Deploy a Consul to protect the Vault
• Mark Eschbach
Today I hope to stand up a Vault cluster. If all goes well perhaps I may avoid the need to set up Consul too, just to simplify things.
First up on the docket is creating a new set of subnets and related facets. The Vault cluster should run in multiple AZs; however, they should have very strictly controlled access from all elements within the cluster. Our VPC file happened to house our entire network configuration. This wasn't such a big problem when we only had a handful of instance types and rules. Now that we have approached the DoD CC SRG the entire file is large. I routinely get lost in the 1 KSLOC file given many of the structures are the same.
I'm piloting a new approach with many VPC files. Each file will contain a subnet of the system intended to serve a specific function. For instance there is one specific to our ECS deployment which contains the subnet declaration, security group, and network ACL. I am not entirely sold this is the best approach, but we will see where the system fails. At least I know where to start on the new subnet. I think we are slowly approaching the point where I will need to break some of the ECS stuff out.
Hmm…we may have created an indirection monster within our Terraform modules. I'm not able to easily discern the subnet structure. At the core of the indirection there is cidrsubnet/3. Fairly straightforward; however, a Google search returns all the functions available for interpolation. fishingcatblog does a much better job at concisely expressing the issue.
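The cidrsubnet/3 indirection is easier to untangle once you can compute it outside Terraform. The following is an added example, not code from the original post: a Python reimplementation of Terraform's cidrsubnet(prefix, newbits, netnum) (same semantics as the interpolation function, including the range checks it rejects), a small planner that carves one subnet per function and AZ, and an overlap check to run before trusting a hand-rolled layout for something like the Vault subnets. The VPC range 10.0.0.0/16, the function list and the netnum layout rule are constructed for illustration and are not from the post.

```python
import ipaddress
from itertools import combinations


def cidrsubnet(prefix: str, newbits: int, netnum: int) -> str:
    """Python equivalent of Terraform's cidrsubnet(prefix, newbits, netnum).

    Extends `prefix` by `newbits` bits and returns the `netnum`-th subnet of
    that size, e.g. cidrsubnet("10.0.0.0/16", 8, 2) -> "10.0.2.0/24".
    Raises ValueError for the inputs Terraform also rejects.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    new_len = net.prefixlen + newbits
    if newbits < 0 or new_len > net.max_prefixlen:
        raise ValueError(f"cannot extend /{net.prefixlen} by {newbits} bits")
    if not 0 <= netnum < (1 << newbits):
        raise ValueError(f"netnum {netnum} out of range for {newbits} new bits")
    host_bits = net.max_prefixlen - new_len
    base = int(net.network_address) + (netnum << host_bits)
    return str(ipaddress.ip_network((base, new_len)))


def plan_subnets(vpc_cidr: str, functions, azs, newbits: int = 8) -> dict:
    """Carve one subnet per (function, AZ) pair out of vpc_cidr.

    Hypothetical layout rule for this example (not the post's modules):
    function i in AZ j gets netnum = i * len(azs) + j, so each function's
    subnets are contiguous and a new function never collides with an old one.
    Returns {(function, az): cidr}.
    """
    plan = {}
    for i, fn in enumerate(functions):
        for j, az in enumerate(azs):
            plan[(fn, az)] = cidrsubnet(vpc_cidr, newbits, i * len(azs) + j)
    return plan


def overlapping(cidrs) -> list:
    """Return every pair of CIDRs that overlap; an empty list means the plan is sound."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample: two functions across three AZs in an assumed /16.
    plan = plan_subnets("10.0.0.0/16", ["ecs", "vault"], ["us-east-1a", "us-east-1b", "us-east-1c"])
    for (fn, az), cidr in plan.items():
        print(f"{fn:6} {az:11} {cidr}")
    print("overlaps:", overlapping(plan.values()))
```

The overlap check is the part worth keeping around: when subnet CIDRs are assembled through several module layers it is easy to end up with two functions sharing a netnum, and a security group that looks AZ-scoped then quietly covers more hosts than intended.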
After a little bit of work I've got a few EC2 hosts spun up. I've been bitten by a network problem though. The new hosts can't access the internet, which means I can't get the AWS CloudWatch agent installed. I think the ROI will be higher if I bypass the network security right now, but it really pains me to do so. Gar! Apparently Terraform, at least for v0.8.8, gets really angry when you manually delete network access control lists. The only way to clean it up is to use terraform state rm {object-to-delete} …repeatedly. Hey! You can apparently pass several addresses to terraform state rm and delete multiple nodes at the same time.
Tomorrow I shall wrestle with the network ACL bears. I must now train.