Vault Setup Steps
- Run the 090-instance-vault module first
- Run these salt states on the Vault instances (quote the target so the shell does not expand the glob; test=true is a dry run that reports changes without applying them, so rerun without it to apply):
  salt 'vault*com' saltutil.sync_all
  salt 'vault*com' saltutil.refresh_pillar
  salt 'vault*com' state.sls os_modifications test=true --state-output=changes
  salt 'vault*com' state.highstate test=true --state-output=changes
  salt 'vault*com' state.sls vault test=true --state-output=changes
- Ensure Vault is running and unseal the Vault via CLI on ONE of the Vault servers:
  export VAULT_ADDR=https://127.0.0.1
  export VAULT_SKIP_VERIFY=1
  vault status
  vault operator init -recovery-shares=5 -recovery-threshold=2
- Copy the root token and the 5 recovery shares to a safe place.
- On your laptop, put the root Vault token in ~/.vault-token and use it to run the Terraform 099-vault-configuration module:
  vim ~/.vault-token
- The Terraform Vault provider connects to the DNS name in VAULT_ADDR. Before running it, test connectivity with:
  export VAULT_ADDR=https://internal-vault-alb-test-778772793.us-gov-east-1.elb.amazonaws.com
  Replace the ALB address with the current ALB DNS address. This is needed because Go's DNS resolution does not update when connected to XDR over VPN, and the Vault binary is written in Go.
- Why not use the accenturefederal address? The same Go DNS issue.
- Download the vault binary (might not be needed? Is the binary in the TF provider?)
- Apply the module:
  terragrunt apply
- The Terraform Vault provider reads the token from ~/.vault-token and the address from the VAULT_ADDR environment variable.
- Revoke the root token:
  vault token revoke <root-token>
- Distribute the Vault shares to the appropriate individuals.
- Export/Import secrets
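A preflight check for the laptop-side Terraform run, added here as an example and not part of the original notes or of the Vault or Terraform projects: it verifies the VAULT_ADDR and ~/.vault-token conditions the provider relies on, and flags VAULT_SKIP_VERIFY=1 against a non-loopback address, since that setting belongs only to the 127.0.0.1 init step. The function name and the optional token-file argument are my own.

```shell
#!/usr/bin/env bash
# Preflight check before `terragrunt apply` on the 099-vault-configuration module.
# Checks the two inputs the Terraform Vault provider uses: VAULT_ADDR in the
# environment and the token stored in ~/.vault-token.
# Usage: vault_preflight [token-file]   (hypothetical helper; defaults to $HOME/.vault-token)

vault_preflight() {
  local token_file="${1:-$HOME/.vault-token}"
  local rc=0

  # 1. The address must be set and must use https (the ALB address from the runbook).
  if [ -z "${VAULT_ADDR:-}" ]; then
    echo "FAIL: VAULT_ADDR is not set" >&2; rc=1
  elif [ "${VAULT_ADDR#https://}" = "$VAULT_ADDR" ]; then
    echo "FAIL: VAULT_ADDR must use https:// (got $VAULT_ADDR)" >&2; rc=1
  fi

  # 2. Skipping TLS verification is only expected for the local 127.0.0.1 init step.
  if [ "${VAULT_SKIP_VERIFY:-0}" = "1" ] && [ "${VAULT_ADDR#https://127.0.0.1}" = "${VAULT_ADDR:-}" ]; then
    echo "WARN: VAULT_SKIP_VERIFY=1 with a non-loopback address; the ALB certificate is not verified" >&2
  fi

  # 3. The token file must exist, be non-empty and be readable by the owner only.
  if [ ! -s "$token_file" ]; then
    echo "FAIL: token file $token_file is missing or empty" >&2; rc=1
  else
    local mode
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$token_file" 2>/dev/null || stat -f '%Lp' "$token_file")
    case "$mode" in
      600|400) ;;
      *) echo "FAIL: token file $token_file has mode $mode; expected 600" >&2; rc=1 ;;
    esac
  fi
  return $rc
}
```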
For additional Vault documentation see these locations:
https://github.mdr.defpoint.com/mdr-engineering/infrastructure-notes/blob/master/Vault%20Notes.md
https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/blob/develop/salt/fileroots/vault/README.md