diff --git a/modules/cluster/main.tf b/modules/cluster/main.tf
index 2692aa0..711714f 100644
--- a/modules/cluster/main.tf
+++ b/modules/cluster/main.tf
@@ -43,6 +43,44 @@ data "google_compute_zones" "available" {
 region = var.region
 }
 
+resource "terraform_data" "startup_script" {
+ input = templatefile("${path.module}/templates/startup.sh.tpl",
+ {
+ custom_http_proxy = var.http_proxy
+ service_account_email = var.vault_service_account_email
+ internal_lb = local.use_internal_lb
+ vault_args = var.vault_args
+ vault_port = var.vault_port
+ vault_proxy_port = var.vault_proxy_port
+ vault_version = var.vault_version
+ vault_tls_bucket = local.vault_tls_bucket
+ vault_ca_cert_filename = var.vault_ca_cert_filename
+ vault_tls_key_filename = var.vault_tls_key_filename
+ vault_tls_cert_filename = var.vault_tls_cert_filename
+ kms_project = var.vault_tls_kms_key_project == "" ? var.project_id : var.vault_tls_kms_key_project
+ kms_crypto_key = local.vault_tls_kms_key
+ user_startup_script = var.user_startup_script
+ # Render the Vault configuration.
+ config = templatefile("${path.module}/templates/config.hcl.tpl",
+ {
+ kms_project = var.project_id
+ kms_location = google_kms_key_ring.vault.location
+ kms_keyring = google_kms_key_ring.vault.name
+ kms_crypto_key = google_kms_crypto_key.vault-init.name
+ lb_ip = local.lb_ip
+ api_addr = local.api_addr
+ storage_bucket = var.vault_storage_bucket
+ vault_log_level = var.vault_log_level
+ vault_port = var.vault_port
+ vault_proxy_port = var.vault_proxy_port
+ vault_tls_disable_client_certs = var.vault_tls_disable_client_certs
+ vault_tls_require_and_verify_client_cert = var.vault_tls_require_and_verify_client_cert
+ vault_ui_enabled = var.vault_ui_enabled
+ user_vault_config = var.user_vault_config
+ })
+ })
+}
+
 resource "google_compute_instance_template" "vault" {
 project = var.project_id
 region = var.region
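Review bot: The new `terraform_data.startup_script` resource carries no comment saying why the render was moved out of the instance template's metadata, and `terraform_data` is a built-in that only exists in Terraform 1.4 and later, so the module's `required_version` constraint (not part of this diff) has to admit at least `>= 1.4` or `terraform init` fails on older CLIs. A `locals` entry would yield the same rendered string without adding a resource to state; if the point is to expose one rendered value to several consumers, a header such as `# Rendered startup script (includes the Vault config); shared so every consumer sees a single value.` would make that intent clear. The rendered script embeds the Vault configuration and the KMS key-ring and key names, so it now sits in state both as this resource's `output` and in the template metadata that the second hunk (`@@ -78,41`) references — no new exposure compared with the old inline render, but worth stating for operators who restrict access to the state backend.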
@@ -78,41 +116,7 @@ resource "google_compute_instance_template" "vault" {
 "google-compute-enable-virtio-rng" = "true"
 # Render the startup script. This script installs and configures
 # Vault and all dependencies.
- "startup-script" = templatefile("${path.module}/templates/startup.sh.tpl",
- {
- custom_http_proxy = var.http_proxy
- service_account_email = var.vault_service_account_email
- internal_lb = local.use_internal_lb
- vault_args = var.vault_args
- vault_port = var.vault_port
- vault_proxy_port = var.vault_proxy_port
- vault_version = var.vault_version
- vault_tls_bucket = local.vault_tls_bucket
- vault_ca_cert_filename = var.vault_ca_cert_filename
- vault_tls_key_filename = var.vault_tls_key_filename
- vault_tls_cert_filename = var.vault_tls_cert_filename
- kms_project = var.vault_tls_kms_key_project == "" ? var.project_id : var.vault_tls_kms_key_project
- kms_crypto_key = local.vault_tls_kms_key
- user_startup_script = var.user_startup_script
- # Render the Vault configuration.
- config = templatefile("${path.module}/templates/config.hcl.tpl",
- {
- kms_project = var.project_id
- kms_location = google_kms_key_ring.vault.location
- kms_keyring = google_kms_key_ring.vault.name
- kms_crypto_key = google_kms_crypto_key.vault-init.name
- lb_ip = local.lb_ip
- api_addr = local.api_addr
- storage_bucket = var.vault_storage_bucket
- vault_log_level = var.vault_log_level
- vault_port = var.vault_port
- vault_proxy_port = var.vault_proxy_port
- vault_tls_disable_client_certs = var.vault_tls_disable_client_certs
- vault_tls_require_and_verify_client_cert = var.vault_tls_require_and_verify_client_cert
- vault_ui_enabled = var.vault_ui_enabled
- user_vault_config = var.user_vault_config
- })
- })
+ "startup-script" = terraform_data.startup_script.output
 },
 )
 
diff --git a/modules/cluster/templates/startup.sh.tpl b/modules/cluster/templates/startup.sh.tpl
index 3709f69..7f1904c 100644
--- a/modules/cluster/templates/startup.sh.tpl
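Review bot: The context comment directly above the replaced line, `# Render the startup script. This script installs and configures` / `# Vault and all dependencies.`, is now stale: nothing is rendered here any more, the value is read from `terraform_data.startup_script.output`. It should say where the render lives, e.g. `# Startup script rendered by terraform_data.startup_script; it installs and configures Vault and all dependencies.`, so a reader editing template inputs looks in the right resource. The enclosing `metadata` argument and the `google_compute_instance_template.vault` block both start before this hunk.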
+++ b/modules/cluster/templates/startup.sh.tpl
@@ -2,8 +2,8 @@ set -xe
 set -o pipefail
 
-# Only run the script once
-if [ -f ~/.startup-script-complete ]; then
+# Only run the script once or in version upgrades
+if [ -f ~/.startup-script-complete-${vault_version} ]; then
 echo "Startup script already ran, exiting"
 exit 0
 fi
 
@@ -37,11 +37,11 @@ fi
 /sbin/setcap cap_ipc_lock=+ep /usr/local/bin/vault
 
 # Add Vault user
-useradd -d /etc/vault.d -s /bin/false vault
+id -u vault &>/dev/null || useradd -d /etc/vault.d -s /bin/false vault
 
 # Vault config
 mkdir -p /etc/vault.d
-mkdir /etc/vault.d/plugins
+mkdir -p /etc/vault.d/plugins
 cat <<"EOF" > /etc/vault.d/config.hcl
 ${config}
 EOF
@@ -295,4 +295,4 @@ service stackdriver-agent restart
 ${user_startup_script}
 
 # Signal this script has run
-touch ~/.startup-script-complete
+touch ~/.startup-script-complete-${vault_version}
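Review bot: The new guard in the first hunk tests only `~/.startup-script-complete-${vault_version}`, so an instance provisioned under the old unversioned marker `~/.startup-script-complete` will re-run the whole script on its next boot even when the Vault version is unchanged, if it receives the new metadata without being replaced; either state that this one-time re-run is intended, e.g. `# Run once per Vault version; hosts carrying the old unversioned marker re-run once after this change`, or also honour the old name with `if [ -f ~/.startup-script-complete ] || [ -f ~/.startup-script-complete-${vault_version} ]; then`. A version bump now replays every step after the guard, including the overwrite of `/etc/vault.d/config.hcl` shown in the second hunk and presumably the binary install that `/sbin/setcap` follows, so steps outside these hunks need the same idempotence treatment the `id -u vault ... || useradd` and `mkdir -p` lines received. The `touch` in the last hunk (`@@ -295,4`) leaves markers from earlier versions in place; `rm -f ~/.startup-script-complete-*` immediately before `touch ~/.startup-script-complete-${vault_version}` keeps a single marker that records the version actually running.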