Terraform module to deploy Vault as a container on Google Cloud Run
This is a Terraform module to deploy a Vault instance on Google's Cloud Run service. Vault is an open-source secrets management tool that generally is run in a high-availability (HA) cluster. This implementation is a single instance with auto-unseal and no HA support. Cloud Run is a way to easily run a container on Google Cloud without an orchestrator. This module makes use of the following Google Cloud resources:
To get started, a Google Cloud Project is needed. This should be created ahead of time or using Terraform, but is outside the scope of this module. This project ID is provided to the module invocation and a basic implementation would look like the following:
provider "google" {}
data "google_client_config" "current" {}
module "vault" {
providers = {
google = google
}
source = "git::https://github.com/mbrancato/terraform-google-vault.git"
name = "vault"
project = data.google_client_config.current.project
location = data.google_client_config.current.region
vault_image = "us.gcr.io/${data.google_client_config.current.project}/vault:1.6.1"
}
After creating the resources, the Vault instance may be initialized.
Set the VAULT_ADDR
environment variable. See Vault URL.
$ export VAULT_ADDR=https://vault-jsn3uj5s1c-sg.a.run.app
Ensure the vault is operational (might take a minute or two), uninitialized and sealed.
$ vault status
Key Value
--- -----
Recovery Seal Type gcpckms
Initialized false
Sealed true
Total Recovery Shares 0
Threshold 0
Unseal Progress 0/0
Unseal Nonce n/a
Version n/a
HA Enabled false
Initialize the vault.
$ vault operator init
Recovery Key 1: ...
Recovery Key 2: ...
Recovery Key 3: ...
Recovery Key 4: ...
Recovery Key 5: ...
Initial Root Token: s....
Success! Vault is initialized
Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.
From here, Vault is operational. Configure the auth methods needed and other settings. The Cloud Run Service may scale the container to zero, but the server configuration and unseal keys are configured. When restarting, the Vault should unseal itself automatically using the Google KMS. For more information on deploying Vault, read Deploy Vault.
name
location
project
vault_image
bucket_force_destroy
(optional)false
container_concurrency
(optional)80
vpc_connector
(optional)null
vault_ui
(optional)false
vault_api_addr
(optional)""
vault_kms_keyring_name
(optional)"${var.name}-${lower(random_id.vault.hex)}-kr"
vault_kms_key_rotation
(optional)null
should disable rotation (not recommended)."7776000s"
(90 days)vault_kms_key_algorithm
(optional)"GOOGLE_SYMMETRIC_ENCRYPTION"
vault_kms_key_protection_level
(optional)"SOFTWARE"
vault_service_account_id
(optional)@
symbol.
"vault-sa"
vault_storage_bucket_name
(optional)"${var.name}-${lower(random_id.vault.hex)}-bucket"
The following things may be of concern from a security perspective:
PLEASE READ
Cloud Run will only run containers hosted on gcr.io
(GCR) and its subdomains.
This means that the Vault container will need to be pushed to GCR in the Google
Cloud Project. Terraform cannot currently create the container registry and it
is automatically created using docker push
. Read the
documentation
for more details on pushing containers to GCR.
A quick way to get Vault into GCR for a GCP project:
gcloud auth configure-docker
docker pull hashicorp/vault:latest
docker tag hashicorp/vault:1.6.1 gcr.io/{{ project_id }}/vault:1.6.1
docker push gcr.io/{{ project_id }}/vault:1.6.1