terraform-google-modules / terraform-google-vault
Deploys Vault on Compute Engine
Home Page: https://registry.terraform.io/modules/terraform-google-modules/vault/google
License: Apache License 2.0
For instance, I have generated a key and certificate via the ACME provider:
provider "acme" {
server_url = "https://acme-v02.api.letsencrypt.org/directory"
version = "~> 1.5"
}
resource "tls_private_key" "letsencrypt" {
algorithm = "RSA"
rsa_bits = 4096
}
resource "acme_registration" "letsencrypt" {
account_key_pem = tls_private_key.letsencrypt.private_key_pem
email_address = "[email protected]"
}
resource "acme_certificate" "vault" {
account_key_pem = acme_registration.letsencrypt.account_key_pem
common_name = "vault.example.com"
recursive_nameservers = [
"8.8.8.8:53",
"8.8.4.4:53",
]
key_type = 4096
dns_challenge {
provider = "gcloud"
config = {
GCE_PROJECT = "myproject"
}
}
}
For sure, I can specify it via setting manage_tls = false and do all the TLS-related stuff myself, but it would be a lot handier if you added the ability to specify my key and certificate for the module and let the module do the rest: encrypt with KMS and upload the files to the bucket.
I followed the example to set up the Vault server as is. Now I want it to be exposed to a particular service to store and retrieve secrets. How do I go about it? What configurations should I change?
Thank you in advance
There are some more or less important changes and fixes since the last 3.0.3 release. Maybe it's time for the next release?
Hi,
This is more of a documentation issue, perhaps?
I think it's useful to make a note that this module does not work with Terraform Cloud, because it uses the local_file provider. Your run on TF Cloud will fail at the very last step, which consists of downloading the generated certificates to the local machine.
There is no workaround; my suggestion would be to change the module to use a GCS bucket instead of a local file to save the resulting certificate.
If you, like me, only found this out at the last minute, you can set the execution model of your Terraform workspace to local, so you'll at least be able to keep using the shared state from the remote backend and not have to destroy everything.
Warning: Use the google_kms_secret_ciphertext resource instead. on .terraform/modules/vault/terraform-google-modules-terraform-google-vault-54ec44b/tls.tf line 114, in data "google_kms_secret_ciphertext" "vault-tls-key-encrypted":
Doc: https://www.terraform.io/docs/providers/google/d/google_kms_secret_ciphertext.html
Warning: This data source is deprecated. Use the google_kms_secret_ciphertext resource instead.
I'm using the vault-on-gce example and I've been getting the following errors during a terraform apply. Is anyone else experiencing this?
Error: Error applying plan:
4 error(s) occurred:
* module.vault.google_storage_bucket.vault: 1 error(s) occurred:
* google_storage_bucket.vault: project: required field is not set
* module.vault.google_storage_bucket.vault-assets: 1 error(s) occurred:
* google_storage_bucket.vault-assets: project: required field is not set
* module.vault.module.vault-server.google_compute_firewall.default-ssh: 1 error(s) occurred:
* google_compute_firewall.default-ssh: project: required field is not set
* module.vault.google_service_account.vault-admin: 1 error(s) occurred:
* google_service_account.vault-admin: project: required field is not set
Terraform version: v0.10.8
I experienced this issue before and thought the fix was related to my values
...
kms_keyring_name = "vault"
kms_key_name = "vault-init"
...
However, I'm doing a fresh deployment and came across the issue once again. I double-checked my terraform.tfvars file to make sure I have the correct values, and as you can see they are correct.
Is anyone else having this issue, and what is it related to? Did I miss a step?
Error: Error applying plan:
4 error(s) occurred:
* module.vault.google_storage_bucket_object.vault-tls-key: 1 error(s) occurred:
* google_storage_bucket_object.vault-tls-key: Error, either "content" or "source" must be specified
* module.vault.google_storage_bucket_object.vault-sa-key: 1 error(s) occurred:
* google_storage_bucket_object.vault-sa-key: Error, either "content" or "source" must be specified
* module.vault.google_storage_bucket_object.vault-ca-cert: 1 error(s) occurred:
* google_storage_bucket_object.vault-ca-cert: Error, either "content" or "source" must be specified
* module.vault.google_storage_bucket_object.vault-tls-cert: 1 error(s) occurred:
* google_storage_bucket_object.vault-tls-cert: Error, either "content" or "source" must be specified
The default for the tls_ca_subject is throwing an error during validation.
This default value is not compatible with the variable's type constraint: all map elements must have the same type.
The street_address in the map is an array and all the other values are strings, so I'm assuming that is the issue right there.
https://github.com/terraform-google-modules/terraform-google-vault/blob/master/variables.tf#L240
Running terraform v0.12.1
Not working!
module.vault.google_service_account_key.vault-admin: google_service_account_key.vault-admin: Error reading Service Account Key "projects/xxxxxxx/serviceAccounts/[email protected]/keys/bcb59907af2222638ccc9d35addccdf7b0d1eb44": googleapi: Error 403: Permission iam.serviceAccountKeys.get is required to perform this operation on service account key projects/xxxxxxx/serviceAccounts/[email protected]/keys/bcb59907af2222638ccc9d35addccdf7b0d1eb44., forbidden
While [email protected] has Owner permissions.
Has anyone got this project working?
I'm not sure if there are any security considerations or other reasons behind the creation of a dedicated network/subnetwork in this module. I would like to know the reasons if there are any. Otherwise we can probably work on adding the ability to choose whether to use a dedicated network or a custom network.
The error is googleapi: Error 403: The caller does not have permission, forbidden when calling the IAM API, while I am owner of the project.
I've been trying to get vault-on-gce running in a brand new project I am owner of. However, I've run into several issues. For instance, I've had to add several roles to the created service account (vault-admin). Additionally, because of the lack of dependencies in the vault-server module, the startup script for the GCE instance fails, as the service account used on that instance does not yet have the permissions to authenticate and upload to GStorage. So every time I've run this, I've had to do a rolling restart of the instance group.
Similarly, in the steps laid out here, I've found that I cannot run this command:
JWT_TOKEN=$(gcloud beta iam service-accounts sign-jwt login_request.json \
signed_jwt.json \
--iam-account=${SERVICE_ACCOUNT} && cat signed_jwt.json)
without running gcloud auth login and giving myself the Service Account Token Creator role.
After resolving that, this command fails:
vault write -field=token auth/gcp/login role=dev-role jwt=${JWT_TOKEN} > ~/.vault-token
with an error stating the key used to sign the JWT Token does not exist. It looks like the JWT was signed using a service account key that doesn't exist and is not visible on the Service Account UI in the cloud console.
This is the redacted error:
* service account key 'projects/{PROJECT}/serviceAccounts/vault-admin@{PROJECT}.iam.gserviceaccount.com/keys/{NON_EXISTANT_KEY_ID}' does not exist: googleapi: Error 403: Permission iam.serviceAccountKeys.get is required to perform this operation on service account key projects/{PROJECT}/serviceAccounts/vault-admin@{PROJECT}.iam.gserviceaccount.com/keys/{NON_EXISTANT_KEY_ID}., forbidden
How can I resolve this issue?
We should not be encouraging SSH onto the Vault nodes in general, and allowing SSH from 0.0.0.0/0 by default seems especially not great since a single change to the forwarding rule ports could make Vault SSH public. Since #81 is merged and users can address the vault network via outputs, it makes sense to deny SSH by default and allow users to add that firewall rule if they need access for testing; otherwise we should only encourage configuring via HTTP.
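As an added illustration of the deny-by-default posture described above (this is not the module's code), the permissive rule the issue objects to sits beside a pair of rules that only admit Identity-Aware Proxy TCP forwarding and explicitly deny everything else. The resource names, the `google_compute_network.vault` reference and the `vault` target tag are assumptions; 35.235.240.0/20 is Google's documented IAP source range, and callers still need roles/iap.tunnelResourceAccessor to use the tunnel.

```hcl
# Weak: port 22 reachable from the entire internet (the default the issue describes).
resource "google_compute_firewall" "vault_ssh_public" {
  name    = "vault-allow-ssh-public"                # assumed name
  network = google_compute_network.vault.self_link  # assumed network resource

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["vault"]  # assumed instance tag
}

# Hardened: no public SSH ingress at all. Operators reach a node with
# `gcloud compute ssh --tunnel-through-iap`, so only the IAP proxy range is allowed.
resource "google_compute_firewall" "vault_ssh_iap" {
  name    = "vault-allow-ssh-iap"
  network = google_compute_network.vault.self_link

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  # 35.235.240.0/20 is the documented source range for IAP TCP forwarding.
  source_ranges = ["35.235.240.0/20"]
  target_tags   = ["vault"]
}

# Explicit deny at a lower priority than the IAP allow (higher number = lower
# priority), so that SSH only becomes public through a deliberate, visible change.
resource "google_compute_firewall" "vault_ssh_deny" {
  name     = "vault-deny-ssh"
  network  = google_compute_network.vault.self_link
  priority = 65000

  deny {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"]
  target_tags   = ["vault"]
}
```

When consuming the module rather than writing the rules yourself, the same posture is `ssh_allowed_cidrs = []` on the module block, with the IAP rule added outside it.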
After a successful terraform apply, Vault is never installed on the created machine. Inspecting the logs reveals the root problem:
vault-us-east1-jvv9 login: Oct 1 18:29:06 vault-us-east1-jvv9 startup-script: INFO startup-script: E: The repository 'http://packages.cloud.google.com/apt google-cloud-monitoring-buster Release' does not have a Release file.
Taking a look at Google's repository I can see entries for jessie and stretch, but not buster, so perhaps a downgrade is necessary.
OSX doesn't have the md5sum tool by default, so the gcpkms-encrypt.sh script fails to execute successfully.
The tool can be easily installed using brew install md5sha1sum, but there's no mention of this anywhere.
Outputting the NAT IPs will help to configure other resources via Terraform that can depend on this value.
For example, the NAT IPs can be whitelisted in the firewall to allow Vault to reach, say, databases for managing the database secrets engine.
Right now, we have to manually go and fetch the IPs from the Google Cloud Console and insert them in the Terraform files.
The instance startup script runs the gcloud command to generate and save the service account JSON for the GCP auth plugin. If the instance is recreated, the boot disk is lost and this action is run again.
Terraform should generate the service account key JSON through an external resource, encrypt it and store it in the assets bucket, like how the TLS certs are handled.
resource "google_project_iam_policy" "vault" {
  project     = "${var.project_id}"
  policy_data = "${data.google_iam_policy.vault.policy_data}"
}
Which causes a problem: when you destroy Vault using Terraform it will restore the project IAM policy to the state that existed before destroying.
That means all the new IAM policies that were created during the period from when Vault was created by Terraform until the time Vault was destroyed are going to be gone!
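An added example (0.12 syntax, not the module's code) of the authoritative binding pattern the issue describes beside the additive alternative: `google_project_iam_policy` owns the entire project policy, so destroying it rewrites the whole policy and bindings added outside Terraform in the meantime are lost, whereas `google_project_iam_member` owns exactly one binding and removes only that on destroy. The service account resource, `var.project_id` and the role list are assumptions.

```hcl
# Authoritative: Terraform manages the complete project policy. Any binding that was
# added by hand (or by another pipeline) while this resource existed is not in
# policy_data, so it is silently dropped on the next apply and on destroy.
data "google_iam_policy" "vault" {
  binding {
    role    = "roles/iam.serviceAccountTokenCreator"
    members = ["serviceAccount:${google_service_account.vault_admin.email}"]  # assumed SA
  }
}

resource "google_project_iam_policy" "vault" {
  project     = var.project_id
  policy_data = data.google_iam_policy.vault.policy_data
}

# Additive: one resource per (role, member) pair. Destroying the module removes
# only these bindings and leaves the rest of the project policy untouched.
locals {
  # Assumed role set for the Vault admin service account; adjust to what the
  # deployment actually needs (least privilege).
  vault_admin_roles = [
    "roles/iam.serviceAccountTokenCreator",
    "roles/cloudkms.cryptoKeyEncrypterDecrypter",
    "roles/storage.objectAdmin",
  ]
}

resource "google_project_iam_member" "vault_admin" {
  for_each = toset(local.vault_admin_roles)

  project = var.project_id
  role    = each.value
  member  = "serviceAccount:${google_service_account.vault_admin.email}"
}
```

Note that `google_project_iam_binding` sits in between: it is authoritative for a single role, so it can still evict other members of that role.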
Hi
I'm setting the Terraform variables on the plan and apply, but getting the following error message. Using the default settings on the example repo with the hard-coded US-based regions and zone works, but setting the location variables to europe-west2 seems to be causing issues:
Error applying plan:
4 error(s) occurred:
google_storage_bucket.vault: 1 error(s) occurred:
google_storage_bucket.vault: project: required field is not set
google_service_account.vault-admin: 1 error(s) occurred:
google_service_account.vault-admin: project: required field is not set
google_storage_bucket.vault-assets: 1 error(s) occurred:
google_storage_bucket.vault-assets: project: required field is not set
module.vault-server.google_compute_firewall.default-ssh: 1 error(s) occurred:
google_compute_firewall.default-ssh: project: required field is not set
I ran the terraform scripts previously 2 weeks ago and everything worked fine. Running them again today I end up with variations of
* module.vault.data.external.sa-key: data.external.sa-key: failed to execute "/home/robert/terraform-google-vault/examples/vault-on-gce/.terraform/modules/85d849467b2166b96780a48cb9f6e5d7/get_sa_key.sh": fork/exec /home/robert/terraform-google-vault/examples/vault-on-gce/.terraform/modules/85d849467b2166b96780a48cb9f6e5d7/get_sa_key.sh: no such file or directory
I've verified that these scripts exist at the exact location specified. Any idea what's wrong?
Warning: module.vault.module.vault-server.google_compute_instance_group_manager.default: "auto_healing_policies": [DEPRECATED] This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.
Warning: module.vault.module.vault-server.google_compute_instance_group_manager.default: "rolling_update_policy": [DEPRECATED] This field is in beta and will be removed from this provider. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.
Warning: module.vault.module.vault-server.google_compute_instance_template.default: "network_interface.0.address": [DEPRECATED] Please use network_ip
If I run a plan after a clean apply, I get this diff:
# module.vault.data.external.vault-tls-key-encrypted[0] will be read during apply
# (config refers to values not yet known)
<= data "external" "vault-tls-key-encrypted" {
+ id = (known after apply)
+ program = [
+ ".terraform/modules/vault/terraform-google-modules-terraform-google-vault-88211c5/scripts/gcpkms-encrypt.sh",
]
+ query = {
+ "data" = "[redacted]"
+ "key" = "vault-init"
+ "keyring" = "vault"
+ "location" = "europe-west2"
+ "project" = "[redacted]"
+ "root" = ".terraform/modules/vault/terraform-google-modules-terraform-google-vault-88211c5"
}
+ result = (known after apply)
}
# module.vault.google_storage_bucket_object.vault-private-key[0] must be replaced
-/+ resource "google_storage_bucket_object" "vault-private-key" {
bucket = "[redacted]-vault-data"
~ content = (sensitive value)
~ content_type = "text/plain; charset=utf-8" -> (known after apply)
~ crc32c = "[redacted]" -> (known after apply)
~ detect_md5hash = "[redacted]" -> "different hash" # forces replacement
~ id = "[redacted]-vault-data-vault.key.enc" -> (known after apply)
~ md5hash = "[redacted (same as detect_md5hash)]==" -> (known after apply)
name = "vault.key.enc"
~ output_name = "vault.key.enc" -> (known after apply)
~ self_link = "https://www.googleapis.com/storage/v1/b/[redacted]-vault-data/o/vault.key.enc" -> (known after apply)
~ storage_class = "MULTI_REGIONAL" -> (known after apply)
}
This is my module config:
module "vault" {
source = "terraform-google-modules/vault/google"
version = "3.0.0"
project_id = var.google_project
region = var.google_region
storage_bucket_location = "eu"
tls_ca_subject = {[redacted]}
tls_cn = "vault.[redacted]"
tls_dns_names = ["vault.[redacted]"]
}
(let me know if i over-redacted. there's no interpolation in any of the values, they are all just static string literals)
The README.md states "You can alter the load balancer to be an internal-only load balancer if needed" (https://github.com/terraform-google-modules/terraform-google-vault/blob/master/README.md#faq). However, there is no guidance on how this would be done.
Looking at the module, it appears to be hard-coded. This implies that having an internal-only load balancer requires forking the module, which is less than ideal.
(terraform-google-vault/servers.tf, line 104 in 9a8512f)
If I am mistaken, is it possible to include some guidance on how to achieve this or if it doesn't currently support this, can support for an Internal LB be added? Thanks
The README.md refers to setting min_num_vault_servers, but the actual variable is vault_min_num_servers.
Thanks for the helpful module. I was wondering how you would update/upgrade Vault in this model without losing data and interrupting the service?
Hi there,
In an attempt to perform terraform apply/plan, an error message indicates that there is a missing reference in the code, in particular as follows:
Error: Missing resource instance key
on tls.tf line 124, in resource "google_storage_bucket_object" "vault-private-key":
124: content = data.google_kms_secret_ciphertext.vault-tls-key-encrypted.ciphertext
Because data.google_kms_secret_ciphertext.vault-tls-key-encrypted has "count"
set, its attributes must be accessed on specific instances.
For example, to correlate with indices of a referring resource, use:
data.google_kms_secret_ciphertext.vault-tls-key-encrypted[count.index]
The line is referencing the ciphertext call that doesn't look to have been assigned:
# Encrypt server key with GCP KMS
data "google_kms_secret_ciphertext" "vault-tls-key-encrypted" {
count = local.manage_tls_count
crypto_key = google_kms_crypto_key.vault-init.self_link
plaintext = tls_private_key.vault-server[0].private_key_pem
}
resource "google_storage_bucket_object" "vault-private-key" {
count = local.manage_tls_count
name = var.vault_tls_key_filename
content = data.google_kms_secret_ciphertext.vault-tls-key-encrypted.ciphertext
bucket = local.vault_tls_bucket
depends_on = [google_storage_bucket.vault]
lifecycle {
ignore_changes = [
content,
]
}
}
As this looks to be a 0.12+ requirement, is there any way around this?
Thanks for the work!
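An added example (not the module's code) of the two fixes the error message above points at: index the counted data source with `count.index`, and, because that data source is deprecated in favour of a resource (the provider warning quoted earlier on this page), perform the encryption with the `google_kms_secret_ciphertext` resource. Names follow the snippet in the issue; `local.manage_tls_count`, `google_kms_crypto_key.vault-init`, `tls_private_key.vault-server` and the bucket locals are assumed to be defined as there.

```hcl
# Encrypt the server key with Cloud KMS using the resource form. Unlike the
# external-script approach, the resource stores its ciphertext in state and does
# not re-encrypt on every plan, so the bucket object no longer shows as "must be
# replaced" on a clean re-plan. The plaintext is also held in state as a sensitive
# value, so the state backend itself must be protected (restricted IAM on the
# state bucket, no state in version control).
resource "google_kms_secret_ciphertext" "vault-tls-key-encrypted" {
  count = local.manage_tls_count

  # .id has the projects/.../cryptoKeys/... form the resource expects.
  crypto_key = google_kms_crypto_key.vault-init.id
  plaintext  = tls_private_key.vault-server[count.index].private_key_pem
}

resource "google_storage_bucket_object" "vault-private-key" {
  count = local.manage_tls_count

  name   = var.vault_tls_key_filename
  bucket = local.vault_tls_bucket

  # The encrypting resource is counted, so it must be addressed per instance.
  # count.index keeps the two resources aligned whether manage_tls_count is 0 or 1.
  content = google_kms_secret_ciphertext.vault-tls-key-encrypted[count.index].ciphertext

  depends_on = [google_storage_bucket.vault]

  lifecycle {
    # Kept from the module: a re-encryption of the same key yields a different
    # ciphertext, and ignoring that drift avoids needless object replacement.
    # The trade-off is that a rotated private key is only re-uploaded after the
    # object is tainted or the name changes, so key rotation must account for it.
    ignore_changes = [content]
  }
}
```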
Can we update the default version of vault to support secrets?
In this example the version is 0.9.5.
https://www.youtube.com/watch?v=TEPuFFZdmfA
variable vault_version {
description = "The version of vault to install."
default = "0.9.0"
}
I was wondering what extra config would be required to add a load balancer and an ASG that would scale out automatically based on CPU usage?
What source should I use on this example? The original is commented out and when I put it back in I get this error:
Downloading github.com/GoogleCloudPlatform/terraform-google-vault for vault...
- vault in .terraform/modules/vault
There are some problems with the configuration, described below.
The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.
Error: Invalid default value for variable
on .terraform/modules/vault/variables.tf line 272, in variable "tls_ca_subject":
272: default = {
273: common_name = "Example Inc. Root"
274: organization = "Example, Inc"
275: organizational_unit = "Department of Certificate Authority"
276: street_address = ["123 Example Street"]
277: locality = "The Intranet"
278: province = "CA"
279: country = "US"
280: postal_code = "95559-1227"
281: }
This default value is not compatible with the variable's type constraint: all
map elements must have the same type.
In the documentation it states that the address can be output using the following call,
terraform output -module=vault vault_addr
however, it returns an error:
Error: Unsupported option
The -module option is no longer supported since Terraform 0.12, because now
only root outputs are persisted in the state.
The Terraform docs warn not to use the external data source (and they have even removed the link to it in the original docs about the types of data source providers). I was wondering, was there a good reason to choose the external data source?
network and subnetwork are listed as input variables for terraform-google-vault, but neither of them is used. When attempting to use them they are ignored:
module "vault" {
  source           = "github.com/GoogleCloudPlatform/terraform-google-vault"
  project_id       = "${var.project_id}"
  region           = "${var.region}"
  zone             = "${var.zone}"
  storage_bucket   = "${var.storage_bucket}"
  kms_keyring_name = "${var.kms_keyring_name}"
  network          = "foo"
  subnetwork       = "bar"
}
The expectation was that something other than null would be returned while running terraform init.
Many users have strict requirements about systems reaching out to the internet. Private Google Access alleviates some of these concerns, but in this module the NAT and external IP are generated by default with no way to override.
To address these concerns, we should:
allow_public_egress
curl calls. Possibly pass in an http_proxy to the script
Following the solution guide https://cloud.google.com/solutions/using-vault-for-secret-management, I got the following error when running the vault unseal command.
Error checking seal status: Get https://127.0.0.1:8200/v1/sys/seal-status: x509: certificate signed by unknown authority
I made sure these variables were set, but I must be missing something.
export VAULT_ADDR=https://127.0.0.1:8200
export VAULT_CACERT=/etc/vault/vault-server.ca.crt.pem
export VAULT_CLIENT_CERT=/etc/vault/vault-server.crt.pem
export VAULT_CLIENT_KEY=/etc/vault/vault-server.key.pem
terraform plan
Error: Invalid default value for variable
on ../../variables.tf line 76, in variable "tls_ca_subject":
76: default = {
77: common_name = "Example Inc. Root"
78: organization = "Example, Inc"
79: organizational_unit = "Department of Certificate Authority"
80: street_address = ["123 Example Street"]
81: locality = "The Intranet"
82: province = "CA"
83: country = "US"
84: postal_code = "95559-1227"
85: }
This default value is not compatible with the variable's type constraint: all
map elements must have the same type.
Changing the street_address type to String fixes the issue.
In regards to:
terraform-google-vault/network.tf
Line 23 in cfcd7b5
I think IPs are global and Cloud NATs are regional (multizone), so I don't completely understand why we want two NAT IPs for outbound traffic... probably I'm missing something, but just in case, we can change this...
Deploying the latest vault module (Master):
module "vault" {
source = "github.com/terraform-google-modules/terraform-google-vault?ref=810e6d1559b68023a84379f518dbfa5c0f15253a"
project_id = "old"
...
Run plan/apply, then change the project_id to something else, such as 'new'; plan+apply causes this error:
1 error occurred:
* module.vault.google_compute_region_instance_group_manager.vault: 1 error occurred:
* google_compute_region_instance_group_manager.vault: Error waiting for Creating InstanceGroupManager: The user does not have access to service account '[email protected]'. User: 'terraform@<redacted>.iam.gserviceaccount.com'. Ask a project owner to grant you the iam.serviceAccountUser role on the service account
The expected behaviour is that the resource would be changed or recreated to match the new project_id.
I'm running the module using the following arguments:
# project configurations
project_id = "<project_id>"
region = "europe-west1"
# KMS configuration
kms_location = "europe-west1"
# storage location
storage_bucket_class = "REGIONAL"
storage_bucket_location = "europe-west1"
# version
vault_version = "1.2.2"
I find myself in the interesting position where, because the instance is unhealthy behind the load balancer, the steps in the readme:
$ export VAULT_ADDR="$(terraform output vault_addr)"
$ export VAULT_CACERT="$(pwd)/ca.crt"
$ vault operator init \
-recovery-shares 5 \
-recovery-threshold 3
cannot be executed, because I do not have access to any of the instances outside of the LB.
No worries, I thought. SSH to the rescue, but using the same credentials, I am unable to even get the vault status without getting a 404 of this form:
Error checking seal status: Error making API request.
URL: GET http://127.0.0.1/v1/sys/seal-status
Code: 404. Raw Message:
<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.10.3</center>
</body>
</html>
Is there some simple step I am missing to be able to perform the vault operator init step?
Managed instance group for Vault server does not have a health check. If the instance is non-responsive, it's not automatically restarted.
Need an http -> https proxy to support GCE instance HTTP health checks to the Vault REST API.
Example proxy upstream URI:
https://127.0.0.1:8200/v1/sys/health?standbyok=true&sealedcode=200
An alternative to bastion could be Identity Aware proxy with ssh tunnel.
The Vault nodes are not publicly accessible. They do have SSH enabled, but require a bastion host on their dedicated network to access. You can disable SSH access entirely by setting ssh_allowed_cidrs to the empty list.
While experimenting with this module, I've noticed the following issue:
after removing the module from my Terraform config and the state, terraform apply fails with a bunch of errors that look like the one below.
In the Terraform state, all GCP resources reference the provider defined in the module, which does not exist after the module is deleted. The only way to remove the resources was using terraform destroy -target=... and listing the Vault resources one by one.
Error: Provider configuration not present
To work with module.vault.module.vault.google_kms_crypto_key_iam_member.ck-iam
its original provider configuration at
module.vault.module.vault.provider.google is required, but it has been
removed. This occurs when a provider configuration is removed while objects
created by that provider still exist in the state. Re-add the provider
configuration to destroy
module.vault.module.vault.google_kms_crypto_key_iam_member.ck-iam, after which
you can remove the provider configuration again.
Hi, I'm curious what the recommended version to use for Terraform 0.11 is? I've not been able to move to 0.12 due to blocks in other modules I'm reliant upon, but the README.md doesn't have any guidance on what version to choose.
I took a quick poke around the commits, and I'm guessing 2.1.0, but wanted to get your feel for it before committing.
I'm getting this error message after a terraform plan
Error: Error refreshing state: 1 error(s) occurred:
* module.vault.module.vault-server.data.google_compute_instance_group.zonal: 1 error(s) occurred:
* module.vault.module.vault-server.data.google_compute_instance_group.zonal: data.google_compute_instance_group.zonal: project: required field is not set
When I run "terraform apply" it completes, but the startup.sh.tpl contents have not run. In the VM instance detail page I can see the startup-script with the startup.sh.tpl contents, but I don't know why startup.sh.tpl doesn't run. Can anyone help me with this issue? Thanks!
Note this issue is related to #34 but I am getting a slightly different error.
Problem: When attempting to use the vault-on-gce example I get the following errors after executing terraform plan.
Error: module.vault.module.vault-server.google_compute_instance_group_manager.default: "auto_healing_policies.0.initial_delay_sec": [REMOVED] This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.
Error: module.vault.module.vault-server.google_compute_instance_group_manager.default: "rolling_update_policy": [REMOVED] This field is in beta. Use it in the the google-beta provider instead. See https://terraform.io/docs/providers/google/provider_versions.html for more details.
Error: module.vault.module.vault-server.google_compute_instance_template.default: "network_interface.0.address": [REMOVED] Please use network_ip
Attempted fixes:
I attempted to execute the terraform execution in the context of google cloud shell to see if there was perhaps something unique about my local environment but that did not change the outcome.
Reading the error and the associated documentation link, it appears to me that I should be able to switch from the google provider to the google-beta provider to resolve this issue. I edited the following line to be google-beta.
This did not resolve the issue. I still see the google provider being provisioned during terraform init. I am fairly new to Terraform, and in reading about the plugin system it seems there isn't a straightforward way to remove old providers.
To help mitigate the potential of an old version of the google provider being the issue, I started over again in a new folder, as Terraform will provision providers only for the current working directory. However, when I execute terraform init I still see the google provider being initialized.
* provider.google: version = "~> 2.0"
* provider.google-beta: version = "~> 2.0"
Attempting terraform plan after the initialization in a new folder still triggers the same error.
I searched through the remainder of the codebase in the hope that I would find a call to the original google provider but I haven't been able to find anything. This is literally my first time using terraform, I very well may be chasing the wrong issue.
System information:
I would like to have Vault in an HA cluster backed by Consul as a module
Setting vault_ui_enabled to true does not enable the UI for me. No matter what value I try setting it to, the instance template sets it to false. I have a workaround/fix and would be happy to submit a merge request, but first wanted to verify this is not a problem with the way I'm doing things.
(gcp-vault) C02VJ7T0HTD6:gcp-vault cworden$ terraform version
Terraform v0.11.11
+ provider.external v1.0.0
+ provider.google v2.1.0
+ provider.local v1.1.0
+ provider.template v2.1.0
+ provider.tls v1.2.0
{
"Modules": [
{
"Source": "terraform-google-modules/vault/google",
"Key": "1.vault;terraform-google-modules/vault/google.2.0.0",
"Version": "2.0.0",
"Dir": ".terraform/modules/61e6366303a658a4103537a91df0988a",
"Root": "terraform-google-modules-terraform-google-vault-c403901"
}
]
}
main.tf:
module "vault" {
source = "terraform-google-modules/vault/google"
version = "2.0.0"
project_id = "${var.project_id}"
kms_keyring = "${var.kms_keyring}"
network_subnet_cidr_range = "${var.network_subnet_cidr_range}"
project_services = "${var.project_services}"
region = "${var.region}"
ssh_allowed_cidrs = "${var.ssh_allowed_cidrs}"
storage_bucket_force_destroy = "${var.storage_bucket_force_destroy}"
storage_bucket_name = "${var.storage_bucket_name}"
tls_ca_subject = "${var.tls_ca_subject}"
tls_cn = "${var.tls_cn}"
tls_dns_names = "${var.tls_dns_names}"
tls_ips = "${var.tls_ips}"
tls_ou = "${var.tls_ou}"
vault_allowed_cidrs = "${var.vault_allowed_cidrs}"
vault_args = "${var.vault_args}"
vault_instance_labels = "${var.vault_instance_labels}"
vault_instance_metadata = "${var.vault_instance_metadata}"
vault_instance_tags = "${var.vault_instance_tags}"
vault_log_level = "${var.vault_log_level}"
vault_machine_type = "${var.vault_machine_type}"
vault_max_num_servers = "${var.vault_max_num_servers}"
vault_min_num_servers = "${var.vault_min_num_servers}"
vault_ui_enabled = "${var.vault_ui_enabled}"
vault_version = "${var.vault_version}"
vault_tls_disable_client_certs = "${var.vault_tls_disable_client_certs}"
}
Relevant line of vars.tf:
variable "vault_ui_enabled" {
default = true
}
An instance template is created in GCP with the configuration setting ui set to true
startup-script snippet:
# Vault config
mkdir -p /etc/vault.d
cat <<"EOF" > /etc/vault.d/config.hcl
# Run Vault in HA mode. Even if there's only one Vault node, it doesn't hurt to
# have this set.
api_addr = "https://XXXXXX:8200"
cluster_addr = "https://LOCAL_IP:8201"
# Set debugging level
log_level = "warn"
# Enable the UI
ui = true
# Enable auto-unsealing with Google Cloud KMS
seal "gcpckms" {
project = "XXXXXX"
region = "us-west1"
key_ring = "vault_keyring1"
crypto_key = "vault-init"
}
An instance template is created in GCP with the configuration setting ui set to false
startup-script snippet:
# Vault config
mkdir -p /etc/vault.d
cat <<"EOF" > /etc/vault.d/config.hcl
# Run Vault in HA mode. Even if there's only one Vault node, it doesn't hurt to
# have this set.
api_addr = "https://XXXXXX:8200"
cluster_addr = "https://LOCAL_IP:8201"
# Set debugging level
log_level = "warn"
# Enable the UI
ui = false
# Enable auto-unsealing with Google Cloud KMS
seal "gcpckms" {
project = "XXXXXX"
region = "us-west1"
key_ring = "vault_keyring1"
crypto_key = "vault-init"
}
I played around with this for a while and found that the ternary in config.hcl.tpl always results in the second value (false) no matter the value of vault_ui_enabled. If I switched true to false and vice versa in the ternary, no matter the value of vault_ui_enabled, the resulting startup-script would have ui = true.
Relevant snippet from config.hcl.tpl:
# Enable the UI
ui = ${vault_ui_enabled == 1 ? true : false}
If I move the ternary to the data "template_file" section of main.tf, everything works as expected for me.
So config.hcl.tpl becomes:
# Run Vault in HA mode. Even if there's only one Vault node, it doesn't hurt to
# have this set.
api_addr = "https://${lb_ip}:${vault_port}"
cluster_addr = "https://LOCAL_IP:8201"
# Set debugging level
log_level = "${vault_log_level}"
# Enable the UI
ui = ${vault_ui_enabled}
# Enable auto-unsealing with Google Cloud KMS
seal "gcpckms" {
project = "${kms_project}"
region = "${kms_location}"
key_ring = "${kms_keyring}"
crypto_key = "${kms_crypto_key}"
}
...
and main.tf becomes:
...
# Compile the Vault configuration.
data "template_file" "vault-config" {
template = "${file("${format("%s/scripts/config.hcl.tpl", path.module)}")}"
vars {
kms_project = "${var.project_id}"
kms_location = "${google_kms_key_ring.vault.location}"
kms_keyring = "${google_kms_key_ring.vault.name}"
kms_crypto_key = "${google_kms_crypto_key.vault-init.name}"
lb_ip = "${google_compute_address.vault.address}"
storage_bucket = "${google_storage_bucket.vault.name}"
vault_log_level = "${var.vault_log_level}"
vault_port = "${var.vault_port}"
vault_tls_disable_client_certs = "${var.vault_tls_disable_client_certs}"
vault_ui_enabled = "${var.vault_ui_enabled == 1 ? true : false}"
}
}
Hi,
It would be much more seamless to have a note (if I haven't missed it) on the required permissions of the service account from the examples. I am trying them one by one currently.
Cheers