allow_public_egress |
Whether to create a NAT for external egress. If false, you must also specify an http_proxy so that the required executables (Vault, Fluentd and Stackdriver) can be downloaded. |
bool |
true |
no |
allow_ssh |
Allow external access to SSH port 22 on the Vault VMs. It is a best practice to set this to false; it defaults to true only for backwards compatibility. |
bool |
true |
no |
domain |
The domain name that will be set in the api_addr. The load balancer IP is used by default. |
string |
"" |
no |
http_proxy |
HTTP proxy for downloading agents and the Vault executable on startup. Only necessary if allow_public_egress is false. This is only used on the first startup of the Vault cluster and will NOT set the global HTTP_PROXY environment variable. For example, if you configure Vault to manage credentials for other services, the default HTTP routes will be taken. |
string |
"" |
no |
kms_crypto_key |
The name of the Cloud KMS Key used for encrypting initial TLS certificates and for configuring Vault auto-unseal. Terraform will create this key. |
string |
"vault-init" |
no |
kms_keyring |
Name of the Cloud KMS KeyRing for asset encryption. Terraform will create this keyring. |
string |
"vault" |
no |
kms_protection_level |
The protection level to use for the KMS crypto key. |
string |
"software" |
no |
load_balancing_scheme |
Options are INTERNAL or EXTERNAL. If EXTERNAL, the forwarding rule will be of type EXTERNAL and a public IP will be created. If INTERNAL, the type will be INTERNAL and a random RFC 1918 private IP will be assigned. |
string |
"EXTERNAL" |
no |
manage_tls |
Set to false if you'd like to manage and upload your own TLS files. See Managing TLS for more details |
bool |
true |
no |
network |
The self link of the VPC network for Vault. By default, one will be created for you. |
string |
"" |
no |
network_subnet_cidr_range |
CIDR block range for the subnet. |
string |
"10.127.0.0/20" |
no |
project_id |
ID of the project in which to create resources and add IAM bindings. |
string |
n/a |
yes |
project_services |
List of services to enable on the project where Vault will run. These services are required in order for this Vault setup to function. |
list(string) |
[ "cloudkms.googleapis.com", "cloudresourcemanager.googleapis.com", "compute.googleapis.com", "iam.googleapis.com", "logging.googleapis.com", "monitoring.googleapis.com" ] |
no |
region |
Region in which to create resources. |
string |
"us-east4" |
no |
service_account_name |
Name of the Vault service account. |
string |
"vault-admin" |
no |
service_account_project_additional_iam_roles |
List of custom IAM roles to add to the project. |
list(string) |
[] |
no |
service_account_project_iam_roles |
List of IAM roles for the Vault admin service account to function. If you need to add additional roles, update service_account_project_additional_iam_roles instead. |
list(string) |
[ "roles/logging.logWriter", "roles/monitoring.metricWriter", "roles/monitoring.viewer" ] |
no |
service_account_storage_bucket_iam_roles |
List of IAM roles for the Vault admin service account to have on the storage bucket. |
list(string) |
[ "roles/storage.legacyBucketReader", "roles/storage.objectAdmin" ] |
no |
service_label |
The service label to set on the internal load balancer. If not empty, this enables internal DNS for internal load balancers. By default, the service label is disabled. This has no effect on external load balancers. |
string |
null |
no |
ssh_allowed_cidrs |
List of CIDR blocks allowed to SSH into the nodes. As with vault_allowed_cidrs, the default is unrestricted; it is recommended that you reduce this to a smaller list. |
list(string) |
[ "0.0.0.0/0" ] |
no |
storage_bucket_class |
Type of data storage to use. If you change this value, you will also need to choose a storage_bucket_location that matches this storage class. |
string |
"MULTI_REGIONAL" |
no |
storage_bucket_enable_versioning |
Set to true to enable object versioning in the GCS bucket. You may want to define lifecycle rules if you want a finite number of old versions. |
string |
false |
no |
storage_bucket_force_destroy |
Set to true to force deletion of backend bucket on terraform destroy |
string |
false |
no |
storage_bucket_lifecycle_rules |
Vault storage lifecycle rules |
list(object({ action = map(object({ type = string, storage_class = string })), condition = map(object({ age = number, created_before = string, with_state = string, is_live = string, matches_storage_class = string, num_newer_versions = number })) })) |
[] |
no |
storage_bucket_location |
Location for the Google Cloud Storage bucket in which Vault data will be stored. |
string |
"us" |
no |
storage_bucket_name |
Name of the Google Cloud Storage bucket for the Vault backend storage. This must be globally unique across all of GCP. If left as the empty string, this will default to: '-vault-data'. |
string |
"" |
no |
subnet |
The self link of the VPC subnetwork for Vault. By default, one will be created for you. |
string |
"" |
no |
tls_ca_subject |
The subject block for the root CA certificate. |
