Vault Home

»Configuring Vault Helm with Terraform

Terraform may also be used to configure and deploy the Vault Helm chart, by using the Helm provider.

For example, to configure the chart to deploy HA Vault with integrated storage (raft), the values overrides can be set on the command-line, in a values yaml file, or with a Terraform configuration:

$ helm install vault hashicorp/vault \
  --set='server.ha.enabled=true' \
  --set='server.ha.raft.enabled=true'

$ helm install vault hashicorp/vault \
  --set='server.ha.enabled=true' \
  --set='server.ha.raft.enabled=true'

server:
  ha:
    enabled: true
    raft:
      enabled: true

server:
  ha:
    enabled: true
    raft:
      enabled: true

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
}

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
}

The values file can also be used directly in the Terraform configuration with the values directive.

Further Examples

Vault config as a multi-line string

server:
  ha:
    enabled: true
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = false

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path    = "/vault/data"
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region     = "us-west-2"
          kms_key_id = "alias/my-kms-key"
        }

server:
  ha:
    enabled: true
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = false

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path    = "/vault/data"
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region     = "us-west-2"
          kms_key_id = "alias/my-kms-key"
        }

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.setNodeId"
    value = "true"
  }
  set {
    name  = "server.ha.raft.config"
    value = <<EOT
ui = false

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path    = "/vault/data"
}

service_registration "kubernetes" {}

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "alias/my-kms-key"
}
EOT
  }
}

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.setNodeId"
    value = "true"
  }
  set {
    name  = "server.ha.raft.config"
    value = <<EOT
ui = false

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path    = "/vault/data"
}

service_registration "kubernetes" {}

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "alias/my-kms-key"
}
EOT
  }
}

Lists of volumes and volumeMounts

server:
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true

server:
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.volumes[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumes[0].secret.defaultMode"
    value = "420"
  }
  set {
    name  = "server.volumes[0].secret.secretName"
    value = "my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].mountPath"
    value = "/vault/userconfig/my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].readOnly"
    value = "true"
  }
}

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.volumes[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumes[0].secret.defaultMode"
    value = "420"
  }
  set {
    name  = "server.volumes[0].secret.secretName"
    value = "my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].mountPath"
    value = "/vault/userconfig/my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].readOnly"
    value = "true"
  }
}

Annotations

Annotations can be set as a YAML map:

server:
  ingress:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet

server:
  ingress:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
    value = "true"
  }

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
    value = "apps-subnet"
  }

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
    value = "true"
  }

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
    value = "apps-subnet"
  }

or as a multi-line string:

server:
  ingress:
    annotations: |
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet

server:
  ingress:
    annotations: |
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet

  set {
    name = "server.ingress.annotations"
    value = yamlencode({
      "service.beta.kubernetes.io/azure-load-balancer-internal": "true"
      "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
    })
    type = "auto"
  }

  set {
    name = "server.ingress.annotations"
    value = yamlencode({
      "service.beta.kubernetes.io/azure-load-balancer-internal": "true"
      "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
    })
    type = "auto"
  }
Edit this page on GitHub