Deploy HCP Vault with Terraform
HashiCorp Cloud Platform (HCP) portal features a web user interface to deploy and manage resources, including HCP Vault deployments. If you prefer to automate HCP Vault deployment however, one recommended approach is to use HashiCorp Terraform with the HCP provider.
You can use Terraform CLI and the HCP provider with your HCP account credentials from a terminal session to successfully deploy a HCP Vault cluster. This enables you to leverage HCP to rapidly and reliably deploy Vault clusters, while offloading the operations burden to SRE experts at HashiCorp.
Prerequisites
To complete the steps listed in this tutorial, you need:
The Terraform CLI (version 0.14.+) installed on your computer. Follow the Install Terraform tutorial if you need to learn how to install it.
A HCP account.
A git clone of the vault-guides repository; you will be instructed on how to clone and use the repository in later steps.
The tutorial example scenario also automatically deploys an AWS VPC, and peers it with your HashiCorp Virtual Network (HVN).
Note
This tutorial provisions resources that qualify under the AWS free-tier. If your account doesn't qualify under the AWS free-tier, HashiCorp is not responsible for any charges that you may incur.
To successfully follow example, you need the following AWS related items.
An AWS account.
Your AWS credentials configured locally. To do this with IAM user authentication, set your AWS access key ID as an environment variable.
Now set your secret key.
Tip
If you don't have access to IAM user credentials, use another authentication method described in the AWS provider documentation.
Create service principal and key
Begin in the HCP portal to create a Service Principal and associated key that you will use with Terraform to deploy the HCP Vault cluster.
From the navigation menu, select Access control (IAM).
Select Service principals, and then click Create service principal.
Enter the name you prefer in the Name field.
For example,
learn-hcp-vault
for this tutorial.Choose
Contributor
from the Role select field.Click Save. The Service principal is created and displays the overview page.
Click Create service principal key.
A dialog like the following example appears:
Copy the Client ID.
In a terminal, export the variable
HCP_CLIENT_ID
to the Client ID.Terraform authenticate with HCP with this ID.
Copy the Client secret.
In a terminal, export the variable
HCP_CLIENT_SECRET
to the Client secret.Terraform authenticate with HCP with this secret.
Clone vault-guides repository
Clone the vault-guides repository to get the necessary Terraform configuration for the example scenarios.
Ensure that you are in a directory that you wish to work through this tutorial in, and clone the repository.
Change into the directory containing the base example scenario Terraform configuration.
Verify that you are in the correct directory before proceeding.
The configuration in hcp-vault-vpc
is the minimum configuration necessary to deploy HCP Vault using the Terraform HCP provider with peered VPC, as an example for this tutorial. You will need to significantly expand on this example to build a more advanced configurations for actual use cases.
Tip
The commands you use for the rest of the example should all be executed from within this directory.
Define variables
Examine the file variables.tf
and determine what you might need to update to match your own AWS setup. The file defines all Terraform variables for the project expressed in HashiCorp Configuration Language (HCL).
1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526272829303132333435363738394041
Note the description values to understand each variable.
Line 37 through 41 defines the values for HCP Vault cluster tier. This is an optional parameter and the default value is dev
; therefore, you can omit this parameter. However, if you wish to create a cluster other than a Dev cluster, overwrite this value by creating a terraform.tfvars
file.
Example:
The same for other variables. Make necessary changes before proceeding.
Note
Currently, AWS is the only supported cloud_provider
type for the HCP provider, and values other than "aws" are not recognized.
Define HVN
Before you can deploy the HCP Vault cluster, you need to first configure an HVN. HVNs enable you to deploy HashiCorp Cloud products without the need to manage networking details.
You can define an HVN using the hcp_hvn
resource. Examine the vault.tf
file line 1 through 5 to learn about the resource configured for the example.
1 2 3 4 5 6 7 8 9 101112
The configuration specifies an HVN resource named learn_hcp_vault_hvn
that uses the variable values from the variables.tf
to declare the HVN ID, the cloud provider name, and cloud provider region.
Define HCP Vault cluster
For this tutorial you will deploy a single Vault cluster.
You can define an HCP Vault cluster using the hcp_vault_cluster
resource. Examine the vault.tf
file line 7 through 12 to learn about the resource configured for the example.
1 2 3 4 5 6 7 8 9 101112
The configuration specifies an HCP Vault cluster resource named learn_hcp_vault
that uses the variable value from variables.tf
to declare the HVN ID, and set the cluster ID to learn-hcp-vault-cluster
.
The public_endpoint
parameter is commented out at line 11. See the Enable public cluster address section for more details about this optional parameter.
Tip
You can edit the variables.tf
file to change some attributes for the Vault cluster. You can learn more about the available options in the Terraform HCP provider documentation.
Performance Replication
You can enable performance replication for HCP Vault by adding an additional hcp_hvn
and hcp_vault_cluster
block, then set the primary_link
parameter. For more information please visit the Configure Vault performance replication - HCP Provider guide.
Define VPC peering
The HVN to VPC peering is defined in the vpc-peering.tf
file.
