This repository provides demo code on how to establish cross-region connections from consumer VPCs to HCP Vault Dedicated using AWS PrivateLink. It includes Terraform code to deploy the complete infrastructure and all necessary DNS configurations.
Step 1: Configure AWS credentials for the account that owns the consumer VPC. For example:

```shell
export AWS_ACCESS_KEY_ID=example
export AWS_SECRET_ACCESS_KEY=example
export AWS_SESSION_TOKEN=example
```

Step 2: Configure HCP credentials (a service principal with access to the project). For example:

```shell
export HCP_CLIENT_ID=example
export HCP_CLIENT_SECRET=example
export HCP_PROJECT_ID=example
```

Step 3: In the tf directory, copy tf/terraform.tfvars.example to terraform.tfvars and set the variables for your environment.

Step 4: In the tf directory, initialize and apply. Review the plan output before approving it.

```shell
terraform init
terraform apply
```

Once the apply finishes, the HCP Vault overview shows that the Vault cluster is private (no public endpoint).
HCP Vault is configured with AWS PrivateLink, which allows the cross-region connection from the consumer VPC in us-east-1.

A VPC Interface Endpoint is created in the consumer VPC using the service name of the HCP Vault endpoint service.

A private hosted zone (PHZ) for hashicorp.cloud is created in Route 53, associated with the consumer VPC, with a CNAME record mapping HCP Vault's private DNS name to the Interface Endpoint's DNS entry. This is essential: clients must keep connecting with the cluster's own hostname so that the server certificate presented through the endpoint still validates, instead of addressing the endpoint's *.vpce.amazonaws.com name directly. Note that a PHZ for hashicorp.cloud overrides public resolution of that whole domain inside the associated VPC, so any other hashicorp.cloud name the VPC needs must also be defined in it.
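As an added example (not the repository's own tf/ code), here is the consumer-side Terraform that the three items above describe: a security group, the interface endpoint, the private hosted zone and the CNAME. The variable names, the vault_endpoint_service_name value and the service_region argument are assumptions: the service name comes from the cluster's PrivateLink configuration in HCP (where the consumer AWS account must already be allowed), and service_region requires an AWS provider version that supports cross-region interface endpoints.

```hcl
# Added example, not code from the repository. Inputs are assumed:
#   consumer_vpc_id / consumer_subnet_ids / consumer_vpc_cidr  - the consumer VPC
#   vault_endpoint_service_name - copied from the cluster's PrivateLink page in HCP
#   hcp_region                  - AWS region the HCP Vault cluster runs in
#   vault_private_hostname      - host part of the cluster's private URL

variable "consumer_vpc_id" { type = string }
variable "consumer_subnet_ids" { type = list(string) }
variable "consumer_vpc_cidr" { type = string }
variable "hcp_region" { type = string }

# Placeholder shape only; the real value is shown by HCP once the
# consumer account is added to the cluster's PrivateLink configuration.
variable "vault_endpoint_service_name" { type = string }

# Placeholder; e.g. the host part of https://<cluster>.hashicorp.cloud:8200
variable "vault_private_hostname" { type = string }

# Only the consumer VPC's own address space may reach the endpoint ENIs on 8200.
resource "aws_security_group" "vault_endpoint" {
  name        = "hcp-vault-endpoint"
  description = "Inbound Vault API from the consumer VPC only"
  vpc_id      = var.consumer_vpc_id

  ingress {
    from_port   = 8200
    to_port     = 8200
    protocol    = "tcp"
    cidr_blocks = [var.consumer_vpc_cidr]
  }
  # No egress rule: the endpoint ENIs only receive connections.
}

# Interface endpoint in the consumer VPC pointing at HCP's endpoint service.
resource "aws_vpc_endpoint" "vault" {
  vpc_id             = var.consumer_vpc_id
  service_name       = var.vault_endpoint_service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.consumer_subnet_ids
  security_group_ids = [aws_security_group.vault_endpoint.id]

  # Cross-region PrivateLink: the service lives in the HCP cluster's region,
  # not in the consumer VPC's region. Assumes a provider version that
  # supports service_region on aws_vpc_endpoint.
  service_region = var.hcp_region

  # HCP's endpoint service does not publish a private DNS name, so the Vault
  # hostname is mapped with our own private hosted zone below instead.
  private_dns_enabled = false
}

# Private hosted zone for hashicorp.cloud, associated with the consumer VPC.
# Inside this VPC it shadows the public hashicorp.cloud zone entirely, so any
# other hashicorp.cloud name the VPC needs must also be added here.
resource "aws_route53_zone" "hashicorp_cloud" {
  name = "hashicorp.cloud"

  vpc {
    vpc_id = var.consumer_vpc_id
  }
}

# CNAME from the cluster's private hostname to the endpoint's regional DNS name.
# Clients keep using the cluster hostname, so the server certificate still
# matches and TLS verification stays on; the endpoint's *.vpce.amazonaws.com
# name is never used as VAULT_ADDR.
resource "aws_route53_record" "vault_private" {
  zone_id = aws_route53_zone.hashicorp_cloud.zone_id
  name    = var.vault_private_hostname
  type    = "CNAME"
  ttl     = 60
  records = [aws_vpc_endpoint.vault.dns_entry[0].dns_name]
}

# Address to hand to clients in the consumer VPC; TLS validation works as-is.
output "vault_addr" {
  value = "https://${var.vault_private_hostname}:8200"
}
```

Keep private_dns_enabled off deliberately: turning it on only works for endpoint services that publish a private DNS name, and the CNAME record is what preserves the hostname the certificate was issued for. A 60 second TTL keeps recovery quick if the endpoint is recreated and its regional DNS name changes.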
Connect to the EC2 instance using AWS Systems Manager Session Manager (no SSH port or key pair is needed). Then run the following to set the environment variables and get the Vault status. A successful `vault status` over the private address shows that the request reached the cluster through the endpoint and that Vault is unsealed.

Note: Environment variables needed to connect to Vault are pre-loaded into /etc/profile.d/vault.sh. If that file also holds a Vault token, keep in mind that /etc/profile.d is readable by every user on the instance; that is acceptable for a throwaway demo, not for anything longer-lived.

```shell
source /etc/profile.d/vault.sh
vault status
```

List the current secrets engines, enable KV V2 (versioned key/value) and list the secrets engines again to confirm it is mounted:
```shell
vault secrets list
vault secrets enable kv-v2
vault secrets list
```

When finished, run destroy in the tf directory. Review the destroy output before approving it.

```shell
terraform destroy
```