Products
Deploy HCP Vault with Terraform
HashiCorp Cloud Platform (HCP) features a web user interface to deploy and manage resources, including HCP Vault deployments in AWS. If you prefer to automate HCP Vault deployment however, one recommended approach is to use HashiCorp Terraform with the HCP provider.
You can use Terraform CLI and the HCP provider with your HCP account credentials from a terminal session to successfully deploy a HCP Vault cluster. This enables you to leverage HCP to rapidly and reliably deploy Vault clusters in AWS, while offloading the operations burden to SRE experts at HashiCorp.
Prerequisites
To complete the steps listed in this tutorial, you need:
The Terraform CLI (version 0.14.+) installed on your computer. Follow the Install Terraform tutorial if you need to learn how to install it.
A HCP account.
A git clone of the vault-guides repository; you will be instructed on how to clone and use the repository in later steps.
The tutorial example scenario also automatically deploys an AWS VPC, and peers it with your HashiCorp Virtual Network (HVN).
Note: This tutorial provisions resources that qualify under the AWS free-tier. If your account doesn't qualify under the AWS free-tier, HashiCorp is not responsible for any charges that you may incur.
To successfully follow example, you need the following AWS related items.
An AWS account.
Your AWS credentials configured locally. To do this with IAM user authentication, set your AWS access key ID as an environment variable.
Now set your secret key.
Tip: If you don't have access to IAM user credentials, use another authentication method described in the AWS provider documentation.
Create service principal and key
Begin in the HCP portal to create a Service Principal and associated key that you will use with Terraform to deploy the HCP Vault cluster.
From the navigation menu, select Access control (IAM).
Select Service principals, and then click Create service principal.
Enter the name you prefer in the Name field.
For example,
learn-hcp-vaultfor this tutorial.Choose
Contributorfrom the Role select field.
Click Save. The Service principal is created and displays the overview page.
Click Create service principal key.
A dialog like the following example appears:
Copy the Client ID.
In a terminal, export the variable
HCP_CLIENT_IDto the Client ID.Terraform authenticate with HCP with this ID.
Copy the Client secret.
In a terminal, export the variable
HCP_CLIENT_SECRETto the Client secret.Terraform authenticate with HCP with this secret.
Clone vault-guides repository
Clone the vault-guides repository to get the necessary Terraform configuration for the example scenarios.
Ensure that you are in a directory that you wish to work through this tutorial in, and clone the repository.
Change into the directory containing the base example scenario Terraform configuration.
Verify that you are in the correct directory before proceeding.
The configuration in hcp-vault-vpc is the minimum configuration necessary to deploy HCP Vault using the Terraform HCP provider with peered VPC, as an example for this tutorial. You will need to significantly expand on this example to build a more advanced configurations for actual use cases.
Tip: The commands you use for the rest of the example should all be executed from within this directory.
Define variables
Examine the file variables.tf and determine what you might need to update to match your own AWS setup. The file defines all Terraform variables for the project expressed in HashiCorp Configuration Language (HCL).
variables.tf
1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526272829303132333435363738394041Note the description values to understand each variable.
Line 37 through 41 defines the values for HCP Vault cluster tier. This is an optional parameter and the default value is dev; therefore, you can omit this parameter. However, if you wish to create a cluster other than a Dev cluster, overwrite this value by creating a terraform.tfvars file.
Example:
The same for other variables. Make necessary changes before proceeding.
Note: Currently, AWS is the only supported cloud_provider type for the HCP provider, and values other than "aws" are not recognized.
Define HVN
Before you can deploy the HCP Vault cluster, you need to first configure an HVN. HVNs enable you to deploy HashiCorp Cloud products without the need to manage networking details.
You can define an HVN using the hcp_hvn resource. Examine the vault.tf file line 1 through 5 to learn about the resource configured for the example.
vault.tf
1 2 3 4 5 6 7 8 9 101112The configuration specifies an HVN resource named learn_hcp_vault_hvn that uses the variable values from the variables.tf to declare the HVN ID, the cloud provider name, and cloud provider region.
