Configure Vault Helm using Terraform

Terraform may also be used to configure and deploy the Vault Helm chart, by using the Helm provider.

For example, to configure the chart to deploy HA Vault with integrated storage (raft), the values overrides can be set on the command-line, in a values yaml file, or with a Terraform configuration:

$ helm install vault hashicorp/vault \
  --set='server.ha.enabled=true' \
  --set='server.ha.raft.enabled=true'

provider "helm" {
  kubernetes {
    config_path = "~/.kube/config"
  }
}

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
}

The values file can also be used directly in the Terraform configuration with the values directive.

Further examples

Vault config as a multi-line string

server:
  ha:
    enabled: true
    raft:
      enabled: true
      setNodeId: true
      config: |
        ui = false

        listener "tcp" {
          tls_disable = 1
          address = "[::]:8200"
          cluster_address = "[::]:8201"
        }

        storage "raft" {
          path    = "/vault/data"
        }

        service_registration "kubernetes" {}

        seal "awskms" {
          region     = "us-west-2"
          kms_key_id = "alias/my-kms-key"
        }

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.ha.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.enabled"
    value = "true"
  }
  set {
    name  = "server.ha.raft.setNodeId"
    value = "true"
  }
  set {
    name  = "server.ha.raft.config"
    value = <<EOT
ui = false

listener "tcp" {
  tls_disable = 1
  address = "[::]:8200"
  cluster_address = "[::]:8201"
}

storage "raft" {
  path    = "/vault/data"
}

service_registration "kubernetes" {}

seal "awskms" {
  region     = "us-west-2"
  kms_key_id = "alias/my-kms-key"
}
EOT
  }
}

Lists of volumes and volumeMounts

server:
  volumes:
    - name: userconfig-my-gcp-iam
      secret:
        defaultMode: 420
        secretName: my-gcp-iam

  volumeMounts:
    - mountPath: /vault/userconfig/my-gcp-iam
      name: userconfig-my-gcp-iam
      readOnly: true

resource "helm_release" "vault" {
  name       = "vault"
  repository = "https://helm.releases.hashicorp.com"
  chart      = "vault"

  set {
    name  = "server.volumes[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumes[0].secret.defaultMode"
    value = "420"
  }
  set {
    name  = "server.volumes[0].secret.secretName"
    value = "my-gcp-iam"
  }

  set {
    name  = "server.volumeMounts[0].mountPath"
    value = "/vault/userconfig/my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].name"
    value = "userconfig-my-gcp-iam"
  }
  set {
    name  = "server.volumeMounts[0].readOnly"
    value = "true"
  }
}

Annotations

Annotations can be set as a YAML map:

server:
  ingress:
    annotations:
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal"
    value = "true"
  }

  set {
    name = "server.ingress.annotations.service\\.beta\\.kubernetes\\.io/azure-load-balancer-internal-subnet"
    value = "apps-subnet"
  }

or as a multi-line string:

server:
  ingress:
    annotations: |
      service.beta.kubernetes.io/azure-load-balancer-internal: true
      service.beta.kubernetes.io/azure-load-balancer-internal-subnet: apps-subnet

  set {
    name = "server.ingress.annotations"
    value = yamlencode({
      "service.beta.kubernetes.io/azure-load-balancer-internal": "true"
      "service.beta.kubernetes.io/azure-load-balancer-internal-subnet": "apps-subnet"
    })
    type = "auto"
  }