "api", "helper/compressutil", + "helper/hclutil", "helper/jsonutil", "helper/parseutil", - "helper/strutil" + "helper/strutil", ] - revision = "756fdc4587350daf1c65b93647b2cc31a6f119cd" - version = "v0.10.1" + pruneopts = "" + revision = "e21712a687889de1125e0a12a980420b1a4f72d3" + version = "v0.10.4" [[projects]] + digest = "1:31bfd110d31505e9ffbc9478e31773bf05bf02adcaeb9b139af42684f9294c13" + name = "github.com/imdario/mergo" + packages = ["."] + pruneopts = "" + revision = "7c29201646fa3de8506f701213473dd407f19646" + version = "v0.3.7" + +[[projects]] + digest = "1:870d441fe217b8e689d7949fef6e43efbc787e50f200cb1e70dbca9204a1d6be" + name = "github.com/inconshreveable/mousetrap" + packages = ["."] + pruneopts = "" + revision = "76626ae9c91c4f2a10f34cad8ce83ea42c93bb75" + version = "v1.0" + +[[projects]] + digest = "1:13fe471d0ed891e8544eddfeeb0471fd3c9f2015609a1c000aefdedf52a19d40" name = "github.com/jmespath/go-jmespath" packages = ["."] - revision = "0b12d6b5" + pruneopts = "" + revision = "c2b33e84" [[projects]] - branch = "master" + digest = "1:12d3de2c11e54ea37d7f00daf85088ad5e61ec4e8a1f828d6c8b657976856be7" + name = "github.com/json-iterator/go" + packages = ["."] + pruneopts = "" + revision = "0ff49de124c6f76f8494e194af75bde0f1a49a29" + version = "v1.1.6" + +[[projects]] + digest = "1:6dbb0eb72090871f2e58d1e37973fe3cb8c0f45f49459398d3fc740cb30e13bd" name = "github.com/mitchellh/go-homedir" packages = ["."] - revision = "b8bc1bf767474819792c23f32d8286a45736f1c6" + pruneopts = "" + revision = "af06845cf3004701891bf4fdb884bfe4920b3727" + version = "v1.1.0" [[projects]] - 
branch = "master" + digest = "1:bcc46a0fbd9e933087bef394871256b5c60269575bb661935874729c65bbbf60" name = "github.com/mitchellh/mapstructure" packages = ["."] - revision = "00c29f56e2386353d58c599509e8dc3801b0d716" + pruneopts = "" + revision = "3536a929edddb9a5b34bd6861dc4a9647cb459fe" + version = "v1.1.2" + +[[projects]] + digest = "1:0c0ff2a89c1bb0d01887e1dac043ad7efbf3ec77482ef058ac423d13497e16fd" + name = "github.com/modern-go/concurrent" + packages = ["."] + pruneopts = "" + revision = "bacd9c7ef1dd9b15be4a9909b8ac7a4e313eec94" + version = "1.0.3" + +[[projects]] + digest = "1:e32bdbdb7c377a07a9a46378290059822efdce5c8d96fe71940d87cb4f918855" + name = "github.com/modern-go/reflect2" + packages = ["."] + pruneopts = "" + revision = "4b7aa43c6742a2c18fdef89dd197aaae7dac7ccd" + version = "1.0.1" [[projects]] + branch = "master" + digest = "1:5f0faa008e8ff4221b55a1a5057c8b02cb2fd68da6a65c9e31c82b72cbc836d0" + name = "github.com/petar/GoLLRB" + packages = ["llrb"] + pruneopts = "" + revision = "33fb24c13b99c46c93183c291836c573ac382536" + +[[projects]] + digest = "1:4709c61d984ef9ba99b037b047546d8a576ae984fb49486e48d99658aa750cd5" + name = "github.com/peterbourgon/diskv" + packages = ["."] + pruneopts = "" + revision = "0be1b92a6df0e4f5cb0a5d15fb7f643d0ad93ce6" + version = "v3.0.0" + +[[projects]] + digest = "1:256484dbbcd271f9ecebc6795b2df8cad4c458dd0f5fd82a8c2fa0c29f233411" name = "github.com/pmezard/go-difflib" packages = ["difflib"] + pruneopts = "" revision = "792786c7400a136282c1664665ae0a8db921c6c2" version = "v1.0.0" [[projects]] + digest = "1:09d0eed1a0e502dfff8227c3fdbe022ea4bd722c1db3daf7251f20cfc549b428" name = "github.com/pquerna/otp" packages = [ ".", "hotp", - "totp" + "totp", ] - revision = "b7b89250c468c06871d3837bee02e2d5c155ae19" - version = "v1.0.0" + pruneopts = "" + revision = "43bebefda392017900e7a7b237b4c914c6a55b50" + version = "v1.2.0" [[projects]] + digest = "1:4244255905cb95c3c98894d671367f84a6292608ae528936fe46ba9c86f68393" name = 
"github.com/ryanuber/go-glob" packages = ["."] - revision = "572520ed46dbddaed19ea3d9541bdd0494163693" - version = "v0.1" + pruneopts = "" + revision = "51a8f68e6c24dc43f1e371749c89a267de4ebc53" + version = "v1.0.0" [[projects]] - branch = "master" - name = "github.com/sethgrid/pester" + digest = "1:0c63b3c7ad6d825a898f28cb854252a3b29d37700c68a117a977263f5ec94efe" + name = "github.com/spf13/cobra" + packages = ["."] + pruneopts = "" + revision = "f2b07da1e2c38d5f12845a4f607e2e1018cbb1f5" + version = "v0.0.5" + +[[projects]] + digest = "1:cbaf13cdbfef0e4734ed8a7504f57fe893d471d62a35b982bf6fb3f036449a66" + name = "github.com/spf13/pflag" packages = ["."] - revision = "38b020c58c99152830334916f25375e6bdbf9567" + pruneopts = "" + revision = "298182f68c66c05229eb03ac171abe6e309ee79a" + version = "v1.0.3" [[projects]] + digest = "1:381bcbeb112a51493d9d998bbba207a529c73dbb49b3fd789e48c63fac1f192c" name = "github.com/stretchr/testify" packages = [ "assert", - "require" + "require", ] - revision = "f35b8ab0b5a2cef36673838d662e249dd9c94686" - version = "v1.2.2" + pruneopts = "" + revision = "ffdc059bfe9ce6a4e144ba849dbedead332c6053" + version = "v1.3.0" + +[[projects]] + digest = "1:e85837cb04b78f61688c6eba93ea9d14f60d611e2aaf8319999b1a60d2dafbfa" + name = "github.com/urfave/cli" + packages = ["."] + pruneopts = "" + revision = "cfb38830724cc34fedffe9a2a29fb54fa9169cd1" + version = "v1.20.0" [[projects]] branch = "master" + digest = "1:90722da867436e04650b8491e5d9f690aeb2a4e305d548666bdd541d68d6cdbd" name = "golang.org/x/crypto" packages = [ "curve25519", "ed25519", "ed25519/internal/edwards25519", "internal/chacha20", + "internal/subtle", "poly1305", "ssh", - "ssh/agent" + "ssh/agent", + "ssh/terminal", ] - revision = "b49d69b5da943f7ef3c9cf91c8777c1f78a0cc3c" + pruneopts = "" + revision = "cc06ce4a13d484c0101a9e92913248488a75786d" [[projects]] branch = "master" + digest = "1:5c6b8395efd72ad4250b7747e2b1a0683c3edb7b0346a938ff45240c7ec53691" name = "golang.org/x/net" 
packages = [ "context", + "context/ctxhttp", "http/httpguts", "http2", "http2/hpack", "idna", - "lex/httplex" ] - revision = "5f9ae10d9af5b1c89ae6904293b14b064d4ada23" + pruneopts = "" + revision = "3b0461eec859c4b73bb64fdc8285971fd33e3938" [[projects]] + branch = "master" + digest = "1:01bdbbc604dcd5afb6f66a717f69ad45e9643c72d5bc11678d44ffa5c50f9e42" + name = "golang.org/x/oauth2" + packages = [ + ".", + "google", + "internal", + "jws", + "jwt", + ] + pruneopts = "" + revision = "0f29369cfe4552d0e4bcddc57cc75f4d7e672a33" + +[[projects]] + branch = "master" + digest = "1:0cc6f08b513a8ae7ee7d5edfb89c528224c8f64cbd5d7587c9c758f9fab9dba2" + name = "golang.org/x/sys" + packages = [ + "cpu", + "unix", + "windows", + ] + pruneopts = "" + revision = "c5567b49c5d04a5f83870795b8c0e2df43a8ce32" + +[[projects]] + digest = "1:740b51a55815493a8d0f2b1e0d0ae48fe48953bf7eaf3fcc4198823bf67768c0" name = "golang.org/x/text" packages = [ "collate", "collate/build", "internal/colltab", "internal/gen", + "internal/language", + "internal/language/compact", "internal/tag", "internal/triegen", "internal/ucd", 
@@ -269,20 +546,235 @@ "unicode/bidi", "unicode/cldr", "unicode/norm", - "unicode/rangetable" + "unicode/rangetable", ] - revision = "f21a4dfb5e38f5895301dc265a8def02365cc3d0" - version = "v0.3.0" + pruneopts = "" + revision = "342b2e1fbaa52c93f31447ad2c6abc048c63e475" + version = "v0.3.2" [[projects]] + branch = "master" + digest = "1:9522af4be529c108010f95b05f1022cb872f2b9ff8b101080f554245673466e1" + name = "golang.org/x/time" + packages = ["rate"] + pruneopts = "" + revision = "9d24e82272b4f38b78bc8cff74fa936d31ccd8ef" + +[[projects]] + digest = "1:47f391ee443f578f01168347818cb234ed819521e49e4d2c8dd2fb80d48ee41a" name = "google.golang.org/appengine" - packages = ["cloudsql"] - revision = "ae0ab99deb4dc413a2b4bd6c8bdd0eb67f1e4d06" - version = "v1.2.0" + packages = [ + ".", + "cloudsql", + "internal", + "internal/app_identity", + "internal/base", + "internal/datastore", + "internal/log", + "internal/modules", + "internal/remote_api", + "internal/urlfetch", + "urlfetch", + ] + pruneopts = "" + revision = "b2f4a3cf3c67576a2ee09e1fe62656a5086ce880" + version = "v1.6.1" + +[[projects]] + digest = "1:75fb3fcfc73a8c723efde7777b40e8e8ff9babf30d8c56160d01beffea8a95a6" + name = "gopkg.in/inf.v0" + packages = ["."] + pruneopts = "" + revision = "d2d2541c53f18d2a059457998ce2876cc8e67cbf" + version = "v0.9.1" + +[[projects]] + digest = "1:cedccf16b71e86db87a24f8d4c70b0a855872eb967cb906a66b95de56aefbd0d" + name = "gopkg.in/yaml.v2" + packages = ["."] + pruneopts = "" + revision = "51d6538a90f86fe93ac480b35f37b2be17fef232" + version = "v2.2.2" + +[[projects]] + branch = "release-1.12" + digest = "1:3e3e9df293bd6f9fd64effc9fa1f0edcd97e6c74145cd9ab05d35719004dc41f" + name = "k8s.io/api" + packages = [ + "admissionregistration/v1alpha1", + "admissionregistration/v1beta1", + "apps/v1", + "apps/v1beta1", + "apps/v1beta2", + "authentication/v1", + "authentication/v1beta1", + "authorization/v1", + "authorization/v1beta1", + "autoscaling/v1", + "autoscaling/v2beta1", + 
"autoscaling/v2beta2", + "batch/v1", + "batch/v1beta1", + "batch/v2alpha1", + "certificates/v1beta1", + "coordination/v1beta1", + "core/v1", + "events/v1beta1", + "extensions/v1beta1", + "networking/v1", + "policy/v1beta1", + "rbac/v1", + "rbac/v1alpha1", + "rbac/v1beta1", + "scheduling/v1alpha1", + "scheduling/v1beta1", + "settings/v1alpha1", + "storage/v1", + "storage/v1alpha1", + "storage/v1beta1", + ] + pruneopts = "" + revision = "6db15a15d2d3874a6c3ddb2140ac9f3bc7058428" + +[[projects]] + branch = "release-1.12" + digest = "1:9c7ee6fe7b8b621df5a7604e9a1f752b566ae451b2cf010c9c075e5e5ff81f56" + name = "k8s.io/apimachinery" + packages = [ + "pkg/api/errors", + "pkg/api/meta", + "pkg/api/resource", + "pkg/apis/meta/v1", + "pkg/apis/meta/v1/unstructured", + "pkg/apis/meta/v1beta1", + "pkg/conversion", + "pkg/conversion/queryparams", + "pkg/fields", + "pkg/labels", + "pkg/runtime", + "pkg/runtime/schema", + "pkg/runtime/serializer", + "pkg/runtime/serializer/json", + "pkg/runtime/serializer/protobuf", + "pkg/runtime/serializer/recognizer", + "pkg/runtime/serializer/streaming", + "pkg/runtime/serializer/versioning", + "pkg/selection", + "pkg/types", + "pkg/util/clock", + "pkg/util/errors", + "pkg/util/framer", + "pkg/util/httpstream", + "pkg/util/httpstream/spdy", + "pkg/util/intstr", + "pkg/util/json", + "pkg/util/naming", + "pkg/util/net", + "pkg/util/runtime", + "pkg/util/sets", + "pkg/util/validation", + "pkg/util/validation/field", + "pkg/util/yaml", + "pkg/version", + "pkg/watch", + "third_party/forked/golang/netutil", + "third_party/forked/golang/reflect", + ] + pruneopts = "" + revision = "01f179d85dbce0f2e0e4351a92394b38694b7cae" + +[[projects]] + branch = "release-9.0" + digest = "1:b1a32e8c431a032029c57bd211aa8b7e7de4fd7e142d4805be654da286f5efe4" + name = "k8s.io/client-go" + packages = [ + "discovery", + "kubernetes", + "kubernetes/scheme", + "kubernetes/typed/admissionregistration/v1alpha1", + "kubernetes/typed/admissionregistration/v1beta1", + 
"kubernetes/typed/apps/v1", + "kubernetes/typed/apps/v1beta1", + "kubernetes/typed/apps/v1beta2", + "kubernetes/typed/authentication/v1", + "kubernetes/typed/authentication/v1beta1", + "kubernetes/typed/authorization/v1", + "kubernetes/typed/authorization/v1beta1", + "kubernetes/typed/autoscaling/v1", + "kubernetes/typed/autoscaling/v2beta1", + "kubernetes/typed/autoscaling/v2beta2", + "kubernetes/typed/batch/v1", + "kubernetes/typed/batch/v1beta1", + "kubernetes/typed/batch/v2alpha1", + "kubernetes/typed/certificates/v1beta1", + "kubernetes/typed/coordination/v1beta1", + "kubernetes/typed/core/v1", + "kubernetes/typed/events/v1beta1", + "kubernetes/typed/extensions/v1beta1", + "kubernetes/typed/networking/v1", + "kubernetes/typed/policy/v1beta1", + "kubernetes/typed/rbac/v1", + "kubernetes/typed/rbac/v1alpha1", + "kubernetes/typed/rbac/v1beta1", + "kubernetes/typed/scheduling/v1alpha1", + "kubernetes/typed/scheduling/v1beta1", + "kubernetes/typed/settings/v1alpha1", + "kubernetes/typed/storage/v1", + "kubernetes/typed/storage/v1alpha1", + "kubernetes/typed/storage/v1beta1", + "pkg/apis/clientauthentication", + "pkg/apis/clientauthentication/v1alpha1", + "pkg/apis/clientauthentication/v1beta1", + "pkg/version", + "plugin/pkg/client/auth/exec", + "plugin/pkg/client/auth/gcp", + "rest", + "rest/watch", + "third_party/forked/golang/template", + "tools/auth", + "tools/clientcmd", + "tools/clientcmd/api", + "tools/clientcmd/api/latest", + "tools/clientcmd/api/v1", + "tools/metrics", + "tools/portforward", + "tools/reference", + "transport", + "transport/spdy", + "util/cert", + "util/connrotation", + "util/flowcontrol", + "util/homedir", + "util/integer", + "util/jsonpath", + ] + pruneopts = "" + revision = "b6aa6aafe32b0767f075245e5d391381c5449c8a" + +[[projects]] + digest = "1:f27698f7ae7864893ebcfb843e44d821263ac1dcf0ba1d5c2353f9d319a2f28d" + name = "k8s.io/kubernetes" + packages = ["pkg/kubectl/generate"] + pruneopts = "" + revision = 
"e8462b5b5dc2584fdcd18e6bcfe9f1e4d970a529" + version = "v1.15.0" [solve-meta] analyzer-name = "dep" analyzer-version = 1 - inputs-digest = "cf518e98ffebe16a5fbb5b6b0de73c3a3447dad14da3393fa7a2c3cba44cab67" + input-imports = [ + "github.com/gruntwork-io/terratest/modules/aws", + "github.com/gruntwork-io/terratest/modules/files", + "github.com/gruntwork-io/terratest/modules/http-helper", + "github.com/gruntwork-io/terratest/modules/logger", + "github.com/gruntwork-io/terratest/modules/packer", + "github.com/gruntwork-io/terratest/modules/random", + "github.com/gruntwork-io/terratest/modules/retry", + "github.com/gruntwork-io/terratest/modules/ssh", + "github.com/gruntwork-io/terratest/modules/terraform", + "github.com/gruntwork-io/terratest/modules/test-structure", + "github.com/hashicorp/vault/api", + "github.com/stretchr/testify/require", + ] solver-name = "gps-cdcl" solver-version = 1 diff --git a/test/Gopkg.toml b/test/Gopkg.toml index ff0d2818..0b963bee 100644 --- a/test/Gopkg.toml +++ b/test/Gopkg.toml @@ -23,7 +23,7 @@ [[constraint]] name = "github.com/gruntwork-io/terratest" - version = "0.13.12" + version = "0.17.4" [[constraint]] name = "github.com/hashicorp/vault" From 2d2aae6944f07b468617b1c7432807c367cc6208 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Mon, 24 Jun 2019 17:57:45 -0400 Subject: [PATCH 03/28] deps: pin consul version to commit id --- examples/vault-agent/main.tf | 8 ++++---- examples/vault-auto-unseal/main.tf | 6 +++--- examples/vault-cluster-private/main.tf | 6 +++--- examples/vault-ec2-auth/main.tf | 6 +++--- examples/vault-iam-auth/main.tf | 8 ++++---- examples/vault-s3-backend/main.tf | 6 +++--- main.tf | 6 +++--- 7 files changed, 23 insertions(+), 23 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index 1e865950..04c372e9 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf 
@@ -60,7 +60,7 @@ data "aws_iam_policy_document" "example_instance_role" { # Adds policies necessary for running consul module "consul_iam_policies_for_client" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${aws_iam_role.example_instance_role.id}" } @@ -169,7 +169,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -202,7 +202,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" 
@@ -217,7 +217,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index a4dc610a..8c2542d5 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf @@ -54,7 +54,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -83,7 +83,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" 
@@ -98,7 +98,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index 5ec277a8..fd90b74a 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf @@ -45,7 +45,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -72,7 +72,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" 
@@ -87,7 +87,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index 0fc7affa..58a905dc 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf @@ -108,7 +108,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -142,7 +142,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" 
@@ -157,7 +157,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf index 820db131..a02f467e 100644 --- a/examples/vault-iam-auth/main.tf +++ b/examples/vault-iam-auth/main.tf @@ -60,7 +60,7 @@ data "aws_iam_policy_document" "example_instance_role" { # Adds policies necessary for running consul module "consul_iam_policies_for_client" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${aws_iam_role.example_instance_role.id}" } @@ -169,7 +169,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } 
@@ -202,7 +202,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -217,7 +217,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index 2e3f5a7a..2c336ece 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf @@ -49,7 +49,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } 
@@ -77,7 +77,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -92,7 +92,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/main.tf b/main.tf index 8c0ba73d..747dae88 100644 --- a/main.tf +++ b/main.tf @@ -88,7 +88,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" iam_role_id = "${module.vault_cluster.iam_role_id}" } 
@@ -115,7 +115,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -168,7 +168,7 @@ data "aws_route53_zone" "selected" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=tf12-upgrade" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" From bf3e657a6e454e6360a194b2a9553a1bf283ee03 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Tue, 25 Jun 2019 12:08:21 -0400 Subject: [PATCH 04/28] dep: bump consul to v0.7.0 --- examples/vault-agent/main.tf | 8 +- examples/vault-auto-unseal/main.tf | 6 +- examples/vault-cluster-private/main.tf | 6 +- examples/vault-ec2-auth/main.tf | 6 +- examples/vault-iam-auth/main.tf | 8 +- examples/vault-s3-backend/main.tf | 6 +- main.tf | 100 +++++++++++++------------ outputs.tf | 35 ++++----- variables.tf | 43 +++++++---- 9 files changed, 118 insertions(+), 100 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index 04c372e9..4feb7f9e 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf 
@@ -60,7 +60,7 @@ data "aws_iam_policy_document" "example_instance_role" { # Adds policies necessary for running consul module "consul_iam_policies_for_client" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${aws_iam_role.example_instance_role.id}" } @@ -169,7 +169,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -202,7 +202,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -217,7 +217,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" 
diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index 8c2542d5..d976a5a3 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf @@ -54,7 +54,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -83,7 +83,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -98,7 +98,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index fd90b74a..03e89c79 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf 
@@ -45,7 +45,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -72,7 +72,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -87,7 +87,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index 58a905dc..de1c8b23 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf 
@@ -108,7 +108,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -142,7 +142,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -157,7 +157,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf index a02f467e..485f9615 100644 --- a/examples/vault-iam-auth/main.tf +++ b/examples/vault-iam-auth/main.tf 
@@ -60,7 +60,7 @@ data "aws_iam_policy_document" "example_instance_role" { # Adds policies necessary for running consul module "consul_iam_policies_for_client" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${aws_iam_role.example_instance_role.id}" } @@ -169,7 +169,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -202,7 +202,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -217,7 +217,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" 
diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index 2c336ece..34d2b8b3 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf @@ -49,7 +49,7 @@ module "vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "consul_iam_policies_servers" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" iam_role_id = "${module.vault_cluster.iam_role_id}" } @@ -77,7 +77,7 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" security_group_id = "${module.vault_cluster.security_group_id}" @@ -92,7 +92,7 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" cluster_name = "${var.consul_cluster_name}" cluster_size = "${var.consul_cluster_size}" diff --git a/main.tf b/main.tf index 747dae88..e07dbd82 100644 --- a/main.tf +++ b/main.tf 
@@ -5,10 +5,12 @@
 # backend.
 # ---------------------------------------------------------------------------------------------------------------------
 
-# Terraform 0.9.5 suffered from https://github.com/hashicorp/terraform/issues/14399, which causes this template the
-# conditionals in this template to fail.
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.9.3, != 0.9.5"
+ required_version = ">= 0.12"
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -57,15 +59,15 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-vault//modules/vault-cluster?ref=v0.0.1"
 source = "./modules/vault-cluster"
 
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
 
- ami_id = "${var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
 
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 
 # Do NOT use the ELB for the ASG health check, or the ASG will assume all sealed instances are unhealthy and
 # repeatedly try to redeploy them.
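Review bot: The `ami_id` line in the `module "vault_cluster"` hunk still tests `var.ami_id == ""`, but the variables.tf hunk later in this same patch changes that variable's default from `""` to `null`, so with no AMI supplied the comparison is false and `null` is passed to the module instead of the looked-up `data.aws_ami.vault_consul.image_id`. `ami_id = coalesce(var.ami_id, data.aws_ami.vault_consul.image_id)` handles both the old empty-string opt-out and the new null default, since coalesce skips null and empty strings; the `module "consul_cluster"` hunk further down repeats the same expression and needs the same change. In the first hunk, `required_version = ">= 0.12"` has no upper bound, so a later major release with different semantics is accepted silently; if that is not the intent, `"~> 0.12"` keeps it on the 0.12 series. Both hunks are complete in this view.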
@@ -78,7 +80,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -88,9 +90,9 @@ module "vault_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 module "consul_iam_policies_servers" {
- source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=015a04ce193fc8c03b7442857d620bffe7634da0"
+ source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
 
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
@@ -99,12 +101,12 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/examples/root-example/user-data-vault.sh")}"
+ template = file("${path.module}/examples/root-example/user-data-vault.sh")
 
- vars {
- aws_region = "${data.aws_region.current.name}"
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ vars = {
+ aws_region = data.aws_region.current.name
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
 
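Review bot: The `source` line in the `module "consul_iam_policies_servers"` hunk moves the terraform-aws-consul pin from a full commit id (`015a04ce…`) to the tag `v0.7.0`; a git tag can be re-pointed after the fact, so the IAM policies, security-group rules and cluster definition this root module pulls from a third-party repository are no longer an immutable input. If the tag is wanted for readability, pin `?ref=` to the commit the tag currently resolves to and put the tag name in a comment beside it, e.g. `# terraform-aws-consul v0.7.0` above the `source` line. The same swap appears in the `security_group_rules` and `consul_cluster` hunks below and in every examples/*/main.tf section of this patch.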
@@ -115,9 +117,9 @@ data "template_file" "user_data_vault_cluster" { # --------------------------------------------------------------------------------------------------------------------- module "security_group_rules" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -135,31 +137,31 @@ module "vault_elb" { # source = "github.com/hashicorp/terraform-aws-vault//modules/vault-elb?ref=v0.0.1" source = "./modules/vault-elb" - name = "${var.vault_cluster_name}" + name = var.vault_cluster_name - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # Associate the ELB with the instances created by the Vault Autoscaling group - vault_asg_name = "${module.vault_cluster.asg_name}" + vault_asg_name = module.vault_cluster.asg_name # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_inbound_cidr_blocks = ["0.0.0.0/0"] # In order to access Vault over HTTPS, we need a domain name that matches the TLS cert - create_dns_entry = "${var.create_dns_entry}" + create_dns_entry = var.create_dns_entry # Terraform conditionals are not short-circuiting, so we use join as a workaround to avoid errors when the # aws_route53_zone data source isn't actually set: https://github.com/hashicorp/hil/issues/50 - hosted_zone_id = "${var.create_dns_entry ? join("", data.aws_route53_zone.selected.*.zone_id) : ""}" + hosted_zone_id = var.create_dns_entry ? join("", data.aws_route53_zone.selected.*.zone_id) : "" - domain_name = "${var.vault_domain_name}" + domain_name = var.vault_domain_name } # Look up the Route 53 Hosted Zone by domain name data "aws_route53_zone" "selected" { - count = "${var.create_dns_entry}" + count = var.create_dns_entry name = "${var.hosted_zone_domain_name}." } 
@@ -168,28 +170,28 @@ data "aws_route53_zone" "selected" { # --------------------------------------------------------------------------------------------------------------------- module "consul_cluster" { - source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=015a04ce193fc8c03b7442857d620bffe7634da0" + source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -198,11 +200,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/examples/root-example/user-data-consul.sh")}" + template = file("${path.module}/examples/root-example/user-data-consul.sh") - vars { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + vars = { + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -214,13 +216,15 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.use_default_vpc}" - tags = "${var.vpc_tags}" + default = var.use_default_vpc + tags = var.vpc_tags } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" - tags = "${var.subnet_tags}" + vpc_id = data.aws_vpc.default.id + tags = var.subnet_tags +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/outputs.tf b/outputs.tf index a78edb42..9d46ba8b 100644 --- a/outputs.tf +++ b/outputs.tf 
@@ -1,67 +1,68 @@ output "vault_fully_qualified_domain_name" { - value = "${module.vault_elb.fully_qualified_domain_name}" + value = module.vault_elb.fully_qualified_domain_name } output "vault_elb_dns_name" { - value = "${module.vault_elb.load_balancer_dns_name}" + value = module.vault_elb.load_balancer_dns_name } output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = "${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = 
"${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } + diff --git a/variables.tf b/variables.tf index cb52602a..c1e78c62 100644 --- a/variables.tf +++ b/variables.tf 
@@ -8,84 +8,97 @@ # AWS_DEFAULT_REGION # --------------------------------------------------------------------------------------------------------------------- -# REQUIRED PARAMETERS -# You must provide a value for each of these parameters. +# OPTIONAL PARAMETERS +# These parameters have reasonable defaults. # --------------------------------------------------------------------------------------------------------------------- -variable "ami_id" { - description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json. If no AMI is specified, the template will 'just work' by using the example public AMIs. WARNING! Do not use the example AMIs in a production setting!" - default = "" -} - variable "create_dns_entry" { - description = "If set to true, this module will create a Route 53 DNS A record for the ELB in the var.hosted_zone_id hosted zone with the domain name in var.domain_name." + description = "If set to true, this module will create a Route 53 DNS A record for the ELB in the var.hosted_zone_id hosted zone with the domain name in var.vault_domain_name." + type = bool + default = false } variable "hosted_zone_domain_name" { description = "The domain name of the Route 53 Hosted Zone in which to add a DNS entry for Vault (e.g. example.com). Only used if var.create_dns_entry is true." + type = string + default = null } variable "vault_domain_name" { description = "The domain name to use in the DNS A record for the Vault ELB (e.g. vault.example.com). Make sure that a) this is a domain within the var.hosted_zone_domain_name hosted zone and b) this is the same domain name you used in the TLS certificates for Vault. Only used if var.create_dns_entry is true." + type = string + default = null +} + +variable "ami_id" { + description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json. 
If no AMI is specified, the template will 'just work' by using the example public AMIs. WARNING! Do not use the example AMIs in a production setting!" + type = string + default = null } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string + default = null } -# --------------------------------------------------------------------------------------------------------------------- -# OPTIONAL PARAMETERS -# These parameters have reasonable defaults. -# --------------------------------------------------------------------------------------------------------------------- - variable "subnet_tags" { description = "Tags used to find subnets for vault and consul servers" - type = "map" + type = map(string) default = {} } variable "vpc_tags" { description = "Tags used to find a vpc for building resources in" - type = "map" + type = map(string) default = {} } variable "use_default_vpc" { description = "Whether to use the default VPC - NOT recommended for production! - should more likely change this to false and use the vpc_tags to find your vpc" + type = bool default = true } variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." 
+ type = number default = 3 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.nano" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } + From afdc280e0dd62c8dc13146f4890e4261a00cfd91 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Tue, 25 Jun 2019 12:24:19 -0400 Subject: [PATCH 05/28] feature: upgrade to terraform 0.12.x --- .circleci/config.yml | 12 +- main.tf | 2 +- modules/vault-cluster/main.tf | 209 +++++++++++------- modules/vault-cluster/outputs.tf | 21 +- modules/vault-cluster/variables.tf | 23 +- modules/vault-elb/main.tf | 64 +++--- modules/vault-elb/outputs.tf | 11 +- modules/vault-elb/variables.tf | 7 +- modules/vault-security-group-rules/main.tf | 33 +-- .../vault-security-group-rules/variables.tf | 5 +- 10 files changed, 220 insertions(+), 167 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 1106ee87..be1841a9 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,7 +8,7 @@ jobs: - checkout - run: name: Validate Terraform Formatting - command: "[ -z \"$(terraform fmt -write=false)\" ] || { terraform fmt -write=false -diff; exit 1; }" + command: '[ -z "$(terraform fmt -write=false)" ] || { terraform fmt -write=false -diff; exit 1; }' build: machine: true 
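Review bot: The `ssh_key_name` description in this variables.tf hunk still says "Set to an empty string to not associate a Key Pair." while the variable now gets `default = null`, so the documented opt-out and the actual default disagree; `ami_id` has the same mismatch, since "If no AMI is specified" now means null but the main.tf hunks in this patch compare the variable against `""`. Suggest `description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Leave as null (the default) to not associate a Key Pair."` once it is confirmed that the vault-cluster module's `key_name` accepts null, and an equivalent wording for `ami_id`. Moving `create_dns_entry` from required to `default = false` also changes which inputs callers must supply and is worth a line in the changelog. The hunk is complete in this view.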
@@ -24,11 +24,11 @@ jobs: # Install the gruntwork-module-circleci-helpers and use it to configure the build environment and run tests. - run: curl -Ls https://raw.githubusercontent.com/gruntwork-io/gruntwork-installer/master/bootstrap-gruntwork-installer.sh | bash /dev/stdin --version v0.0.21 - - run: gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9" - - run: gruntwork-install --module-name "build-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9" - - run: gruntwork-install --module-name "aws-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9" - - run: gruntwork-install --module-name "git-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.13.9" - - run: gruntwork-install --binary-name "terratest_log_parser" --repo "https://github.com/gruntwork-io/terratest" --tag v0.13.10 + - run: gruntwork-install --module-name "gruntwork-module-circleci-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0" + - run: gruntwork-install --module-name "build-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0" + - run: gruntwork-install --module-name "aws-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0" + - run: gruntwork-install --module-name "git-helpers" --repo "https://github.com/gruntwork-io/module-ci" --tag "v0.14.0" + - run: gruntwork-install --binary-name "terratest_log_parser" --repo "https://github.com/gruntwork-io/terratest" --tag v0.17.4 - run: configure-environment-for-gruntwork-module --go-src-path test --use-go-dep --circle-ci-2 --circle-ci-2-machine-executor - save_cache: diff --git a/main.tf b/main.tf index e07dbd82..d7d3c8a0 100644 --- a/main.tf +++ b/main.tf 
@@ -161,7 +161,7 @@ module "vault_elb" { # Look up the Route 53 Hosted Zone by domain name data "aws_route53_zone" "selected" { - count = var.create_dns_entry + count = var.create_dns_entry ? 1 : 0 name = "${var.hosted_zone_domain_name}." } diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf index 289f1a9b..b6b26f40 100644 --- a/modules/vault-cluster/main.tf +++ b/modules/vault-cluster/main.tf 
@@ -11,42 +11,55 @@ terraform {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "aws_autoscaling_group" "autoscaling_group" {
- name_prefix = "${var.cluster_name}"
+ name_prefix = var.cluster_name
 
- launch_configuration = "${aws_launch_configuration.launch_configuration.name}"
+ launch_configuration = aws_launch_configuration.launch_configuration.name
 
- availability_zones = ["${var.availability_zones}"]
- vpc_zone_identifier = ["${var.subnet_ids}"]
+ availability_zones = var.availability_zones
+ vpc_zone_identifier = var.subnet_ids
 
 # Use a fixed-size cluster
- min_size = "${var.cluster_size}"
- max_size = "${var.cluster_size}"
- desired_capacity = "${var.cluster_size}"
- termination_policies = ["${var.termination_policies}"]
+ min_size = var.cluster_size
+ max_size = var.cluster_size
+ desired_capacity = var.cluster_size
+ termination_policies = [var.termination_policies]
 
- health_check_type = "${var.health_check_type}"
- health_check_grace_period = "${var.health_check_grace_period}"
- wait_for_capacity_timeout = "${var.wait_for_capacity_timeout}"
+ health_check_type = var.health_check_type
+ health_check_grace_period = var.health_check_grace_period
+ wait_for_capacity_timeout = var.wait_for_capacity_timeout
 
- enabled_metrics = ["${var.enabled_metrics}"]
+ enabled_metrics = var.enabled_metrics
 
 # Use bucket and policies names in tags for depending on them when they are there
 # And only create the cluster after S3 bucket and policies exist
 # Otherwise Vault might boot and not find the bucket or not yet have the necessary permissions
 # Not using `depends_on` because these resources might not exist
- tags = ["${concat(
- list(
- map(
- "key", var.cluster_tag_key,
- "value", var.cluster_name,
- "propagate_at_launch", true,
- "using_s3_bucket_backend", element(concat(aws_iam_role_policy.vault_s3.*.name, list("")), 0),
- "s3_bucket_id", element(concat(aws_s3_bucket.vault_storage.*.id, 
list("")), 0),
- "using_auto_unseal", element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, list("")), 0),
- )
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibilty in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
+ tags = [
+ concat(
+ [
+ {
+ "key" = var.cluster_tag_key
+ "value" = var.cluster_name
+ "propagate_at_launch" = true
+ "using_s3_bucket_backend" = element(concat(aws_iam_role_policy.vault_s3.*.name, [""]), 0)
+ "s3_bucket_id" = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0)
+ "using_auto_unseal" = element(
+ concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, [""]),
+ 0,
+ )
+ },
+ ],
+ var.cluster_extra_tags,
 ),
- var.cluster_extra_tags)
- }"]
+ ]
 
 # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means
 # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
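Review bot: The `tags` argument in the `aws_autoscaling_group` hunk keeps the outer brackets around `concat(...)`, and `concat` always returns a list, so the resource receives a one-element list whose element is itself a list rather than the list of tag maps it expects; the TF-UPGRADE-TODO comment left directly above describes this exact case and asks for the brackets to be removed. Change `tags = [` / `concat(` to `tags = concat(`, drop the closing `]` so the existing `),` closes the call, and delete the eight TODO lines. `termination_policies = [var.termination_policies]` a few lines up has the same shape and is only correct if that variable is a single string, which the variables.tf hunks on this page do not show, so it is worth confirming. The hunk is complete in this view.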
@@ -62,22 +75,33 @@ resource "aws_autoscaling_group" "autoscaling_group" {
 
 resource "aws_launch_configuration" "launch_configuration" {
 name_prefix = "${var.cluster_name}-"
- image_id = "${var.ami_id}"
- instance_type = "${var.instance_type}"
- user_data = "${var.user_data}"
-
- iam_instance_profile = "${aws_iam_instance_profile.instance_profile.name}"
- key_name = "${var.ssh_key_name}"
- security_groups = ["${concat(list(aws_security_group.lc_security_group.id), var.additional_security_group_ids)}"]
- placement_tenancy = "${var.tenancy}"
- associate_public_ip_address = "${var.associate_public_ip_address}"
-
- ebs_optimized = "${var.root_volume_ebs_optimized}"
+ image_id = var.ami_id
+ instance_type = var.instance_type
+ user_data = var.user_data
+
+ iam_instance_profile = aws_iam_instance_profile.instance_profile.name
+ key_name = var.ssh_key_name
+ # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to
+ # force an interpolation expression to be interpreted as a list by wrapping it
+ # in an extra set of list brackets. That form was supported for compatibilty in
+ # v0.11, but is no longer supported in Terraform v0.12.
+ #
+ # If the expression in the following list itself returns a list, remove the
+ # brackets to avoid interpretation as a list of lists. If the expression
+ # returns a single list item then leave it as-is and remove this TODO comment.
+ security_groups = concat(
+ [aws_security_group.lc_security_group.id],
+ var.additional_security_group_ids,
+ )
+ placement_tenancy = var.tenancy
+ associate_public_ip_address = var.associate_public_ip_address
+
+ ebs_optimized = var.root_volume_ebs_optimized
 
 root_block_device {
- volume_type = "${var.root_volume_type}"
- volume_size = "${var.root_volume_size}"
- delete_on_termination = "${var.root_volume_delete_on_termination}"
+ volume_type = var.root_volume_type
+ volume_size = var.root_volume_size
+ delete_on_termination = var.root_volume_delete_on_termination
 }
 
 # Important note: whenever using a launch configuration with an auto scaling group, you must set
@@ -97,9 +121,9 @@ resource "aws_launch_configuration" "launch_configuration" {
 # ---------------------------------------------------------------------------------------------------------------------
 
 resource "aws_security_group" "lc_security_group" {
- name_prefix = "${var.cluster_name}"
+ name_prefix = var.cluster_name
 description = "Security group for the ${var.cluster_name} launch configuration"
- vpc_id = "${var.vpc_id}"
+ vpc_id = var.vpc_id
 
 # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means
 # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
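Review bot: The TF-UPGRADE-TODO comment inserted above `security_groups` in the `aws_launch_configuration` hunk is stale: the expression that follows, `security_groups = concat([aws_security_group.lc_security_group.id], var.additional_security_group_ids)`, already has no extra brackets, so the case the comment asks the reader to resolve does not exist and the eight comment lines should be dropped before this ships. Leaving upgrade-tool TODOs in a published module reads as unfinished work and makes real TODOs harder to find. The `resource` block begins on the previous page line and is complete in this view.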
@@ -108,29 +132,34 @@ resource "aws_security_group" "lc_security_group" { create_before_destroy = true } - tags = "${merge(map("Name", var.cluster_name), var.security_group_tags)}" + tags = merge( + { + "Name" = var.cluster_name + }, + var.security_group_tags, + ) } resource "aws_security_group_rule" "allow_ssh_inbound_from_cidr_blocks" { - count = "${length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0}" + count = length(var.allowed_ssh_cidr_blocks) >= 1 ? 1 : 0 type = "ingress" - from_port = "${var.ssh_port}" - to_port = "${var.ssh_port}" + from_port = var.ssh_port + to_port = var.ssh_port protocol = "tcp" - cidr_blocks = ["${var.allowed_ssh_cidr_blocks}"] + cidr_blocks = var.allowed_ssh_cidr_blocks - security_group_id = "${aws_security_group.lc_security_group.id}" + security_group_id = aws_security_group.lc_security_group.id } resource "aws_security_group_rule" "allow_ssh_inbound_from_security_group_ids" { - count = "${length(var.allowed_ssh_security_group_ids)}" + count = length(var.allowed_ssh_security_group_ids) type = "ingress" - from_port = "${var.ssh_port}" - to_port = "${var.ssh_port}" + from_port = var.ssh_port + to_port = var.ssh_port protocol = "tcp" - source_security_group_id = "${element(var.allowed_ssh_security_group_ids, count.index)}" + source_security_group_id = element(var.allowed_ssh_security_group_ids, count.index) - security_group_id = "${aws_security_group.lc_security_group.id}" + security_group_id = aws_security_group.lc_security_group.id } resource "aws_security_group_rule" "allow_all_outbound" { @@ -140,7 +169,7 @@ resource "aws_security_group_rule" "allow_all_outbound" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.lc_security_group.id}" + security_group_id = aws_security_group.lc_security_group.id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -150,13 +179,13 @@ resource "aws_security_group_rule" "allow_all_outbound" { module "security_group_rules" { source = "../vault-security-group-rules" - security_group_id = "${aws_security_group.lc_security_group.id}" - allowed_inbound_cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"] - allowed_inbound_security_group_ids = ["${var.allowed_inbound_security_group_ids}"] - allowed_inbound_security_group_count = "${var.allowed_inbound_security_group_count}" + security_group_id = aws_security_group.lc_security_group.id + allowed_inbound_cidr_blocks = var.allowed_inbound_cidr_blocks + allowed_inbound_security_group_ids = var.allowed_inbound_security_group_ids + allowed_inbound_security_group_count = var.allowed_inbound_security_group_count - api_port = "${var.api_port}" - cluster_port = "${var.cluster_port}" + api_port = var.api_port + cluster_port = var.cluster_port } # --------------------------------------------------------------------------------------------------------------------- @@ -166,9 +195,9 @@ module "security_group_rules" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_iam_instance_profile" "instance_profile" { - name_prefix = "${var.cluster_name}" - path = "${var.instance_profile_path}" - role = "${aws_iam_role.instance_role.name}" + name_prefix = var.cluster_name + path = var.instance_profile_path + role = aws_iam_role.instance_role.name # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors 
@@ -179,8 +208,8 @@ resource "aws_iam_instance_profile" "instance_profile" {
 }
 
 resource "aws_iam_role" "instance_role" {
- name_prefix = "${var.cluster_name}"
- assume_role_policy = "${data.aws_iam_policy_document.instance_role.json}"
+ name_prefix = var.cluster_name
+ assume_role_policy = data.aws_iam_policy_document.instance_role.json
 
 # aws_iam_instance_profile.instance_profile in this module sets create_before_destroy to true, which means
 # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors
@@ -203,17 +232,19 @@ data "aws_iam_policy_document" "instance_role" {
 }
 
 resource "aws_s3_bucket" "vault_storage" {
- count = "${var.enable_s3_backend ? 1 : 0}"
- bucket = "${var.s3_bucket_name}"
- force_destroy = "${var.force_destroy_s3_bucket}"
+ count = var.enable_s3_backend ? 1 : 0
+ bucket = var.s3_bucket_name
+ force_destroy = var.force_destroy_s3_bucket
 
- tags = "${merge(
- map("Description", "Used for secret storage with Vault. DO NOT DELETE this Bucket unless you know what you are doing."),
- var.s3_bucket_tags)
- }"
+ tags = merge(
+ {
+ "Description" = "Used for secret storage with Vault. DO NOT DELETE this Bucket unless you know what you are doing."
+ },
+ var.s3_bucket_tags,
+ )
 
 versioning {
- enabled = "${var.enable_s3_bucket_versioning}"
+ enabled = var.enable_s3_bucket_versioning
 }
 
 # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means
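Review bot: The rewritten `aws_s3_bucket.vault_storage` resource in the second hunk enables versioning but, in the lines visible here, sets no `server_side_encryption_configuration` and nothing blocks public access on a bucket whose own tag says it holds Vault's secret storage. Vault's barrier encrypts entries before they reach the bucket, so this is defense in depth rather than a direct exposure, but a `server_side_encryption_configuration` block (AES256 or a KMS key) and an `aws_s3_bucket_public_access_block` for the bucket are cheap to add and are what a Vault storage bucket is normally expected to carry; if they exist outside the hunk this can be disregarded. The resource continues past the end of the hunk.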
@@ -225,10 +256,13 @@ resource "aws_s3_bucket" "vault_storage" { } resource "aws_iam_role_policy" "vault_s3" { - count = "${var.enable_s3_backend ? 1 : 0}" - name = "vault_s3" - role = "${aws_iam_role.instance_role.id}" - policy = "${element(concat(data.aws_iam_policy_document.vault_s3.*.json, list("")), 0)}" + count = var.enable_s3_backend ? 1 : 0 + name = "vault_s3" + role = aws_iam_role.instance_role.id + policy = element( + concat(data.aws_iam_policy_document.vault_s3.*.json, [""]), + 0, + ) # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors @@ -239,21 +273,21 @@ resource "aws_iam_role_policy" "vault_s3" { } data "aws_iam_policy_document" "vault_s3" { - count = "${var.enable_s3_backend ? 1 : 0}" + count = var.enable_s3_backend ? 1 : 0 statement { effect = "Allow" actions = ["s3:*"] resources = [ - "${aws_s3_bucket.vault_storage.arn}", - "${aws_s3_bucket.vault_storage.arn}/*", + aws_s3_bucket.vault_storage[0].arn, + "${aws_s3_bucket.vault_storage[0].arn}/*", ] } } data "aws_iam_policy_document" "vault_auto_unseal_kms" { - count = "${var.enable_auto_unseal ? 1 : 0}" + count = var.enable_auto_unseal ? 1 : 0 statement { effect = "Allow" 
@@ -264,15 +298,21 @@ data "aws_iam_policy_document" "vault_auto_unseal_kms" { "kms:DescribeKey", ] - resources = ["${var.auto_unseal_kms_key_arn}"] + resources = [var.auto_unseal_kms_key_arn] } } resource "aws_iam_role_policy" "vault_auto_unseal_kms" { - count = "${var.enable_auto_unseal ? 1 : 0}" - name = "vault_auto_unseal_kms" - role = "${aws_iam_role.instance_role.id}" - policy = "${element(concat(data.aws_iam_policy_document.vault_auto_unseal_kms.*.json, list("")), 0)}" + count = var.enable_auto_unseal ? 1 : 0 + name = "vault_auto_unseal_kms" + role = aws_iam_role.instance_role.id + policy = element( + concat( + data.aws_iam_policy_document.vault_auto_unseal_kms.*.json, + [""], + ), + 0, + ) # aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors @@ -281,3 +321,4 @@ resource "aws_iam_role_policy" "vault_auto_unseal_kms" { create_before_destroy = true } } + diff --git a/modules/vault-cluster/outputs.tf b/modules/vault-cluster/outputs.tf index f246541e..ab03f0ac 100644 --- a/modules/vault-cluster/outputs.tf +++ b/modules/vault-cluster/outputs.tf 
@@ -1,39 +1,40 @@ output "asg_name" { - value = "${aws_autoscaling_group.autoscaling_group.name}" + value = aws_autoscaling_group.autoscaling_group.name } output "cluster_tag_key" { - value = "${var.cluster_tag_key}" + value = var.cluster_tag_key } output "cluster_tag_value" { - value = "${var.cluster_name}" + value = var.cluster_name } output "cluster_size" { - value = "${aws_autoscaling_group.autoscaling_group.desired_capacity}" + value = aws_autoscaling_group.autoscaling_group.desired_capacity } output "launch_config_name" { - value = "${aws_launch_configuration.launch_configuration.name}" + value = aws_launch_configuration.launch_configuration.name } output "iam_role_arn" { - value = "${aws_iam_role.instance_role.arn}" + value = aws_iam_role.instance_role.arn } output "iam_role_id" { - value = "${aws_iam_role.instance_role.id}" + value = aws_iam_role.instance_role.id } output "iam_role_name" { - value = "${aws_iam_role.instance_role.name}" + value = aws_iam_role.instance_role.name } output "security_group_id" { - value = "${aws_security_group.lc_security_group.id}" + value = aws_security_group.lc_security_group.id } output "s3_bucket_arn" { - value = "${join(",", aws_s3_bucket.vault_storage.*.arn)}" + value = join(",", aws_s3_bucket.vault_storage.*.arn) } + diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf index e3f3c465..aff95c66 100644 --- a/modules/vault-cluster/variables.tf +++ b/modules/vault-cluster/variables.tf @@ -21,12 +21,12 @@ variable "vpc_id" { variable "allowed_inbound_cidr_blocks" { description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow connections to Vault" - type = "list" + type = list(string) } variable "allowed_inbound_security_group_ids" { description = "A list of security group IDs that will be allowed to connect to Vault" - type = "list" + type = list(string) } variable "allowed_inbound_security_group_count" { 
@@ -58,13 +58,13 @@ variable "auto_unseal_kms_key_arn" { variable "subnet_ids" { description = "The subnet IDs into which the EC2 Instances should be deployed. You should typically pass in one subnet ID per node in the cluster_size variable. We strongly recommend that you run Vault in private subnets. At least one of var.subnet_ids or var.availability_zones must be non-empty." - type = "list" + type = list(string) default = [] } variable "availability_zones" { description = "The availability zones into which the EC2 Instances should be deployed. You should typically pass in one availability zone per node in the cluster_size variable. We strongly recommend against passing in only a list of availability zones, as that will run Vault in the default (and most likely public) subnets in your VPC. At least one of var.subnet_ids or var.availability_zones must be non-empty." - type = "list" + type = list(string) default = [] } @@ -75,25 +75,25 @@ variable "ssh_key_name" { variable "allowed_ssh_cidr_blocks" { description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow SSH connections" - type = "list" + type = list(string) default = [] } variable "allowed_ssh_security_group_ids" { description = "A list of security group IDs from which the EC2 Instances will allow SSH connections" - type = "list" + type = list(string) default = [] } variable "additional_security_group_ids" { description = "A list of additional security group IDs to add to Vault EC2 Instances" - type = "list" + type = list(string) default = [] } variable "security_group_tags" { description = "Tags to be applied to the LC security group" - type = "map" + type = map(string) default = {} } 
@@ -104,7 +104,7 @@ variable "cluster_tag_key" { variable "cluster_extra_tags" { description = "A list of additional tags to add to each Instance in the ASG. Each element in the list must be a map with the keys key, value, and propagate_at_launch" - type = "list" + type = list(string) #example: # default = [ @@ -199,7 +199,7 @@ variable "s3_bucket_name" { variable "s3_bucket_tags" { description = "Tags to be applied to the S3 bucket." - type = "map" + type = map(string) default = {} } @@ -215,6 +215,7 @@ variable "force_destroy_s3_bucket" { variable "enabled_metrics" { description = "List of autoscaling group metrics to enable." - type = "list" + type = list(string) default = [] } + diff --git a/modules/vault-elb/main.tf b/modules/vault-elb/main.tf index 8faa3329..984aa866 100644 --- a/modules/vault-elb/main.tf +++ b/modules/vault-elb/main.tf 
@@ -11,34 +11,39 @@ terraform { # --------------------------------------------------------------------------------------------------------------------- resource "aws_elb" "vault" { - name = "${var.name}" + name = var.name - internal = "${var.internal}" - cross_zone_load_balancing = "${var.cross_zone_load_balancing}" - idle_timeout = "${var.idle_timeout}" - connection_draining = "${var.connection_draining}" - connection_draining_timeout = "${var.connection_draining_timeout}" + internal = var.internal + cross_zone_load_balancing = var.cross_zone_load_balancing + idle_timeout = var.idle_timeout + connection_draining = var.connection_draining + connection_draining_timeout = var.connection_draining_timeout - security_groups = ["${aws_security_group.vault.id}"] - subnets = ["${var.subnet_ids}"] + security_groups = [aws_security_group.vault.id] + subnets = var.subnet_ids # Run the ELB in TCP passthrough mode listener { - lb_port = "${var.lb_port}" + lb_port = var.lb_port lb_protocol = "TCP" - instance_port = "${var.vault_api_port}" + instance_port = var.vault_api_port instance_protocol = "TCP" } health_check { target = "${var.health_check_protocol}:${var.health_check_port == 0 ? var.vault_api_port : var.health_check_port}${var.health_check_path}" - interval = "${var.health_check_interval}" - healthy_threshold = "${var.health_check_healthy_threshold}" - unhealthy_threshold = "${var.health_check_unhealthy_threshold}" - timeout = "${var.health_check_timeout}" + interval = var.health_check_interval + healthy_threshold = var.health_check_healthy_threshold + unhealthy_threshold = var.health_check_unhealthy_threshold + timeout = var.health_check_timeout } - tags = "${merge(var.load_balancer_tags, map("Name", var.name))}" + tags = merge( + var.load_balancer_tags, + { + "Name" = var.name + }, + ) } # --------------------------------------------------------------------------------------------------------------------- 
@@ -46,8 +51,8 @@ resource "aws_elb" "vault" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_autoscaling_attachment" "vault" { - autoscaling_group_name = "${var.vault_asg_name}" - elb = "${aws_elb.vault.id}" + autoscaling_group_name = var.vault_asg_name + elb = aws_elb.vault.id } # --------------------------------------------------------------------------------------------------------------------- @@ -57,19 +62,19 @@ resource "aws_autoscaling_attachment" "vault" { resource "aws_security_group" "vault" { name = "${var.name}-elb" description = "Security group for the ${var.name} ELB" - vpc_id = "${var.vpc_id}" + vpc_id = var.vpc_id - tags = "${var.security_group_tags}" + tags = var.security_group_tags } resource "aws_security_group_rule" "allow_inbound_api" { type = "ingress" - from_port = "${var.lb_port}" - to_port = "${var.lb_port}" + from_port = var.lb_port + to_port = var.lb_port protocol = "tcp" - cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"] + cidr_blocks = var.allowed_inbound_cidr_blocks - security_group_id = "${aws_security_group.vault.id}" + security_group_id = aws_security_group.vault.id } resource "aws_security_group_rule" "allow_all_outbound" { @@ -79,7 +84,7 @@ resource "aws_security_group_rule" "allow_all_outbound" { protocol = "-1" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.vault.id}" + security_group_id = aws_security_group.vault.id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -87,15 +92,15 @@ resource "aws_security_group_rule" "allow_all_outbound" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_route53_record" "vault_elb" { - count = "${var.create_dns_entry}" + count = var.create_dns_entry ? 1 : 0 - zone_id = "${var.hosted_zone_id}" - name = "${var.domain_name}" + zone_id = var.hosted_zone_id + name = var.domain_name type = "A" alias { - name = "${aws_elb.vault.dns_name}" - zone_id = "${aws_elb.vault.zone_id}" + name = aws_elb.vault.dns_name + zone_id = aws_elb.vault.zone_id # When set to true, if either none of the ELB's EC2 instances are healthy or the ELB itself is unhealthy, # Route 53 routes queries to "other resources." But since we haven't defined any other resources, we'd rather @@ -104,3 +109,4 @@ resource "aws_route53_record" "vault_elb" { evaluate_target_health = false } } + diff --git a/modules/vault-elb/outputs.tf b/modules/vault-elb/outputs.tf index ff67df74..024b1c73 100644 --- a/modules/vault-elb/outputs.tf +++ b/modules/vault-elb/outputs.tf @@ -1,19 +1,20 @@ output "load_balancer_name" { - value = "${aws_elb.vault.name}" + value = aws_elb.vault.name } output "load_balancer_dns_name" { - value = "${aws_elb.vault.dns_name}" + value = aws_elb.vault.dns_name } output "load_balancer_zone_id" { - value = "${aws_elb.vault.zone_id}" + value = aws_elb.vault.zone_id } output "load_balancer_security_group_id" { - value = "${aws_security_group.vault.id}" + value = aws_security_group.vault.id } output "fully_qualified_domain_name" { - value = "${element(concat(aws_route53_record.vault_elb.*.fqdn, list("")), 0)}" + value = element(concat(aws_route53_record.vault_elb.*.fqdn, [""]), 0) } + diff --git a/modules/vault-elb/variables.tf b/modules/vault-elb/variables.tf index 75159bf7..f6ec2ced 100644 --- a/modules/vault-elb/variables.tf +++ b/modules/vault-elb/variables.tf 
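Review bot: `count = var.create_dns_entry ? 1 : 0` now requires `var.create_dns_entry` to be a bool, whereas the old `count = "${var.create_dns_entry}"` accepted `0`/`1`; the variables.tf hunks in this series only retype the list and map variables, so unless `create_dns_entry` is declared with `type = bool` a caller still passing a number will get a conditional-type error under 0.12. Declaring `type = bool` (with a `false` default if that matches the existing behaviour) and noting the change in the module docs would make the break explicit rather than discovered at plan time.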
@@ -13,7 +13,7 @@ variable "vpc_id" { variable "allowed_inbound_cidr_blocks" { description = "A list of CIDR-formatted IP address ranges from which the ELB will accept requests." - type = "list" + type = list(string) } variable "vault_asg_name" { @@ -27,7 +27,7 @@ variable "vault_asg_name" { variable "subnet_ids" { description = "The subnet IDs into which the ELB should be deployed. You will typically want to deploy the ELB into public subnets so your Vault cluster can run in private subnets. At least one of var.subnet_ids or var.availability_zones must be non-empty." - type = "list" + type = list(string) default = [] } @@ -123,6 +123,7 @@ variable "load_balancer_tags" { variable "security_group_tags" { description = "Tags to be applied to the ELB security group." - type = "map" + type = map(string) default = {} } + diff --git a/modules/vault-security-group-rules/main.tf b/modules/vault-security-group-rules/main.tf index 1dc6bb1e..c42c6e6d 100644 --- a/modules/vault-security-group-rules/main.tf +++ b/modules/vault-security-group-rules/main.tf 
@@ -3,43 +3,44 @@ # --------------------------------------------------------------------------------------------------------------------- resource "aws_security_group_rule" "allow_api_inbound_from_cidr_blocks" { - count = "${length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0}" + count = length(var.allowed_inbound_cidr_blocks) >= 1 ? 1 : 0 type = "ingress" - from_port = "${var.api_port}" - to_port = "${var.api_port}" + from_port = var.api_port + to_port = var.api_port protocol = "tcp" - cidr_blocks = ["${var.allowed_inbound_cidr_blocks}"] + cidr_blocks = var.allowed_inbound_cidr_blocks - security_group_id = "${var.security_group_id}" + security_group_id = var.security_group_id } resource "aws_security_group_rule" "allow_api_inbound_from_security_group_ids" { - count = "${var.allowed_inbound_security_group_count}" + count = var.allowed_inbound_security_group_count type = "ingress" - from_port = "${var.api_port}" - to_port = "${var.api_port}" + from_port = var.api_port + to_port = var.api_port protocol = "tcp" - source_security_group_id = "${element(var.allowed_inbound_security_group_ids, count.index)}" + source_security_group_id = element(var.allowed_inbound_security_group_ids, count.index) - security_group_id = "${var.security_group_id}" + security_group_id = var.security_group_id } resource "aws_security_group_rule" "allow_cluster_inbound_from_self" { type = "ingress" - from_port = "${var.cluster_port}" - to_port = "${var.cluster_port}" + from_port = var.cluster_port + to_port = var.cluster_port protocol = "tcp" self = true - security_group_id = "${var.security_group_id}" + security_group_id = var.security_group_id } resource "aws_security_group_rule" "allow_cluster_inbound_from_self_api" { type = "ingress" - from_port = "${var.api_port}" - to_port = "${var.api_port}" + from_port = var.api_port + to_port = var.api_port protocol = "tcp" self = true - security_group_id = "${var.security_group_id}" + security_group_id = var.security_group_id } + 
diff --git a/modules/vault-security-group-rules/variables.tf b/modules/vault-security-group-rules/variables.tf index 09de1929..2e18f3fe 100644 --- a/modules/vault-security-group-rules/variables.tf +++ b/modules/vault-security-group-rules/variables.tf @@ -9,12 +9,12 @@ variable "security_group_id" { variable "allowed_inbound_cidr_blocks" { description = "A list of CIDR-formatted IP address ranges from which the EC2 Instances will allow connections to Vault" - type = "list" + type = list(string) } variable "allowed_inbound_security_group_ids" { description = "A list of security group IDs that will be allowed to connect to Vault" - type = "list" + type = list(string) } # --------------------------------------------------------------------------------------------------------------------- @@ -35,3 +35,4 @@ variable "cluster_port" { description = "The port to use for Vault server-to-server communication" default = 8201 } + From 90c62324b8dafb25767e11d71388adc739718e4e Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Tue, 25 Jun 2019 12:33:55 -0400 Subject: [PATCH 06/28] feature: upgrade private-tls-cert to terraform 0.12 --- modules/private-tls-cert/main.tf | 52 ++++++++++++++------------- modules/private-tls-cert/outputs.tf | 7 ++-- modules/private-tls-cert/variables.tf | 9 ++--- 3 files changed, 37 insertions(+), 31 deletions(-) diff --git a/modules/private-tls-cert/main.tf b/modules/private-tls-cert/main.tf index 46f45710..599cbf4f 100644 --- a/modules/private-tls-cert/main.tf +++ b/modules/private-tls-cert/main.tf 
@@ -3,24 +3,25 @@ # --------------------------------------------------------------------------------------------------------------------- resource "tls_private_key" "ca" { - algorithm = "${var.private_key_algorithm}" - ecdsa_curve = "${var.private_key_ecdsa_curve}" - rsa_bits = "${var.private_key_rsa_bits}" + algorithm = var.private_key_algorithm + ecdsa_curve = var.private_key_ecdsa_curve + rsa_bits = var.private_key_rsa_bits } resource "tls_self_signed_cert" "ca" { - key_algorithm = "${tls_private_key.ca.algorithm}" - private_key_pem = "${tls_private_key.ca.private_key_pem}" + key_algorithm = tls_private_key.ca.algorithm + private_key_pem = tls_private_key.ca.private_key_pem is_ca_certificate = true - validity_period_hours = "${var.validity_period_hours}" - allowed_uses = ["${var.ca_allowed_uses}"] + validity_period_hours = var.validity_period_hours + allowed_uses = var.ca_allowed_uses subject { - common_name = "${var.ca_common_name}" - organization = "${var.organization_name}" + common_name = var.ca_common_name + organization = var.organization_name } + # Store the CA public key in a file. # Store the CA public key in a file. provisioner "local-exec" { command = "echo '${tls_self_signed_cert.ca.cert_pem}' > '${var.ca_public_key_file_path}' && chmod ${var.permissions} '${var.ca_public_key_file_path}' && chown ${var.owner} '${var.ca_public_key_file_path}'" 
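Review bot: The added `# Store the CA public key in a file.` line duplicates the identical context comment immediately below it, and the next two hunks repeat the pattern for `# Store the certificate's private key in a file.` and `# Store the certificate's public key in a file.`. Presumably the intent was a blank separator line before each existing comment; drop the added comment lines and keep the blank ones.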
@@ -32,10 +33,11 @@ resource "tls_self_signed_cert" "ca" { # --------------------------------------------------------------------------------------------------------------------- resource "tls_private_key" "cert" { - algorithm = "${var.private_key_algorithm}" - ecdsa_curve = "${var.private_key_ecdsa_curve}" - rsa_bits = "${var.private_key_rsa_bits}" + algorithm = var.private_key_algorithm + ecdsa_curve = var.private_key_ecdsa_curve + rsa_bits = var.private_key_rsa_bits + # Store the certificate's private key in a file. # Store the certificate's private key in a file. provisioner "local-exec" { command = "echo '${tls_private_key.cert.private_key_pem}' > '${var.private_key_file_path}' && chmod ${var.permissions} '${var.private_key_file_path}' && chown ${var.owner} '${var.private_key_file_path}'" 
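Review bot: The `local-exec` provisioner in this hunk passes `tls_private_key.cert.private_key_pem` through a shell `echo`, so the PEM appears on a subprocess command line (visible in process listings and in any wrapper that logs commands) and the shell redirect creates the file under the default umask before `chmod`/`chown` run. That command is unchanged context, but since the resource is being converted it is a good moment to write the key with a `local_file` resource (its `sensitive_content` argument, where the local provider version in use supports it) instead of a shell command. Note too that the `tls` provider keeps the key material in Terraform state regardless of how the file is written, so the state backend needs the same protection as the key file.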
@@ -43,30 +45,32 @@ resource "tls_private_key" "cert" { } resource "tls_cert_request" "cert" { - key_algorithm = "${tls_private_key.cert.algorithm}" - private_key_pem = "${tls_private_key.cert.private_key_pem}" + key_algorithm = tls_private_key.cert.algorithm + private_key_pem = tls_private_key.cert.private_key_pem - dns_names = ["${var.dns_names}"] - ip_addresses = ["${var.ip_addresses}"] + dns_names = var.dns_names + ip_addresses = var.ip_addresses subject { - common_name = "${var.common_name}" - organization = "${var.organization_name}" + common_name = var.common_name + organization = var.organization_name } } resource "tls_locally_signed_cert" "cert" { - cert_request_pem = "${tls_cert_request.cert.cert_request_pem}" + cert_request_pem = tls_cert_request.cert.cert_request_pem - ca_key_algorithm = "${tls_private_key.ca.algorithm}" - ca_private_key_pem = "${tls_private_key.ca.private_key_pem}" - ca_cert_pem = "${tls_self_signed_cert.ca.cert_pem}" + ca_key_algorithm = tls_private_key.ca.algorithm + ca_private_key_pem = tls_private_key.ca.private_key_pem + ca_cert_pem = tls_self_signed_cert.ca.cert_pem - validity_period_hours = "${var.validity_period_hours}" - allowed_uses = ["${var.allowed_uses}"] + validity_period_hours = var.validity_period_hours + allowed_uses = var.allowed_uses + # Store the certificate's public key in a file. # Store the certificate's public key in a file. provisioner "local-exec" { command = "echo '${tls_locally_signed_cert.cert.cert_pem}' > '${var.public_key_file_path}' && chmod ${var.permissions} '${var.public_key_file_path}' && chown ${var.owner} '${var.public_key_file_path}'" } } + diff --git a/modules/private-tls-cert/outputs.tf b/modules/private-tls-cert/outputs.tf index 89dd1dae..078afd86 100644 --- a/modules/private-tls-cert/outputs.tf +++ b/modules/private-tls-cert/outputs.tf 
@@ -1,11 +1,12 @@ output "ca_public_key_file_path" { - value = "${var.ca_public_key_file_path}" + value = var.ca_public_key_file_path } output "public_key_file_path" { - value = "${var.public_key_file_path}" + value = var.public_key_file_path } output "private_key_file_path" { - value = "${var.private_key_file_path}" + value = var.private_key_file_path } + diff --git a/modules/private-tls-cert/variables.tf b/modules/private-tls-cert/variables.tf index 8fb4b005..57720d84 100644 --- a/modules/private-tls-cert/variables.tf +++ b/modules/private-tls-cert/variables.tf @@ -33,12 +33,12 @@ variable "common_name" { variable "dns_names" { description = "List of DNS names for which the certificate will be valid (e.g. vault.service.consul, foo.example.com)." - type = "list" + type = list(string) } variable "ip_addresses" { description = "List of IP addresses for which the certificate will be valid (e.g. 127.0.0.1)." - type = "list" + type = list(string) } variable "validity_period_hours" { @@ -52,7 +52,7 @@ variable "validity_period_hours" { variable "ca_allowed_uses" { description = "List of keywords from RFC5280 describing a use that is permitted for the CA certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses." - type = "list" + type = list(string) default = [ "cert_signing", @@ -63,7 +63,7 @@ variable "ca_allowed_uses" { variable "allowed_uses" { description = "List of keywords from RFC5280 describing a use that is permitted for the issued certificate. For more info and the list of keywords, see https://www.terraform.io/docs/providers/tls/r/self_signed_cert.html#allowed_uses." - type = "list" + type = list(string) default = [ "key_encipherment", @@ -90,3 +90,4 @@ variable "private_key_rsa_bits" { description = "The size of the generated RSA key in bits. Should only be used if var.private_key_algorithm is RSA." default = "2048" } + 
From 0a49e10bafe0f1980ab07c5dae78270895af9021 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Tue, 25 Jun 2019 14:37:09 -0400 Subject: [PATCH 07/28] bug: cleanup tags --- examples/vault-agent/main.tf | 10 ++--- modules/vault-cluster/main.tf | 60 +++++++++++++++++------------- modules/vault-cluster/variables.tf | 2 +- 3 files changed, 40 insertions(+), 32 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index 4feb7f9e..0e71f1dd 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf @@ -13,7 +13,7 @@ terraform { resource "aws_instance" "example_auth_to_vault" { ami = "${var.ami_id}" instance_type = "t2.micro" - subnet_id = "${data.aws_subnet_ids.default.ids[0]}" + subnet_id = tolist(data.aws_subnet_ids.default.ids)[0] key_name = "${var.ssh_key_name}" # Security group that opens the necessary ports for consul @@ -26,7 +26,7 @@ resource "aws_instance" "example_auth_to_vault" { user_data = "${data.template_file.user_data_auth_client.rendered}" iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}" - tags { + tags = { Name = "${var.auth_server_name}" } } @@ -74,7 +74,7 @@ module "consul_iam_policies_for_client" { data "template_file" "user_data_auth_client" { template = "${file("${path.module}/user-data-auth-client.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" example_role_name = "${var.example_role_name}" @@ -182,7 +182,7 @@ module "consul_iam_policies_servers" { data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" example_role_name = "${var.example_role_name}" 
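Review bot: `subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]` indexes a set converted with `tolist`, whose element order is undefined (only consistent within a single run), so which default subnet the example instance lands in is arbitrary and may change between runs, forcing a replacement. For an example this is tolerable but should be stated, e.g. `# Example only: picks an arbitrary default subnet; select one explicitly in real deployments`. The new line and the `tags = {` fix also sit next to unconverted `"${var.ami_id}"`-style wrappers, which 0.12 accepts only with a deprecation warning; the PATCH 11 hunks apply the same `tolist` change to the ec2-auth and iam-auth examples and share both points.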
@@ -249,7 +249,7 @@ module "consul_cluster" { data "template_file" "user_data_consul" { template = "${file("${path.module}/user-data-consul.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" } diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf index b6b26f40..23220333 100644 --- a/modules/vault-cluster/main.tf +++ b/modules/vault-cluster/main.tf 
@@ -34,32 +34,40 @@ resource "aws_autoscaling_group" "autoscaling_group" { # And only create the cluster after S3 bucket and policies exist # Otherwise Vault might boot and not find the bucket or not yet have the necessary permissions # Not using `depends_on` because these resources might not exist - # TF-UPGRADE-TODO: In Terraform v0.10 and earlier, it was sometimes necessary to - # force an interpolation expression to be interpreted as a list by wrapping it - # in an extra set of list brackets. That form was supported for compatibilty in - # v0.11, but is no longer supported in Terraform v0.12. - # - # If the expression in the following list itself returns a list, remove the - # brackets to avoid interpretation as a list of lists. If the expression - # returns a single list item then leave it as-is and remove this TODO comment. - tags = [ - concat( - [ - { - "key" = var.cluster_tag_key - "value" = var.cluster_name - "propagate_at_launch" = true - "using_s3_bucket_backend" = element(concat(aws_iam_role_policy.vault_s3.*.name, [""]), 0) - "s3_bucket_id" = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0) - "using_auto_unseal" = element( - concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, [""]), - 0, - ) - }, - ], - var.cluster_extra_tags, - ), - ] + tag { + key = var.cluster_tag_key + value = var.cluster_name + propagate_at_launch = true + } + + tag { + key = "using_s3_bucket_backend" + value = element(concat(aws_iam_role_policy.vault_s3.*.name, list("")), 0) + propagate_at_launch = true + } + + tag { + key = "s3_bucket_id" + value = element(concat(aws_s3_bucket.vault_storage.*.id, list("")), 0) + propagate_at_launch = true + } + + tag { + key = "using_auto_unseal" + value = element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, list("")), 0) + propagate_at_launch = true + } + + dynamic "tag" { + for_each = var.cluster_extra_tags + + content { + key = tag.key + value = tag.value + propagate_at_launch = tag.propagate_at_launch + } + } + # 
aws_launch_configuration.launch_configuration in this module sets create_before_destroy to true, which means # everything it depends on, including this resource, must set it as well, or you'll get cyclic dependency errors diff --git a/modules/vault-cluster/variables.tf b/modules/vault-cluster/variables.tf index aff95c66..4067580f 100644 --- a/modules/vault-cluster/variables.tf +++ b/modules/vault-cluster/variables.tf @@ -104,7 +104,7 @@ variable "cluster_tag_key" { variable "cluster_extra_tags" { description = "A list of additional tags to add to each Instance in the ASG. Each element in the list must be a map with the keys key, value, and propagate_at_launch" - type = list(string) + type = list(object({ key : string, value : string, propagate_at_launch : bool })) #example: # default = [ From d794b3e9d03fd9e62de3c13c93dedac05b7ab7e2 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Tue, 25 Jun 2019 15:08:24 -0400 Subject: [PATCH 08/28] bug: fix vars blocks --- examples/vault-auto-unseal/main.tf | 4 ++-- examples/vault-cluster-private/main.tf | 4 ++-- examples/vault-ec2-auth/main.tf | 6 +++--- examples/vault-iam-auth/main.tf | 6 +++--- examples/vault-s3-backend/main.tf | 4 ++-- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index d976a5a3..9ad6a7b7 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf @@ -67,7 +67,7 @@ module "consul_iam_policies_servers" { data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" 
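Review bot: The `dynamic "tag"` block in the `aws_autoscaling_group` hunk reads `tag.key`, `tag.value` and `tag.propagate_at_launch`, but a dynamic block's iterator exposes only `key` (here the list index) and `value` (the element), so `key` would become `0`, `1`, …, `value` would be the whole object, and `tag.propagate_at_launch` is not a valid reference; the content block should read `key = tag.value.key`, `value = tag.value.value`, `propagate_at_launch = tag.value.propagate_at_launch`. The three fixed `tag` blocks also reintroduce `list("")` where PATCH 01 (the `vault_s3` and `vault_auto_unseal_kms` policy hunks) switched to `[""]`; `list()` is deprecated in 0.12, so use `[""]` here as well. The enclosing `aws_autoscaling_group` resource starts before the hunk.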
@@ -130,7 +130,7 @@ module "consul_cluster" { data "template_file" "user_data_consul" { template = "${file("${path.module}/user-data-consul.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" } diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index 03e89c79..bc3c550f 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf @@ -58,7 +58,7 @@ module "consul_iam_policies_servers" { data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" - vars { + vars = { aws_region = "${data.aws_region.current.name}" consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" @@ -119,7 +119,7 @@ module "consul_cluster" { data "template_file" "user_data_consul" { template = "${file("${path.module}/user-data-consul.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" } diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index de1c8b23..67bc3c63 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf @@ -44,7 +44,7 @@ resource "aws_iam_instance_profile" "example_instance_profile" { data "template_file" "user_data_auth_client" { template = "${file("${path.module}/user-data-auth-client.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" example_role_name = "${var.example_role_name}" 
@@ -121,7 +121,7 @@ module "consul_iam_policies_servers" { data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" - vars { + vars = { aws_region = "${data.aws_region.current.name}" consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" @@ -189,7 +189,7 @@ module "consul_cluster" { data "template_file" "user_data_consul" { template = "${file("${path.module}/user-data-consul.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" } diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf index 485f9615..84ae357b 100644 --- a/examples/vault-iam-auth/main.tf +++ b/examples/vault-iam-auth/main.tf @@ -74,7 +74,7 @@ module "consul_iam_policies_for_client" { data "template_file" "user_data_auth_client" { template = "${file("${path.module}/user-data-auth-client.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" example_role_name = "${var.example_role_name}" @@ -182,7 +182,7 @@ module "consul_iam_policies_servers" { data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" example_role_name = "${var.example_role_name}" @@ -249,7 +249,7 @@ module "consul_cluster" { data "template_file" "user_data_consul" { template = "${file("${path.module}/user-data-consul.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" } diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index 34d2b8b3..fee63173 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf 
@@ -62,7 +62,7 @@ module "consul_iam_policies_servers" { data "template_file" "user_data_vault_cluster" { template = "${file("${path.module}/user-data-vault.sh")}" - vars { + vars = { aws_region = "${data.aws_region.current.name}" s3_bucket_name = "${var.s3_bucket_name}" consul_cluster_tag_key = "${var.consul_cluster_tag_key}" @@ -124,7 +124,7 @@ module "consul_cluster" { data "template_file" "user_data_consul" { template = "${file("${path.module}/user-data-consul.sh")}" - vars { + vars = { consul_cluster_tag_key = "${var.consul_cluster_tag_key}" consul_cluster_tag_value = "${var.consul_cluster_name}" } From fc66b4627b61833a56b428d547faf3c33985c961 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Wed, 26 Jun 2019 15:55:31 -0400 Subject: [PATCH 09/28] docs: update comment --- test/vault_main_test.go | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/test/vault_main_test.go b/test/vault_main_test.go index 939ad6ac..ad10ed9f 100644 --- a/test/vault_main_test.go +++ b/test/vault_main_test.go @@ -85,6 +85,7 @@ func TestMainVaultCluster(t *testing.T) { for _, ami := range amisData { // Exclude eu-north-1 as it is missing the instance types we use awsRegion := aws.GetRandomRegion(t, nil, []string{"eu-north-1"}) + test_structure.SaveString(t, WORK_DIR, fmt.Sprintf("awsRegion-%s", ami.Name), awsRegion) if ami.Enterprise { 
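Review bot: The new `test_structure.SaveString(t, WORK_DIR, fmt.Sprintf("awsRegion-%s", ami.Name), awsRegion)` line has no comment saying who reads the saved value, and it is a behavioural addition in a commit described as a comment update, so it is easy to miss in history. A one-line why-comment would help, e.g. `// Persist the region chosen for this AMI so later test stages can look it up from WORK_DIR (verify consumer)`. If two entries of `amisData` share a `Name` the second save overwrites the first — presumably names are unique, but worth confirming. `TestMainVaultCluster` begins and ends outside the hunk.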
@@ -120,10 +121,10 @@ func TestMainVaultCluster(t *testing.T) { func runTestsOnDifferentPlatforms(t *testing.T) { for _, testCase := range testCases { // This re-assignment necessary, because the variable testCase is defined and set outside the forloop. - // As such, it gets overwritten on each iteration of the forloop. This is fine if you don't have concurrent code in the loop, - // but in this case, because you have a t.Parallel, the t.Run completes before the test function exits, - // which means that the value of testCase might change. - // More information at: + // As such, it gets overwritten on each iteration of the forloop. This is fine if you don't have concurrent code + // in the loop, but in this case, because you have a t.Parallel, the t.Run completes before the test function + // exits, which means that the value of testCase might change. More information at: + // // "Be Careful with Table Driven Tests and t.Parallel()" // https://gist.github.com/posener/92a55c4cd441fc5e5e85f27bca008721 testCase := testCase From 559319bd4d7143562493ec78fb30a61594a3f31b Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Wed, 26 Jun 2019 15:57:03 -0400 Subject: [PATCH 10/28] bug: fix tags inline block --- examples/vault-ec2-auth/main.tf | 2 +- examples/vault-iam-auth/main.tf | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index 67bc3c63..e839cc2d 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf @@ -23,7 +23,7 @@ resource "aws_instance" "example_auth_to_vault" { user_data = "${data.template_file.user_data_auth_client.rendered}" iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}" - tags { + tags = { Name = "${var.auth_server_name}" } } diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf index 84ae357b..ae42a7b4 100644 --- a/examples/vault-iam-auth/main.tf +++ b/examples/vault-iam-auth/main.tf 
@@ -26,7 +26,7 @@ resource "aws_instance" "example_auth_to_vault" {
 user_data = "${data.template_file.user_data_auth_client.rendered}"
 iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}"
- tags {
+ tags = {
 Name = "${var.auth_server_name}"
 }
 }
From b6d7cce2dcb0927792fb1e2a65230950c8ba35f9 Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Wed, 26 Jun 2019 15:57:34 -0400
Subject: [PATCH 11/28] bug: fix index not found error
---
 examples/vault-ec2-auth/main.tf | 2 +-
 examples/vault-iam-auth/main.tf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf
index e839cc2d..e8055d99 100644
--- a/examples/vault-ec2-auth/main.tf
+++ b/examples/vault-ec2-auth/main.tf
@@ -10,7 +10,7 @@ terraform {
 resource "aws_instance" "example_auth_to_vault" {
 ami = "${var.ami_id}"
 instance_type = "t2.micro"
- subnet_id = "${data.aws_subnet_ids.default.ids[0]}"
+ subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]
 key_name = "${var.ssh_key_name}"
 # Security group that opens the necessary ports for consul
diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf
index ae42a7b4..ec683982 100644
--- a/examples/vault-iam-auth/main.tf
+++ b/examples/vault-iam-auth/main.tf
@@ -13,7 +13,7 @@ terraform {
 resource "aws_instance" "example_auth_to_vault" {
 ami = "${var.ami_id}"
 instance_type = "t2.micro"
- subnet_id = "${data.aws_subnet_ids.default.ids[0]}"
+ subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]
 key_name = "${var.ssh_key_name}"
 # Security group that opens the necessary ports for consul
From cc430c0aa355726751eb21549f2597e8fc5f269c Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Wed, 26 Jun 2019 15:57:58 -0400
Subject: [PATCH 12/28] bug: remove unused variable
---
 test/vault_cluster_s3_backend_test.go | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
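Review bot: `subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]` fixes the indexing error, but `ids` is a set and Terraform does not guarantee the order `tolist()` produces between runs, so a later plan could pick a different subnet and force replacement of aws_instance.example_auth_to_vault. For a throwaway example that is probably acceptable, but it deserves a comment on that line, e.g. `# ids is a set; any subnet of the VPC will do, but tolist() ordering is not guaranteed across plans`. The same expression appears in the vault-iam-auth hunk on this line; both resource blocks continue outside their hunks.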
diff --git a/test/vault_cluster_s3_backend_test.go b/test/vault_cluster_s3_backend_test.go index 3b2cc694..cb028cf8 100644 --- a/test/vault_cluster_s3_backend_test.go +++ b/test/vault_cluster_s3_backend_test.go @@ -9,7 +9,6 @@ import ( const VAULT_CLUSTER_S3_BACKEND_PATH = "examples/vault-s3-backend" -const VAR_ENABLE_S3_BACKEND = "enable_s3_backend" const VAR_S3_BUCKET_NAME = "s3_bucket_name" const VAR_FORCE_DESTROY_S3_BUCKET = "force_destroy_s3_bucket" @@ -39,9 +38,8 @@ func runVaultWithS3BackendClusterTest(t *testing.T, amiId string, awsRegion, ssh test_structure.RunTestStage(t, "deploy", func() { uniqueId := random.UniqueId() terraformVars := map[string]interface{}{ - VAR_ENABLE_S3_BACKEND: boolToTerraformVar(true), VAR_S3_BUCKET_NAME: s3BucketName(uniqueId), - VAR_FORCE_DESTROY_S3_BUCKET: boolToTerraformVar(true), + VAR_FORCE_DESTROY_S3_BUCKET: true, } deployCluster(t, amiId, awsRegion, examplesDir, uniqueId, terraformVars) }) From 6ab2dd4c0b748519e569be7d2275c252cb8a752d Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 10:29:50 -0400 Subject: [PATCH 13/28] refactor: cleanup example to use terraform 0.12 syntax --- examples/vault-agent/main.tf | 110 +++++++++++++++--------------- examples/vault-agent/outputs.tf | 49 ++++++------- examples/vault-agent/variables.tf | 1 + 3 files changed, 81 insertions(+), 79 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index 0e71f1dd..bf571453 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf 
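Review bot: Removing `VAR_ENABLE_S3_BACKEND` from terraformVars means the test no longer switches the S3 backend on explicitly; if examples/vault-s3-backend still declares `enable_s3_backend` with a false default, the cluster under test would come up without the backend and any later assertions that only check Vault health would still pass. Worth confirming the variable was deleted from the example in this series, and noting it in the commit message, since "remove unused variable" reads as a pure cleanup. If `boolToTerraformVar` has no remaining callers after `VAR_FORCE_DESTROY_S3_BUCKET: true`, the helper can go as well. runVaultWithS3BackendClusterTest begins and ends outside the hunk.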
@@ -11,23 +11,23 @@ terraform { # INSTANCE THAT WILL AUTHENTICATE TO VAULT USING VAULT AGENT # --------------------------------------------------------------------------------------------------------------------- resource "aws_instance" "example_auth_to_vault" { - ami = "${var.ami_id}" + ami = var.ami_id instance_type = "t2.micro" - subnet_id = tolist(data.aws_subnet_ids.default.ids)[0] - key_name = "${var.ssh_key_name}" + subnet_id = tolist(var.data.aws_subnet_ids.default.ids)[0] + key_name = var.ssh_key_name # Security group that opens the necessary ports for consul # And security group that opens the port to our simple web server security_groups = [ - "${module.consul_cluster.security_group_id}", - "${aws_security_group.auth_instance.id}", + module.consul_cluster.security_group_id, + aws_security_group.auth_instance.id, ] - user_data = "${data.template_file.user_data_auth_client.rendered}" - iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}" + user_data = data.template_file.user_data_auth_client.rendered + iam_instance_profile = aws_iam_instance_profile.example_instance_profile.name tags = { - Name = "${var.auth_server_name}" + Name = var.auth_server_name } } @@ -38,12 +38,12 @@ resource "aws_instance" "example_auth_to_vault" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_iam_instance_profile" "example_instance_profile" { path = "/" - role = "${aws_iam_role.example_instance_role.name}" + role = aws_iam_role.example_instance_role.name } resource "aws_iam_role" "example_instance_role" { name_prefix = "${var.auth_server_name}-role" - assume_role_policy = "${data.aws_iam_policy_document.example_instance_role.json}" + assume_role_policy = data.aws_iam_policy_document.example_instance_role.json } data "aws_iam_policy_document" "example_instance_role" { 
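Review bot: `subnet_id = tolist(var.data.aws_subnet_ids.default.ids)[0]` refers to an input variable named `data`, which this example does not declare, so `terraform validate` will reject the block; the line this replaces, and the `subnet_ids = data.aws_subnet_ids.default.ids` argument in module "vault_cluster" later in the same commit, use the data source directly. It should read `subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]`. The rest of the hunk is a mechanical removal of 0.11 interpolation wrappers and looks right.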
@@ -62,7 +62,7 @@ data "aws_iam_policy_document" "example_instance_role" { module "consul_iam_policies_for_client" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${aws_iam_role.example_instance_role.id}" + iam_role_id = aws_iam_role.example_instance_role.id } # --------------------------------------------------------------------------------------------------------------------- @@ -72,12 +72,12 @@ module "consul_iam_policies_for_client" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_auth_client" { - template = "${file("${path.module}/user-data-auth-client.sh")}" + template = file("${path.module}/user-data-auth-client.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - example_role_name = "${var.example_role_name}" + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name } } @@ -87,9 +87,9 @@ data "template_file" "user_data_auth_client" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_security_group" "auth_instance" { - name = "${var.auth_server_name}" + name = var.auth_server_name description = "Security group for ${var.auth_server_name}" - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id } resource "aws_security_group_rule" "allow_inbound_api" { @@ -99,7 +99,7 @@ resource "aws_security_group_rule" "allow_inbound_api" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.auth_instance.id}" + security_group_id = aws_security_group.auth_instance.id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -108,8 +108,8 @@ resource "aws_security_group_rule" "allow_inbound_api" { resource "aws_iam_role_policy" "vault_iam" { name = "vault_iam" - role = "${module.vault_cluster.iam_role_id}" - policy = "${data.aws_iam_policy_document.vault_iam.json}" + role = module.vault_cluster.iam_role_id + policy = data.aws_iam_policy_document.vault_iam.json } data "aws_iam_policy_document" "vault_iam" { @@ -142,15 +142,15 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" source = "../../modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. @@ -159,7 +159,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -171,7 +171,7 @@ module "vault_cluster" { module "consul_iam_policies_servers" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- @@ -180,18 +180,16 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/user-data-vault.sh")}" + template = file("${path.module}/user-data-vault.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - example_role_name = "${var.example_role_name}" - + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name # Please note that normally we would never pass a secret this way # This is just for test purposes so we can verify that our example instance is authenticating correctly - example_secret = "${var.example_secret}" - - aws_iam_role_arn = "${aws_iam_role.example_instance_role.arn}" + example_secret = var.example_secret + aws_iam_role_arn = aws_iam_role.example_instance_role.arn } } 
@@ -204,7 +202,7 @@ data "template_file" "user_data_vault_cluster" {
 module "security_group_rules" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -219,26 +217,26 @@ module "security_group_rules" { module "consul_cluster" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -247,11 +245,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -263,12 +261,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id == "" ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-agent/outputs.tf b/examples/vault-agent/outputs.tf index 30b51314..16bb9676 100644 --- a/examples/vault-agent/outputs.tf +++ b/examples/vault-agent/outputs.tf 
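Review bot: `default = var.vpc_id == "" ? true : false` keeps a redundant conditional: the comparison already yields a bool, so `default = var.vpc_id == ""` says the same thing. In the same hunk the `data "aws_region" "current"` block is rewritten as `{ }` across three lines and gains a trailing blank line; `terraform fmt` will collapse that back to `data "aws_region" "current" {}`, so it is better to commit the formatted form now than to churn it in the next fmt pass.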
@@ -1,95 +1,96 @@ output "auth_client_public_ip" { - value = "${aws_instance.example_auth_to_vault.public_ip}" + value = aws_instance.example_auth_to_vault.public_ip } output "auth_client_instance_id" { - value = "${aws_instance.example_auth_to_vault.id}" + value = aws_instance.example_auth_to_vault.id } output "auth_role_arn" { - value = "${aws_iam_role.example_instance_role.arn}" + value = aws_iam_role.example_instance_role.arn } output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = 
"${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output "launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } + diff --git a/examples/vault-agent/variables.tf b/examples/vault-agent/variables.tf index 0f86ce5f..3f9a5768 100644 --- a/examples/vault-agent/variables.tf +++ b/examples/vault-agent/variables.tf @@ -78,3 +78,4 @@ variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." default = "" } + From 46b245452069037aabba9d49d873fe6306c0c306 Mon Sep 17 00:00:00 2001 
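Review bot: Both files in this commit gain a trailing blank line (the final `+` in outputs.tf and the one added after `variable "vpc_id"` in variables.tf) that `terraform fmt` strips, so the next fmt run will revert them; drop both added lines. The outputs.tf rewrite itself is a one-to-one removal of `"${...}"` wrappers and reads correctly.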
From: Matt Calhoun Date: Thu, 27 Jun 2019 10:33:29 -0400 Subject: [PATCH 14/28] refactor: update =="" to check to for null --- examples/vault-agent/main.tf | 2 +- examples/vault-auto-unseal/main.tf | 2 +- examples/vault-cluster-private/main.tf | 2 +- examples/vault-ec2-auth/main.tf | 2 +- examples/vault-iam-auth/main.tf | 2 +- examples/vault-s3-backend/main.tf | 2 +- main.tf | 4 ++-- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index bf571453..c809ae5d 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf @@ -261,7 +261,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id == "" ? true : false + default = var.vpc_id ? true : false id = var.vpc_id } diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index 9ad6a7b7..4bcd804e 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf @@ -144,7 +144,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" + default = "${var.vpc_id ? true : false}" id = "${var.vpc_id}" } diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index bc3c550f..49209b34 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf @@ -133,7 +133,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" + default = "${var.vpc_id ? true : false}" id = "${var.vpc_id}" } 
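Review bot: `default = var.vpc_id ? true : false` is not a null check: `vpc_id` is a string, and Terraform 0.12 requires the condition of `? :` to be a bool, so a real VPC ID should fail with a type error and a null value with a "condition value is null" error; what the subject describes is `default = var.vpc_id == null`. The same expression is repeated in the vault-auto-unseal, vault-cluster-private, vault-ec2-auth, vault-iam-auth and vault-s3-backend hunks, and in both main.tf hunks the `ami_id` line has the same problem and should read `ami_id = var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id`. Note also that a null check only works once the corresponding variable defaults to `null`; in this series only vault-agent's variables.tf is changed that way, so the other examples, whose variables.tf files are not in this commit, would presumably keep a `""` default that `== null` never matches and the default VPC would no longer be selected.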
diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index e8055d99..3ebd82d3 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf @@ -203,7 +203,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" + default = "${var.vpc_id ? true : false}" id = "${var.vpc_id}" } diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf index ec683982..a0e2134d 100644 --- a/examples/vault-iam-auth/main.tf +++ b/examples/vault-iam-auth/main.tf @@ -263,7 +263,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" + default = "${var.vpc_id ? true : false}" id = "${var.vpc_id}" } diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index fee63173..a1e41dcd 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf @@ -138,7 +138,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id == "" ? true : false}" + default = "${var.vpc_id ? true : false}" id = "${var.vpc_id}" } diff --git a/main.tf b/main.tf index d7d3c8a0..3ad1c078 100644 --- a/main.tf +++ b/main.tf @@ -63,7 +63,7 @@ module "vault_cluster" { cluster_size = var.vault_cluster_size instance_type = var.vault_instance_type - ami_id = var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id + ami_id = var.ami_id ? data.aws_ami.vault_consul.image_id : var.ami_id user_data = data.template_file.user_data_vault_cluster.rendered vpc_id = data.aws_vpc.default.id 
@@ -180,7 +180,7 @@ module "consul_cluster" { cluster_tag_key = var.consul_cluster_tag_key cluster_tag_value = var.consul_cluster_name - ami_id = var.ami_id == "" ? data.aws_ami.vault_consul.image_id : var.ami_id + ami_id = var.ami_id ? data.aws_ami.vault_consul.image_id : var.ami_id user_data = data.template_file.user_data_consul.rendered vpc_id = data.aws_vpc.default.id From f0e7d8863ba1fc0ab0f67c9c46bc07a98ca3b0c8 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 10:35:23 -0400 Subject: [PATCH 15/28] docs: remove double comments --- modules/private-tls-cert/main.tf | 3 --- 1 file changed, 3 deletions(-) diff --git a/modules/private-tls-cert/main.tf b/modules/private-tls-cert/main.tf index 599cbf4f..f906b61e 100644 --- a/modules/private-tls-cert/main.tf +++ b/modules/private-tls-cert/main.tf @@ -21,7 +21,6 @@ resource "tls_self_signed_cert" "ca" { organization = var.organization_name } - # Store the CA public key in a file. # Store the CA public key in a file. provisioner "local-exec" { command = "echo '${tls_self_signed_cert.ca.cert_pem}' > '${var.ca_public_key_file_path}' && chmod ${var.permissions} '${var.ca_public_key_file_path}' && chown ${var.owner} '${var.ca_public_key_file_path}'" @@ -37,7 +36,6 @@ resource "tls_private_key" "cert" { ecdsa_curve = var.private_key_ecdsa_curve rsa_bits = var.private_key_rsa_bits - # Store the certificate's private key in a file. # Store the certificate's private key in a file. provisioner "local-exec" { command = "echo '${tls_private_key.cert.private_key_pem}' > '${var.private_key_file_path}' && chmod ${var.permissions} '${var.private_key_file_path}' && chown ${var.owner} '${var.private_key_file_path}'" 
@@ -67,7 +65,6 @@ resource "tls_locally_signed_cert" "cert" { validity_period_hours = var.validity_period_hours allowed_uses = var.allowed_uses - # Store the certificate's public key in a file. # Store the certificate's public key in a file. provisioner "local-exec" { command = "echo '${tls_locally_signed_cert.cert.cert_pem}' > '${var.public_key_file_path}' && chmod ${var.permissions} '${var.public_key_file_path}' && chown ${var.owner} '${var.public_key_file_path}'" From 88aa91789c20222b84927551844f0176b69a312f Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 10:40:52 -0400 Subject: [PATCH 16/28] refactor: replace list("") with [""] --- modules/vault-cluster/main.tf | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf index 23220333..5aa17c10 100644 --- a/modules/vault-cluster/main.tf +++ b/modules/vault-cluster/main.tf @@ -42,19 +42,19 @@ resource "aws_autoscaling_group" "autoscaling_group" { tag { key = "using_s3_bucket_backend" - value = element(concat(aws_iam_role_policy.vault_s3.*.name, list("")), 0) + value = element(concat(aws_iam_role_policy.vault_s3.*.name, [""]), 0) propagate_at_launch = true } tag { key = "s3_bucket_id" - value = element(concat(aws_s3_bucket.vault_storage.*.id, list("")), 0) + value = element(concat(aws_s3_bucket.vault_storage.*.id, [""]), 0) propagate_at_launch = true } tag { key = "using_auto_unseal" - value = element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, list("")), 0) + value = element(concat(aws_iam_role_policy.vault_auto_unseal_kms.*.name, [""]), 0) propagate_at_launch = true } From bbe0579ca520fea70031a946b621ce2eb8e8b378 Mon Sep 17 00:00:00 2001 
From: Matt Calhoun Date: Thu, 27 Jun 2019 10:57:25 -0400 Subject: [PATCH 17/28] feat: upgrade example vault-agent to tf12 --- examples/vault-agent/main.tf | 13 ++++++------- examples/vault-agent/variables.tf | 15 ++++++++++++++- 2 files changed, 20 insertions(+), 8 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index c809ae5d..5bf9f871 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf @@ -1,10 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.11.0" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- @@ -118,7 +117,7 @@ data "aws_iam_policy_document" "vault_iam" { actions = ["iam:GetRole", "iam:GetUser"] # List of arns it can query, for more security, it could be set to specific roles or user - # resources = ["${aws_iam_role.example_instance_role.arn}"] + # resources = ["aws_iam_role.example_instance_role.arn"] resources = [ "arn:aws:iam::*:user/*", "arn:aws:iam::*:role/*", diff --git a/examples/vault-agent/variables.tf b/examples/vault-agent/variables.tf index 3f9a5768..9abf58af 100644 
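Review bot: The commented-out narrowing `# resources = ["aws_iam_role.example_instance_role.arn"]` is now a quoted literal, so anyone uncommenting it to tighten the `iam:GetRole`/`iam:GetUser` policy away from `arn:aws:iam::*` would pass the text "aws_iam_role.example_instance_role.arn" as the resource ARN rather than the role's ARN; the 0.12 form is `# resources = [aws_iam_role.example_instance_role.arn]`. That policy document begins and ends outside the hunk. Separately, the first hunk replaces the header that said what this example deploys (a Vault cluster, a Consul cluster and an instance that authenticates via Vault Agent) instead of placing the version banner above it; keep both, since that header is the only summary the example carries, and the same removal happens in the vault-auto-unseal main.tf hunk of the next commit.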
--- a/examples/vault-agent/variables.tf +++ b/examples/vault-agent/variables.tf @@ -14,14 +14,17 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } variable "example_secret" { description = "Example secret to be written into vault server" + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -31,51 +34,61 @@ variable "example_secret" { variable "example_role_name" { description = "The name of the vault role" + type = string default = "example-role" } variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "auth_server_name" { description = "What to name the server authenticating to vault" + type = string default = "auth-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 1 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 1 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.micro" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } From 7027e0a4e1ef1d72c5721e38b567f4cc8f86ff3c Mon Sep 17 00:00:00 2001 
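Review bot: `vpc_id` now defaults to `null` but its description still says "Leave an empty string to use the Default VPC in this region."; once the default-VPC selection in main.tf tests for null, as the earlier commit in this series intends, an empty string would no longer select the default VPC, so the description should read `Leave unset (null) to use the Default VPC in this region.`. Adding `type` constraints to every variable is a welcome change; `ssh_key_name` still documents an empty string as its "no key pair" sentinel, which remains consistent with `type = string` and does not need the same treatment.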
From: Matt Calhoun Date: Thu, 27 Jun 2019 10:59:00 -0400 Subject: [PATCH 18/28] feat: upgrade example vault-auto-unseal to tf12 --- examples/vault-auto-unseal/main.tf | 80 ++++++++++++------------- examples/vault-auto-unseal/outputs.tf | 43 ++++++------- examples/vault-auto-unseal/variables.tf | 15 ++++- 3 files changed, 76 insertions(+), 62 deletions(-) diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index 4bcd804e..7cb4dd02 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf @@ -1,10 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.11.0" + required_version = ">= 0.12" } data "aws_kms_alias" "vault-example" { 
@@ -21,21 +20,21 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" source = "../../modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # This setting will create the AWS policy that allows the vault cluster to # access KMS and use this key for encryption and decryption enable_auto_unseal = true - auto_unseal_kms_key_arn = "${data.aws_kms_alias.vault-example.target_key_arn}" + auto_unseal_kms_key_arn = data.aws_kms_alias.vault-example.target_key_arn # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. @@ -44,7 +43,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -56,7 +55,7 @@ module "vault_cluster" { module "consul_iam_policies_servers" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- @@ -65,14 +64,13 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/user-data-vault.sh")}" + template = file("${path.module}/user-data-vault.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - - kms_key_id = "${data.aws_kms_alias.vault-example.target_key_id}" - aws_region = "${data.aws_region.current.name}" + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + kms_key_id = data.aws_kms_alias.vault-example.target_key_id + aws_region = data.aws_region.current.name } } @@ -85,7 +83,7 @@ data "template_file" "user_data_vault_cluster" { module "security_group_rules" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -100,26 +98,26 @@ module "security_group_rules" { module "consul_cluster" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -128,11 +126,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -144,12 +142,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-auto-unseal/outputs.tf b/examples/vault-auto-unseal/outputs.tf index 97b842b6..9e7ebd3b 100644 --- a/examples/vault-auto-unseal/outputs.tf +++ b/examples/vault-auto-unseal/outputs.tf 
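Review bot: `default = var.vpc_id ? true : false` in `data "aws_vpc" "default"` will not work once `vpc_id` defaults to `null`: in Terraform 0.12 a conditional's condition must be a bool, and as far as I can tell a null value (or a string that is not "true"/"false", such as an actual VPC ID) is rejected with an error rather than treated as truthy or falsy. Since "unset" is now represented by null, state the intent directly with `default = var.vpc_id == null`; `id = var.vpc_id` is fine as written because a null argument is treated as omitted. The same expression appears in the `data "aws_vpc"` hunks of examples/vault-cluster-private/main.tf and examples/vault-ec2-auth/main.tf in this series.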
@@ -1,83 +1,84 @@ output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = "${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output 
"launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } + diff --git a/examples/vault-auto-unseal/variables.tf b/examples/vault-auto-unseal/variables.tf index 8b090544..03847da8 100644 --- a/examples/vault-auto-unseal/variables.tf +++ b/examples/vault-auto-unseal/variables.tf @@ -14,14 +14,17 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } variable "auto_unseal_kms_key_alias" { description = "The alias of AWS KMS key used for encryption and decryption" + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -31,45 +34,55 @@ variable "auto_unseal_kms_key_alias" { variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "auth_server_name" { description = "What to name the server authenticating to vault" + type = string default = "auth-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.nano" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } + From bbdf145ec7a5ec0e9344df538dd8e7f0959ebdc0 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 11:00:12 -0400 Subject: [PATCH 19/28] feat: upgrade example vault-cluster-private to tf12 --- examples/vault-cluster-private/main.tf | 76 ++++++++++----------- examples/vault-cluster-private/outputs.tf | 43 ++++++------ examples/vault-cluster-private/variables.tf | 13 +++- 3 files changed, 72 insertions(+), 60 deletions(-) 
diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index 49209b34..0f736f3f 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf @@ -1,11 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul, -# running in a separate cluster, as its storage backend. -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.9.3" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- 
@@ -18,15 +16,15 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-vault.git/modules/vault-cluster?ref=v0.0.1" source = "../../modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. @@ -35,7 +33,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- @@ -47,7 +45,7 @@ module "vault_cluster" { module "consul_iam_policies_servers" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -56,12 +54,12 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/user-data-vault.sh")}" + template = file("${path.module}/user-data-vault.sh") vars = { - aws_region = "${data.aws_region.current.name}" - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + aws_region = data.aws_region.current.name + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -74,7 +72,7 @@ data "template_file" "user_data_vault_cluster" { module "security_group_rules" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -89,26 +87,26 @@ module "security_group_rules" { module "consul_cluster" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -117,11 +115,11 @@ module "consul_cluster" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_consul" { - template = "${file("${path.module}/user-data-consul.sh")}" + template = file("${path.module}/user-data-consul.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name } } @@ -133,12 +131,14 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = "${var.vpc_id ? true : false}" - id = "${var.vpc_id}" + default = var.vpc_id ? true : false + id = var.vpc_id } data "aws_subnet_ids" "default" { - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id +} + +data "aws_region" "current" { } -data "aws_region" "current" {} diff --git a/examples/vault-cluster-private/outputs.tf b/examples/vault-cluster-private/outputs.tf index 97b842b6..9e7ebd3b 100644 --- a/examples/vault-cluster-private/outputs.tf +++ b/examples/vault-cluster-private/outputs.tf 
@@ -1,83 +1,84 @@ output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = "${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output 
"launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } + diff --git a/examples/vault-cluster-private/variables.tf b/examples/vault-cluster-private/variables.tf index e99e3261..3e919aff 100644 --- a/examples/vault-cluster-private/variables.tf +++ b/examples/vault-cluster-private/variables.tf @@ -14,10 +14,12 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -27,40 +29,49 @@ variable "ssh_key_name" { variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.nano" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } + From 0ba9b1a15c581d5a6bc508cefa3a4ea3bd7ceb22 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 11:02:04 -0400 Subject: [PATCH 20/28] feat: upgrade example vault-ec2-auth to tf12 --- examples/vault-ec2-auth/main.tf | 113 +++++++++++++-------------- examples/vault-ec2-auth/outputs.tf | 47 +++++------ examples/vault-ec2-auth/variables.tf | 16 +++- 3 files changed, 95 insertions(+), 81 deletions(-) diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index 3ebd82d3..79f07e80 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf 
@@ -1,30 +1,29 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.11.0" + required_version = ">= 0.12" } resource "aws_instance" "example_auth_to_vault" { - ami = "${var.ami_id}" + ami = var.ami_id instance_type = "t2.micro" subnet_id = tolist(data.aws_subnet_ids.default.ids)[0] - key_name = "${var.ssh_key_name}" + key_name = var.ssh_key_name # Security group that opens the necessary ports for consul # And security group that opens the port to our simple web server security_groups = [ - "${module.consul_cluster.security_group_id}", - "${aws_security_group.auth_instance.id}", + module.consul_cluster.security_group_id, + aws_security_group.auth_instance.id, ] - user_data = "${data.template_file.user_data_auth_client.rendered}" - iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}" + user_data = data.template_file.user_data_auth_client.rendered + iam_instance_profile = aws_iam_instance_profile.example_instance_profile.name tags = { - Name = "${var.auth_server_name}" + Name = var.auth_server_name } } 
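Review bot: `instance_type = "t2.micro"` stays a literal in `aws_instance.example_auth_to_vault` while the Vault and Consul instance sizes in this example are driven by typed variables, so the auth client is the one instance a user cannot resize without editing main.tf. If the example is meant to be parameterised consistently, a `type = string` variable with the same `"t2.micro"` default, referenced as `instance_type = var.auth_instance_type`, would match the pattern used elsewhere in this commit. The rest of the resource is unchanged apart from the 0.12 syntax conversion.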
@@ -33,7 +32,7 @@ resource "aws_instance" "example_auth_to_vault" { # access the DNS registry for the vault server resource "aws_iam_instance_profile" "example_instance_profile" { path = "/" - role = "${module.vault_cluster.iam_role_name}" + role = module.vault_cluster.iam_role_name } # --------------------------------------------------------------------------------------------------------------------- @@ -42,12 +41,12 @@ resource "aws_iam_instance_profile" "example_instance_profile" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_auth_client" { - template = "${file("${path.module}/user-data-auth-client.sh")}" + template = file("${path.module}/user-data-auth-client.sh") vars = { - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - example_role_name = "${var.example_role_name}" + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name } } @@ -56,9 +55,9 @@ data "template_file" "user_data_auth_client" { # --------------------------------------------------------------------------------------------------------------------- resource "aws_security_group" "auth_instance" { - name = "${var.auth_server_name}" + name = var.auth_server_name description = "Security group for ${var.auth_server_name}" - vpc_id = "${data.aws_vpc.default.id}" + vpc_id = data.aws_vpc.default.id } resource "aws_security_group_rule" "allow_inbound_api" { @@ -68,7 +67,7 @@ resource "aws_security_group_rule" "allow_inbound_api" { protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] - security_group_id = "${aws_security_group.auth_instance.id}" + security_group_id = aws_security_group.auth_instance.id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -81,15 +80,15 @@ module "vault_cluster" { # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1" source = "../../modules/vault-cluster" - cluster_name = "${var.vault_cluster_name}" - cluster_size = "${var.vault_cluster_size}" - instance_type = "${var.vault_instance_type}" + cluster_name = var.vault_cluster_name + cluster_size = var.vault_cluster_size + instance_type = var.vault_instance_type - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_vault_cluster.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_vault_cluster.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. @@ -98,7 +97,7 @@ module "vault_cluster" { allowed_inbound_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_security_group_ids = [] allowed_inbound_security_group_count = 0 - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- @@ -110,7 +109,7 @@ module "vault_cluster" { module "consul_iam_policies_servers" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0" - iam_role_id = "${module.vault_cluster.iam_role_id}" + iam_role_id = module.vault_cluster.iam_role_id } # --------------------------------------------------------------------------------------------------------------------- 
@@ -119,19 +118,17 @@ module "consul_iam_policies_servers" { # --------------------------------------------------------------------------------------------------------------------- data "template_file" "user_data_vault_cluster" { - template = "${file("${path.module}/user-data-vault.sh")}" + template = file("${path.module}/user-data-vault.sh") vars = { - aws_region = "${data.aws_region.current.name}" - consul_cluster_tag_key = "${var.consul_cluster_tag_key}" - consul_cluster_tag_value = "${var.consul_cluster_name}" - example_role_name = "${var.example_role_name}" - + aws_region = data.aws_region.current.name + consul_cluster_tag_key = var.consul_cluster_tag_key + consul_cluster_tag_value = var.consul_cluster_name + example_role_name = var.example_role_name # Please note that normally we would never pass a secret this way # This is just for test purposes so we can verify that our example instance is authenticating correctly - example_secret = "${var.example_secret}" - - ami_id = "${var.ami_id}" + example_secret = var.example_secret + ami_id = var.ami_id } } @@ -144,7 +141,7 @@ data "template_file" "user_data_vault_cluster" { module "security_group_rules" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0" - security_group_id = "${module.vault_cluster.security_group_id}" + security_group_id = module.vault_cluster.security_group_id # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly* # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. 
@@ -159,26 +156,26 @@ module "security_group_rules" { module "consul_cluster" { source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0" - cluster_name = "${var.consul_cluster_name}" - cluster_size = "${var.consul_cluster_size}" - instance_type = "${var.consul_instance_type}" + cluster_name = var.consul_cluster_name + cluster_size = var.consul_cluster_size + instance_type = var.consul_instance_type # The EC2 Instances will use these tags to automatically discover each other and form a cluster - cluster_tag_key = "${var.consul_cluster_tag_key}" - cluster_tag_value = "${var.consul_cluster_name}" + cluster_tag_key = var.consul_cluster_tag_key + cluster_tag_value = var.consul_cluster_name - ami_id = "${var.ami_id}" - user_data = "${data.template_file.user_data_consul.rendered}" + ami_id = var.ami_id + user_data = data.template_file.user_data_consul.rendered - vpc_id = "${data.aws_vpc.default.id}" - subnet_ids = "${data.aws_subnet_ids.default.ids}" + vpc_id = data.aws_vpc.default.id + subnet_ids = data.aws_subnet_ids.default.ids # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC. allowed_ssh_cidr_blocks = ["0.0.0.0/0"] allowed_inbound_cidr_blocks = ["0.0.0.0/0"] - ssh_key_name = "${var.ssh_key_name}" + ssh_key_name = var.ssh_key_name } # --------------------------------------------------------------------------------------------------------------------- 
@@ -187,11 +184,11 @@ module "consul_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_consul" {
- template = "${file("${path.module}/user-data-consul.sh")}"
+ template = file("${path.module}/user-data-consul.sh")
 vars = {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -203,12 +200,14 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = "${var.vpc_id ? true : false}"
- id = "${var.vpc_id}"
+ default = var.vpc_id ? true : false
+ id = var.vpc_id
 }
 data "aws_subnet_ids" "default" {
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_region" "current" {
 }
-data "aws_region" "current" {}
diff --git a/examples/vault-ec2-auth/outputs.tf b/examples/vault-ec2-auth/outputs.tf
index 17ca8e2d..8694fbce 100644
--- a/examples/vault-ec2-auth/outputs.tf
+++ b/examples/vault-ec2-auth/outputs.tf
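Review bot: `default = var.vpc_id ? true : false` in `data "aws_vpc" "default"` keeps a string as the condition of the conditional; under 0.12 the condition must be a bool, and because the same commit changes the `vpc_id` variable's default from `""` to `null`, the expression appears to fail both when the variable is left at its default (null condition) and when a VPC ID is supplied (non-boolean string). Compare explicitly instead, `default = var.vpc_id == null ? true : false`, so the default VPC is looked up only when no ID is given and `id` stays null in that case. The same expression is carried over unchanged in the matching `data "aws_vpc" "default"` hunks of examples/vault-iam-auth/main.tf and examples/vault-s3-backend/main.tf.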
@@ -1,91 +1,92 @@
 output "auth_client_public_ip" {
- value = "${aws_instance.example_auth_to_vault.public_ip}"
+ value = aws_instance.example_auth_to_vault.public_ip
 }
 output "auth_client_instance_id" {
- value = "${aws_instance.example_auth_to_vault.id}"
+ value = aws_instance.example_auth_to_vault.id
 }
 output "asg_name_vault_cluster" {
- value = "${module.vault_cluster.asg_name}"
+ value = module.vault_cluster.asg_name
 }
 output "launch_config_name_vault_cluster" {
- value = "${module.vault_cluster.launch_config_name}"
+ value = module.vault_cluster.launch_config_name
 }
 output "iam_role_arn_vault_cluster" {
- value = "${module.vault_cluster.iam_role_arn}"
+ value = module.vault_cluster.iam_role_arn
 }
 output "iam_role_id_vault_cluster" {
- value = "${module.vault_cluster.iam_role_id}"
+ value = module.vault_cluster.iam_role_id
 }
 output "security_group_id_vault_cluster" {
- value = "${module.vault_cluster.security_group_id}"
+ value = module.vault_cluster.security_group_id
 }
 output "asg_name_consul_cluster" {
- value = "${module.consul_cluster.asg_name}"
+ value = module.consul_cluster.asg_name
 }
 output "launch_config_name_consul_cluster" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_consul_cluster" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_consul_cluster" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_consul_cluster" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "aws_region" {
- value = "${data.aws_region.current.name}"
+ value = data.aws_region.current.name
 }
 output "vault_servers_cluster_tag_key" {
- value = "${module.vault_cluster.cluster_tag_key}"
+ value = module.vault_cluster.cluster_tag_key
 }
 output "vault_servers_cluster_tag_value" {
- value = "${module.vault_cluster.cluster_tag_value}"
+ value = module.vault_cluster.cluster_tag_value
 }
 output "ssh_key_name" {
- value = "${var.ssh_key_name}"
+ value = var.ssh_key_name
 }
 output "vault_cluster_size" {
- value = "${var.vault_cluster_size}"
+ value = var.vault_cluster_size
 }
 output "launch_config_name_servers" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_servers" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_servers" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_servers" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "consul_cluster_cluster_tag_key" {
- value = "${module.consul_cluster.cluster_tag_key}"
+ value = module.consul_cluster.cluster_tag_key
 }
 output "consul_cluster_cluster_tag_value" {
- value = "${module.consul_cluster.cluster_tag_value}"
+ value = module.consul_cluster.cluster_tag_value
 }
+
diff --git a/examples/vault-ec2-auth/variables.tf b/examples/vault-ec2-auth/variables.tf
index 098a72db..f04b84ea 100644
--- a/examples/vault-ec2-auth/variables.tf
+++ b/examples/vault-ec2-auth/variables.tf
@@ -14,14 +14,17 @@ variable "ami_id" {
 description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json."
+ type = string
 }
 variable "ssh_key_name" {
 description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair."
+ type = string
 }
 variable "example_secret" {
 description = "Example secret to be written into vault server"
+ type = string
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -31,50 +34,61 @@ variable "example_secret" {
 variable "example_role_name" {
 description = "The name of the vault role"
+ type = string
 default = "example-role"
 }
 variable "vault_cluster_name" {
 description = "What to name the Vault server cluster and all of its associated resources"
+ type = string
 default = "vault-example"
 }
 variable "consul_cluster_name" {
 description = "What to name the Consul server cluster and all of its associated resources"
+ type = string
 default = "consul-example"
 }
 variable "auth_server_name" {
 description = "What to name the server authenticating to vault"
+ type = string
 default = "auth-example"
 }
 variable "vault_cluster_size" {
 description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 1
 }
 variable "consul_cluster_size" {
 description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 1
 }
 variable "vault_instance_type" {
 description = "The type of EC2 Instance to run in the Vault ASG"
+ type = string
 default = "t2.micro"
 }
 variable "consul_instance_type" {
 description = "The type of EC2 Instance to run in the Consul ASG"
+ type = string
 default = "t2.nano"
 }
 variable "consul_cluster_tag_key" {
 description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster."
+ type = string
 default = "consul-servers"
 }
 variable "vpc_id" {
 description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
- default = ""
+ type = string
+ default = null
 }
+
From 68a022ef74b85e5fa1c7d472ec8a7220b2f1b5e9 Mon Sep 17 00:00:00 2001
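Review bot: The `vpc_id` variable's description still says `Leave an empty string to use the Default VPC in this region.` while this hunk changes its default from `""` to `null` and declares it `type = string`; under 0.12 an empty string and null are distinct values, so the description now points users at the wrong sentinel. Suggest `description = "The ID of the VPC to deploy into. Leave as null (the default) to use the Default VPC in this region."` The same mismatch is in the examples/vault-iam-auth/variables.tf hunk of the following commit.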
From: Matt Calhoun
Date: Thu, 27 Jun 2019 11:03:25 -0400
Subject: [PATCH 21/28] feat: upgrade example vault-iam-auth to tf12
---
 examples/vault-iam-auth/main.tf | 119 +++++++++++++--------------
 examples/vault-iam-auth/outputs.tf | 49 +++++------
 examples/vault-iam-auth/variables.tf | 16 +++-
 3 files changed, 99 insertions(+), 85 deletions(-)
diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf
index a0e2134d..42b91683 100644
--- a/examples/vault-iam-auth/main.tf
+++ b/examples/vault-iam-auth/main.tf
@@ -1,33 +1,32 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS
-# This is an example of how to launch a vault cluster and then authenticate an instance to the cluster
-# ---------------------------------------------------------------------------------------------------------------------
-
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.11.0"
+ required_version = ">= 0.12"
 }
 # ---------------------------------------------------------------------------------------------------------------------
 # INSTANCE THAT WILL AUTHENTICATE TO VAULT USING IAM METHOD
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_instance" "example_auth_to_vault" {
- ami = "${var.ami_id}"
+ ami = var.ami_id
 instance_type = "t2.micro"
 subnet_id = tolist(data.aws_subnet_ids.default.ids)[0]
- key_name = "${var.ssh_key_name}"
+ key_name = var.ssh_key_name
 # Security group that opens the necessary ports for consul
 # And security group that opens the port to our simple web server
 security_groups = [
- "${module.consul_cluster.security_group_id}",
- "${aws_security_group.auth_instance.id}",
+ module.consul_cluster.security_group_id,
+ aws_security_group.auth_instance.id,
 ]
- user_data = "${data.template_file.user_data_auth_client.rendered}"
- iam_instance_profile = "${aws_iam_instance_profile.example_instance_profile.name}"
+ user_data = data.template_file.user_data_auth_client.rendered
+ iam_instance_profile = aws_iam_instance_profile.example_instance_profile.name
 tags = {
- Name = "${var.auth_server_name}"
+ Name = var.auth_server_name
 }
 }
@@ -38,12 +37,12 @@ resource "aws_instance" "example_auth_to_vault" {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_iam_instance_profile" "example_instance_profile" {
 path = "/"
- role = "${aws_iam_role.example_instance_role.name}"
+ role = aws_iam_role.example_instance_role.name
 }
 resource "aws_iam_role" "example_instance_role" {
 name_prefix = "${var.auth_server_name}-role"
- assume_role_policy = "${data.aws_iam_policy_document.example_instance_role.json}"
+ assume_role_policy = data.aws_iam_policy_document.example_instance_role.json
 }
 data "aws_iam_policy_document" "example_instance_role" {
@@ -62,7 +61,7 @@ data "aws_iam_policy_document" "example_instance_role" {
 module "consul_iam_policies_for_client" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${aws_iam_role.example_instance_role.id}"
+ iam_role_id = aws_iam_role.example_instance_role.id
 }
 # ---------------------------------------------------------------------------------------------------------------------
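Review bot: The four-line header that said what this example deploys (`DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS` and the sentence under it about launching a cluster and authenticating an instance to it) is deleted in the first hunk of examples/vault-iam-auth/main.tf rather than kept alongside the new version-requirement banner, so the file no longer carries a file-level summary of its purpose. Suggest reinstating that block directly after the `terraform { required_version = ">= 0.12" }` block; the version banner describes a constraint, not the example. The same header swap may apply to the other example main.tf files in this series whose first hunk is not in view.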
@@ -72,12 +71,12 @@ module "consul_iam_policies_for_client" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_auth_client" {
- template = "${file("${path.module}/user-data-auth-client.sh")}"
+ template = file("${path.module}/user-data-auth-client.sh")
 vars = {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
- example_role_name = "${var.example_role_name}"
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
+ example_role_name = var.example_role_name
 }
 }
@@ -87,9 +86,9 @@ data "template_file" "user_data_auth_client" {
 # ---------------------------------------------------------------------------------------------------------------------
 resource "aws_security_group" "auth_instance" {
- name = "${var.auth_server_name}"
+ name = var.auth_server_name
 description = "Security group for ${var.auth_server_name}"
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
 }
 resource "aws_security_group_rule" "allow_inbound_api" {
@@ -99,7 +98,7 @@ resource "aws_security_group_rule" "allow_inbound_api" {
 protocol = "tcp"
 cidr_blocks = ["0.0.0.0/0"]
- security_group_id = "${aws_security_group.auth_instance.id}"
+ security_group_id = aws_security_group.auth_instance.id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -108,8 +107,8 @@ resource "aws_security_group_rule" "allow_inbound_api" {
 resource "aws_iam_role_policy" "vault_iam" {
 name = "vault_iam"
- role = "${module.vault_cluster.iam_role_id}"
- policy = "${data.aws_iam_policy_document.vault_iam.json}"
+ role = module.vault_cluster.iam_role_id
+ policy = data.aws_iam_policy_document.vault_iam.json
 }
 data "aws_iam_policy_document" "vault_iam" {
@@ -142,15 +141,15 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1"
 source = "../../modules/vault-cluster"
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -159,7 +158,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -171,7 +170,7 @@ module "vault_cluster" {
 module "consul_iam_policies_servers" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -180,18 +179,16 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/user-data-vault.sh")}"
+ template = file("${path.module}/user-data-vault.sh")
 vars = {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
- example_role_name = "${var.example_role_name}"
-
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
+ example_role_name = var.example_role_name
 # Please note that normally we would never pass a secret this way
 # This is just for test purposes so we can verify that our example instance is authenticating correctly
- example_secret = "${var.example_secret}"
-
- aws_iam_role_arn = "${aws_iam_role.example_instance_role.arn}"
+ example_secret = var.example_secret
+ aws_iam_role_arn = aws_iam_role.example_instance_role.arn
 }
 }
@@ -204,7 +201,7 @@ data "template_file" "user_data_vault_cluster" {
 module "security_group_rules" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -219,26 +216,26 @@ module "security_group_rules" {
 module "consul_cluster" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0"
- cluster_name = "${var.consul_cluster_name}"
- cluster_size = "${var.consul_cluster_size}"
- instance_type = "${var.consul_instance_type}"
+ cluster_name = var.consul_cluster_name
+ cluster_size = var.consul_cluster_size
+ instance_type = var.consul_instance_type
 # The EC2 Instances will use these tags to automatically discover each other and form a cluster
- cluster_tag_key = "${var.consul_cluster_tag_key}"
- cluster_tag_value = "${var.consul_cluster_name}"
+ cluster_tag_key = var.consul_cluster_tag_key
+ cluster_tag_value = var.consul_cluster_name
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_consul.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_consul.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production
 # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
 allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -247,11 +244,11 @@ module "consul_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_consul" {
- template = "${file("${path.module}/user-data-consul.sh")}"
+ template = file("${path.module}/user-data-consul.sh")
 vars = {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -263,12 +260,14 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = "${var.vpc_id ? true : false}"
- id = "${var.vpc_id}"
+ default = var.vpc_id ? true : false
+ id = var.vpc_id
 }
 data "aws_subnet_ids" "default" {
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_region" "current" {
 }
-data "aws_region" "current" {}
diff --git a/examples/vault-iam-auth/outputs.tf b/examples/vault-iam-auth/outputs.tf
index 30b51314..16bb9676 100644
--- a/examples/vault-iam-auth/outputs.tf
+++ b/examples/vault-iam-auth/outputs.tf
@@ -1,95 +1,96 @@
 output "auth_client_public_ip" {
- value = "${aws_instance.example_auth_to_vault.public_ip}"
+ value = aws_instance.example_auth_to_vault.public_ip
 }
 output "auth_client_instance_id" {
- value = "${aws_instance.example_auth_to_vault.id}"
+ value = aws_instance.example_auth_to_vault.id
 }
 output "auth_role_arn" {
- value = "${aws_iam_role.example_instance_role.arn}"
+ value = aws_iam_role.example_instance_role.arn
 }
 output "asg_name_vault_cluster" {
- value = "${module.vault_cluster.asg_name}"
+ value = module.vault_cluster.asg_name
 }
 output "launch_config_name_vault_cluster" {
- value = "${module.vault_cluster.launch_config_name}"
+ value = module.vault_cluster.launch_config_name
 }
 output "iam_role_arn_vault_cluster" {
- value = "${module.vault_cluster.iam_role_arn}"
+ value = module.vault_cluster.iam_role_arn
 }
 output "iam_role_id_vault_cluster" {
- value = "${module.vault_cluster.iam_role_id}"
+ value = module.vault_cluster.iam_role_id
 }
 output "security_group_id_vault_cluster" {
- value = "${module.vault_cluster.security_group_id}"
+ value = module.vault_cluster.security_group_id
 }
 output "asg_name_consul_cluster" {
- value = "${module.consul_cluster.asg_name}"
+ value = module.consul_cluster.asg_name
 }
 output "launch_config_name_consul_cluster" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_consul_cluster" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_consul_cluster" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_consul_cluster" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "aws_region" {
- value = "${data.aws_region.current.name}"
+ value = data.aws_region.current.name
 }
 output "vault_servers_cluster_tag_key" {
- value = "${module.vault_cluster.cluster_tag_key}"
+ value = module.vault_cluster.cluster_tag_key
 }
 output "vault_servers_cluster_tag_value" {
- value = "${module.vault_cluster.cluster_tag_value}"
+ value = module.vault_cluster.cluster_tag_value
 }
 output "ssh_key_name" {
- value = "${var.ssh_key_name}"
+ value = var.ssh_key_name
 }
 output "vault_cluster_size" {
- value = "${var.vault_cluster_size}"
+ value = var.vault_cluster_size
 }
 output "launch_config_name_servers" {
- value = "${module.consul_cluster.launch_config_name}"
+ value = module.consul_cluster.launch_config_name
 }
 output "iam_role_arn_servers" {
- value = "${module.consul_cluster.iam_role_arn}"
+ value = module.consul_cluster.iam_role_arn
 }
 output "iam_role_id_servers" {
- value = "${module.consul_cluster.iam_role_id}"
+ value = module.consul_cluster.iam_role_id
 }
 output "security_group_id_servers" {
- value = "${module.consul_cluster.security_group_id}"
+ value = module.consul_cluster.security_group_id
 }
 output "consul_cluster_cluster_tag_key" {
- value = "${module.consul_cluster.cluster_tag_key}"
+ value = module.consul_cluster.cluster_tag_key
 }
 output "consul_cluster_cluster_tag_value" {
- value = "${module.consul_cluster.cluster_tag_value}"
+ value = module.consul_cluster.cluster_tag_value
 }
+
diff --git a/examples/vault-iam-auth/variables.tf b/examples/vault-iam-auth/variables.tf
index 0f86ce5f..9abf58af 100644
--- a/examples/vault-iam-auth/variables.tf
+++ b/examples/vault-iam-auth/variables.tf
@@ -14,14 +14,17 @@ variable "ami_id" {
 description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json."
+ type = string
 }
 variable "ssh_key_name" {
 description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair."
+ type = string
 }
 variable "example_secret" {
 description = "Example secret to be written into vault server"
+ type = string
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -31,50 +34,61 @@ variable "example_secret" {
 variable "example_role_name" {
 description = "The name of the vault role"
+ type = string
 default = "example-role"
 }
 variable "vault_cluster_name" {
 description = "What to name the Vault server cluster and all of its associated resources"
+ type = string
 default = "vault-example"
 }
 variable "consul_cluster_name" {
 description = "What to name the Consul server cluster and all of its associated resources"
+ type = string
 default = "consul-example"
 }
 variable "auth_server_name" {
 description = "What to name the server authenticating to vault"
+ type = string
 default = "auth-example"
 }
 variable "vault_cluster_size" {
 description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 1
 }
 variable "consul_cluster_size" {
 description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5."
+ type = number
 default = 1
 }
 variable "vault_instance_type" {
 description = "The type of EC2 Instance to run in the Vault ASG"
+ type = string
 default = "t2.micro"
 }
 variable "consul_instance_type" {
 description = "The type of EC2 Instance to run in the Consul ASG"
+ type = string
 default = "t2.micro"
 }
 variable "consul_cluster_tag_key" {
 description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster."
+ type = string
 default = "consul-servers"
 }
 variable "vpc_id" {
 description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region."
- default = ""
+ type = string
+ default = null
 }
+
From 2217a137d3c7522226a3ca47e51a47df6265a30e Mon Sep 17 00:00:00 2001
From: Matt Calhoun
Date: Thu, 27 Jun 2019 11:04:53 -0400
Subject: [PATCH 22/28] feat: upgrade example vault-s3-backend to tf12
---
 examples/vault-s3-backend/main.tf | 70 +++++++++++++-------------
 examples/vault-s3-backend/outputs.tf | 45 +++++++++--------
 examples/vault-s3-backend/variables.tf | 15 +++++-
 3 files changed, 73 insertions(+), 57 deletions(-)
diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf
index a1e41dcd..62511cfa 100644
--- a/examples/vault-s3-backend/main.tf
+++ b/examples/vault-s3-backend/main.tf
@@ -18,19 +18,19 @@ module "vault_cluster" {
 # source = "github.com/hashicorp/terraform-aws-consul.git/modules/vault-cluster?ref=v0.0.1"
 source = "../../modules/vault-cluster"
- cluster_name = "${var.vault_cluster_name}"
- cluster_size = "${var.vault_cluster_size}"
- instance_type = "${var.vault_instance_type}"
+ cluster_name = var.vault_cluster_name
+ cluster_size = var.vault_cluster_size
+ instance_type = var.vault_instance_type
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_vault_cluster.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_vault_cluster.rendered
 enable_s3_backend = true
- s3_bucket_name = "${var.s3_bucket_name}"
- force_destroy_s3_bucket = "${var.force_destroy_s3_bucket}"
+ s3_bucket_name = var.s3_bucket_name
+ force_destroy_s3_bucket = var.force_destroy_s3_bucket
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -39,7 +39,7 @@ module "vault_cluster" {
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_security_group_ids = []
 allowed_inbound_security_group_count = 0
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -51,7 +51,7 @@ module "vault_cluster" {
 module "consul_iam_policies_servers" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-iam-policies?ref=v0.7.0"
- iam_role_id = "${module.vault_cluster.iam_role_id}"
+ iam_role_id = module.vault_cluster.iam_role_id
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -60,13 +60,13 @@ module "consul_iam_policies_servers" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_vault_cluster" {
- template = "${file("${path.module}/user-data-vault.sh")}"
+ template = file("${path.module}/user-data-vault.sh")
 vars = {
- aws_region = "${data.aws_region.current.name}"
- s3_bucket_name = "${var.s3_bucket_name}"
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ aws_region = data.aws_region.current.name
+ s3_bucket_name = var.s3_bucket_name
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -79,7 +79,7 @@ data "template_file" "user_data_vault_cluster" {
 module "security_group_rules" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-client-security-group-rules?ref=v0.7.0"
- security_group_id = "${module.vault_cluster.security_group_id}"
+ security_group_id = module.vault_cluster.security_group_id
 # To make testing easier, we allow requests from any IP address here but in a production deployment, we *strongly*
 # recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
@@ -94,26 +94,26 @@ module "security_group_rules" {
 module "consul_cluster" {
 source = "github.com/hashicorp/terraform-aws-consul.git//modules/consul-cluster?ref=v0.7.0"
- cluster_name = "${var.consul_cluster_name}"
- cluster_size = "${var.consul_cluster_size}"
- instance_type = "${var.consul_instance_type}"
+ cluster_name = var.consul_cluster_name
+ cluster_size = var.consul_cluster_size
+ instance_type = var.consul_instance_type
 # The EC2 Instances will use these tags to automatically discover each other and form a cluster
- cluster_tag_key = "${var.consul_cluster_tag_key}"
- cluster_tag_value = "${var.consul_cluster_name}"
+ cluster_tag_key = var.consul_cluster_tag_key
+ cluster_tag_value = var.consul_cluster_name
- ami_id = "${var.ami_id}"
- user_data = "${data.template_file.user_data_consul.rendered}"
+ ami_id = var.ami_id
+ user_data = data.template_file.user_data_consul.rendered
- vpc_id = "${data.aws_vpc.default.id}"
- subnet_ids = "${data.aws_subnet_ids.default.ids}"
+ vpc_id = data.aws_vpc.default.id
+ subnet_ids = data.aws_subnet_ids.default.ids
 # To make testing easier, we allow Consul and SSH requests from any IP address here but in a production
 # deployment, we strongly recommend you limit this to the IP address ranges of known, trusted servers inside your VPC.
 allowed_ssh_cidr_blocks = ["0.0.0.0/0"]
 allowed_inbound_cidr_blocks = ["0.0.0.0/0"]
- ssh_key_name = "${var.ssh_key_name}"
+ ssh_key_name = var.ssh_key_name
 }
 # ---------------------------------------------------------------------------------------------------------------------
@@ -122,11 +122,11 @@ module "consul_cluster" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "template_file" "user_data_consul" {
- template = "${file("${path.module}/user-data-consul.sh")}"
+ template = file("${path.module}/user-data-consul.sh")
 vars = {
- consul_cluster_tag_key = "${var.consul_cluster_tag_key}"
- consul_cluster_tag_value = "${var.consul_cluster_name}"
+ consul_cluster_tag_key = var.consul_cluster_tag_key
+ consul_cluster_tag_value = var.consul_cluster_name
 }
 }
@@ -138,12 +138,14 @@ data "template_file" "user_data_consul" {
 # ---------------------------------------------------------------------------------------------------------------------
 data "aws_vpc" "default" {
- default = "${var.vpc_id ? true : false}"
- id = "${var.vpc_id}"
+ default = var.vpc_id ? true : false
+ id = var.vpc_id
 }
 data "aws_subnet_ids" "default" {
- vpc_id = "${data.aws_vpc.default.id}"
+ vpc_id = data.aws_vpc.default.id
+}
+
+data "aws_region" "current" {
 }
-data "aws_region" "current" {}
diff --git a/examples/vault-s3-backend/outputs.tf b/examples/vault-s3-backend/outputs.tf
index 850bce74..e1af7046 100644
--- a/examples/vault-s3-backend/outputs.tf
+++ b/examples/vault-s3-backend/outputs.tf
@@ -1,87 +1,88 @@ output "asg_name_vault_cluster" { - value = "${module.vault_cluster.asg_name}" + value = module.vault_cluster.asg_name } output "launch_config_name_vault_cluster" { - value = "${module.vault_cluster.launch_config_name}" + value = module.vault_cluster.launch_config_name } output "iam_role_arn_vault_cluster" { - value = "${module.vault_cluster.iam_role_arn}" + value = module.vault_cluster.iam_role_arn } output "iam_role_id_vault_cluster" { - value = "${module.vault_cluster.iam_role_id}" + value = module.vault_cluster.iam_role_id } output "security_group_id_vault_cluster" { - value = "${module.vault_cluster.security_group_id}" + value = module.vault_cluster.security_group_id } output "asg_name_consul_cluster" { - value = "${module.consul_cluster.asg_name}" + value = module.consul_cluster.asg_name } output "launch_config_name_consul_cluster" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_consul_cluster" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_consul_cluster" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_consul_cluster" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "aws_region" { - value = "${data.aws_region.current.name}" + value = data.aws_region.current.name } output "vault_servers_cluster_tag_key" { - value = "${module.vault_cluster.cluster_tag_key}" + value = module.vault_cluster.cluster_tag_key } output "vault_servers_cluster_tag_value" { - value = "${module.vault_cluster.cluster_tag_value}" + value = module.vault_cluster.cluster_tag_value } output "ssh_key_name" { - value = "${var.ssh_key_name}" + value = var.ssh_key_name } output "vault_cluster_size" { - value = "${var.vault_cluster_size}" + value = var.vault_cluster_size } output 
"launch_config_name_servers" { - value = "${module.consul_cluster.launch_config_name}" + value = module.consul_cluster.launch_config_name } output "iam_role_arn_servers" { - value = "${module.consul_cluster.iam_role_arn}" + value = module.consul_cluster.iam_role_arn } output "iam_role_id_servers" { - value = "${module.consul_cluster.iam_role_id}" + value = module.consul_cluster.iam_role_id } output "security_group_id_servers" { - value = "${module.consul_cluster.security_group_id}" + value = module.consul_cluster.security_group_id } output "consul_cluster_cluster_tag_key" { - value = "${module.consul_cluster.cluster_tag_key}" + value = module.consul_cluster.cluster_tag_key } output "consul_cluster_cluster_tag_value" { - value = "${module.consul_cluster.cluster_tag_value}" + value = module.consul_cluster.cluster_tag_value } output "s3_bucket_arn" { - value = "${module.vault_cluster.s3_bucket_arn}" + value = module.vault_cluster.s3_bucket_arn } + diff --git a/examples/vault-s3-backend/variables.tf b/examples/vault-s3-backend/variables.tf index 2ed6b2b0..f526eaaa 100644 --- a/examples/vault-s3-backend/variables.tf +++ b/examples/vault-s3-backend/variables.tf @@ -14,10 +14,12 @@ variable "ami_id" { description = "The ID of the AMI to run in the cluster. This should be an AMI built from the Packer template under examples/vault-consul-ami/vault-consul.json." + type = string } variable "ssh_key_name" { description = "The name of an EC2 Key Pair that can be used to SSH to the EC2 Instances in this cluster. Set to an empty string to not associate a Key Pair." + type = string } # --------------------------------------------------------------------------------------------------------------------- 
@@ -27,50 +29,61 @@ variable "ssh_key_name" { variable "vault_cluster_name" { description = "What to name the Vault server cluster and all of its associated resources" + type = string default = "vault-s3-example" } variable "consul_cluster_name" { description = "What to name the Consul server cluster and all of its associated resources" + type = string default = "consul-s3-example" } variable "vault_cluster_size" { description = "The number of Vault server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "consul_cluster_size" { description = "The number of Consul server nodes to deploy. We strongly recommend using 3 or 5." + type = number default = 3 } variable "vault_instance_type" { description = "The type of EC2 Instance to run in the Vault ASG" + type = string default = "t2.micro" } variable "consul_instance_type" { description = "The type of EC2 Instance to run in the Consul ASG" + type = string default = "t2.micro" } variable "consul_cluster_tag_key" { description = "The tag the Consul EC2 Instances will look for to automatically discover each other and form a cluster." + type = string default = "consul-vault-s3-servers" } variable "vpc_id" { description = "The ID of the VPC to deploy into. Leave an empty string to use the Default VPC in this region." - default = "" + type = string + default = null } variable "s3_bucket_name" { description = "The name of an S3 bucket to create and use as a storage backend (if configured). Note: S3 bucket names must be *globally* unique." + type = string default = "my-vault-bucket" } variable "force_destroy_s3_bucket" { description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage (if configured). You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves." 
+ type = bool default = false } + From 41d36981b091e043b851e0ffa7714d9c8ae7e6d0 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 11:12:44 -0400 Subject: [PATCH 23/28] bug: fix missed `required_version` blocks --- examples/vault-s3-backend/main.tf | 12 +++++------- modules/vault-cluster/main.tf | 10 +++++----- modules/vault-elb/main.tf | 10 +++++----- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index 62511cfa..c7c56f5a 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf @@ -1,11 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS -# This is an example of how to use the vault-cluster module to deploy a Vault cluster in AWS. This cluster uses Consul, -# running in a separate cluster, as its storage backend. -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.9.3" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- diff --git a/modules/vault-cluster/main.tf b/modules/vault-cluster/main.tf index 5aa17c10..715c3f00 100644 --- a/modules/vault-cluster/main.tf +++ b/modules/vault-cluster/main.tf 
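Review bot: `s3_bucket_name` keeps a fixed default of `"my-vault-bucket"` even though its own description says bucket names are globally unique, so the default can only ever work for whichever account already created that name; for the bucket that will hold Vault's storage backend it is better to force an explicit choice by dropping the default, i.e. `variable "s3_bucket_name" { description = "…" type = string }`, which 0.12 then treats as a required input. In the same hunk `vpc_id` switches its "unset" sentinel from `""` to `null`, while `ssh_key_name` in the preceding hunk still documents an empty string for the same purpose; settling on one convention per file spares callers from guessing which variables accept `null`. The `var.vpc_id ? true : false` check in main.tf that this new `null` default feeds is handled by the later `fix check if vpc null` patch in this series.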
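Review bot: The new version banner in `examples/vault-s3-backend/main.tf` replaces the file's only statement of what the example deploys; the removed `DEPLOY A VAULT SERVER CLUSTER AND A CONSUL SERVER CLUSTER IN AWS` header and its two explanatory lines should come back below the `terraform {}` block rather than disappear. While restoring it, the sentence claiming the cluster uses Consul "as its storage backend" deserves a check against this example's `s3_bucket_name`/`s3_bucket_arn` wiring, which suggests S3 is the storage backend here. Separately, this file is a root module, so `required_version = "~> 0.12"` would shield it from a future breaking major, whereas the open-ended `>= 0.12` is the right form for the two `modules/` files in this patch.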
@@ -1,9 +1,9 @@
-# ---------------------------------------------------------------------------------------------------------------------
-# THESE TEMPLATES REQUIRE TERRAFORM VERSION 0.8 AND ABOVE
-# ---------------------------------------------------------------------------------------------------------------------
-
+# ----------------------------------------------------------------------------------------------------------------------
+# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER
+# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12.
+# ----------------------------------------------------------------------------------------------------------------------
 terraform {
- required_version = ">= 0.9.3"
+ required_version = ">= 0.12"
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
diff --git a/modules/vault-elb/main.tf b/modules/vault-elb/main.tf
index 984aa866..0f85aea4 100644
--- a/modules/vault-elb/main.tf
+++ b/modules/vault-elb/main.tf
@@ -1,9 +1,9 @@ -# --------------------------------------------------------------------------------------------------------------------- -# THESE TEMPLATES REQUIRE TERRAFORM VERSION 0.8 AND ABOVE -# --------------------------------------------------------------------------------------------------------------------- - +# ---------------------------------------------------------------------------------------------------------------------- +# REQUIRE A SPECIFIC TERRAFORM VERSION OR HIGHER +# This module has been updated with 0.12 syntax, which means it is no longer compatible with any versions below 0.12. +# ---------------------------------------------------------------------------------------------------------------------- terraform { - required_version = ">= 0.9.3" + required_version = ">= 0.12" } # --------------------------------------------------------------------------------------------------------------------- From 8d5426d546844f65212730702ac5dac61f37f65f Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 12:15:03 -0400 Subject: [PATCH 24/28] bug: fix check if vpc null --- examples/vault-agent/main.tf | 2 +- examples/vault-auto-unseal/main.tf | 2 +- examples/vault-cluster-private/main.tf | 2 +- examples/vault-ec2-auth/main.tf | 2 +- examples/vault-iam-auth/main.tf | 2 +- examples/vault-s3-backend/main.tf | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index 5bf9f871..cb860e5d 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf @@ -260,7 +260,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id ? true : false + default = var.vpc_id == null ? true : false id = var.vpc_id } 
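Review bot: `var.vpc_id == null ? true : false` is the boolean `var.vpc_id == null` with extra ceremony, and more importantly it only recognises `null` as "use the default VPC"; a caller still passing the pre-0.12 sentinel `""` (the old default in this series) now gets `default = false` together with `id = ""`, which no longer names the default VPC and, as far as I can tell from how the provider usually treats empty optional strings, degenerates into an unfiltered lookup. Accepting both sentinels costs two lines: `default = var.vpc_id == null || var.vpc_id == ""` and `id = var.vpc_id == "" ? null : var.vpc_id`. The same change applies to the five identical hunks that follow for the other examples.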
diff --git a/examples/vault-auto-unseal/main.tf b/examples/vault-auto-unseal/main.tf index 7cb4dd02..9aa8eadd 100644 --- a/examples/vault-auto-unseal/main.tf +++ b/examples/vault-auto-unseal/main.tf @@ -142,7 +142,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id ? true : false + default = var.vpc_id == null ? true : false id = var.vpc_id } diff --git a/examples/vault-cluster-private/main.tf b/examples/vault-cluster-private/main.tf index 0f736f3f..8d799c37 100644 --- a/examples/vault-cluster-private/main.tf +++ b/examples/vault-cluster-private/main.tf @@ -131,7 +131,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id ? true : false + default = var.vpc_id == null ? true : false id = var.vpc_id } diff --git a/examples/vault-ec2-auth/main.tf b/examples/vault-ec2-auth/main.tf index 79f07e80..18e38b46 100644 --- a/examples/vault-ec2-auth/main.tf +++ b/examples/vault-ec2-auth/main.tf @@ -200,7 +200,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id ? true : false + default = var.vpc_id == null ? true : false id = var.vpc_id } diff --git a/examples/vault-iam-auth/main.tf b/examples/vault-iam-auth/main.tf index 42b91683..79b8e108 100644 --- a/examples/vault-iam-auth/main.tf +++ b/examples/vault-iam-auth/main.tf 
@@ -260,7 +260,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id ? true : false + default = var.vpc_id == null ? true : false id = var.vpc_id } diff --git a/examples/vault-s3-backend/main.tf b/examples/vault-s3-backend/main.tf index c7c56f5a..1988d6be 100644 --- a/examples/vault-s3-backend/main.tf +++ b/examples/vault-s3-backend/main.tf @@ -136,7 +136,7 @@ data "template_file" "user_data_consul" { # --------------------------------------------------------------------------------------------------------------------- data "aws_vpc" "default" { - default = var.vpc_id ? true : false + default = var.vpc_id == null ? true : false id = var.vpc_id } From d36c506d51be0d2d561f95658a1bdd8eac3ae790 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 12:16:31 -0400 Subject: [PATCH 25/28] bug: fix typo --- examples/vault-agent/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/vault-agent/main.tf b/examples/vault-agent/main.tf index cb860e5d..e7a4d5a3 100644 --- a/examples/vault-agent/main.tf +++ b/examples/vault-agent/main.tf @@ -12,7 +12,7 @@ terraform { resource "aws_instance" "example_auth_to_vault" { ami = var.ami_id instance_type = "t2.micro" - subnet_id = tolist(var.data.aws_subnet_ids.default.ids)[0] + subnet_id = tolist(data.aws_subnet_ids.default.ids)[0] key_name = var.ssh_key_name # Security group that opens the necessary ports for consul From ecdef94b1b95bdc7a8928ef8c6e84c589ebf19f4 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Thu, 27 Jun 2019 13:54:09 -0400 Subject: [PATCH 26/28] bug: fix a null check --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 3ad1c078..206a9184 100644 --- a/main.tf +++ b/main.tf 
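Review bot: `tolist(data.aws_subnet_ids.default.ids)[0]` works once the stray `var.` is gone, but `ids` is a set, so the element chosen is whichever one Terraform's set-to-list ordering puts first rather than any meaningful "first subnet" of the VPC; the example instance may land in any subnet, public or private. A short comment keeps the next reader from assuming intent: `# ids is a set; tolist() orders it, so this is an arbitrary subnet of the VPC, not a deliberate choice`. The `aws_instance` block continues past the end of the hunk.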
@@ -63,7 +63,7 @@ module "vault_cluster" { cluster_size = var.vault_cluster_size instance_type = var.vault_instance_type - ami_id = var.ami_id ? data.aws_ami.vault_consul.image_id : var.ami_id + ami_id = var.ami_id != null ? data.aws_ami.vault_consul.image_id : var.ami_id user_data = data.template_file.user_data_vault_cluster.rendered vpc_id = data.aws_vpc.default.id @@ -180,7 +180,7 @@ module "consul_cluster" { cluster_tag_key = var.consul_cluster_tag_key cluster_tag_value = var.consul_cluster_name - ami_id = var.ami_id ? data.aws_ami.vault_consul.image_id : var.ami_id + ami_id = var.ami_id != null ? data.aws_ami.vault_consul.image_id : var.ami_id user_data = data.template_file.user_data_consul.rendered vpc_id = data.aws_vpc.default.id From 5d9a57f7e3dbffd27bbbccea87d8e332e665beb5 Mon Sep 17 00:00:00 2001 From: Matt Calhoun Date: Mon, 1 Jul 2019 14:37:30 -0400 Subject: [PATCH 27/28] bug: fix ternary compare to null --- main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/main.tf b/main.tf index 206a9184..3e2db19f 100644 --- a/main.tf +++ b/main.tf @@ -63,7 +63,7 @@ module "vault_cluster" { cluster_size = var.vault_cluster_size instance_type = var.vault_instance_type - ami_id = var.ami_id != null ? data.aws_ami.vault_consul.image_id : var.ami_id + ami_id = var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id user_data = data.template_file.user_data_vault_cluster.rendered vpc_id = data.aws_vpc.default.id @@ -180,7 +180,7 @@ module "consul_cluster" { cluster_tag_key = var.consul_cluster_tag_key cluster_tag_value = var.consul_cluster_name - ami_id = var.ami_id != null ? data.aws_ami.vault_consul.image_id : var.ami_id + ami_id = var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id user_data = data.template_file.user_data_consul.rendered vpc_id = data.aws_vpc.default.id From 4db50ecda50547c70a21424d60dcc6fa9ae8bc55 Mon Sep 17 00:00:00 2001 
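Review bot: `var.ami_id == null ? data.aws_ami.vault_consul.image_id : var.ami_id` is now the right way round, but 0.12 evaluates both arms of a conditional, so `data.aws_ami.vault_consul` must still find a matching image even when the caller supplies its own `ami_id`; if that data source (outside the hunk) is not already restricted with `owners`, a lookup by name filter alone is the classic way to pick up a look-alike public AMI, so it is worth confirming. `coalesce(var.ami_id, data.aws_ami.vault_consul.image_id)` says the same thing more directly and also treats a legacy `""` as unset, which the `== null` test does not. The `consul_cluster` hunk below is identical and takes the same change.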
From: Matt Calhoun Date: Mon, 1 Jul 2019 14:54:52 -0400 Subject: [PATCH 28/28] feature: add comments for test stages --- test/vault_main_test.go | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/test/vault_main_test.go b/test/vault_main_test.go index ad10ed9f..e694e8c2 100644 --- a/test/vault_main_test.go +++ b/test/vault_main_test.go @@ -77,6 +77,16 @@ var testCases = []testCase{ func TestMainVaultCluster(t *testing.T) { t.Parallel() + // For convenience - uncomment these as well as the "os" import + // when doing local testing if you need to skip any sections. + + // os.Setenv("SKIP_setup_amis", "true") + // os.Setenv("SKIP_deploy", "true") + // os.Setenv("SKIP_validate", "true") + // os.Setenv("SKIP_log", "true") + // os.Setenv("SKIP_teardown", "true") + // os.Setenv("SKIP_delete_amis", "true") + test_structure.RunTestStage(t, "setup_amis", func() { tlsCert := generateSelfSignedTlsCert(t) saveTlsCert(t, WORK_DIR, tlsCert) @@ -119,6 +129,7 @@ func TestMainVaultCluster(t *testing.T) { } func runTestsOnDifferentPlatforms(t *testing.T) { + for _, testCase := range testCases { // This re-assignment necessary, because the variable testCase is defined and set outside the forloop. // As such, it gets overwritten on each iteration of the forloop. This is fine if you don't have concurrent code
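Review bot: The six commented-out `os.Setenv("SKIP_…", "true")` lines are dead code that has to be edited back to life (together with an `os` import) every time, and the commented form invites an accidental commit with `SKIP_teardown` or `SKIP_delete_amis` enabled, which would leave the Vault and Consul clusters plus their AMIs running in the test account. As far as I recall, `test_structure.RunTestStage` already reads `SKIP_<stage>` from the process environment, so `SKIP_teardown=true go test -run TestMainVaultCluster ./test` achieves the same without touching the source. I would replace the six lines with a two-line comment that lists the stage names and gives that invocation.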