1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031
After making any necessary changes to vpc-peering.tf
, proceed to deploy the infrastructure.
Deploy infrastructure
After you have cloned the repository and defined the environment variables for HCP (and optionally AWS) in the example you wish to try, you are ready to deploy infrastructure.
First, initialize terraform; this downloads the necessary providers and initializes the backend.
After Terraform is initialized, you can verify that the resources will be created using terraform plan
.
You should note resources listed in the output, and at the end a summary that lists 5 resources to add.
Finally, you can deploy the resources with terraform apply
.
Confirm the run by entering yes
.
Once you confirm, it will take a few minutes to complete the deploy. If the deploy was successful, you should observe output at the end resembling this example.
Access Vault
Return to the HCP portal to inspect the newly created Vault cluster.
From the navigation menu within the Resources section, select Vault.
Click learn-hcp-vault-cluster to access cluster details.
The HCP Vault cluster overview is shown and the State is
Running
. You can interact with the cluster from this overview to perform a range of operational tasks.To confirm the HVN to VPC peering status, return to the main menu, and select HashiCorp Virtual Network.
Click learn-hcp-vault-hvn to access the HVN details.
Click Peering connections.
Select the learn-peering link.
The details for the VPC peering connection you deployed are shown. The HVN and VPC are peered and ready to use.
Note
By default, the datacenter is not accessible from the internet. If you want to access the Vault API or UI, you will have to do it from a machine running inside your AWS VPC (recommended), or you need to configure your HCP Vault cluster to be publicly accessible.
VPC peering
Establish a VPC peering from your AWS VPC and HVN. By doing so, you can ensure that trusted clients (users, applications, containers, etc.) running inside the VPC connect to Vault and avoid systems outside of your selected network attempting to connect.

Follow the Peering an AWS VPC with HashiCorp Cloud Platform
(HCP) tutorial to
create and establish a VPC peering. Vault clients running in the VPC can connect
to learn-hcp-vault-cluster
using the private cluster URL.
Updating AWS security groups
Note
Configuring, managing, and securing access to your AWS workloads is a critical component of the shared responsibility model. Terraform changes the default AWS behavior of managing security groups. This section is provided to assist with understanding how you can manage access using Terraform. Refer to the Terraform AWS Provider documentation for a full list of available resources for AWS.
Once your AWS VPC is peered with the HVN, you will need to consider how to manage access from your AWS workloads to connect to HCP Vault.
When creating a new security group through the AWS console or AWS CLI, the default behavior is to create an egress or outbound
rule that permits all traffic from the AWS workload to any destination, represented by the 0.0.0.0/0
CIDR notation.
However, if you manage your AWS security groups using Terraform, the default Terraform behavior is to remove the default egress rule. Once the default egress rule is removed, you need to explicitly add a rule to permit traffic from your AWS workloads to the desired destination.
How you utilize security groups in your organization will guide you on the best way to approach managing access to your HCP Vault cluster.
If you are already using Terraform to manage your AWS security groups, one option is to add an egress rule that will permit TCP traffic
on port 8200
using the aws_security_group_rule
resource to an existing security group.
Note
If you are already using the aws_security_group
resource with in-line rules, you will need to update the existing Terraform configuration with a rule to allow port 8200
. You cannot
use both the aws_security_group and the aws_security_group_rule resources together.
12345678
- Line 2: The
type
parameter allows you to define whether the rule is foringress
(inbound) oregress
(outbound). - Line 3-4: The
from_port
andto_port
parameters allow you to define one or more port numbers. For Vault, clients will connect on port8200
. - Line 5: The
protocol
field specifies the type of traffic allowed. - Line 6: The
cidr_blocks
field contains the IP address the rule will permit access to, or from and should match the CIDR of your HVN. - Line 7: The
security_group_id
is the ID of the security group you want to update.
If you are not familiar with AWS security groups, refer to the AWS documentation on Control traffic to resources using security groups.
Enable public cluster address
If you want to enable the public cluster address, update the vault.tf
file with
public_endpoint
set to true
for the hcp_vault_cluster
resource.
1 2 3 4 5 6 7 8 9 1011
Re-run the terraform apply
command.
When prompted, enter yes
to continue.
When it completes, you can access your HCP Vault cluster using its public address.
Clean up
Use terraform destroy
to clean up all of the resources that you created.
Terraform will prompt you for confirmation.
Confirm by entering yes
.
Once you confirm, it will take a few minutes to complete the the destroy. When successful, you should observe output resembling the following example.
In this tutorial you learned how to automate the deployment of an HCP Vault cluster using the Terraform HCP provider. You also learned about some of the resources available with the provider.
You can find the full documentation for the HashiCorp Cloud Platform Terraform provider in the Terraform registry documentation.
Next steps
From here you can learn more about HCP Vault including Vault Operation Tasks specific to HCP Vault.
With Vault in your HVN, and your HVN peered to an AWS VPC, you can deploy further AWS resources into the same VPC and access Vault with them through the Vault HTTP API or CLI.