Vault Google Cloud Run Module

This is a Terraform module to deploy a Vault instance on Google's Cloud Run service. Vault is an open-source secrets management tool that generally is run in a high-availability (HA) cluster. This implementation is a single instance with auto-unseal and no HA support. Cloud Run is a way to easily run a container on Google Cloud without an orchestrator. This module makes use of the following Google Cloud resources:


Getting Started

To get started, a Google Cloud Project is needed. This should be created ahead of time or using Terraform, but is outside the scope of this module. This project ID is provided to the module invocation and a basic implementation would look like the following:

provider "google" {}

data "google_client_config" "current" {}

module "vault" {
  providers = {
    google = google
  }

  source      = "git::https://github.com/mbrancato/terraform-google-vault.git"
  name        = "vault"
  project     = data.google_client_config.current.project
  location    = data.google_client_config.current.region
  vault_image = "us.gcr.io/${data.google_client_config.current.project}/vault:1.6.1"
}

After creating the resources, the Vault instance may be initialized.

Set the VAULT_ADDR environment variable. See Vault URL.

$ export VAULT_ADDR=https://vault-jsn3uj5s1c-sg.a.run.app

Ensure the vault is operational (might take a minute or two), uninitialized and sealed.

$ vault status
Key                      Value
---                      -----
Recovery Seal Type       gcpckms
Initialized              false
Sealed                   true
Total Recovery Shares    0
Threshold                0
Unseal Progress          0/0
Unseal Nonce             n/a
Version                  n/a
HA Enabled               false

Initialize the vault.

$ vault operator init
Recovery Key 1: ...
Recovery Key 2: ...
Recovery Key 3: ...
Recovery Key 4: ...
Recovery Key 5: ...

Initial Root Token: s....

Success! Vault is initialized

Recovery key initialized with 5 key shares and a key threshold of 3. Please
securely distribute the key shares printed above.

From here, Vault is operational. Configure the auth methods and other settings needed. The Cloud Run service may scale the container to zero, but the server configuration and unseal key are persisted outside the container, so when a new instance starts Vault unseals itself automatically using Google Cloud KMS. For more information on deploying Vault, read Deploy Vault.
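The initialization steps above are easy to script but have two traps: `vault status` exits non-zero while the server is sealed (so a naive `set -e` script aborts on a healthy fresh server), and Cloud Run may not be serving yet when Terraform returns. The following script is an added example, not part of the terraform-google-vault module. It assumes VAULT_ADDR is exported and the vault CLI is on PATH, parses the JSON form of `vault status` without jq, polls until the service answers, and runs `vault operator init` only when the server is still uninitialized and sealed, writing the recovery keys and root token to a file with restrictive permissions instead of leaving them in terminal scrollback. The status JSON samples embedded in it are constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not part of the module): initialize a Cloud Run-hosted Vault
# once it is reachable, and only if it has not been initialized already.
# Assumes VAULT_ADDR is exported and the vault CLI is on PATH.

# Read one boolean field (e.g. initialized, sealed) out of the JSON printed by
# `vault status -format=json`. Whitespace is stripped first so multi-line
# output collapses to one line for the POSIX sed expression.
status_field() {
  printf '%s\n' "$1" | tr -d ' \t\n\r' | sed -n "s/.*\"$2\":\([a-z]*\).*/\1/p"
}

# Return 0 when the status JSON describes a fresh server (initialized=false,
# sealed=true), 1 when it is already initialized, and 2 when the fields are
# missing (e.g. the service returned an error page instead of JSON).
vault_needs_init() {
  initialized=$(status_field "$1" initialized)
  sealed=$(status_field "$1" sealed)
  [ -n "$initialized" ] && [ -n "$sealed" ] || return 2
  [ "$initialized" = false ] && [ "$sealed" = true ]
}

# Poll until the service answers with parseable status JSON and print it.
# `vault status` exits 2 while sealed, so its exit code is deliberately
# ignored here; the JSON body decides the next step.
wait_for_vault() {
  attempts=${1:-30}
  while [ "$attempts" -gt 0 ]; do
    json=$(vault status -format=json 2>/dev/null) || true
    if [ -n "$(status_field "$json" sealed)" ]; then
      printf '%s\n' "$json"
      return 0
    fi
    attempts=$((attempts - 1))
    sleep 5
  done
  return 1
}

initialize_if_fresh() {
  json=$(wait_for_vault) || { echo "vault did not become reachable" >&2; return 1; }
  if vault_needs_init "$json"; then
    # Recovery keys and the root token go to stdout; capture them into a
    # mode-0600 file (umask in a subshell so the caller's umask is untouched).
    ( umask 077 && vault operator init > vault-init.txt )
    echo "initialized; recovery keys and root token written to vault-init.txt" >&2
  else
    echo "vault is already initialized; nothing to do" >&2
  fi
}

# Constructed sample of `vault status -format=json` from a fresh auto-unseal
# server (not captured from a real deployment).
SAMPLE_UNINIT='{
  "type": "gcpckms",
  "initialized": false,
  "sealed": true,
  "t": 0,
  "n": 0,
  "progress": 0,
  "nonce": "",
  "version": "",
  "migration": false,
  "recovery_seal": true,
  "storage_type": "gcs"
}'

# Constructed sample from a server that has already been initialized.
SAMPLE_INITIALIZED='{"type":"gcpckms","initialized":true,"sealed":false,"t":3,"n":5,"recovery_seal":true,"storage_type":"gcs"}'

# Entry point: only talks to a real server when explicitly asked, so sourcing
# this file for its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
  initialize_if_fresh
fi
```

Run it as `sh init-vault.sh --run` after `export VAULT_ADDR=...`; the recovery keys land in `vault-init.txt`, which should be moved into the team's secret store and deleted from the workstation, since with auto-unseal those keys are what authorizes recovery operations against the cluster.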

Variables

name

location

project

vault_image

bucket_force_destroy (optional)

container_concurrency (optional)

vpc_connector (optional)

vault_ui (optional)

vault_api_addr (optional)

vault_kms_keyring_name (optional)

vault_kms_key_rotation (optional)

vault_kms_key_algorithm (optional)

vault_kms_key_protection_level (optional)

vault_service_account_id (optional)

vault_storage_bucket_name (optional)

Security Concerns

The following things may be of concern from a security perspective:

Caveats

PLEASE READ

Google Cloud Container Registry

Cloud Run will only run containers hosted on gcr.io (GCR) and its subdomains. This means the Vault container must be pushed to GCR in the Google Cloud project. Terraform cannot currently create the container registry; it is created automatically on the first docker push. Read the documentation for more details on pushing containers to GCR.

A quick way to get Vault into GCR for a GCP project:

# Let docker authenticate to GCR with your gcloud credentials
gcloud auth configure-docker
# Pull the pinned Vault release (the tag pulled must match the tag retagged below)
docker pull hashicorp/vault:1.6.1
docker tag hashicorp/vault:1.6.1 gcr.io/{{ project_id }}/vault:1.6.1
docker push gcr.io/{{ project_id }}/vault:1.6.1