Define HCP Vault cluster
For this tutorial you will deploy a single Vault cluster.
You can define an HCP Vault cluster using the hcp_vault_cluster resource. Examine the vault.tf file line 7 through 12 to learn about the resource configured for the example.
vault.tf
1 2 3 4 5 6 7 8 9 101112The configuration specifies an HCP Vault cluster resource named learn_hcp_vault that uses the variable value from variables.tf to declare the HVN ID, and set the cluster ID to learn-hcp-vault-cluster.
The public_endpoint parameter is commented out at line 11. See the Enable public cluster address section for more details about this optional parameter.
Tip: You can edit the variables.tf file to change some attributes for the Vault cluster. You can learn more about the available options in the Terraform HCP provider documentation.
Performance Replication: You can enable performance replication for HCP Vault by adding an additional hcp_hvn and hcp_vault_cluster block, then set the primary_link parameter. For more information please visit the Configure Vault performance replication - HCP Provider guide.
Define VPC peering
The HVN to VPC peering is defined in the vpc-peering.tf file.
vpc-peering.tf
1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031After making any necessary changes to vpc-peering.tf, proceed to deploy the infrastructure.
Deploy infrastructure
After you have cloned the repository and defined the environment variables for HCP (and optionally AWS) in the example you wish to try, you are ready to deploy infrastructure.
First, initialize terraform; this downloads the necessary providers and initializes the backend.
After Terraform is initialized, you can verify that the resources will be created using terraform plan.
You should note resources listed in the output, and at the end a summary that lists 5 resources to add.
Finally, you can deploy the resources with terraform apply.
Confirm the run by entering yes.
Once you confirm, it will take a few minutes to complete the deploy. If the deploy was successful, you should observe output at the end resembling this example.
Access Vault
Return to the HCP portal to inspect the newly created Vault cluster.
From the navigation menu within the Resources section, select Vault.
Click learn-hcp-vault-cluster to access cluster details.
The HCP Vault cluster overview is shown and the State is
Running. You can interact with the cluster from this overview to perform a range of operational tasks.To confirm the HVN to VPC peering status, return to the main menu, and select HashiCorp Virtual Network.
Click learn-hcp-vault-hvn to access the HVN details.
Click Peering connections.
Select the learn-peering link.
The details for the VPC peering connection you deployed are shown. The HVN and VPC are peered and ready to use.
Note: By default, the datacenter is not accessible from the internet. If you want to access the Vault API or UI, you will have to do it from a machine running inside your AWS VPC (recommended), or you need to configure your HCP Vault cluster to be publicly accessible.
VPC peering
Establish a VPC peering from your AWS VPC and HVN. By doing so, you can ensure that trusted clients (users, applications, containers, etc.) running inside the VPC connect to Vault and avoid systems outside of your selected network attempting to connect.
Follow the Peering an AWS VPC with HashiCorp Cloud Platform
(HCP) tutorial to
create and establish a VPC peering. Vault clients running in the VPC can connect
to learn-hcp-vault-cluster using the private cluster URL.
Enable public cluster address
If you want to enable the public cluster address, update the vault.tf file with
public_endpoint set to true for the hcp_vault_cluster resource.
vault.tf
1 2 3 4 5 6 7 8 9 1011Re-run the terraform apply command.
When prompted, enter yes to continue.
When it completes, you can access your HCP Vault cluster using its public address.
Clean up
Use terraform destroy to clean up all of the resources that you created.
Terraform will prompt you for confirmation.
Confirm by entering yes.
Once you confirm, it will take a few minutes to complete the the destroy. When successful, you should observe output resembling the following example.
In this tutorial you learned how to automate the deployment of an HCP Vault cluster using the Terraform HCP provider. You also learned about some of the resources available with the provider.
You can find the full documentation for the HashiCorp Cloud Platform Terraform provider in the Terraform registry documentation.
Next steps
From here you can learn more about HCP Vault including Vault Operation Tasks specific to HCP Vault.
With Vault in your HVN, and your HVN peered to an AWS VPC, you can deploy further AWS resources into the same VPC and access Vault with them through the Vault HTTP API or CLI.