Comments (7)
Hi @chanux - in general, you want to isolate Vault as much as possible from other services. This is also mentioned in the Vault hardening guide. It's not a hard requirement, but Vault should really be on its own dedicated network/IP space and traffic to that network should be restricted behind a firewall.
Let me know if you have other questions.
from terraform-google-vault.
@sethvargo I think the enterprise best practice is to use a Shared VPC so Vault can be connected over private space. It can still be restricted by firewall rules for the subnet or service account.
IMO it would make sense to allow this module to accept a custom network input.
@morgante wouldn't best practice be to run a dedicated VPC and then use VPC peering instead?
FWIW, I'm okay with this change, just trying to figure out what the "default" should be.
@sethvargo VPC peering has a number of limitations which make it unsuitable in certain environments. I think a dedicated service account (with locked down firewall rules) in a shared VPC is an acceptable tradeoff.
I think the default should be the current implementation with completely separated VPC and networks. But it would be OK if someone really really wants to be able to put all the eggs into one basket.
I'll go ahead and get a PR up for this. We also need outputs of the subnet/network as well in case someone does want to put a bastion or firewall rule on that network after Vault is created.
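An added sketch (not the terraform-google-vault module's code and not from any commenter) of what the optional network input, a service-account-scoped firewall rule and the network/subnet outputs discussed in the thread could look like; the variable names, sample CIDR and region are assumptions.

```hcl
# Hypothetical illustration only: variable and resource names are assumed, not the module's own.
variable "network" {          # self-link of an existing (e.g. Shared VPC) network; null = create one
  type    = string
  default = null
}
variable "subnetwork" {       # self-link of an existing subnetwork; required when network is set
  type    = string
  default = null
}
variable "vault_service_account_email" { type = string }   # SA the Vault instances run as
variable "client_service_account_email" { type = string }  # SA allowed to call the Vault API

locals {
  create_network = var.network == null
  network        = local.create_network ? google_compute_network.vault[0].self_link : var.network
  subnetwork     = local.create_network ? google_compute_subnetwork.vault[0].self_link : var.subnetwork
}

# Default keeps the isolated, dedicated VPC; passing a network skips these two resources.
resource "google_compute_network" "vault" {
  count                   = local.create_network ? 1 : 0
  name                    = "vault-network"
  auto_create_subnetworks = false
}
resource "google_compute_subnetwork" "vault" {
  count                    = local.create_network ? 1 : 0
  name                     = "vault-subnet"
  network                  = google_compute_network.vault[0].self_link
  region                   = "us-central1"       # assumed region
  ip_cidr_range            = "10.127.0.0/24"     # constructed sample range
  private_ip_google_access = true
}

# In either topology, scope ingress by service account rather than by CIDR, so other tenants
# of a Shared VPC cannot reach the Vault API port (8200) even though they share the network.
resource "google_compute_firewall" "vault_api" {
  name                    = "vault-allow-api"
  network                 = local.network
  direction               = "INGRESS"
  source_service_accounts = [var.client_service_account_email]
  target_service_accounts = [var.vault_service_account_email]
  allow {
    protocol = "tcp"
    ports    = ["8200"]
  }
}

# Exposed so callers can attach a bastion or extra firewall rules after Vault is created.
output "network"    { value = local.network }
output "subnetwork" { value = local.subnetwork }
```

When the network is a Shared VPC, the firewall rule must be created in the host project, so the provider used for that resource needs host-project permissions.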