# Vault Setup Steps

- Run the 090-instance-vault module first
  - `terragrunt apply`
- Run these salt states on the Vault instances
  - `salt vault*com saltutil.sync_all`
  - `salt vault*com saltutil.refresh_pillar`
  - `salt vault*com state.sls os_modifications test=true --state-output=changes`
  - `salt vault*com state.highstate test=true --state-output=changes`
  - `salt vault*com state.sls salt_minion.salt_minion_proxy test=true --state-output=changes`
  - `salt vault*com state.sls vault test=true --state-output=changes`
  - `salt vault*com state.sls vault pillar='{"kms_key_id": ""}' test=true --state-output=changes`
- Ensure Vault is running and unseal the Vault via CLI on ONE of the Vault servers
  - `export VAULT_ADDR=https://127.0.0.1`
  - `export VAULT_SKIP_VERIFY=1`
  - `vault status`
  - `vault operator init -recovery-shares=5 -recovery-threshold=2`
  - Copy the root token and the 5 recovery shares to a safe place
- On your laptop, use the root Vault token to run the Terraform 099-vault-configuration module
  - `vim ~/.vault-token`
  - The DNS name configured in the Terraform Vault provider will be used. To test connectivity, run `export VAULT_ADDR=https://internal-vault-alb-test-778772793.us-gov-east-1.elb.amazonaws.com`, replacing the ALB address with the current ALB DNS address. This is needed because Go's DNS resolver does not pick up updates while connected to XDR over VPN, and the Vault binary is written in Go.
  - Why not use the accenturefederal address? The same Go DNS issue.
  - Download the Vault binary (might not be needed? Is the binary in the TF provider?)
  - `terragrunt apply`
  - You might need this command as well. See main.tf in the module for more information.
    - `vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-east-1.amazonaws.com sts_region=us-gov-east-1`
  - The Terraform Vault provider reads the token from ~/.vault-token and the address to connect to from the shell environment variables. You can also pass the token on the command line (see below).
- Revoke the root token
  - `vault token revoke `
- Distribute the Vault shares to the appropriate individuals.
- Export/Import secrets
  - https://github.com/adamdecaf/vault-backend-migrator
- This module depends on AWS Secrets Manager for the credentials used to authenticate to Okta via OIDC and Okta auth.

For additional Vault documentation see these locations:

- https://github.mdr.defpoint.com/mdr-engineering/infrastructure-notes/blob/master/Vault%20Notes.md
- https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/blob/develop/salt/fileroots/vault/README.md

## To apply Terraform Changes without putting credentials in the terragrunt.hcl

- `VAULT_TOKEN`: Log in to Vault, click your name dropdown, then copy the token. You'll need it more than once.

Then apply:

```
VAULT_TOKEN= terragrunt apply
```
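The steps above leave the operator holding the most sensitive material the cluster will ever produce: the root token and the five recovery shares from `vault operator init`, plus the token file the Terraform provider reads. The script below is an added example (not part of this runbook or of Vault's own tooling) showing how a small wrapper can check that the init output matches the prescribed `-recovery-shares=5 -recovery-threshold=2`, write each share to its own owner-only file for its custodian without ever writing the root token to disk, decide the next action from `/v1/sys/seal-status`, and check the permissions on `~/.vault-token`. It assumes the JSON field names emitted by `vault operator init -format=json` and by the seal-status endpoint; the sample init output, share values and custodian names are constructed placeholders.

```python
"""Operator helpers for the init / share-distribution / seal-check steps.

Added example, not the runbook's own code.  Assumes:
  * init was run as `vault operator init -recovery-shares=5
    -recovery-threshold=2 -format=json` and its JSON captured;
  * seal status is the body of GET /v1/sys/seal-status (or `vault status -format=json`).
"""
import json
import os
import stat
import tempfile
from pathlib import Path

EXPECTED_SHARES = 5      # matches -recovery-shares=5 in the runbook
EXPECTED_THRESHOLD = 2   # matches -recovery-threshold=2

# Constructed sample of `vault operator init -format=json` output.
# The shares and root token are placeholders, not real values.
SAMPLE_INIT_JSON = json.dumps({
    "unseal_keys_b64": [], "unseal_keys_hex": [],
    "unseal_shares": 1, "unseal_threshold": 1,
    "recovery_keys_b64": ["c2hhcmUtMQ==", "c2hhcmUtMg==", "c2hhcmUtMw==",
                          "c2hhcmUtNA==", "c2hhcmUtNQ=="],
    "recovery_keys_shares": 5,
    "recovery_keys_threshold": 2,
    "root_token": "hvs.PLACEHOLDER-ROOT-TOKEN",
})


def parse_init_output(text: str) -> dict:
    """Validate the init output against the share count and threshold the runbook prescribes."""
    data = json.loads(text)
    shares = data.get("recovery_keys_b64", [])
    if data.get("recovery_keys_shares") != EXPECTED_SHARES or len(shares) != EXPECTED_SHARES:
        raise ValueError(f"expected {EXPECTED_SHARES} recovery shares, got {len(shares)}")
    if data.get("recovery_keys_threshold") != EXPECTED_THRESHOLD:
        raise ValueError(f"expected recovery threshold {EXPECTED_THRESHOLD}")
    if not data.get("root_token"):
        raise ValueError("init output carries no root token")
    return {"root_token": data["root_token"], "recovery_shares": list(shares)}


def write_shares(init: dict, outdir: str, custodians: list) -> list:
    """Write one share per custodian file (mode 0600, never overwriting).

    Only the shares are written; the root token stays in memory so it can be
    used for 099-vault-configuration and then revoked, as the runbook says."""
    if len(custodians) != len(init["recovery_shares"]):
        raise ValueError("need exactly one custodian per share")
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for who, share in zip(custodians, init["recovery_shares"]):
        path = out / f"recovery-share-{who}.txt"
        # O_EXCL refuses to clobber a share file that already exists.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(share + "\n")
        paths.append(str(path))
    return paths


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def token_file_ok(path: str) -> bool:
    """~/.vault-token must not be readable by group or others."""
    return file_mode(path) & 0o077 == 0


def seal_status_action(status_json: str) -> str:
    """Map seal status to the next runbook step.

    Recovery shares imply an auto-unseal seal (the salt state takes a
    kms_key_id), so an initialized-but-sealed cluster points at the seal
    backend rather than at missing operator input."""
    s = json.loads(status_json)
    if not s.get("initialized", False):
        return "init"
    if s.get("sealed", True):
        return "check-auto-unseal" if s.get("recovery_seal") else "unseal"
    return "ready"


def run_demo() -> dict:
    """End-to-end run against the constructed sample in a temp directory."""
    init = parse_init_output(SAMPLE_INIT_JSON)
    outdir = tempfile.mkdtemp(prefix="vault-shares-")
    custodians = ["alice", "bob", "carol", "dave", "erin"]  # constructed names
    paths = write_shares(init, outdir, custodians)
    return {"paths": paths, "modes": [file_mode(p) for p in paths],
            "first_share": Path(paths[0]).read_text().strip()}


if __name__ == "__main__":
    print(run_demo())
```

Run it once against real init output by replacing `SAMPLE_INIT_JSON` with the captured JSON; the share files can then be handed to the individuals named in the distribution step, and the in-memory root token used for `terragrunt apply` before `vault token revoke`.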