notes taken from hashicorp/vault#7471
My Vault config:
{
"ui": true,
"pid_file": "/run/vault/vault.pid",
"storage": {
"consul": {
"address": "unix:///var/local/consul/consul.sock"
}
},
"listener": {
"tcp": {
"address": "0.0.0.0:8200",
"tls_cert_file": "/etc/vault.d/server.cert",
"tls_key_file": "/etc/vault.d/server.key"
}
},
"seal": {
"awskms": {
"region": "eu-west-1",
"kms_key_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
My LB config (Terraform config, which I think is worth many words ;) )
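resource "aws_lb" "vault" {
  # Internal network load balancer in front of the Vault nodes. It is not
  # internet-facing; consumers reach it through aws_vpc_endpoint_service.vault.
  name               = "${var.project_name}-vault-nlb"
  internal           = true
  load_balancer_type = "network"

  # First-class expression instead of a "${...}"-wrapped list: the quoted form
  # relies on Terraform 0.12's deprecated single-interpolation conversion and
  # is inconsistent with the bare `var.tags` reference below.
  subnets = aws_subnet.main[*].id

  enable_cross_zone_load_balancing = true
  tags                             = var.tags
}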
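resource "aws_lb_target_group" "vault" {
  # TLS target group: the NLB re-encrypts to Vault's own TLS listener on 8200
  # (the tcp listener with tls_cert_file/tls_key_file in the Vault config), so
  # the certificate in /etc/vault.d is still what the targets present.
  name        = "${var.project_name}-vault-nlb-tg"
  port        = 8200
  protocol    = "TLS"
  vpc_id      = aws_vpc.vpc.id
  target_type = "instance"

  health_check {
    # NOTE(review): /v1/sys/health answers 200 only for an active, unsealed
    # node by default; standby and sealed nodes return non-2xx codes, so this
    # check will most likely drain standby nodes from the target group. If
    # standbys are meant to stay in rotation, Vault's documented
    # `?standbyok=true` query parameter is the knob — confirm the intended
    # topology before changing the path.
    path                = "/v1/sys/health"
    port                = "traffic-port"
    protocol            = "HTTPS"
    enabled             = true
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }

  tags = var.tags
}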
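resource "aws_acm_certificate" "certificate" {
  # Certificate presented by the NLB's TLS listener (aws_lb_listener.vault).
  domain_name       = var.domain_name
  validation_method = "DNS"
  tags              = var.tags

  # NOTE(review): DNS validation only completes once the validation CNAME
  # records exist and an aws_acm_certificate_validation resource waits on
  # them; neither is shown here — confirm they live elsewhere, otherwise the
  # listener may reference a certificate that is still pending issuance.
  lifecycle {
    # Issue the replacement before destroying the old certificate so the
    # listener never points at a certificate that no longer exists.
    create_before_destroy = true
  }
}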
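resource "aws_lb_listener" "vault" {
  # Listener side of the NLB: terminates TLS on 443 with the ACM certificate
  # and forwards, re-encrypted (the target group is TLS), to the Vault nodes.
  load_balancer_arn = aws_lb.vault.arn
  port              = 443
  protocol          = "TLS"

  # NOTE(review): ELBSecurityPolicy-2016-08 still negotiates TLS 1.0 and 1.1.
  # Unless legacy clients are required, a TLS 1.2-or-later policy (for
  # example ELBSecurityPolicy-TLS-1-2-2017-01, or a newer TLS 1.3 policy) is
  # the safer default. Left unchanged here because it affects client
  # compatibility — confirm which clients must reach this endpoint.
  ssl_policy      = "ELBSecurityPolicy-2016-08"
  certificate_arn = aws_acm_certificate.certificate.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vault.arn
  }
}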
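resource "aws_vpc_endpoint_service" "vault" {
  # Exposes the internal NLB as a PrivateLink endpoint service. With
  # acceptance_required = true, each consumer endpoint connection has to be
  # explicitly accepted by the service owner before traffic flows.
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.vault.arn]

  # NOTE(review): no allowed_principals is declared in this block. PrivateLink
  # consumers normally need both a principal permission and (here) an accepted
  # connection; confirm where the allowed principals are granted, and keep
  # that list as narrow as the consuming accounts require.
  tags = merge(var.tags, {
    "Name" = "${var.project_name}_vault_vpces"
  })
}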
also be aware of https://github.com/jen20/vault-health-checker