forked from hashicorp/vault-guides
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathoutputs.tf
153 lines (116 loc) · 4.25 KB
/
outputs.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
output "zREADME" {
value = <<README
Your "${var.name}" AWS Vault Best Practices cluster has been
successfully provisioned!
${module.network_aws.zREADME}To force the generation of a new key, the private key instance can be "tainted"
using the below command.
$ terraform taint -module=ssh_keypair_aws_override.tls_private_key \
tls_private_key.key
${var.download_certs ?
"\n${module.root_tls_self_signed_ca.zREADME}
${module.leaf_tls_self_signed_cert.zREADME}
# ------------------------------------------------------------------------------
# Local HTTP API Requests
# ------------------------------------------------------------------------------
If you're making HTTPS API requests outside the Bastion (locally), set
the below env vars.
The `vault_public` and `consul_public` variables must be set to true for
requests to work.
`vault_public`: ${var.vault_public}
`consul_public`: ${var.consul_public}
$ export VAULT_ADDR=https://${module.vault_aws.vault_lb_dns}:8200
$ export VAULT_CACERT=./${module.leaf_tls_self_signed_cert.ca_cert_filename}
$ export VAULT_CLIENT_CERT=./${module.leaf_tls_self_signed_cert.leaf_cert_filename}
$ export VAULT_CLIENT_KEY=./${module.leaf_tls_self_signed_cert.leaf_private_key_filename}
$ export CONSUL_ADDR=https://${module.consul_aws.consul_lb_dns}:8080 # HTTPS
$ export CONSUL_ADDR=http://${module.consul_aws.consul_lb_dns}:8500 # HTTP
$ export CONSUL_CACERT=./${module.leaf_tls_self_signed_cert.ca_cert_filename}
$ export CONSUL_CLIENT_CERT=./${module.leaf_tls_self_signed_cert.leaf_cert_filename}
$ export CONSUL_CLIENT_KEY=./${module.leaf_tls_self_signed_cert.leaf_private_key_filename}\n" : ""}
# ------------------------------------------------------------------------------
# Vault Best Practices
# ------------------------------------------------------------------------------
Once on the Bastion host, you can use Consul's DNS functionality to seamlessly
SSH into other Consul or Vault nodes if they exist.
$ ssh -A ${module.consul_aws.consul_username}@consul.service.consul
# Vault must be initialized & unsealed for this command to work
$ ssh -A ${module.vault_aws.vault_username}@vault.service.consul
${module.vault_aws.zREADME}
${module.consul_aws.zREADME}
README
}
output "vpc_cidr" {
value = "${module.network_aws.vpc_cidr}"
}
output "vpc_id" {
value = "${module.network_aws.vpc_id}"
}
output "subnet_public_ids" {
value = "${module.network_aws.subnet_public_ids}"
}
output "subnet_private_ids" {
value = "${module.network_aws.subnet_private_ids}"
}
output "bastion_security_group" {
value = "${module.network_aws.bastion_security_group}"
}
output "bastion_ips_public" {
value = "${module.network_aws.bastion_ips_public}"
}
output "bastion_username" {
value = "${module.network_aws.bastion_username}"
}
output "private_key_name" {
value = "${module.ssh_keypair_aws_override.private_key_name}"
}
output "private_key_filename" {
value = "${module.ssh_keypair_aws_override.private_key_filename}"
}
output "private_key_pem" {
value = "${module.ssh_keypair_aws_override.private_key_pem}"
}
output "public_key_pem" {
value = "${module.ssh_keypair_aws_override.public_key_pem}"
}
output "public_key_openssh" {
value = "${module.ssh_keypair_aws_override.public_key_openssh}"
}
output "ssh_key_name" {
value = "${module.ssh_keypair_aws_override.name}"
}
output "consul_asg_id" {
value = "${module.consul_aws.consul_asg_id}"
}
output "consul_sg_id" {
value = "${module.consul_aws.consul_sg_id}"
}
output "consul_lb_sg_id" {
value = "${module.consul_aws.consul_lb_sg_id}"
}
output "consul_tg_http_8500_arn" {
value = "${module.consul_aws.consul_tg_http_8500_arn}"
}
output "consul_tg_https_8080_arn" {
value = "${module.consul_aws.consul_tg_https_8080_arn}"
}
output "consul_lb_dns" {
value = "${module.consul_aws.consul_lb_dns}"
}
output "vault_asg_id" {
value = "${module.vault_aws.vault_asg_id}"
}
output "vault_sg_id" {
value = "${module.vault_aws.vault_sg_id}"
}
output "vault_lb_sg_id" {
value = "${module.vault_aws.vault_lb_sg_id}"
}
output "vault_tg_http_8200_arn" {
value = "${module.vault_aws.vault_tg_http_8200_arn}"
}
output "vault_tg_https_8200_arn" {
value = "${module.vault_aws.vault_tg_https_8200_arn}"
}
output "vault_lb_dns" {
value = "${module.vault_aws.vault_lb_dns}"
}