object({ common_name = string, organization = string, organizational_unit = string, street_address = list(string), locality = string, province = string, country = string, postal_code = string, }) |
{ "common_name": "Example Inc. Root", "country": "US", "locality": "The Intranet", "organization": "Example, Inc", "organizational_unit": "Department of Certificate Authority", "postal_code": "95559-1227", "province": "CA", "street_address": [ "123 Example Street" ] } |
no |
tls_cn |
The TLS Common Name for the TLS certificates |
string |
"vault.example.net" |
no |
tls_dns_names |
List of DNS names added to the Vault server self-signed certificate |
list(string) |
[ "vault.example.net" ] |
no |
tls_ips |
List of IP addresses added to the Vault server self-signed certificate |
list(string) |
[ "127.0.0.1" ] |
no |
tls_ou |
The TLS Organizational Unit for the TLS certificate |
string |
"IT Security Operations" |
no |
tls_save_ca_to_disk |
Save the CA public certificate on the local filesystem. The CA is always stored in GCS, but this option also saves it to the filesystem. |
bool |
true |
no |
user_startup_script |
Additional user-provided code injected after Vault is setup |
string |
"" |
no |
vault_allowed_cidrs |
List of CIDR blocks to allow access to the Vault nodes. Since the load balancer is a pass-through load balancer, this must also include all IPs from which you will access Vault. The default is unrestricted (any IP address can access Vault). It is recommended that you reduce this to a smaller list. |
list(string) |
[ "0.0.0.0/0" ] |
no |
vault_args |
Additional command line arguments passed to Vault server |
string |
"" |
no |
vault_ca_cert_filename |
GCS object path within the vault_tls_bucket. This is the root CA certificate. |
string |
"ca.crt" |
no |
vault_instance_base_image |
Base operating system image in which to install Vault. This must be a Debian-based system at the moment due to how the metadata startup script runs. |
string |
"debian-cloud/debian-10" |
no |
vault_instance_labels |
Labels to apply to the Vault instances. |
map(string) |
{} |
no |
vault_instance_metadata |
Additional metadata to add to the Vault instances. |
map(string) |
{} |
no |
vault_instance_tags |
Additional tags to apply to the instances. Note 'allow-ssh' and 'allow-vault' will be present on all instances. |
list(string) |
[] |
no |
vault_log_level |
Log level to run Vault in. See the Vault documentation for valid values. |
string |
"warn" |
no |
vault_machine_type |
Machine type to use for Vault instances. |
string |
"e2-standard-2" |
no |
vault_max_num_servers |
Maximum number of Vault server nodes to run at one time. The group will not autoscale beyond this number. |
string |
"7" |
no |
vault_min_num_servers |
Minimum number of Vault server nodes in the autoscaling group. The group will not have fewer than this number of nodes. |
string |
"1" |
no |
vault_port |
Numeric port on which to run and expose Vault. |
string |
"8200" |
no |
vault_proxy_port |
Port on which to expose Vault's health status endpoint over HTTP on /. This is required for the health checks to verify Vault's status when using an external load balancer. Only the health status endpoint is exposed, and it is only accessible from Google's load balancer addresses. |
string |
"58200" |
no |
vault_tls_bucket |
GCS bucket override where Vault will expect the TLS certificates to be stored. |
string |
"" |
no |
vault_tls_cert_filename |
GCS object path within the vault_tls_bucket. This is the vault server certificate. |
string |
"vault.crt" |
no |
vault_tls_disable_client_certs |
Use client certificates when provided. You may want to disable this if users will not be authenticating to Vault with client certificates. |
string |
false |
no |
vault_tls_key_filename |
GCS object path within the vault_tls_bucket. This is the Vault TLS private key, stored encrypted and base64-encoded. |
string |
"vault.key.enc" |
no |
vault_tls_kms_key |
Fully qualified name of the KMS key, for example, vault_tls_kms_key = "projects/PROJECT_ID/locations/LOCATION/keyRings/KEYRING/cryptoKeys/KEY_NAME". This key should have been used to encrypt the TLS private key if Terraform is not managing TLS. The Vault service account will be granted the KMS Decrypter role on this key once it is created, so that it can decrypt the key it pulls from the vault_tls_bucket at boot time. This option is required when manage_tls is set to false. |
string |
"" |
no |
vault_tls_kms_key_project |
Project ID where the KMS key is stored. By default, same as project_id |
string |
"" |
no |
vault_tls_require_and_verify_client_cert |
Always require and verify client certificates. You may want to disable this if users will not be authenticating to Vault with client certificates. |
string |
false |
no |
vault_ui_enabled |
Controls whether the Vault UI is enabled and accessible. |
string |
true |
no |
vault_update_policy_type |
Options are OPPORTUNISTIC or PROACTIVE. If PROACTIVE, the instance group manager proactively executes actions in order to bring instances to their target versions. |
string |
"OPPORTUNISTIC" |
no |
vault_version |
Version of Vault to install. This version must be 1.0+ and must be published on the HashiCorp releases service. |
string |
"1.6.0" |
no |