hashicorp · brikis98 · Feb 16, 2021 · Jan 26, 2021 · Jan 27, 2021 · Jan 27, 2021
@@ -1,6 +1,6 @@
 repos:
   - repo: https://github.com/gruntwork-io/pre-commit
-    rev:  v0.1.10
+    rev:  v0.1.12
     hooks:
       - id: terraform-fmt
       - id: gofmt
@@ -1,10 +1,10 @@
 {
-  "min_packer_version": "0.12.0",
+  "min_packer_version": "1.5.4",
   "variables": {
     "aws_region": "us-east-1",
-    "vault_version": "1.5.4",
+    "vault_version": "1.6.1",
     "consul_module_version": "v0.8.0",
-    "consul_version": "1.5.3",
+    "consul_version": "1.9.2",
     "consul_download_url": "{{env `CONSUL_DOWNLOAD_URL`}}",
     "vault_download_url": "{{env `VAULT_DOWNLOAD_URL`}}",
     "install_auth_signing_script": "true",

@@ -9,7 +9,7 @@ terraform {
 }
 
 # ---------------------------------------------------------------------------------------------------------------------
-# DEPLOY THE VAULT SERVER CLUSTER
+# DEPLOY THE DYNAMODB STORAGE BACKEND
 # ---------------------------------------------------------------------------------------------------------------------
 
 module "backend" {
@@ -19,6 +19,10 @@ module "backend" {
   write_capacity = var.dynamo_write_capacity
 }
 
+# ---------------------------------------------------------------------------------------------------------------------
+# DEPLOY THE VAULT SERVER CLUSTER
+# ---------------------------------------------------------------------------------------------------------------------
+
 module "vault_cluster" {
   # When using these modules in your own templates, you will need to use a Git URL with a ref attribute that pins you
   # to a specific version of the modules, such as the following example:
@@ -32,6 +36,11 @@ module "vault_cluster" {
   ami_id    = var.ami_id
   user_data = data.template_file.user_data_vault_cluster.rendered
 
+  # Enable S3 storage backend
+  enable_s3_backend       = true
+  s3_bucket_name          = var.s3_bucket_name
+  force_destroy_s3_bucket = var.force_destroy_s3_bucket
+
   vpc_id     = data.aws_vpc.default.id
   subnet_ids = data.aws_subnet_ids.default.ids
 
@@ -44,16 +53,23 @@ module "vault_cluster" {
   allowed_inbound_security_group_count = 0
   ssh_key_name                         = var.ssh_key_name
 
+  # Enable DynamoDB high availability storage backend
   enable_dynamo_backend = true
   dynamo_table_name     = var.dynamo_table_name
 }
 
+# ---------------------------------------------------------------------------------------------------------------------
+# THE USER DATA SCRIPT THAT WILL RUN ON EACH VAULT SERVER WHEN IT'S BOOTING
+# This script will configure and start Vault
+# ---------------------------------------------------------------------------------------------------------------------
+
 data "template_file" "user_data_vault_cluster" {
   template = file("${path.module}/user-data-vault.sh")
 
   vars = {
     aws_region        = data.aws_region.current.name
     dynamo_table_name = var.dynamo_table_name
+    s3_bucket_name    = var.s3_bucket_name
   }
 }
 

@@ -20,4 +20,7 @@ readonly VAULT_TLS_KEY_FILE="/opt/vault/tls/vault.key.pem"
   --dynamo-table "${dynamo_table_name}" \
   --dynamo-region "${aws_region}" \
   --tls-cert-file "$VAULT_TLS_CERT_FILE" \
-  --tls-key-file "$VAULT_TLS_KEY_FILE"
+  --tls-key-file "$VAULT_TLS_KEY_FILE" \
+  --enable-s3-backend \
+  --s3-bucket "${s3_bucket_name}" \
+  --s3-bucket-region "${aws_region}"
@@ -65,3 +65,15 @@ variable "dynamo_write_capacity" {
   description = "Sets the DynamoDB write capacity for storage backend"
   default     = 5
 }
+
+variable "s3_bucket_name" {
+  description = "The name of an S3 bucket to create and use as a storage backend (if configured). Note: S3 bucket names must be *globally* unique."
+  type        = string
+  default     = "my-vault-bucket"
+}
+
+variable "force_destroy_s3_bucket" {
+  description = "If you set this to true, when you run terraform destroy, this tells Terraform to delete all the objects in the S3 bucket used for backend storage (if configured). You should NOT set this to true in production or you risk losing all your data! This property is only here so automated tests of this module can clean up after themselves."
+  type        = bool
+  default     = false
+}
@@ -86,4 +86,3 @@ variable "force_destroy_s3_bucket" {
   type        = bool
   default     = false
 }
-
Original file line number	Diff line number	Diff line change
Expand Up		@@ -86,4 +86,3 @@ variable "force_destroy_s3_bucket" {
		type = bool
		default = false
		}