74 changes: 39 additions & 35 deletions modules/cluster/main.tf
Expand Up @@ -43,6 +43,44 @@ data "google_compute_zones" "available" {
region = var.region
}

resource "terraform_data" "startup_script" {
input = templatefile("${path.module}/templates/startup.sh.tpl",
{
custom_http_proxy = var.http_proxy
service_account_email = var.vault_service_account_email
internal_lb = local.use_internal_lb
vault_args = var.vault_args
vault_port = var.vault_port
vault_proxy_port = var.vault_proxy_port
vault_version = var.vault_version
vault_tls_bucket = local.vault_tls_bucket
vault_ca_cert_filename = var.vault_ca_cert_filename
vault_tls_key_filename = var.vault_tls_key_filename
vault_tls_cert_filename = var.vault_tls_cert_filename
kms_project = var.vault_tls_kms_key_project == "" ? var.project_id : var.vault_tls_kms_key_project
kms_crypto_key = local.vault_tls_kms_key
user_startup_script = var.user_startup_script
# Render the Vault configuration.
config = templatefile("${path.module}/templates/config.hcl.tpl",
{
kms_project = var.project_id
kms_location = google_kms_key_ring.vault.location
kms_keyring = google_kms_key_ring.vault.name
kms_crypto_key = google_kms_crypto_key.vault-init.name
lb_ip = local.lb_ip
api_addr = local.api_addr
storage_bucket = var.vault_storage_bucket
vault_log_level = var.vault_log_level
vault_port = var.vault_port
vault_proxy_port = var.vault_proxy_port
vault_tls_disable_client_certs = var.vault_tls_disable_client_certs
vault_tls_require_and_verify_client_cert = var.vault_tls_require_and_verify_client_cert
vault_ui_enabled = var.vault_ui_enabled
user_vault_config = var.user_vault_config
})
})
}

resource "google_compute_instance_template" "vault" {
project = var.project_id
region = var.region
Expand Down Expand Up @@ -78,41 +116,7 @@ resource "google_compute_instance_template" "vault" {
"google-compute-enable-virtio-rng" = "true"
# Render the startup script. This script installs and configures
# Vault and all dependencies.
"startup-script" = templatefile("${path.module}/templates/startup.sh.tpl",
{
custom_http_proxy = var.http_proxy
service_account_email = var.vault_service_account_email
internal_lb = local.use_internal_lb
vault_args = var.vault_args
vault_port = var.vault_port
vault_proxy_port = var.vault_proxy_port
vault_version = var.vault_version
vault_tls_bucket = local.vault_tls_bucket
vault_ca_cert_filename = var.vault_ca_cert_filename
vault_tls_key_filename = var.vault_tls_key_filename
vault_tls_cert_filename = var.vault_tls_cert_filename
kms_project = var.vault_tls_kms_key_project == "" ? var.project_id : var.vault_tls_kms_key_project
kms_crypto_key = local.vault_tls_kms_key
user_startup_script = var.user_startup_script
# Render the Vault configuration.
config = templatefile("${path.module}/templates/config.hcl.tpl",
{
kms_project = var.project_id
kms_location = google_kms_key_ring.vault.location
kms_keyring = google_kms_key_ring.vault.name
kms_crypto_key = google_kms_crypto_key.vault-init.name
lb_ip = local.lb_ip
api_addr = local.api_addr
storage_bucket = var.vault_storage_bucket
vault_log_level = var.vault_log_level
vault_port = var.vault_port
vault_proxy_port = var.vault_proxy_port
vault_tls_disable_client_certs = var.vault_tls_disable_client_certs
vault_tls_require_and_verify_client_cert = var.vault_tls_require_and_verify_client_cert
vault_ui_enabled = var.vault_ui_enabled
user_vault_config = var.user_vault_config
})
})
"startup-script" = terraform_data.startup_script.output
},
)

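Review bot: The new `terraform_data` resource at line 28 only exists in Terraform 1.4 and later, and the module's `required_version` constraint is not part of this diff; if it still admits older releases, `init`/`plan` will fail on an unknown resource type, so the constraint should be raised together with this change. The comment `# Render the startup script. This script installs and configures Vault and all dependencies.` is left as context above the metadata entry, which now only references `terraform_data.startup_script.output`; move it above the `terraform_data` block where the rendering actually happens, and note there that the rendered script (config.hcl included) is held in the `input`/`output` attributes and therefore in Terraform state, as it previously was via the template's metadata. The `google_compute_instance_template` body continues past the end of the second hunk.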
10 changes: 5 additions & 5 deletions modules/cluster/templates/startup.sh.tpl
Expand Up @@ -2,8 +2,8 @@
set -xe
set -o pipefail

# Only run the script once
if [ -f ~/.startup-script-complete ]; then
# Only run the script once or in version upgrades
if [ -f ~/.startup-script-complete-${vault_version} ]; then
echo "Startup script already ran, exiting"
exit 0
fi
Expand Down Expand Up @@ -37,11 +37,11 @@ fi
/sbin/setcap cap_ipc_lock=+ep /usr/local/bin/vault

# Add Vault user
useradd -d /etc/vault.d -s /bin/false vault
id -u vault &>/dev/null || useradd -d /etc/vault.d -s /bin/false vault

# Vault config
mkdir -p /etc/vault.d
mkdir /etc/vault.d/plugins
mkdir -p /etc/vault.d/plugins
cat <<"EOF" > /etc/vault.d/config.hcl
${config}
EOF
Expand Down Expand Up @@ -295,4 +295,4 @@ service stackdriver-agent restart
${user_startup_script}

# Signal this script has run
touch ~/.startup-script-complete
touch ~/.startup-script-complete-${vault_version}
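Review bot: `${vault_version}` now becomes part of a filesystem path in both the guard (line 122) and the marker write (line 145), but it is unquoted in both, so a value containing whitespace or glob characters would be word-split by the shell rather than rejected; quote it, `if [ -f ~/".startup-script-complete-${vault_version}" ]; then` and `touch ~/".startup-script-complete-${vault_version}"`, and consider a `validation` block on the variable in the module's variables file so only a plain version string reaches the template. Because the marker is now per-version, a version change re-executes the entire script on an existing instance; this commit makes the `useradd` and `mkdir` steps idempotent, but everything between the hunks (the download and `setcap` at line 127, the rest of the config and service setup, and `${user_startup_script}` at line 141) is outside this view and under `set -e` any non-idempotent step there aborts the upgrade. A short comment above the guard, such as `# Marker is per version: bumping vault_version reruns every step below, so each must be safe to repeat`, would make that contract explicit for future edits.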