by Thierry de Pauw on
##cfgmgmtcamp
Vault Cluster in HA: 8-9 nodes
- 3 vault servers
- 6 consul nodes
more involved: VPC, subnets, 3 AZs
deployed by Terraform
to deploy a Vault Cluster: use a module
=> Terraform registry
copy the module block into your Terraform configuration, set its required variables, then run terraform init to download the module
Typical directory structure:
vault-deploy
|- root.tf: main
|- variables.tf
|- outputs.tf
|- backend.tf: remote state declaration
that is for one cluster
but what about multiple clusters: Region A and Region B (disaster recovery, performance)
solution 1: duplicate directory structure
vault-deploy
|- vault-us-west-1
|  |- root.tf
|  |- variables.tf
|  |- outputs.tf
|  |- backend.tf
|- vault-us-west-2
|  |- root.tf
|  |- variables.tf
|  |- outputs.tf
|  |- backend.tf
you go into each region directory and run terraform plan, terraform apply there
=> lots of duplication: every change has to be made once per region directory
pro:
- simple
- easy to onboard
- no overlap between clusters (each region has its own state and its own blast radius)
cons:
- duplication
- difficult to maintain as it scales
- can get out of sync
solution 2: variable files
vault-deploy
|- root.tf
|- variables.tf
|- outputs.tf
|- backend.tf
|- us-west-1.tfvars
|- us-west-2.tfvars
backend uses workspaces, one per region:
    workspaces {
      name = var.region_name
    }
=> remote state clash: a backend block cannot reference var.*, so the workspace (state) and the tfvars file (inputs) are selected in two separate steps and nothing ties them together
requires additional steps to ensure the input parameters are applied to the correct state, e.g.:
    terraform init -reconfigure -backend-config=...   (remote state settings passed at init, not as variables)
    terraform plan -input=true -var-file=us-west-1.tfvars
common solutions to handle the additional setup for backend and input parameters:
- wrapper scripts
tfwrapper init us-west-1
tfwrapper plan
tfwrapper apply
- makefile
make init TENANT="us-west-1"
make plan TENANT="us-west-1"
make apply TENANT="us-west-1"
pros:
- reduces duplication
- single source of configuration
cons:
- requires additional scaffolding