»Configuring Vault Helm with Terraform

Terraform may also be used to configure and deploy the Vault Helm chart, by using the Helm provider.

For example, to configure the chart to deploy HA Vault with integrated storage (raft), the values overrides can be set on the command line, in a values YAML file, or with a Terraform configuration:

# Install the chart with HA mode and integrated (raft) storage enabled via --set overrides.
$ helm install vault hashicorp/vault \
  --set='server.ha.enabled=true' \
  --set='server.ha.raft.enabled=true'
# values.yaml override: run the Vault server in HA mode backed by integrated (raft) storage.
server:
  ha:
    enabled: true
    raft:
      enabled: true
# Helm provider that reads cluster credentials from the local kubeconfig file.
provider "helm" {
  kubernetes {
    # Terraform acts on the cluster with whatever permissions this kubeconfig grants;
    # no context is selected here, so presumably the file's current context is used.
    config_path = "~/.kube/config"
  }
}

# Deploys the Vault chart from the HashiCorp Helm repository with HA + raft enabled.
# No `version` argument is set, so the chart version is not pinned here; pinning one
# keeps deployments reproducible and makes chart upgrades an explicit, reviewable change.
resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  # Equivalent to --set='server.ha.enabled=true'
  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  # Equivalent to --set='server.ha.raft.enabled=true'
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
}

The values file can also be used directly in the Terraform configuration with the values directive.

Further Examples

Vault config as a multi-line string

# values.yaml: HA Vault on raft with the server configuration supplied inline.
server:
  ha:
    enabled: true
    raft:
      enabled: true
      # Chart option; sets each raft node's ID from its pod name (confirm in the chart's values reference).
      setNodeId: true
      # The block scalar below is the Vault server configuration, passed as one string.
      # NOTE(review): tls_disable = 1 makes the API listener on 8200 serve plaintext, so
      # client tokens and secrets cross the pod network unencrypted. Treat it as an
      # example-only setting; configure tls_cert_file / tls_key_file on the listener
      # for real deployments.
      # seal "awskms" unseals with the named AWS KMS key (region and alias are sample
      # values); the Vault pods need AWS credentials allowed to use that key, which
      # this file does not provide.
      config: |
        ui = false

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path    = "/vault/data"
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region     = "us-west-2"
          kms_key_id = "alias/my-kms-key"
        }
# Terraform equivalent of the values file: HA + raft, with the Vault server
# configuration passed to the chart as a heredoc string.
resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.setNodeId"
    value = "true"
  }
  # The heredoc is handed to the chart verbatim as the Vault server configuration.
  # NOTE(review): tls_disable = 1 makes the API listener on 8200 serve plaintext, so
  # client tokens and secrets cross the pod network unencrypted. Treat it as an
  # example-only setting; configure tls_cert_file / tls_key_file on the listener
  # for real deployments.
  # seal "awskms" unseals with the named AWS KMS key (region and alias are sample
  # values); the Vault pods need AWS credentials allowed to use that key, which
  # this configuration does not provide.
  set {
    name  = "server.ha.raft.config"
    value = <<EOT
ui = false

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path    = "/vault/data"
}

service_registration "kubernetes" {}

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "alias/my-kms-key"
}
EOT
  }
}

Lists of volumes and volumeMounts

# values.yaml: mount the Kubernetes Secret "my-gcp-iam" into the Vault server pods.
server:
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        # 420 is decimal for octal 0644 (owner read/write, group and others read).
        # NOTE(review): a tighter mode may be preferable for credential files; confirm
        # against the pod's securityContext that Vault can still read the mount.
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      # Read-only mount: the container cannot modify the mounted secret files.
      readOnly: true
# Terraform equivalent of the volumes / volumeMounts values: list entries are
# addressed by index ([0]) in the `set` name.
resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.volumes[0].name"
    value = "userconfig-my-gcp-iam"
  }
  # 420 is decimal for octal 0644 (owner read/write, group and others read).
  # NOTE(review): a tighter mode may be preferable for credential files; confirm
  # against the pod's securityContext that Vault can still read the mount.
  set {
    name  = "server.volumes[0].secret.defaultMode"
    value = "420"
  }
  set {
    name  = "server.volumes[0].secret.secretName"
    value = "my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].mountPath"
    value = "/vault/userconfig/my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].name"
    value = "userconfig-my-gcp-iam"
  }
  # Read-only mount: the container cannot modify the mounted secret files.
  set {
    name  = "server.volumeMounts[0].readOnly"
    value = "true"
  }
}

Annotations

Annotations can be set as a YAML map:

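# Ingress annotations supplied as a YAML map.
# Kubernetes annotation values must be strings, so the boolean-looking value is quoted;
# an unquoted true is parsed as a YAML boolean rather than the string "true".
server:
  ingress:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet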
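  # Same annotations via Terraform `set` blocks. Dots inside the annotation key are
  # escaped so Helm does not treat them as path separators.
  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
    value = "true"
    # Annotation values must be strings; this keeps Helm from coercing "true" to a boolean.
    type = "string"
  }

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
    value = "apps-subnet"
  }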

or as a multi-line string:

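# Ingress annotations supplied as a multi-line string instead of a map.
# The text is still read as YAML when it lands in the manifest, and Kubernetes
# annotation values must be strings, so the boolean-looking value is quoted.
server:
  ingress:
    annotations: |
      service.beta.kubernetes.io/azure-load-balancer-internal: "true"
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet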
  # Passes the annotations as a single string: yamlencode() renders the map as YAML text.
  # NOTE(review): "true" is an HCL string here, so yamlencode is expected to emit it
  # quoted; check the rendered manifest to confirm the annotation value stays a string.
  set {
    name = "server.ingress.annotations"
    value = yamlencode({
      "service.beta.kubernetes.io/azure-load-balancer-internal": "true"
      "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
    })
    type = "auto"
  }