forked from acsnow/terraform-gcp-vault
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathinstall_vault.sh.tpl
100 lines (76 loc) · 3.15 KB
/
install_vault.sh.tpl
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
#!/usr/bin/env bash
export instance_id="$(curl -s http://metadata.google.internal/computeMetadata/v1/instance/id -H Metadata-Flavor:Google)"
export local_ipv4="$(curl -s http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip -H Metadata-Flavor:Google)"
# install package
curl -fsSL https://apt.releases.hashicorp.com/gpg | apt-key add -
apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
apt-get update
apt-get install -y vault-enterprise=${vault_version}+ent-1 jq
#RHEL installation information
#yum install -y yum-utils
#yum-config-manager --add-repo https://rpm.releases.hashicorp.com/RHEL/hashicorp.repo
#yum -y install vault-enterprise-${vault_version}+ent-1 jq
systemctl stop firewalld
systemctl disable firewalld
echo "Configuring system time"
timedatectl set-timezone UTC
# removing any default installation files from /opt/vault/tls/
rm -rf /opt/vault/tls/*
# /opt/vault/tls should be readable by all users of the system
chmod 0755 /opt/vault/tls
# vault-key.pem should be readable by the vault group only
touch /opt/vault/tls/vault-key.pem
chown root:vault /opt/vault/tls/vault-key.pem
chmod 0640 /opt/vault/tls/vault-key.pem
secret_result=$(gcloud secrets versions access latest --secret=${tls_secret_id})
jq -r .vault_cert <<< "$secret_result" | base64 -d > /opt/vault/tls/vault-cert.pem
jq -r .vault_ca <<< "$secret_result" | base64 -d > /opt/vault/tls/vault-ca.pem
jq -r .vault_pk <<< "$secret_result" | base64 -d > /opt/vault/tls/vault-key.pem
gsutil cp "gs://${gcs_bucket_vault_license}/${vault_license_name}" /opt/vault/vault.hclic
# vault.hclic should be readable by the vault group only
chown root:vault /opt/vault/vault.hclic
chmod 0640 /opt/vault/vault.hclic
cat << EOF > /etc/vault.d/vault.hcl
disable_performance_standby = true
ui = true
disable_mlock = true
storage "raft" {
path = "/opt/vault/data"
node_id = "$instance_id"
retry_join {
auto_join = "provider=gce tag_value=${resource_name_prefix}-vault"
auto_join_scheme = "https"
leader_tls_servername = "${leader_tls_servername}"
leader_ca_cert_file = "/opt/vault/tls/vault-ca.pem"
leader_client_cert_file = "/opt/vault/tls/vault-cert.pem"
leader_client_key_file = "/opt/vault/tls/vault-key.pem"
}
}
cluster_addr = "https://$local_ipv4:8201"
api_addr = "https://$local_ipv4:8200"
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = false
tls_cert_file = "/opt/vault/tls/vault-cert.pem"
tls_key_file = "/opt/vault/tls/vault-key.pem"
tls_client_ca_file = "/opt/vault/tls/vault-ca.pem"
}
seal "gcpckms" {
project = "${project}"
region = "${location}"
key_ring = "${key_ring}"
crypto_key = "${crypto_key}"
}
license_path = "/opt/vault/vault.hclic"
EOF
# vault.hcl should be readable by the vault group only
chown root:root /etc/vault.d
chown root:vault /etc/vault.d/vault.hcl
chmod 640 /etc/vault.d/vault.hcl
systemctl enable vault
systemctl start vault
echo "Setup Vault profile"
cat <<PROFILE | sudo tee /etc/profile.d/vault.sh
export VAULT_ADDR="https://127.0.0.1:8200"
export VAULT_CACERT="/opt/vault/tls/vault-ca.pem"
PROFILE