🎉 initial commit

Author: colinwilson

README.md

@@ -0,0 +1,2 @@
+# terraform-docker-vault-dev
+A Terraform module to provision a HashiCorp [Vault](https://learn.hashicorp.com/vault) development container on a Docker host proxied by Traefik v2.3 (see https://github.com/colinwilson/terraform-docker-traefik-v2). See the variables file for the available configuration options.

outputs.tf

@@ -0,0 +1,71 @@
+# Create Vault service
+resource "docker_service" "vault-dev" {
+  name = "vault-dev"
+
+  task_spec {
+    container_spec {
+      image = "vault:${var.image_version}"
+
+      args = ["server"] # automatically loads mounted vault-config.hcl
+
+      env = {
+        VAULT_ADDR = "http://127.0.0.1:8200"
+        VAULT_API_ADDR = "http://127.0.0.1:8200"
+        SKIP_SETCAP = true
+      }
+
+      labels {
+        label = "traefik.enable"
+        value = true
+      }
+
+      labels {
+        label = "traefik.http.routers.vault-dev.rule"
+        value = "Host(`${var.hostname}`)"
+      }
+
+      labels {
+        label = "traefik.http.routers.vault-dev.entrypoints"
+        value = "https"
+      }
+
+      labels {
+        label = "traefik.http.services.vault-dev.loadbalancer.server.port"
+        value = "8200"
+      }
+
+      labels {
+        label = "traefik.http.routers.vault-dev.tls.certresolver"
+        value = "letsEncrypt"
+      }
+
+      configs {
+        config_id   = docker_config.vault_hcl.id
+        config_name = docker_config.vault_hcl.name
+        file_name   = "/vault/config/vault-config.hcl"
+      }
+
+      mounts {
+        source    = docker_volume.vault_data.name
+        target    = "/vault/file"
+        type      = "volume"
+        read_only = false
+      }
+
+      mounts {
+        source    = docker_volume.vault_logs.name
+        target    = "/vault/logs"
+        type      = "volume"
+        read_only = false
+      }
+
+      mounts {
+        source    = docker_volume.vault_policies.name
+        target    = "/vault/policies"
+        type      = "volume"
+        read_only = false
+      }
+    }
+    networks = var.networks
+  }
+}

service.tf

@@ -0,0 +1,9 @@
+resource "docker_config" "vault_hcl" {
+  name = "vault_hcl-${replace(timestamp(), ":", ".")}"
+  data = base64encode(data.template_file.vault_hcl.rendered)
+
+  lifecycle {
+    ignore_changes        = [name]
+    create_before_destroy = true
+  }
+}

service_conf.tf

@@ -0,0 +1,18 @@
+# Required variables
+variable "hostname" {
+  type        = string
+  description = "Hostname for traefik route"
+}
+
+# Optional variables
+variable "networks" {
+  type        = list
+  description = "List of networks to connect Vault to."
+  default     = ["traefik"]
+}
+
+variable "image_version" {
+  type        = string
+  description = "Vault Docker image version."
+  default     = "1.6.0"
+}

variables.tf

@@ -0,0 +1,11 @@
+storage "file" {
+    path    = "/vault/file"
+}
+
+listener "tcp" {
+    address     = "0.0.0.0:8200"
+    tls_disable = true
+}
+
+ui = true
+disable_mlock = true

vault-config.hcl

@@ -0,0 +1,10 @@
+data "local_file" "vault_hcl" {
+  filename = "${path.module}/vault-config.hcl"
+}
+data "template_file" "vault_hcl" {
+  template = "${file("${path.module}/vault-config.hcl")}"
+
+#   vars = {
+#     traefik_network  = var.traefik_network
+#   }
+}

vault_tpl.tf

@@ -0,0 +1,8 @@
+terraform {
+    required_providers {
+        docker = {
+            source = "terraform-providers/docker"
+        }
+    }
+    required_version = ">= 0.13, <= 0.14"
+}

version.tf

@@ -0,0 +1,11 @@
+resource "docker_volume" "vault_data" {
+  name = "vault_data"
+}
+
+resource "docker_volume" "vault_logs" {
+  name = "vault_logs"
+}
+
+resource "docker_volume" "vault_policies" {
+  name = "vault_polices"
+}