20200203 - CfgMgmtCamp 2020 - Vault Deploy: Organizing Terraform Code for Multiple Vault Clusters, Shobhna Shastri

by Thierry de Pauw on

##cfgmgmtcamp

Vault Deploy: Organizing Terraform Code for Multiple Vault Clusters, Shobhna Shastri, @shobshas3

Vault Cluster in HA: 8-9 nodes
- 3 vault servers
- 6 consul nodes

more involved: VPC, subnets, 3 AZs

deployed by Terraform

to deploy a Vault Cluster: use a module
=> Terraform registry

copy and paste into your Terraform configuration and modify the required variables, terraform init

Typical directory structure:


vault-deploy
|- root.tf: main
|- variables.tf
|- outputs.tf
|- backend.tf: remote state declaration

that is for one cluster

but what about multiple clusters: Region A and Region B (disaster recovery, performance)

solution 1: duplicate directory structure


vault-deploy
|- vault-us-west-1
|- root.tf
|- variables.tf
|- outputs.tf
|- backend.tf
|- vault-us-west-2
|- root.tf
|- variables.tf
|- outputs.tf
|- backend.tf

you go in each of region directories and perform terraform plan, terraform apply
=> lots of duplication, any change has to be duplicated

pro:
- simple
- easy to onboard
- no overlap between clusters
cons:
- duplication
- difficult to maintain as it scales
- can get out of sync

solution 2: variable files


vault-deploy
|- root.tf
|- variables.tf
|- outputs.tf
|- backend.tf
|- us-west-1.tfvar
|- us-west-2.tfvar

backend uses workspaces:

workspaces {
name = var.region_name
}

=> remote state clash

require additional steps to ensure input parameters are applied to the correct state


terraform plan -input=true -reconfigure -var-name= ... pass remote state config as variables

common solutions to handle the additional setup for backend and input parameters:
- wrapper scripts

tfwrapper init us-west-1
tfwrapper plan
tfwrapper apply

- makefile

make init TENANT="us-west-1"
make plan TENANT="us-west-1"
make apply TENANT="us-west-1"

pros:
- reduces duplication
- single source of configuration
cons:
- requires additional scaffolding