These assets help you to perform the tasks described in the Auto-unseal with Google Cloud KMS tutorial.
- Clone this repository:

  ```shell
  git clone https://github.com/hashicorp-education/learn-gcp-kms-unseal.git
  ```

- Change your working directory to `learn-gcp-kms-unseal`:

  ```shell
  cd learn-gcp-kms-unseal
  ```
- Provide the necessary GCP account information in `terraform.tfvars.example`, and save it as `terraform.tfvars`. Example:

  ```hcl
  gcloud-project    = "vault-test"
  account_file_path = "/tmp/GCP/my-service-account.json"
  ```

  Set `account_file_path` to the location of your Cloud IAM service account key file. This is the service account that Terraform uses to provision GCP resources. If you do not have one, follow the GCP documentation to create a service account and download its JSON key file. That file is a long-lived credential: keep it out of version control (only its path belongs in `terraform.tfvars`).

- This guide expects a Cloud KMS key ring and crypto key to already exist. If you don't have one to use for Vault auto-unseal, un-comment the key ring and key creation part of the `main.tf` file. NOTE: Keep line 93 commented out and use line 92.

  ```hcl
  ...
  # Create a KMS key ring
  resource "google_kms_key_ring" "key_ring" {
    project  = "${var.gcloud-project}"
    name     = "${var.key_ring}"
    location = "${var.keyring_location}"
  }

  # Create a crypto key for the key ring
  resource "google_kms_crypto_key" "crypto_key" {
    name            = "${var.crypto-key}"
    key_ring        = "${google_kms_key_ring.key_ring.self_link}"
    rotation_period = "100000s"
  }

  # Add the service account to the key ring
  resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
    key_ring_id = "${google_kms_key_ring.key_ring.id}"
    # key_ring_id = "${var.gcloud-project}/${var.keyring_location}/${var.key_ring}"
    role        = "roles/owner"
    members = [
      "serviceAccount:${var.service_acct_email}",
    ]
  }
  ```

  NOTE: By default, this creates a Cloud KMS key ring named "test" in the `global` location, and a crypto key named "vault-test".

  Two things to be aware of in the IAM binding above: `google_kms_key_ring_iam_binding` is authoritative for the role it names, so it replaces every other member that holds `roles/owner` on that key ring, and `roles/owner` is far broader than the encrypt, decrypt and key-read permissions the Vault seal actually needs. It is fine for a throwaway test project; narrow it before reusing this in anything else.
  If you are using your own KMS key ring and its crypto key, be sure to set the correct `key_ring` and `crypto_key` values in the `terraform.tfvars` file. Example:

  `terraform.tfvars`:

  ```hcl
  gcloud-project    = "my-project"
  account_file_path = "/usr/gcp/my-project.json"
  key_ring          = "key_ring_name"
  crypto_key        = "crypto_key_name"
  keyring_location  = "global"
  ```

  In the `main.tf` file, comment out line 92 and un-comment line 93, as shown below:

  ```hcl
  ...
  # Add the service account to the key ring
  resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
    # key_ring_id = "${google_kms_key_ring.key_ring.id}"
    key_ring_id = "${var.gcloud-project}/${var.keyring_location}/${var.key_ring}"
    role        = "roles/owner"
    members = [
      "serviceAccount:${var.service_acct_email}",
    ]
  }
  ```
- Terraform commands:

  ```shell
  # Pull necessary plugins
  $ terraform init

  $ terraform plan

  # Output provides the SSH instruction
  $ terraform apply
  ```

- SSH into the provisioned Vault server:

  ```shell
  $ export instance_id=$(terraform output vault_server_instance_id)
  $ export project=$(terraform output project)
  $ gcloud compute ssh ${instance_id} --project ${project}
  ```

- Check the Vault server status:

  ```shell
  $ vault status
  Key                      Value
  ---                      -----
  Recovery Seal Type       gcpckms
  Initialized              false
  Sealed                   true
  Total Recovery Shares    0
  Threshold                0
  Unseal Progress          0/0
  Unseal Nonce             n/a
  Version                  n/a
  HA Enabled               false
  ```
- Initialize Vault:

  ```shell
  $ vault operator init -key-shares=1 -key-threshold=1
  ```

  With a Cloud KMS seal, the shares produced here are recovery keys, not unseal keys: Vault unseals itself through KMS, and the recovery keys are needed only for operations such as generating a new root token. Store them and the initial root token securely; one share with a threshold of 1 is suitable for this test only.

- Stop and start the Vault server:

  ```shell
  $ sudo systemctl restart vault
  ```

- Verify that Vault has auto-unsealed:

  ```shell
  $ vault status
  Key                      Value
  ---                      -----
  Recovery Seal Type       shamir
  Initialized              true
  Sealed                   false
  Total Recovery Shares    1
  Threshold                1
  Version                  1.0.0-beta1
  Cluster Name             vault-cluster-a78acfcd
  Cluster ID               fdfcaf84-6333-8689-a99a-e57d60bf347f
  HA Enabled               false
  ```

  `Sealed` is `false` even though no unseal key was entered after the restart; that is what the Cloud KMS seal provides.
- Explore the Vault configuration file:

  ```shell
  $ cat /test/vault/config.hcl
  ```

- Clean up:

  ```shell
  $ terraform destroy -force
  $ rm -rf .terraform terraform.tfstate* private.key
  ```
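For reference when you read `config.hcl` in the step above, this is what the `seal` stanza for Cloud KMS auto-unseal looks like. It is an added example with placeholder values chosen to match this repository's defaults (key ring `test`, location `global`, crypto key `vault-test`); it is not the file the Terraform code installs, and the credentials path is an assumption.

```hcl
# Added example of the seal stanza a Vault configuration file carries for
# Cloud KMS auto-unseal. Not the repository's config.hcl; every value is a
# placeholder, chosen to match this repo's defaults (key ring "test" in
# location "global", crypto key "vault-test").
seal "gcpckms" {
  # Service account key with permissions on the crypto key. This line can be
  # omitted when Vault runs on a GCE instance whose attached service account
  # already carries the permissions (application default credentials).
  credentials = "/path/to/vault-sa-credentials.json"
  project     = "vault-test"
  region      = "global"
  key_ring    = "test"
  crypto_key  = "vault-test"
}
```

If any of these values is wrong, or the service account lacks permissions on the key, Vault reports the seal error at startup rather than at `vault status`, so the server log is the first place to look when `Sealed` stays `true` after a restart.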