hashicorp / vault-guides

Example usage of HashiCorp Vault secrets management

License: Mozilla Public License 2.0

Ruby 2.24% Shell 34.57% HCL 30.57% HTML 0.59% C# 3.00% Makefile 0.62% JavaScript 12.43% Java 0.76% Smarty 0.27% Dockerfile 0.37% Lua 3.47% Go 10.43% TSQL 0.02% CSS 0.66%
Topics: vault, secrets

vault-guides's Introduction



Vault-Guides

This repository provides the technical content to support the Vault learn site.

Operations

This area will contain instructions to operationalize Vault.

Secrets

This directory contains example use cases involving secrets management.

Identity

This directory contains example use cases involving identity.

Encryption

This directory contains example use cases involving encryption as a service.

Assets

This directory contains graphics and other material for the repository.

gitignore.tf Files

You may notice gitignore.tf files in some directories. The repository's .gitignore ignores any .tf file whose name contains the word "gitignore".

If you have local Terraform configuration that you want kept out of version control (for example a backend configuration, which can carry state-bucket names or credentials), put it in a new file in that directory, separate from gitignore.tf, whose name contains the word "gitignore" (e.g. backend.gitignore.tf); git will not report it as a change. To confirm that a file is covered, run git check-ignore -v backend.gitignore.tf, which prints the .gitignore rule that matches it.

Contributing

We welcome contributions and feedback! For guide submissions, please see the contributions guide

vault-guides's People

Contributors

adammohammed, andrew-klaas, bensojona, brianshumate, calvn, cneralich, dependabot[bot], fraserpol, greenbrian, grove-mountain, guybarros, hashitop, jboero, jdfriedma, jgerson, joatmon08, kawsark, kwagga, lanceplarsen, mister-ken, mtharpe, petems, rberlind, rgevaert, scarolan, stenio123, tdsacilowski, tyrannosaurus-becks, whatsaranjit, yhyakuna


vault-guides's Issues

encryption/vault-transit-rewrap throws an error when parsing dates from RandomUser

I get the following error when running the Transit Rewrap example:

Unhandled Exception: Newtonsoft.Json.JsonReaderException: Unexpected character encountered while parsing value: {. Path 'results[0].dob', line 1, position 664.
   at Newtonsoft.Json.JsonTextReader.ReadStringValue(ReadType readType)
   at Newtonsoft.Json.JsonTextReader.ReadAsString()
   at Newtonsoft.Json.JsonReader.ReadForType(JsonContract contract, Boolean hasConverter)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateList(IList list, JsonReader reader, JsonArrayContract contract, JsonProperty containerProperty, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateList(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, Object existingValue, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.SetPropertyValue(JsonProperty property, JsonConverter propertyConverter, JsonContainerContract containerContract, JsonProperty containerProperty, JsonReader reader, Object target)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.PopulateObject(Object newObject, JsonReader reader, JsonObjectContract contract, JsonProperty member, String id)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.CreateObject(JsonReader reader, Type objectType, JsonContract contract, JsonProperty member, JsonContainerContract containerContract, JsonProperty containerMember, Object existingValue)
   at Newtonsoft.Json.Serialization.JsonSerializerInternalReader.Deserialize(JsonReader reader, Type objectType, Boolean checkAdditionalContent)
   at Newtonsoft.Json.JsonSerializer.DeserializeInternal(JsonReader reader, Type objectType)
   at Newtonsoft.Json.JsonConvert.DeserializeObject(String value, Type type, JsonSerializerSettings settings)
   at Newtonsoft.Json.JsonConvert.DeserializeObject[T](String value, JsonSerializerSettings settings)
   at RewrapExample.WebHelper.<GetUserRecordsAsync>d__2.MoveNext() in /Users/jkodroff/src/vault-guides/encryption/vault-transit-rewrap/WebHelper.cs:line 36
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at RewrapExample.Program.<SeedDB>d__3.MoveNext() in /Users/jkodroff/src/vault-guides/encryption/vault-transit-rewrap/Program.cs:line 60
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at RewrapExample.Program.Main(String[] args) in /Users/jkodroff/src/vault-guides/encryption/vault-transit-rewrap/Program.cs:line 40

And here's what I believe is the relevant part of the JSON payload:

      "dob": {
        "date": "1993-06-09T14:45:48Z",
        "age": 25
      },

I've verified that JSONLint thinks the payload is valid JSON.

Unfortunately, adding this to Program.Main() did not help:

            JsonConvert.DefaultSettings = () => new JsonSerializerSettings
            {
                DateParseHandling = DateParseHandling.None
            };

ExampleApp is logging errors during start

When starting the container on Minikube, the ExampleApp logs errors

k logs exampleapp-8d69ff48d-nc4zp

[2020-03-13 09:37:04] INFO WEBrick 1.4.2
[2020-03-13 09:37:04] INFO ruby 2.6.2 (2019-03-13) [x86_64-linux]
[2020-03-13 09:37:04] INFO WEBrick::HTTPServer#start: pid=1 port=8080
2020-03-13 09:37:47 - NoMethodError - undefined method `[]' for nil:NilClass:
/app/lib/service.rb:51:in `block in <class:ExampleApp>'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1635:in `call'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1635:in `block in compile!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:987:in `block (3 levels) in route!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1006:in `route_eval'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:987:in `block (2 levels) in route!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1035:in `block in process_route'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1033:in `catch'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1033:in `process_route'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:985:in `block in route!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:984:in `each'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:984:in `route!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1097:in `block in dispatch!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1071:in `block in invoke'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1071:in `catch'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1071:in `invoke'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1094:in `dispatch!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:919:in `block in call!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1071:in `block in invoke'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1071:in `catch'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:1071:in `invoke'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:919:in `call!'
/usr/local/bundle/gems/sinatra-2.0.7/lib/sinatra/base.rb:908:in `call'
/usr/local/bundle/gems/rack-protection-2.0.7/lib/rack/protection/xss_header.rb:18:in `call'
/usr/local/bundle/gems/rack-protection-2.0.7/lib/rack/protection/path_traversal.rb:16:in `call'
/usr/local/bundle/gems/rack-protection-2.0.7/lib/rack/protection/json_csrf.rb:26:in `call'
/usr/local/bundle/gems/rack-protection-2.0.7/lib/rack/protection/base.rb:50:in `call'
/usr/local/bundle/gems/rack-protection-2.0.7/lib/rack/protection/base.rb:50:in `call'
/usr/local/bundle/gems/rack-protection-2.0.7/lib/rack/protection/frame_options.rb:31:in `call'

Cluster does not resume normal operation after Recovery mode

Under https://learn.hashicorp.com/vault/operations/raft-storage-aws#resume-normal-operations
The Vault_3 is listed as the only member in the cluster.

I stopped and tried to force the join of the cluster by Vault_2 and Vault_4, but they will not join Vault_3, the one where the recovery procedure was run.

Can you please clarify what needs to be done to return the cluster to its initial state of 3 nodes.

Cluster reset: When a node is brought up in recovery mode, it resets the list of cluster members. This means that when resuming normal operations, each node will need to rejoin the cluster.

I tried this but got the following errors back... from Vault_2 and Vault_4

Error joining the node to the raft cluster: Error making API request.

URL: POST http://127.0.0.1:8200/v1/sys/storage/raft/join
Code: 500. Errors:

* raft storage is already initialized

Vault raft storage local guide: ./cluster.sh setup vault_1 error - failed to read environment: open /etc/vault.d/client-certs/client-cert.pem: no such file or directory

$ vault --version
Vault v1.5.3 (9fcd81405feb320390b9d71e15a691c3bc1daeef)

Following the local raft Vault cluster guide:

$ ./cluster.sh setup vault_1

[vault_1] starting Vault server @ http://127.0.0.1:8200

[vault_1] initializing and capturing the unseal key and root token
failed to read environment: open /etc/vault.d/client-certs/client-cert.pem: no such file or directory

The log file:

==> Vault server configuration:

             Api Address: http://127.0.0.1:8200
                     Cgo: disabled
         Cluster Address: https://127.0.0.1:8201
              Go Version: go1.14.7
              Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
               Log Level: trace
                   Mlock: supported: true, enabled: false
           Recovery Mode: false
                 Storage: inmem
                 Version: Vault v1.5.3
             Version Sha: 9fcd81405feb320390b9d71e15a691c3bc1daeef

==> Vault server started! Log data will stream in below:

2020-09-15T22:30:50.645+1000 [INFO]  proxy environment: http_proxy= https_proxy= no_proxy=
2020-09-15T22:30:50.646+1000 [DEBUG] storage.cache: creating LRU cache: size=0
2020-09-15T22:30:50.646+1000 [DEBUG] cluster listener addresses synthesized: cluster_addresses=[127.0.0.1:8201]

The vault_1 configuration:

storage "inmem" {}
listener "tcp" {
  address = "127.0.0.1:8200"
  tls_disable = true
}
disable_mlock = true

KMS looks to us-east-1 when running in a different region

All my services run in eu-west-1, so I modified the /operations/aws-kms-unseal-ha/terraform to use that region:

aws-kms-unseal-ha/terraform/variables.tf:

variable aws_region {
  default = "eu-west-1"
}

userdata.tpl:

cat << EOF > /etc/vault.d/vault.hcl
storage "consul" {
  address = "127.0.0.1:8500"
}
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}
seal "awskms" {
  aws_region = "${aws_region}"
  kms_key_id = "${kms_key}"
}
ui=true
EOF

However, when the vault service starts, it looks to region us-east-1 for its KMS seal key:

# vault server -config /etc/vault.d -log-level DEBUG
Error parsing Seal configuration: error fetching AWS KMS sealkey information: NotFoundException: Key 'arn:aws:kms:us-east-1:507527533403:key/c769aa01-5e52-4be2-981e-ecc43d1bd0ef' does not exist

This is correct: the key referenced above does exist but in eu-west-1. Why is vault looking to us-east-1 even though it is configured to use eu-west-1?

Image is not found

Am trying out the https://github.com/hashicorp/vault-guides/tree/master/operations/provision-vault/quick-start/terraform-aws

When I do a terraform plan it tells me that

Error: Error refreshing state: 1 error(s) occurred:

* data.aws_ami.base: 1 error(s) occurred:

* data.aws_ami.base: data.aws_ami.base: Your query returned no results. Please change your search criteria and try again.

I am using the default terraform scripts

The AMI name is as per RHEL-7.3_HVM_GA- and in the AWS console I can find RHEL-7.3_HVM_GA-20161026-x86_64-1-Hourly2-GP2 - ami-2c95344f

Is there anything I am missing?

Adrian

Consul template is not reading token in $HOME./vault

I tried following the example in vault-agent-k8s-demo using gke instead of minikube. Consul-template container keeps failing, and when I run "kubectl logs vault-agent-example consul-template", I see the following error in the logs:

2019/01/01 16:18:14.061809 [WARN] (view) vault.read(secret/myapp/config): vault.read(secret/myapp/config): Error making API request.

URL: GET http://xx.xxx.xx.xx:8200/v1/secret/myapp/config
Code: 400. Errors:

  • missing client token (retry attempt 4 after "8s")

I'm able to see the token when I exec into the vault-agent container with the following commands

$ kubectl exec -it vault-agent-example --container vault-agent-auth sh

/# echo $(cat /home/vault/.vault-token)

Also, I'm able to successfully authenticate with the token obtain with the command above using the CLI.

The consul template container also works when I hard code a valid token in the nano example-k8s-spec.yml as an environment variable.

All files in the repo were unaltered except for the nano example-k8s-spec.yml file, as I had to point the Vault URL to my vault service.

operations/provision-vault/dev/terraform-aws gives errors

Today's branch:

$ git rev-parse HEAD
001485be5f35bc20f4a092cd36fc82f2b7117ec1

Version built with go get github.com/hashicorp/terraform:

$ terraform -v
Terraform v0.11.8-dev
+ provider.aws v1.24.0
+ provider.null v1.0.0
+ provider.random v1.3.1
+ provider.template v1.0.0
+ provider.tls v1.1.0

Yes, my AWS region is already configured:

$ cat ~/.aws/config
[default]
output = json
region = us-east-1

I'm running in an EC2 instance under a role with full privileges

$ curl 169.254.169.254/latest/meta-data/iam/security-credentials/AWS_Admin
{
  "Code" : "Success",
  "LastUpdated" : "2018-06-23T01:12:19Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "...redacted...",
  "SecretAccessKey" : "...redacted...",
  "Token" : "...redacted...",
  "Expiration" : "2018-06-23T07:43:49Z"
}
$ pwd
/home/ji/workspace/vault-guides/operations/provision-vault/dev/terraform-aws
$ terraform apply
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: us-east-1

provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: us-east-1

provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value: us-east-1


Error: module.consul_lb_aws.provider.aws: "region": required field is not set

Error: module.network_aws.module.bastion_consul_client_sg.provider.aws: "region": required field is not set

Error: module.network_aws.module.consul_auto_join_instance_role.provider.aws: "region": required field is not set

Error: module.network_aws.module.ssh_keypair_aws.provider.aws: "region": required field is not set

Error: module.network_aws.provider.aws: "region": required field is not set

Error: module.ssh_keypair_aws.provider.aws: "region": required field is not set

Error: module.vault_aws.module.consul_auto_join_instance_role.provider.aws: "region": required field is not set

Error: module.vault_aws.module.vault_server_sg.provider.aws: "region": required field is not set

Error: module.vault_aws.provider.aws: "region": required field is not set

Vagrant file corrections

vault-guides/identity/ssh-ca/vagrant-local

  • Vagrant file fails on client VM portion because it is calling the vault object instead of the client object
  • Using sync_hosts to dynamically update hosts file instead of using a static entry

(Best-Practices) Your query returned no results. Please change your search criteria and try again

Hi,
I have this error when I try the best-practices example on AWS (vault-guides/operations/provision-vault/best-practices/terraform-aws)

$ terraform plan
provider.aws.region
  The region where AWS operations will take place. Examples
  are us-east-1, us-west-2, etc.

  Default: us-east-1
  Enter a value:

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.aws_availability_zones.main: Refreshing state...
data.aws_elb_service_account.vault_lb_access_logs: Refreshing state...
data.aws_elb_service_account.consul_lb_access_logs: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_ami.hashistack: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_ami.consul: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_ami.vault: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...

Error: Error refreshing state: 3 error(s) occurred:

* module.vault_aws.data.aws_ami.vault: 1 error(s) occurred:

* module.vault_aws.data.aws_ami.vault: data.aws_ami.vault: Your query returned no results. Please change your search criteria and try again.
* module.network_aws.data.aws_ami.hashistack: 1 error(s) occurred:

* module.network_aws.data.aws_ami.hashistack: data.aws_ami.hashistack: Your query returned no results. Please change your search criteria and try again.
* module.consul_aws.data.aws_ami.consul: 1 error(s) occurred:

* module.consul_aws.data.aws_ami.consul: data.aws_ami.consul: Your query returned no results. Please change your search criteria and try again.

I didn't make any changes, only a '$ git clone', '$ terraform init' and a '$ terraform plan'.

Thank you.

There seems to be an issue with the variable section and also with the multi-line syntax

[root@ip-172-31-25-193 terraform-aws]# terraform init
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Reserved argument name in module block

on main.tf line 148, in module "consul_aws":
148: count = var.consul_servers

The name "count" is reserved for use in a future version of Terraform.

Error: Reserved argument name in module block

on main.tf line 199, in module "vault_aws":
199: count = var.vault_servers

The name "count" is reserved for use in a future version of Terraform.

Error: Invalid variable name

on variables.tf line 16, in variable "provider":
16: variable "provider" {

The variable name "provider" is reserved due to its special meaning inside
module blocks.

Error: Invalid multi-line string

on outputs.tf line 29, in output "zREADME":
29:
30:

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.

Error: Invalid multi-line string

on outputs.tf line 30, in output "zREADME":
30:
31:

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.

Error: Invalid multi-line string

on outputs.tf line 31, in output "zREADME":
31:
33:

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.

user vaults

We have been trying to implement Vault as our secret manager before connecting it to AWS and GCP. After some tests using templates we are facing some problems. How can we create vaults for users without manual interaction? That is, after creating a user I want him to have access to his own kv/users/username. We know that is possible for template access rights, but is automatic vault creation possible? Where can I find docs about this?

vault operator init not writing to stdout in minikube container

I'm having a small problem in regard to initializing the Vault.

https://learn.hashicorp.com/tutorials/vault/kubernetes-minikube?in=vault/kubernetes#initialize-and-unseal-vault

The execution of the following command somehow does not allow the vault executable to write to stdout inside of the container.

$ kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > cluster-keys.json
E0429 14:43:35.844536   15260 v2.go:151] write /dev/stdout: permission denied

I'm using the official helm chart (generated the k8s manifest files with the "getting started " values) and applied those to a local minikube installation.

It's possible to execute bash and see the output inside of the container, but sadly not outside, which would be nice for automation.

Is operations/aws-kms-unseal/terraform-aws/userdata.tpl missing access_key and secret_key?

According to https://www.vaultproject.io/docs/configuration/seal/awskms it needs access_key and secret_key.

cat << EOF > /etc/vault.d/vault.hcl
storage "file" {
path = "/opt/vault"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = 1
}
seal "awskms" {
region = "${aws_region}"
kms_key_id = "${kms_key}"
}
ui=true
EOF
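Added example (not code from vault-guides or HashiCorp) that checks the seal stanza in either of the userdata templates above before Vault is started. It covers both questions raised on this page: in the KMS region issue the stanza sets aws_region, but the awskms seal reads its region from a parameter named region (the template just above uses that name), and with no region set the seal falls back to us-east-1, which is where the key was then looked up; and access_key/secret_key can be left out of the stanza when the instance profile or environment supplies credentials, which is preferable because user data is readable from the instance metadata service by any process on the box. The parser handles only the flat key = "value" form these templates use; the sample stanzas, key id and account id are constructed, and the set of recognised parameter names and the us-east-1 default are assumptions taken from the awskms seal documentation.

```python
"""Check an awskms seal stanza before starting Vault.

Added example, not code from vault-guides or HashiCorp. Parses only the flat
key = "value" form used in the userdata templates; sample stanzas, key id and
account id are constructed. KNOWN_SEAL_KEYS and DEFAULT_REGION are assumed to
match the awskms seal documentation.
"""
import re
from typing import Dict, List, Optional

KNOWN_SEAL_KEYS = {"region", "access_key", "secret_key", "session_token",
                   "kms_key_id", "endpoint"}
# Region the seal uses when neither the stanza nor the environment sets one.
DEFAULT_REGION = "us-east-1"
ARN_RE = re.compile(r"^arn:aws[\w-]*:kms:(?P<region>[a-z0-9-]+):\d{12}:(key|alias)/")


def parse_seal_stanza(hcl: str, seal_type: str = "awskms") -> Dict[str, str]:
    """Return the key/value pairs of the first seal "<type>" { ... } block."""
    block = re.search(r'seal\s+"' + re.escape(seal_type) + r'"\s*\{(.*?)\}', hcl, re.S)
    if not block:
        raise ValueError(f'no seal "{seal_type}" stanza found')
    pairs = re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', block.group(1), re.M)
    return dict(pairs)


def check_awskms_seal(stanza: Dict[str, str], env_region: Optional[str] = None) -> List[str]:
    """Return human-readable problems; an empty list means the stanza looks sane."""
    problems = []
    for key in stanza:
        if key not in KNOWN_SEAL_KEYS:
            hint = " (did you mean region?)" if key.endswith("region") else ""
            problems.append(f"unknown parameter {key!r}{hint}; Vault ignores it")
    effective = stanza.get("region") or env_region or DEFAULT_REGION
    key_id = stanza.get("kms_key_id", "")
    if not key_id:
        problems.append("kms_key_id is missing")
    arn = ARN_RE.match(key_id)
    if arn and arn.group("region") != effective:
        problems.append(f"kms_key_id is in {arn.group('region')} but the seal will "
                        f"call KMS in {effective}")
    if "secret_key" in stanza or "access_key" in stanza:
        problems.append("static AWS credentials in the seal stanza: user data is "
                        "readable from instance metadata, prefer an instance profile")
    return problems


# Constructed: the stanza from the region issue above, with a placeholder key id.
WRONG_KEY_NAME = '''
seal "awskms" {
  aws_region = "eu-west-1"
  kms_key_id = "11111111-2222-3333-4444-555555555555"
}
'''

# Constructed: the same intent using the parameter the seal reads, and an ARN
# so the key's region is visible in the config itself.
CORRECTED = '''
seal "awskms" {
  region     = "eu-west-1"
  kms_key_id = "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555"
}
'''

if __name__ == "__main__":
    for name, cfg in (("wrong", WRONG_KEY_NAME), ("corrected", CORRECTED)):
        print(name, check_awskms_seal(parse_seal_stanza(cfg)) or "ok")
```

Referencing the key by ARN rather than bare id is worth the extra characters: a region mismatch then shows up in the config review instead of as a NotFoundException at unseal time.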

Provision Vault keeps failing for Best Practice and Quick Start

plans fails with the following error:

  • module.vault_aws.aws_autoscaling_group.vault: 1 error(s) occurred:

  • aws_autoscaling_group.vault: "vault-best-practices-vault-2018062807014907740000001520180628070158351300000016": Waiting up to 10m0s: Need at least 3 healthy instances in ELB, have 0. Most recent activity: {
    ActivityId: "e5959114-cc76-434d-8879-9655845163f2",
    AutoScalingGroupName: "vault-best-practices-vault-2018062807014907740000001520180628070158351300000016",
    Cause: "At 2018-06-28T07:01:59Z a user request created an AutoScalingGroup changing the desired capacity from 0 to 3. At 2018-06-28T07:02:12Z an instance was started in response to a difference between desired and actual capacity, increasing the capacity from 0 to 3.",
    Description: "Launching a new EC2 instance: i-0f4c77e6786a974e6",
    Details: "{"Subnet ID":"subnet-07602c814038319a7","Availability Zone":"ap-southeast-2a"}",
    EndTime: 2018-06-28 07:02:47 +0000 UTC,
    Progress: 100,
    StartTime: 2018-06-28 07:02:15.184 +0000 UTC,
    StatusCode: "Successful"
    }

Not able to login with Google OIDC auth

Hi Team,

I tried configuring Google login through OIDC auth.

Below are the details of the same.
#1 Enabled OIDC auth in vault using
vault auth enable oidc

#2 In the Google Developer Console I have the redirect path configured as
https://Domain_NAME/ui/vault/auth/oidc/oidc/callback

#3 I have executed the below command to configure the OIDC auth.
vault write auth/oidc/config \
  oidc_discovery_url="https://accounts.google.com" \
  oidc_client_id="6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com", \
  oidc_client_secret="Lp71KRw83ZCkSptuzULRFPr", \
  default_role="gmail"

#4 I have created a policy named demo as
path "/*" { capabilities = ["create", "read", "update", "delete", "list"] }

#5 I have executed the below command to define a new OIDC role.
vault write auth/oidc/role/gmail \
  user_claim="sub" \
  bound_audiences=6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com \
  allowed_redirect_uris=https://Domain_NAME/ui/vault/auth/oidc/oidc/callback \
  policies=demo \
  ttl=1h

#6 after configuring these steps when i try to login to vault using OIDC i get an error and there is no option to login with google below is the screenshot of same.

(screenshot of the Vault UI login page, not reproduced)

#7 The config and role read as follows:

$ vault read auth/oidc/config
Key                       Value
---                       -----
bound_issuer              n/a
default_role              gmail
jwks_ca_pem               n/a
jwks_url                  n/a
jwt_supported_algs        []
jwt_validation_pubkeys    []
oidc_client_id            6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com,
oidc_discovery_ca_pem     n/a
oidc_discovery_url        https://accounts.google.com

$ vault read auth/oidc/role/gmail
Key                       Value
---                       -----
allowed_redirect_uris     [https://Domain_NAME/ui/vault/auth/oidc/oidc/callback]
bound_audiences           [6448059680488-7610vslo9vfqk3m7lc9a9h5cv2qgb9v4.apps.googleusercontent.com]
bound_claims              <nil>
bound_subject             n/a
claim_mappings            <nil>
clock_skew_leeway         0
expiration_leeway         0
groups_claim              n/a
not_before_leeway         0
oidc_scopes               <nil>
policies                  [demo]
role_type                 oidc
token_bound_cidrs         []
token_explicit_max_ttl    0s
token_max_ttl             0s
token_no_default_policy   false
token_num_uses            0
token_period              0s
token_policies            [demo]
token_ttl                 1h
token_type                default
ttl                       1h
user_claim                sub
verbose_oidc_logging      false

Kindly let me know where the config went wrong.
I tried the same set of steps with Keycloak (a different OIDC provider) but landed at the same issue.
Thanks in advance.
:-)

demo custom plugin issues

I'm following this tutorial

https://learn.hashicorp.com/tutorials/vault/plugin-backends?in=vault/app-integration

but when I attempt to write 'Hello World' to the demo mock plugin I get the following error. I'm running vault as a dev instance with the command provided and have set the env vars

[root@vault vault-plugin-secrets-mock]# env | grep VAULT
VAULT_TOKEN=root
VAULT_ADDR=http://127.0.0.1:8200

[root@vault vault-plugin-secrets-mock]# vault write mock-secrets/test message="Hello World"
2021-06-10T18:46:19.094-0400 [ERROR] secrets.vault-plugin-secrets-mock.vault-plugin-secrets-mock_772870d9.vault-plugin-secrets-mock.vault-plugin-secrets-mock: plugin tls init:
error=
| error during token unwrap request: Error making API request.
|
| URL: PUT http://127.0.0.1:8200/v1/sys/wrapping/unwrap
| Code: 403. Errors:
|
| * permission denied
timestamp=2021-06-10T18:46:19.094-0400
2021-06-10T18:46:19.095-0400 [ERROR] core: failed to run existence check:
error=
| Unrecognized remote plugin message:
|
| This usually means that the plugin is either invalid or simply
| needs to be recompiled to support the latest protocol.

Error writing data to mock-secrets/test: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/mock-secrets/test
Code: 500. Errors:

  • 1 error occurred:
    • internal error

Raft storage cluster.sh errors

When running operations/raft-storage/local/cluster.sh on a centos7 VM, I hit the following problems:

  1. OSNAME incorrectly identified as macos
    cluster.sh uses ifconfig lo0 as the identification method for macos, if that fails it tries ifconfig lo to identify linux. On my VM, both of these "ifconfig" commands are successful so it incorrectly picks up on macos first.
  2. When trying to start vault on 127.0.0.1 via cluster.sh setup vault_1, it errors complaining about mlock not being enabled on the system. I added disable_mlock = true to vault1's config to avoid this error. As this is a demo environment, I didn't consider this a security concern, and the fact disable_mlock is set in the remaining vault nodes' config files, I assume this was accidentally omitted from vault1's config.

operations/onboarding example isn't working out-of-the-box, because of trial license needed

Hi,

I wanted to start with the onboarding example and got stuck with failing vault containers. Since the docker-compose.yml pulls in hashicorp/vault-enterprise:latest it pulls the latest 1.8.x versions, these require a trial license.

I edited docker-compose.yml to pull hashicorp/vault-enterprise:1.7.3_ent and this did the trick to get the onboarding guide running again.

Please, update this guide to reflect the usage of a trial license, thanks!

InvalidKeyPair.NotFound: The key pair 'learn-vault-key' does not exist

While running vault-guides\operations\raft-storage\aws the script fails with

aws_instance.vault-transit: Creating...

Error: Error launching source instance: InvalidKeyPair.NotFound: The key pair 'learn-vault-key' does not exist
        status code: 400, request id: XXXXX-XXXXXXX-XXXXXXX-XXXXXXX

  on main.tf line 26, in resource "aws_instance" "vault-transit":
  26: resource "aws_instance" "vault-transit" {

Documentation should be more explicit in the requirement to create an AWS EC2 Key. Perhaps as a prerequisite step.

{"error":"invalid_request","error_description":"Identity not found"}

Greetings:

Environment:

Terraform v0.11.11
+ provider.azurerm v1.21.0
+ provider.random v2.0.0
+ provider.template v2.0.0

Problem:

Script azure_auth.sh is exiting with an error:

vault write auth/azure/login role="dev-role" jwt="null" subscription_id="XXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXX" resource_group_name="AK-TEST-0001" vm_name="vault"
Error writing data to auth/azure/login: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/auth/azure/login
Code: 500. Errors:

* oidc: malformed jwt: square/go-jose: compact JWS format must have three parts

Looking further at the template, I discovered that the curl statement is responding with "Identity not found".

Terraform Template:

...
vault write auth/azure/login role="dev-role" \
  jwt="$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F'  -H Metadata:true -s | jq -r .access_token)" \
  subscription_id="${subscription_id}" \
  resource_group_name="${resource_group_name}" \
  vm_name="${vm_name}"

Generated Script

...

vault write auth/azure/login role="dev-role" jwt="null" subscription_id="XXXXX-XXXX-XXXX-XXXX-XXXXXXXXX" resource_group_name="AK-TEST-0001" vm_name="vault"

So, as you can see, jwt is responding with null.

Let's issue the curl manually from the VM instance:

curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com' -H Metadata:true -s

{"error":"invalid_request","error_description":"Identity not found"}
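The failure above comes from feeding whatever `jq -r .access_token` prints, including the literal `null` it emits for an error response, straight into `vault write`. The following is an added example, not code from the vault-guides repository or from the template quoted above. It shows a fail-fast version of the token fetch: the IMDS responses are constructed samples embedded inline so the script runs offline, and the token value, subscription id, resource group and VM name are placeholders.

```shell
#!/bin/sh
# Added example, not the vault-guides template. It checks the Azure IMDS
# identity response before handing anything to `vault write auth/azure/login`.
# The responses below are constructed samples; the token inside is not real.

# imds_access_token RESPONSE_JSON
# Prints the access_token from an IMDS identity response. Returns 1 with a
# message on stderr when the response carries an "error" object or no token,
# which is the case `jq -r .access_token` silently turns into the string "null".
imds_access_token() {
    response="$1"
    case "$response" in
        *'"error"'*)
            desc=$(printf '%s' "$response" | sed -n 's/.*"error_description":"\([^"]*\)".*/\1/p')
            echo "IMDS returned an error: ${desc:-unknown}" >&2
            return 1
            ;;
    esac
    token=$(printf '%s' "$response" | sed -n 's/.*"access_token":"\([^"]*\)".*/\1/p')
    if [ -z "$token" ] || [ "$token" = "null" ]; then
        echo "IMDS response contains no access_token" >&2
        return 1
    fi
    printf '%s\n' "$token"
}

# jwt_has_three_parts TOKEN
# A compact JWS is header.payload.signature. Vault's "compact JWS format must
# have three parts" error is what you get for anything else, "null" included.
jwt_has_three_parts() {
    dots=$(printf '%s' "$1" | tr -cd '.' | wc -c)
    [ "$((dots))" -eq 2 ]
}

# azure_login_command RESPONSE_JSON SUBSCRIPTION_ID RESOURCE_GROUP VM_NAME
# Builds the `vault write` command line only when a well-formed token exists;
# otherwise it fails before Vault is ever contacted.
azure_login_command() {
    token=$(imds_access_token "$1") || return 1
    jwt_has_three_parts "$token" || { echo "token is not a compact JWS" >&2; return 1; }
    printf 'vault write auth/azure/login role="dev-role" jwt="%s" subscription_id="%s" resource_group_name="%s" vm_name="%s"\n' \
        "$token" "$2" "$3" "$4"
}

# Constructed sample responses (placeholder token, not a real credential).
IMDS_OK='{"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ2bSJ9.c2ln","expires_in":"86399","token_type":"Bearer"}'
IMDS_NO_IDENTITY='{"error":"invalid_request","error_description":"Identity not found"}'

if [ "${1:-}" = "demo" ]; then
    azure_login_command "$IMDS_OK" 00000000-0000-0000-0000-000000000000 AK-TEST-0001 vault
    azure_login_command "$IMDS_NO_IDENTITY" 00000000-0000-0000-0000-000000000000 AK-TEST-0001 vault \
        || echo "refusing to call vault without a token"
fi
```

In a real user-data script the constructed response would be replaced by the output of the `curl` call to `169.254.169.254` shown in the template. When the VM has no managed identity assigned, the identity endpoint answers with the `Identity not found` error quoted above, and the script now stops there with that message instead of surfacing Vault's `malformed jwt` error several steps later.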

Request: Provide a best practices implementation of vault in AWS with integrated storage.

I'm new to vault. I just wanted to put a request in for visibility on something I'd like to see and learn from, I think it would be really helpful to see a best practices terraform implementation of Vault in AWS using the integrated storage backend. I noticed something similar using Consul for the storage backend, but it's probably overkill for me to get started with it.

learn vault: getting-started/first-secret update

Didn't know where else to put this... on the page:
https://learn.hashicorp.com/vault/getting-started/first-secret

The line:
vault kv get -format=json secret/hello | jq -r .data.data.excited (should be changed to)
vault kv get -format=json secret/hello | jq -r .data.excited

$ vault kv get -format=json secret/hello 
{
  "request_id": "3ed63fdd-4554-195d-cf93-ead1714418ab",
  "lease_id": "",
  "lease_duration": 2764800,
  "renewable": false,
  "data": {
    "excited": "yes",
    "foo": "world"
  },
  "warnings": null
}

$ vault kv get -format=json secret/hello | jq -r .data.excited
yes

Configure OIDC auth using terraform

Hi, apologies if this has been answered in another issue.

I'm attempting to configure vault to enable OIDC login using terraform, however I can't work out where I should be putting the oidc_client_id etc.

I'm following the guide here, but I can't figure out how it lines up with the terraform resources here

If anyone can point me in the right direction I'd really appreciate it.

vault-guides/identity/oidc-auth: What's a JWT token and how to get it?

Hey guys,

Regarding: https://github.com/hashicorp/vault-guides/tree/master/identity/oidc-auth

The guide does not explain how and where I should get a JWT token from. Also, after trying to replicate the situation in this guide, I'm stuck on the error message "Authentication failed: role with oidc role_type is not allowed" when trying to log in.

What am I missing? This might also be assumed basic knowledge, but it would be helpful if the guide (also at vault's own documentation) would point to that kind of basic knowledge.

Can't wait to hear from you! :-)

Edit: My goal is to translate this knowledge to Gitlab OpenID authentication but it's really a lot to get my head around.

Vault AWS Quick-start deployment using SAML/AssumeRole

Hello!

We're evaluating vault and started trying one of the quick start deployments, but we're currently unable to run a clean terraform apply because it doesn't respect the configuration in main.tf regarding the aws provider required for assume_role.

Hence, we get an error stating:

Error: Error refreshing state: 2 error(s) occurred:

* module.network_aws.data.aws_availability_zones.main: 1 error(s) occurred:

* module.network_aws.data.aws_availability_zones.main: data.aws_availability_zones.main: Error fetching Availability Zones: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: ----------cleared-----------------
* data.aws_ami.base: 1 error(s) occurred:

* data.aws_ami.base: data.aws_ami.base: UnauthorizedOperation: You are not authorized to perform this operation.
        status code: 403, request id: ----------cleared-----------------

However, if we create a blank main.tf file and configure this as:

provider "aws" {
  region = "eu-west-1"

  assume_role {
    role_arn     = "arn:aws:iam::--------cleared-----------"
  }
}

data "aws_availability_zones" "main" {}

And then run a terraform apply, we're able to make it and properly see an output for the AZs:

data.aws_availability_zones.main: Refreshing state...

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

availability_zones = [
    eu-west-1a,
    eu-west-1b,
    eu-west-1c
]

As a side effect, provider settings such as region and profile are also not respected (maybe related to this issue?), so we have to resort to environment variables such as AWS_REGION to make it work.

Needs adaptation for AWS gov cloud

None of the AMIs referenced here are usable on the AWS GovCloud side. This makes the entire repo unusable in that environment. Are there any plans to adapt it for this purpose?

cluster.sh breaks on first run when no vault PID is found

OS: Debian/bullseye

I'm following the raft-ha-storage tutorial and found that the ./cluster.sh setup vault_1 command fails because it uses the following line to kill previous vault instances, which fails if none is found.

ps aux | grep "vault server" | grep -v grep | awk '{print $2}' | xargs kill

The output is:

➜  new_cluster git:(master) ✗ ./cluster.sh setup vault_1
+ ps aux
+ grep 'vault server'
+ grep -v grep
+ xargs kill
+ awk '{print $2}'

Usage:
 kill [options] <pid> [...]

Options:
 <pid> [...]            send signal to every <pid> listed
 -<signal>, -s, --signal <signal>
                        specify the <signal> to be sent
 -l, --list=[<signal>]  list all signal names, or convert one to a name
 -L, --table            list all signal names in a nice table

 -h, --help     display this help and exit
 -V, --version  output version information and exit

For more details see kill(1).
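The usage text above is `kill` being invoked with no arguments: when the `ps | grep` pipeline matches nothing, `xargs kill` still runs `kill` once with an empty argument list. As an added example (not the repository's cluster.sh), here is the same step written so that the empty case is handled explicitly and the signalling part can be exercised on its own with a constructed PID list.

```shell
#!/bin/sh
# Added example, not cluster.sh from the vault-guides repository.
# The original one-liner
#     ps aux | grep "vault server" | grep -v grep | awk '{print $2}' | xargs kill
# calls `kill` with no PIDs on a clean first run, which prints kill(1) usage
# and fails the script. Splitting "find PIDs" from "signal PIDs" makes the
# empty case explicit and testable.

# kill_pids [SIGNAL]
# Reads PIDs, one per line, from stdin. Succeeds and does nothing when the
# list is empty; otherwise sends SIGNAL (default TERM) to each PID.
# Returns 1 if any PID was malformed or could not be signalled.
kill_pids() {
    sig="${1:-TERM}"
    rc=0
    found=0
    while IFS= read -r pid; do
        [ -n "$pid" ] || continue
        case "$pid" in
            *[!0-9]*) echo "skipping non-numeric pid: $pid" >&2; rc=1; continue ;;
        esac
        found=1
        kill -s "$sig" "$pid" 2>/dev/null || { echo "could not signal $pid" >&2; rc=1; }
    done
    [ "$found" -eq 1 ] || echo "no matching processes to kill" >&2
    return "$rc"
}

# vault_server_pids
# Lists PIDs of running `vault server` processes, excluding the grep itself.
# Same pipeline as the original script; with GNU findutils, `xargs -r kill`
# would also avoid the empty-input problem without kill_pids.
vault_server_pids() {
    ps aux | grep "vault server" | grep -v grep | awk '{print $2}'
}

# stop_previous_vault
# What `cluster.sh setup` intends: stop any earlier vault servers, and still
# succeed on a first run when there are none.
stop_previous_vault() {
    vault_server_pids | kill_pids TERM
}

if [ "${1:-}" = "run" ]; then
    stop_previous_vault
fi
```

Running `sh script.sh run` on a host with no vault processes now prints `no matching processes to kill` and exits 0, which is what the setup step needs on the first invocation.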

provision/hashistack/vagrant/Vagrantfile: 'vagrant up' doesn't produce a working configuration

Howdy. While many of the steps print messages that resemble success messages, they do not reflect the truth, sadly.

Bringing machine 'default' up with 'virtualbox' provider...
==> default: Importing base box 'bento/centos-7.3'...

Progress: 30%
Progress: 50%
Progress: 70%
Progress: 90%
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'bento/centos-7.3' is up to date...
==> default: Setting the name of the VM: vagrant_default_1520466252650_95728
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Running 'pre-boot' VM customizations...
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
    default: SSH address: 127.0.0.1:2222
    default: SSH username: vagrant
    default: SSH auth method: private key
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
    default: Warning: Connection reset. Retrying...
    default: Warning: Remote connection disconnect. Retrying...
==> default: Machine booted and ready!
==> default: Checking for guest additions in VM...
    default: The guest additions on this VM do not match the installed version of
    default: VirtualBox! In most cases this is fine, but in rare cases it can
    default: prevent things such as shared folders from working properly. If you see
    default: shared folder errors, please make sure the guest additions within the
    default: virtual machine match the version of VirtualBox you have installed on
    default: your host and reload your VM.
    default: 
    default: Guest Additions Version: 5.1.24
    default: VirtualBox Version: 5.2
==> default: Setting hostname...
==> default: Mounting shared folders...
    default: /vagrant => /home/jesse/work_gits/vault/vault-guides/provision/hashistack/vagrant
==> default: Running provisioner: shell...
    default: Running: inline script
==> default: Running provisioner: file...
==> default: Running provisioner: file...
==> default: Running provisioner: file...
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-ctfyp0.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:44:42 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:44:42'
    default: + echo '2018/03/07 23:44:42 /tmp/vagrant-shell: Running'
    default: + logger 'Installing jq'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:44:42 /tmp/vagrant-shell: Installing jq
    default: + DT='2018/03/07 23:44:42'
    default: + echo '2018/03/07 23:44:42 /tmp/vagrant-shell: Installing jq'
    default: + sudo curl --silent -Lo /bin/jq https://github.com/stedolan/jq/releases/download/jq-1.5/jq-linux64
    default: + sudo chmod +x /bin/jq
    default: + logger 'Setting timezone to UTC'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:44:44 /tmp/vagrant-shell: Setting timezone to UTC
    default: + DT='2018/03/07 23:44:44'
    default: + echo '2018/03/07 23:44:44 /tmp/vagrant-shell: Setting timezone to UTC'
    default: + sudo timedatectl set-timezone UTC
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + logger 'RHEL/CentOS system detected'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:44:44 /tmp/vagrant-shell: RHEL/CentOS system detected
    default: + DT='2018/03/07 23:44:44'
    default: + echo '2018/03/07 23:44:44 /tmp/vagrant-shell: RHEL/CentOS system detected'
    default: + logger 'Performing updates and installing prerequisites'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:44:44 /tmp/vagrant-shell: Performing updates and installing prerequisites
    default: + DT='2018/03/07 23:44:44'
    default: + echo '2018/03/07 23:44:44 /tmp/vagrant-shell: Performing updates and installing prerequisites'
    default: + sudo yum-config-manager --enable rhui-REGION-rhel-server-releases-optional
    default: sudo: yum-config-manager: command not found
    default: + sudo yum-config-manager --enable rhui-REGION-rhel-server-supplementary
    default: sudo: yum-config-manager: command not found
    default: + sudo yum-config-manager --enable rhui-REGION-rhel-server-extras
    default: sudo: yum-config-manager: command not found
    default: + sudo yum -y check-update
    default: Loaded plugins: fastestmirror
    default: Determining fastest mirrors
    default:  * base: mirror.steadfast.net
    default:  * extras: mirrors.sorengard.com
    default:  * updates: mirror.trouble-free.net
    default: 
    default: NetworkManager.x86_64                 1:1.8.0-11.el7_4                 updates  
    default: NetworkManager-libnm.x86_64           1:1.8.0-11.el7_4                 updates  
    default: NetworkManager-team.x86_64            1:1.8.0-11.el7_4                 updates  
    default: NetworkManager-tui.x86_64             1:1.8.0-11.el7_4                 updates  
    default: NetworkManager-wifi.x86_64            1:1.8.0-11.el7_4                 updates  
    default: alsa-lib.x86_64                       1.1.3-3.el7                      base     
    default: audit.x86_64                          2.7.6-3.el7                      base     
    default: audit-libs.x86_64                     2.7.6-3.el7                      base     
    default: audit-libs-python.x86_64              2.7.6-3.el7                      base     
    default: authconfig.x86_64                     6.2.8-30.el7                     base     
    default: bash.x86_64                           4.2.46-29.el7_4                  updates  
    default: bind-libs-lite.x86_64                 32:9.9.4-51.el7_4.2              updates  
    default: bind-license.noarch                   32:9.9.4-51.el7_4.2              updates  
    default: binutils.x86_64                       2.25.1-32.base.el7_4.2           updates  
    default: biosdevname.x86_64                    0.7.2-2.el7                      base     
    default: btrfs-progs.x86_64                    4.9.1-1.el7                      base     
    default: ca-certificates.noarch                2017.2.14-71.el7                 base     
    default: centos-release.x86_64                 7-4.1708.el7.centos              base     
    default: chkconfig.x86_64                      1.7.4-1.el7                      base     
    default: chrony.x86_64                         3.1-2.el7.centos                 base     
    default: cpio.x86_64                           2.11-25.el7_4                    updates  
    default: cronie.x86_64                         1.4.11-17.el7                    base     
    default: cronie-anacron.x86_64                 1.4.11-17.el7                    base     
    default: cryptsetup-libs.x86_64                1.7.4-3.el7_4.1                  updates  
    default: curl.x86_64                           7.29.0-42.el7_4.1                updates  
    default: cyrus-sasl-lib.x86_64                 2.1.26-21.el7                    base     
    default: device-mapper.x86_64                  7:1.02.140-8.el7                 base     
    default: device-mapper-event.x86_64            7:1.02.140-8.el7                 base     
    default: device-mapper-event-libs.x86_64       7:1.02.140-8.el7                 base     
    default: device-mapper-libs.x86_64             7:1.02.140-8.el7                 base     
    default: device-mapper-persistent-data.x86_64  0.7.0-0.1.rc6.el7_4.1            updates  
    default: dhclient.x86_64                       12:4.2.5-58.el7.centos.1         updates  
    default: dhcp-common.x86_64                    12:4.2.5-58.el7.centos.1         updates  
    default: dhcp-libs.x86_64                      12:4.2.5-58.el7.centos.1         updates  
    default: dmidecode.x86_64                      1:3.0-5.el7                      base     
    default: dnsmasq.x86_64                        2.76-2.el7_4.2                   updates  
    default: dracut.x86_64                         033-502.el7_4.1                  updates  
    default: dracut-config-rescue.x86_64           033-502.el7_4.1                  updates  
    default: dracut-network.x86_64                 033-502.el7_4.1                  updates  
    default: e2fsprogs.x86_64                      1.42.9-10.el7                    base     
    default: e2fsprogs-libs.x86_64                 1.42.9-10.el7                    base     
    default: elfutils-libelf.x86_64                0.168-8.el7                      base     
    default: elfutils-libs.x86_64                  0.168-8.el7                      base     
    default: ethtool.x86_64                        2:4.8-1.el7                      base     
    default: expat.x86_64                          2.1.0-10.el7_3                   base     
    default: fipscheck.x86_64                      1.4.1-6.el7                      base     
    default: fipscheck-lib.x86_64                  1.4.1-6.el7                      base     
    default: firewalld.noarch                      0.4.4.4-6.el7                    base     
    default: firewalld-filesystem.noarch           0.4.4.4-6.el7                    base     
    default: freetype.x86_64                       2.4.11-15.el7                    base     
    default: gawk.x86_64                           4.0.2-4.el7_3.1                  base     
    default: gettext.x86_64                        0.19.8.1-2.el7                   base     
    default: gettext-libs.x86_64                   0.19.8.1-2.el7                   base     
    default: glib-networking.x86_64                2.50.0-1.el7                     base     
    default: glib2.x86_64                          2.50.3-3.el7                     base     
    default: glibc.x86_64                          2.17-196.el7_4.2                 updates  
    default: glibc-common.x86_64                   2.17-196.el7_4.2                 updates  
    default: gmp.x86_64                            1:6.0.0-15.el7                   base     
    default: gnutls.x86_64                         3.3.26-9.el7                     base     
    default: gobject-introspection.x86_64          1.50.0-1.el7                     base     
    default: grep.x86_64                           2.20-3.el7                       base     
    default: grub2.x86_64                          1:2.02-0.65.el7.centos.2         updates  
    default: grub2-tools.x86_64                    1:2.02-0.65.el7.centos.2         updates  
    default: grubby.x86_64                         8.28-23.el7                      base     
    default: gsettings-desktop-schemas.x86_64      3.22.0-1.el7                     base     
    default: gssproxy.x86_64                       0.7.0-4.el7                      base     
    default: gzip.x86_64                           1.5-9.el7                        base     
    default: hwdata.x86_64                         0.252-8.6.el7                    base     
    default: initscripts.x86_64                    9.49.39-1.el7_4.1                updates  
    default: iproute.x86_64                        3.10.0-87.el7                    base     
    default: iprutils.x86_64                       2.4.14.1-1.el7                   base     
    default: ipset.x86_64                          6.29-1.el7                       base     
    default: ipset-libs.x86_64                     6.29-1.el7                       base     
    default: iptables.x86_64                       1.4.21-18.2.el7_4                updates  
    default: iputils.x86_64                        20160308-10.el7                  base     
    default: irqbalance.x86_64                     3:1.0.7-10.el7                   base     
    default: iwl7265-firmware.noarch               22.0.7.0-58.el7_4                updates  
    default: jansson.x86_64                        2.10-1.el7                       base     
    default: kbd.x86_64                            1.15.5-13.el7                    base     
    default: kbd-legacy.noarch                     1.15.5-13.el7                    base     
    default: kbd-misc.noarch                       1.15.5-13.el7                    base     
    default: kernel.x86_64                         3.10.0-693.17.1.el7              updates  
    default: kernel-tools.x86_64                   3.10.0-693.17.1.el7              updates  
    default: kernel-tools-libs.x86_64              3.10.0-693.17.1.el7              updates  
    default: kexec-tools.x86_64                    2.0.14-17.2.el7                  updates  
    default: kmod.x86_64                           20-15.el7_4.7                    updates  
    default: kmod-libs.x86_64                      20-15.el7_4.7                    updates  
    default: kpartx.x86_64                         0.4.9-111.el7_4.2                updates  
    default: krb5-libs.x86_64                      1.15.1-8.el7                     base     
    default: libblkid.x86_64                       2.23.2-43.el7_4.2                updates  
    default: libcap.x86_64                         2.22-9.el7                       base     
    default: libcgroup.x86_64                      0.41-13.el7                      base     
    default: libcom_err.x86_64                     1.42.9-10.el7                    base     
    default: libcroco.x86_64                       0.6.11-1.el7                     base     
    default: libcurl.x86_64                        7.29.0-42.el7_4.1                updates  
    default: libdb.x86_64                          5.3.21-21.el7_4                  updates  
    default: libdb-utils.x86_64                    5.3.21-21.el7_4                  updates  
    default: libdrm.x86_64                         2.4.74-1.el7                     base     
    default: libgcc.x86_64                         4.8.5-16.el7_4.1                 updates  
    default: libgcrypt.x86_64                      1.5.3-14.el7                     base     
    default: libgomp.x86_64                        4.8.5-16.el7_4.1                 updates  
    default: libgudev1.x86_64                      219-42.el7_4.7                   updates  
    default: libmount.x86_64                       2.23.2-43.el7_4.2                updates  
    default: libnetfilter_conntrack.x86_64         1.0.6-1.el7_3                    base     
    default: libnfsidmap.x86_64                    0.25-17.el7                      base     
    default: libnl3.x86_64                         3.2.28-4.el7                     base     
    default: libnl3-cli.x86_64                     3.2.28-4.el7                     base     
    default: libpcap.x86_64                        14:1.5.3-9.el7                   base     
    default: libpciaccess.x86_64                   0.13.4-3.1.el7_4                 updates  
    default: libselinux.x86_64                     2.5-11.el7                       base     
    default: libselinux-python.x86_64              2.5-11.el7                       base     
    default: libselinux-utils.x86_64               2.5-11.el7                       base     
    default: libsemanage.x86_64                    2.5-8.el7                        base     
    default: libsemanage-python.x86_64             2.5-8.el7                        base     
    default: libsoup.x86_64                        2.56.0-4.el7_4                   updates  
    default: libss.x86_64                          1.42.9-10.el7                    base     
    default: libstdc++.x86_64                      4.8.5-16.el7_4.1                 updates  
    default: libtalloc.x86_64                      2.1.9-1.el7                      base     
    default: libtasn1.x86_64                       4.10-1.el7                       base     
    default: libteam.x86_64                        1.25-5.el7                       base     
    default: libtevent.x86_64                      0.9.31-1.el7                     base     
    default: libtirpc.x86_64                       0.2.4-0.10.el7                   base     
    default: libuuid.x86_64                        2.23.2-43.el7_4.2                updates  
    default: linux-firmware.noarch                 20170606-58.gitc990aae.el7_4     updates  
    default: logrotate.x86_64                      3.8.6-14.el7                     base     
    default: lsscsi.x86_64                         0.27-6.el7                       base     
    default: lvm2.x86_64                           7:2.02.171-8.el7                 base     
    default: lvm2-libs.x86_64                      7:2.02.171-8.el7                 base     
    default: mariadb-libs.x86_64                   1:5.5.56-2.el7                   base     
    default: microcode_ctl.x86_64                  2:2.1-22.5.el7_4                 updates  
    default: ncurses.x86_64                        5.9-14.20130511.el7_4            updates  
    default: ncurses-base.noarch                   5.9-14.20130511.el7_4            updates  
    default: ncurses-libs.x86_64                   5.9-14.20130511.el7_4            updates  
    default: net-tools.x86_64                      2.0-0.22.20131004git.el7         base     
    default: nfs-utils.x86_64                      1:1.3.0-0.48.el7_4.1             updates  
    default: nspr.x86_64                           4.13.1-1.0.el7_3                 base     
    default: nss.x86_64                            3.28.4-15.el7_4                  updates  
    default: nss-softokn.x86_64                    3.28.3-8.el7_4                   updates  
    default: nss-softokn-freebl.x86_64             3.28.3-8.el7_4                   updates  
    default: nss-sysinit.x86_64                    3.28.4-15.el7_4                  updates  
    default: nss-tools.x86_64                      3.28.4-15.el7_4                  updates  
    default: nss-util.x86_64                       3.28.4-3.el7                     base     
    default: openldap.x86_64                       2.4.44-5.el7                     base     
    default: openssh.x86_64                        7.4p1-13.el7_4                   updates  
    default: openssh-clients.x86_64                7.4p1-13.el7_4                   updates  
    default: openssh-server.x86_64                 7.4p1-13.el7_4                   updates  
    default: openssl.x86_64                        1:1.0.2k-8.el7                   base     
    default: openssl-libs.x86_64                   1:1.0.2k-8.el7                   base     
    default: p11-kit.x86_64                        0.23.5-3.el7                     base     
    default: p11-kit-trust.x86_64                  0.23.5-3.el7                     base     
    default: pciutils.x86_64                       3.5.1-2.el7                      base     
    default: pciutils-libs.x86_64                  3.5.1-2.el7                      base     
    default: pcre.x86_64                           8.32-17.el7                      base     
    default: perl.x86_64                           4:5.16.3-292.el7                 base     
    default: perl-Pod-Escapes.noarch               1:1.04-292.el7                   base     
    default: perl-libs.x86_64                      4:5.16.3-292.el7                 base     
    default: perl-macros.x86_64                    4:5.16.3-292.el7                 base     
    default: plymouth.x86_64                       0.8.9-0.28.20140113.el7.centos   base     
    default: plymouth-core-libs.x86_64             0.8.9-0.28.20140113.el7.centos   base     
    default: plymouth-scripts.x86_64               0.8.9-0.28.20140113.el7.centos   base     
    default: policycoreutils.x86_64                2.5-17.1.el7                     base     
    default: policycoreutils-devel.x86_64          2.5-17.1.el7                     base     
    default: policycoreutils-python.x86_64         2.5-17.1.el7                     base     
    default: polkit.x86_64                         0.112-12.el7_3                   base     
    default: procps-ng.x86_64                      3.3.10-16.el7                    base     
    default: python.x86_64                         2.7.5-58.el7                     base     
    default: python-firewall.noarch                0.4.4.4-6.el7                    base     
    default: python-libs.x86_64                    2.7.5-58.el7                     base     
    default: python-perf.x86_64                    3.10.0-693.17.1.el7              updates  
    default: python-pyudev.noarch                  0.15-9.el7                       base     
    default: readline.x86_64                       6.2-10.el7                       base     
    default: rpcbind.x86_64                        0.2.0-42.el7                     base     
    default: rpm.x86_64                            4.11.3-25.el7                    base     
    default: rpm-build-libs.x86_64                 4.11.3-25.el7                    base     
    default: rpm-libs.x86_64                       4.11.3-25.el7                    base     
    default: rpm-python.x86_64                     4.11.3-25.el7                    base     
    default: rsyslog.x86_64                        8.24.0-12.el7                    base     
    default: selinux-policy.noarch                 3.13.1-166.el7_4.7               updates  
    default: selinux-policy-devel.noarch           3.13.1-166.el7_4.7               updates  
    default: selinux-policy-targeted.noarch        3.13.1-166.el7_4.7               updates  
    default: shared-mime-info.x86_64               1.8-3.el7                        base     
    default: sudo.x86_64                           1.8.19p2-11.el7_4                updates  
    default: systemd.x86_64                        219-42.el7_4.7                   updates  
    default: systemd-libs.x86_64                   219-42.el7_4.7                   updates  
    default: systemd-sysv.x86_64                   219-42.el7_4.7                   updates  
    default: tar.x86_64                            2:1.26-32.el7                    base     
    default: teamd.x86_64                          1.25-5.el7                       base     
    default: trousers.x86_64                       0.3.14-2.el7                     base     
    default: tuned.noarch                          2.8.0-5.el7_4.2                  updates  
    default: tzdata.noarch                         2018c-1.el7                      updates  
    default: util-linux.x86_64                     2.23.2-43.el7_4.2                updates  
    default: vim-minimal.x86_64                    2:7.4.160-2.el7                  base     
    default: virt-what.x86_64                      1.13-10.el7                      base     
    default: wget.x86_64                           1.14-15.el7_4.1                  updates  
    default: wpa_supplicant.x86_64                 1:2.6-5.el7_4.1                  updates  
    default: xfsprogs.x86_64                       4.5.0-12.el7                     base     
    default: yum.noarch                            3.4.3-154.el7.centos.1           updates  
    default: yum-plugin-fastestmirror.noarch       1.1.31-42.el7                    base     
    default: Obsoleting Packages
    default: NetworkManager.x86_64                 1:1.8.0-11.el7_4                 updates  
    default:     NetworkManager.x86_64             1:1.4.0-12.el7                   @anaconda
    default: NetworkManager-ppp.x86_64             1:1.8.0-11.el7_4                 updates  
    default:     NetworkManager.x86_64             1:1.4.0-12.el7                   @anaconda
    default: grub2.x86_64                          1:2.02-0.65.el7.centos.2         updates  
    default:     grub2.x86_64                      1:2.02-0.44.el7.centos           @anaconda
    default: grub2-tools.x86_64                    1:2.02-0.65.el7.centos.2         updates  
    default:     grub2-tools.x86_64                1:2.02-0.44.el7.centos           @anaconda
    default: grub2-tools-efi.x86_64                1:2.02-0.64.el7.centos           base     
    default:     grub2-tools.x86_64                1:2.02-0.44.el7.centos           @anaconda
    default: grub2-tools-extra.x86_64              1:2.02-0.65.el7.centos.2         updates  
    default:     grub2-tools.x86_64                1:2.02-0.44.el7.centos           @anaconda
    default: grub2-tools-minimal.x86_64            1:2.02-0.65.el7.centos.2         updates  
    default:     grub2-tools.x86_64                1:2.02-0.44.el7.centos           @anaconda
    default: python-gobject-base.x86_64            3.22.0-1.el7_4.1                 updates  
    default:     pygobject3-base.x86_64            3.14.0-3.el7                     @anaconda
    default: rdma-core.i686                        13-7.el7                         base     
    default:     rdma.noarch                       7.3_4.7_rc2-5.el7                @anaconda
    default: rdma-core.x86_64                      13-7.el7                         base     
    default:     rdma.noarch                       7.3_4.7_rc2-5.el7                @anaconda
    default: + sudo yum install -q -y wget unzip bind-utils ruby rubygems ntp
    default: Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
    default: Public key for bind-license-9.9.4-51.el7_4.2.noarch.rpm is not installed
    default: warning: /var/cache/yum/x86_64/7/updates/packages/bind-license-9.9.4-51.el7_4.2.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
    default: Public key for autogen-libopts-5.18-5.el7.x86_64.rpm is not installed
    default: Importing GPG key 0xF4A80EB5:
    default:  Userid     : "CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>"
    default:  Fingerprint: 6341 ab27 53d7 8a78 a7c2 7bb1 24c6 a8a7 f4a8 0eb5
    default:  Package    : centos-release-7-3.1611.el7.centos.x86_64 (@anaconda)
    default:  From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    default: + sudo systemctl start ntpd.service
    default: + sudo systemctl enable ntpd.service
    default: Created symlink from /etc/systemd/system/multi-user.target.wants/ntpd.service to /usr/lib/systemd/system/ntpd.service.
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:00 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:00'
    default: + echo '2018/03/07 23:45:00 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-3chq.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:00 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:00'
    default: + echo '2018/03/07 23:45:00 /tmp/vagrant-shell: Running'
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + logger 'RHEL/CentOS system detected'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:00 /tmp/vagrant-shell: RHEL/CentOS system detected
    default: + DT='2018/03/07 23:45:00'
    default: + echo '2018/03/07 23:45:00 /tmp/vagrant-shell: RHEL/CentOS system detected'
    default: + logger 'Performing updates and installing prerequisites'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:00 /tmp/vagrant-shell: Performing updates and installing prerequisites
    default: + DT='2018/03/07 23:45:00'
    default: + echo '2018/03/07 23:45:00 /tmp/vagrant-shell: Performing updates and installing prerequisites'
    default: + curl --silent -O https://bootstrap.pypa.io/get-pip.py
    default: + sudo python get-pip.py
    default: Collecting pip
    default:   Downloading pip-9.0.1-py2.py3-none-any.whl (1.3MB)
    default: Collecting setuptools
    default:   Downloading setuptools-38.5.2-py2.py3-none-any.whl (490kB)
    default: Collecting wheel
    default:   Downloading wheel-0.30.0-py2.py3-none-any.whl (49kB)
    default: Installing collected packages: pip, setuptools, wheel
    default: Successfully installed pip-9.0.1 setuptools-38.5.2 wheel-0.30.0
    default: + sudo pip install awscli
    default: Collecting awscli
    default:   Downloading awscli-1.14.51-py2.py3-none-any.whl (1.2MB)
    default: Collecting s3transfer<0.2.0,>=0.1.12 (from awscli)
    default:   Downloading s3transfer-0.1.13-py2.py3-none-any.whl (59kB)
    default: Collecting botocore==1.9.4 (from awscli)
    default:   Downloading botocore-1.9.4-py2.py3-none-any.whl (4.1MB)
    default: Collecting rsa<=3.5.0,>=3.1.2 (from awscli)
    default:   Downloading rsa-3.4.2-py2.py3-none-any.whl (46kB)
    default: Collecting docutils>=0.10 (from awscli)
    default:   Downloading docutils-0.14-py2-none-any.whl (543kB)
    default: Collecting colorama<=0.3.7,>=0.2.5 (from awscli)
    default:   Downloading colorama-0.3.7-py2.py3-none-any.whl
    default: Collecting PyYAML<=3.12,>=3.10 (from awscli)
    default:   Downloading PyYAML-3.12.tar.gz (253kB)
    default: Collecting futures<4.0.0,>=2.2.0; python_version == "2.6" or python_version == "2.7" (from s3transfer<0.2.0,>=0.1.12->awscli)
    default:   Downloading futures-3.2.0-py2-none-any.whl
    default: Collecting python-dateutil<3.0.0,>=2.1 (from botocore==1.9.4->awscli)
    default:   Downloading python_dateutil-2.6.1-py2.py3-none-any.whl (194kB)
    default: Collecting jmespath<1.0.0,>=0.7.1 (from botocore==1.9.4->awscli)
    default:   Downloading jmespath-0.9.3-py2.py3-none-any.whl
    default: Collecting pyasn1>=0.1.3 (from rsa<=3.5.0,>=3.1.2->awscli)
    default:   Downloading pyasn1-0.4.2-py2.py3-none-any.whl (71kB)
    default: Collecting six>=1.5 (from python-dateutil<3.0.0,>=2.1->botocore==1.9.4->awscli)
    default:   Downloading six-1.11.0-py2.py3-none-any.whl
    default: Building wheels for collected packages: PyYAML
    default:   Running setup.py bdist_wheel for PyYAML: started
    default:   Running setup.py bdist_wheel for PyYAML: finished with status 'done'
    default:   Stored in directory: /root/.cache/pip/wheels/2c/f7/79/13f3a12cd723892437c0cfbde1230ab4d82947ff7b3839a4fc
    default: Successfully built PyYAML
    default: Installing collected packages: six, python-dateutil, jmespath, docutils, botocore, futures, s3transfer, pyasn1, rsa, colorama, PyYAML, awscli
    default: Successfully installed PyYAML-3.12 awscli-1.14.51 botocore-1.9.4 colorama-0.3.7 docutils-0.14 futures-3.2.0 jmespath-0.9.3 pyasn1-0.4.2 python-dateutil-2.6.1 rsa-3.4.2 s3transfer-0.1.13 six-1.11.0
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:12 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:12'
    default: + echo '2018/03/07 23:45:12 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-w6f8p9.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:12 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:12'
    default: + echo '2018/03/07 23:45:12 /tmp/vagrant-shell: Running'
    default: + USER=consul
    default: + COMMENT='Hashicorp consul user'
    default: + GROUP=consul
    default: + HOME=/srv/consul
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + logger 'Setting up user consul for RHEL/CentOS'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:12 /tmp/vagrant-shell: Setting up user consul for RHEL/CentOS
    default: + DT='2018/03/07 23:45:12'
    default: + echo '2018/03/07 23:45:12 /tmp/vagrant-shell: Setting up user consul for RHEL/CentOS'
    default: + user_rhel
    default: + sudo /usr/sbin/groupadd --force --system consul
    default: + getent passwd consul
    default: + sudo /usr/sbin/adduser --system --gid consul --home /srv/consul --no-create-home --comment 'Hashicorp consul user' --shell /bin/false consul
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:12 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:12'
    default: + echo '2018/03/07 23:45:12 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-1xkbbnc.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:13 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:13'
    default: + echo '2018/03/07 23:45:13 /tmp/vagrant-shell: Running'
    default: + USER=nomad
    default: + COMMENT='Hashicorp nomad user'
    default: + GROUP=nomad
    default: + HOME=/srv/nomad
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + logger 'Setting up user nomad for RHEL/CentOS'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:13 /tmp/vagrant-shell: Setting up user nomad for RHEL/CentOS
    default: + DT='2018/03/07 23:45:13'
    default: + echo '2018/03/07 23:45:13 /tmp/vagrant-shell: Setting up user nomad for RHEL/CentOS'
    default: + user_rhel
    default: + sudo /usr/sbin/groupadd --force --system nomad
    default: + getent passwd nomad
    default: + sudo /usr/sbin/adduser --system --gid nomad --home /srv/nomad --no-create-home --comment 'Hashicorp nomad user' --shell /bin/false nomad
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:13 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:13'
    default: + echo '2018/03/07 23:45:13 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-q9jb6k.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:13 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:13'
    default: + echo '2018/03/07 23:45:13 /tmp/vagrant-shell: Running'
    default: + USER=vault
    default: + COMMENT='Hashicorp vault user'
    default: + GROUP=vault
    default: + HOME=/srv/vault
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + logger 'Setting up user vault for RHEL/CentOS'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:13 /tmp/vagrant-shell: Setting up user vault for RHEL/CentOS
    default: + DT='2018/03/07 23:45:13'
    default: + echo '2018/03/07 23:45:13 /tmp/vagrant-shell: Setting up user vault for RHEL/CentOS'
    default: + user_rhel
    default: + sudo /usr/sbin/groupadd --force --system vault
    default: + getent passwd vault
    default: + sudo /usr/sbin/adduser --system --gid vault --home /srv/vault --no-create-home --comment 'Hashicorp vault user' --shell /bin/false vault
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:13 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:13'
    default: + echo '2018/03/07 23:45:13 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-p6u0u2.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:14 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:14'
    default: + echo '2018/03/07 23:45:14 /tmp/vagrant-shell: Running'
    default: + CONSUL_VERSION=1.0.0
    default: + CONSUL_ZIP=consul_1.0.0_linux_amd64.zip
    default: + CONSUL_URL=https://releases.hashicorp.com/consul/1.0.0/consul_1.0.0_linux_amd64.zip
    default: + logger 'Downloading consul 1.0.0'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:14 /tmp/vagrant-shell: Downloading consul 1.0.0
    default: + DT='2018/03/07 23:45:14'
    default: + echo '2018/03/07 23:45:14 /tmp/vagrant-shell: Downloading consul 1.0.0'
    default: + curl --silent --output /tmp/consul_1.0.0_linux_amd64.zip https://releases.hashicorp.com/consul/1.0.0/consul_1.0.0_linux_amd64.zip
    default: + logger 'Installing consul'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:17 /tmp/vagrant-shell: Installing consul
    default: + DT='2018/03/07 23:45:17'
    default: + echo '2018/03/07 23:45:17 /tmp/vagrant-shell: Installing consul'
    default: + sudo unzip -o /tmp/consul_1.0.0_linux_amd64.zip -d /usr/local/bin/
    default: Archive:  /tmp/consul_1.0.0_linux_amd64.zip
    default:   inflating: /usr/local/bin/consul   
    default: + sudo chmod 0755 /usr/local/bin/consul
    default: + sudo chown consul:consul /usr/local/bin/consul
    default: + sudo mkdir -pm 0755 /etc/consul.d
    default: + sudo mkdir -pm 0755 /opt/consul/data
    default: ++ /usr/local/bin/consul --version
    default: + logger '/usr/local/bin/consul --version: Consul v1.0.0
    default: Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:17 /tmp/vagrant-shell: /usr/local/bin/consul --version: Consul v1.0.0
    default: Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)
    default: + DT='2018/03/07 23:45:17'
    default: + echo '2018/03/07 23:45:17 /tmp/vagrant-shell: /usr/local/bin/consul --version: Consul v1.0.0
    default: Protocol 2 spoken by default, understands 2 to 3 (agent will automatically use protocol >2 when speaking to compatible agents)'
    default: + logger 'Configuring consul 1.0.0'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:17 /tmp/vagrant-shell: Configuring consul 1.0.0
    default: + DT='2018/03/07 23:45:17'
    default: + echo '2018/03/07 23:45:17 /tmp/vagrant-shell: Configuring consul 1.0.0'
    default: + sudo cp '/tmp/consul/config/*' /etc/consul.d/
    default: cp: cannot stat ‘/tmp/consul/config/*’: No such file or directory
    default: + sudo chown -R consul:consul /etc/consul.d /opt/consul
    default: + sudo chmod -R 0644 '/etc/consul.d/*'
    default: chmod: cannot access ‘/etc/consul.d/*’: No such file or directory
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + logger 'Installing dnsmasq'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:17 /tmp/vagrant-shell: Installing dnsmasq
    default: + DT='2018/03/07 23:45:17'
    default: + echo '2018/03/07 23:45:17 /tmp/vagrant-shell: Installing dnsmasq'
    default: + sudo yum install -q -y dnsmasq
    default: Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
    default: + logger 'Configuring dnsmasq to forward .consul requests to consul port 8600'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:18 /tmp/vagrant-shell: Configuring dnsmasq to forward .consul requests to consul port 8600
    default: + DT='2018/03/07 23:45:18'
    default: + echo '2018/03/07 23:45:18 /tmp/vagrant-shell: Configuring dnsmasq to forward .consul requests to consul port 8600'
    default: + sudo sh -c 'echo "server=/consul/127.0.0.1#8600" >> /etc/dnsmasq.d/consul'
    default: + sudo systemctl enable dnsmasq
    default: Created symlink from /etc/systemd/system/multi-user.target.wants/dnsmasq.service to /usr/lib/systemd/system/dnsmasq.service.
    default: + sudo systemctl restart dnsmasq
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:19 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:19'
    default: + echo '2018/03/07 23:45:19 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-6te85o.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:19 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:19'
    default: + echo '2018/03/07 23:45:19 /tmp/vagrant-shell: Running'
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + SYSTEMD_DIR=/etc/systemd/system
    default: + logger 'Installing consul systemd service for RHEL/CentOS'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:19 /tmp/vagrant-shell: Installing consul systemd service for RHEL/CentOS
    default: + DT='2018/03/07 23:45:19'
    default: + echo '2018/03/07 23:45:19 /tmp/vagrant-shell: Installing consul systemd service for RHEL/CentOS'
    default: + sudo cp /tmp/consul/init/systemd/consul.service /etc/systemd/system
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul.service’: No such file or directory
    default: + sudo chmod 0664 /etc/systemd/system/consul.service
    default: chmod: cannot access ‘/etc/systemd/system/consul.service’: No such file or directory
    default: + sudo systemctl enable consul
    default: Failed to execute operation: No such file or directory
    default: + sudo systemctl start consul
    default: Failed to start consul.service: Unit not found.
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:19 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:19'
    default: + echo '2018/03/07 23:45:19 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-rf5h4u.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:19 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:19'
    default: + echo '2018/03/07 23:45:19 /tmp/vagrant-shell: Running'
    default: + VAULT_VERSION=0.8.3
    default: + VAULT_ZIP=vault_0.8.3_linux_amd64.zip
    default: + VAULT_URL=https://releases.hashicorp.com/vault/0.8.3/vault_0.8.3_linux_amd64.zip
    default: + logger 'Downloading vault 0.8.3'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:19 /tmp/vagrant-shell: Downloading vault 0.8.3
    default: + DT='2018/03/07 23:45:19'
    default: + echo '2018/03/07 23:45:19 /tmp/vagrant-shell: Downloading vault 0.8.3'
    default: + curl --silent --output /tmp/vault_0.8.3_linux_amd64.zip https://releases.hashicorp.com/vault/0.8.3/vault_0.8.3_linux_amd64.zip
    default: + logger 'Installing vault'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:24 /tmp/vagrant-shell: Installing vault
    default: + DT='2018/03/07 23:45:24'
    default: + echo '2018/03/07 23:45:24 /tmp/vagrant-shell: Installing vault'
    default: + sudo unzip -o /tmp/vault_0.8.3_linux_amd64.zip -d /usr/local/bin/
    default: Archive:  /tmp/vault_0.8.3_linux_amd64.zip
    default:   inflating: /usr/local/bin/vault    
    default: + sudo chmod 0755 /usr/local/bin/vault
    default: + sudo chown vault:vault /usr/local/bin/vault
    default: + sudo mkdir -pm 0755 /etc/vault.d
    default: + sudo mkdir -pm 0755 /etc/ssl/vault
    default: ++ /usr/local/bin/vault --version
    default: + logger '/usr/local/bin/vault --version: Vault v0.8.3 ('\''6b29fb2b7f70ed538ee2b3c057335d706b6d4e36'\'')'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:24 /tmp/vagrant-shell: /usr/local/bin/vault --version: Vault v0.8.3 ('6b29fb2b7f70ed538ee2b3c057335d706b6d4e36')
    default: + DT='2018/03/07 23:45:24'
    default: + echo '2018/03/07 23:45:24 /tmp/vagrant-shell: /usr/local/bin/vault --version: Vault v0.8.3 ('\''6b29fb2b7f70ed538ee2b3c057335d706b6d4e36'\'')'
    default: + logger 'Configuring vault 0.8.3'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:24 /tmp/vagrant-shell: Configuring vault 0.8.3
    default: + DT='2018/03/07 23:45:24'
    default: + echo '2018/03/07 23:45:24 /tmp/vagrant-shell: Configuring vault 0.8.3'
    default: + sudo cp '/tmp/vault/config/*' /etc/vault.d
    default: cp: cannot stat ‘/tmp/vault/config/*’: No such file or directory
    default: + sudo chown -R vault:vault /etc/vault.d /etc/ssl/vault
    default: + sudo chmod -R 0644 '/etc/vault.d/*'
    default: chmod: cannot access ‘/etc/vault.d/*’: No such file or directory
    default: + echo 'export VAULT_ADDR=http://127.0.0.1:8200'
    default: + sudo tee /etc/profile.d/vault.sh
    default: export VAULT_ADDR=http://127.0.0.1:8200
    default: + logger 'Granting mlock syscall to vault binary'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:24 /tmp/vagrant-shell: Granting mlock syscall to vault binary
    default: + DT='2018/03/07 23:45:24'
    default: + echo '2018/03/07 23:45:24 /tmp/vagrant-shell: Granting mlock syscall to vault binary'
    default: + sudo setcap cap_ipc_lock=+ep /usr/local/bin/vault
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:24 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:24'
    default: + echo '2018/03/07 23:45:24 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-1pj33rz.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:25 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:25'
    default: + echo '2018/03/07 23:45:25 /tmp/vagrant-shell: Running'
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + SYSTEMD_DIR=/etc/systemd/system
    default: + logger 'Installing systemd services for RHEL/CentOS'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:25 /tmp/vagrant-shell: Installing systemd services for RHEL/CentOS
    default: + DT='2018/03/07 23:45:25'
    default: + echo '2018/03/07 23:45:25 /tmp/vagrant-shell: Installing systemd services for RHEL/CentOS'
    default: + sudo cp /tmp/vault/init/systemd/vault.service /etc/systemd/system
    default: cp: cannot stat ‘/tmp/vault/init/systemd/vault.service’: No such file or directory
    default: + sudo cp /tmp/consul/init/systemd/consul-online.service /etc/systemd/system
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul-online.service’: No such file or directory
    default: + sudo cp /tmp/consul/init/systemd/consul-online.target /etc/systemd/system
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul-online.target’: No such file or directory
    default: + sudo cp /tmp/consul/init/systemd/consul-online.sh /usr/bin/consul-online.sh
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul-online.sh’: No such file or directory
    default: + sudo chmod 0664 '/etc/systemd/system/vault*' '/etc/systemd/system/consul*'
    default: chmod: cannot access ‘/etc/systemd/system/vault*’: No such file or directory
    default: chmod: cannot access ‘/etc/systemd/system/consul*’: No such file or directory
    default: + sudo systemctl enable consul
    default: Failed to execute operation: No such file or directory
    default: + sudo systemctl start consul
    default: Failed to start consul.service: Unit not found.
    default: + sudo systemctl enable vault
    default: Failed to execute operation: No such file or directory
    default: + sudo systemctl start vault
    default: Failed to start vault.service: Unit not found.
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:25 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:25'
    default: + echo '2018/03/07 23:45:25 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-ne0cei.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:25 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:25'
    default: + echo '2018/03/07 23:45:25 /tmp/vagrant-shell: Running'
    default: + NOMAD_VERSION=0.7.0
    default: + NOMAD_ZIP=nomad_0.7.0_linux_amd64.zip
    default: + NOMAD_URL=https://releases.hashicorp.com/nomad/0.7.0/nomad_0.7.0_linux_amd64.zip
    default: + logger 'Downloading nomad 0.7.0'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:25 /tmp/vagrant-shell: Downloading nomad 0.7.0
    default: + DT='2018/03/07 23:45:25'
    default: + echo '2018/03/07 23:45:25 /tmp/vagrant-shell: Downloading nomad 0.7.0'
    default: + curl --silent --output /tmp/nomad_0.7.0_linux_amd64.zip https://releases.hashicorp.com/nomad/0.7.0/nomad_0.7.0_linux_amd64.zip
    default: + logger 'Installing nomad'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:28 /tmp/vagrant-shell: Installing nomad
    default: + DT='2018/03/07 23:45:28'
    default: + echo '2018/03/07 23:45:28 /tmp/vagrant-shell: Installing nomad'
    default: + sudo unzip -o /tmp/nomad_0.7.0_linux_amd64.zip -d /usr/local/bin/
    default: Archive:  /tmp/nomad_0.7.0_linux_amd64.zip
    default:   inflating: /usr/local/bin/nomad    
    default: + sudo chmod 0755 /usr/local/bin/nomad
    default: + sudo chown root:root /usr/local/bin/nomad
    default: + sudo mkdir -pm 0755 /etc/nomad.d
    default: + sudo mkdir -pm 0755 /opt/nomad/data
    default: ++ /usr/local/bin/nomad --version
    default: Nomad v0.7.0
    default: + logger '/usr/local/bin/nomad --version: '
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:29 /tmp/vagrant-shell: /usr/local/bin/nomad --version: 
    default: + DT='2018/03/07 23:45:29'
    default: + echo '2018/03/07 23:45:29 /tmp/vagrant-shell: /usr/local/bin/nomad --version: '
    default: + logger 'Configuring nomad 0.7.0'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:29 /tmp/vagrant-shell: Configuring nomad 0.7.0
    default: + DT='2018/03/07 23:45:29'
    default: + echo '2018/03/07 23:45:29 /tmp/vagrant-shell: Configuring nomad 0.7.0'
    default: + sudo cp '/tmp/nomad/config/*' /etc/nomad.d/
    default: cp: cannot stat ‘/tmp/nomad/config/*’: No such file or directory
    default: + sudo chown -R root:root /etc/nomad.d /opt/nomad
    default: + sudo chmod -R 0644 '/etc/nomad.d/*'
    default: chmod: cannot access ‘/etc/nomad.d/*’: No such file or directory
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:29 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:29'
    default: + echo '2018/03/07 23:45:29 /tmp/vagrant-shell: Complete'
==> default: Running provisioner: shell...
    default: Running: /tmp/vagrant-shell20180307-2073-1la2o30.sh
    default: + logger Running
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:29 /tmp/vagrant-shell: Running
    default: + DT='2018/03/07 23:45:29'
    default: + echo '2018/03/07 23:45:29 /tmp/vagrant-shell: Running'
    default: ++ which yum
    default: + YUM=/bin/yum
    default: ++ which apt-get
    default: + APT_GET=
    default: + [[ ! -z /bin/yum ]]
    default: + SYSTEMD_DIR=/etc/systemd/system
    default: + logger 'Installing systemd services for RHEL/CentOS'
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:29 /tmp/vagrant-shell: Installing systemd services for RHEL/CentOS
    default: + DT='2018/03/07 23:45:29'
    default: + echo '2018/03/07 23:45:29 /tmp/vagrant-shell: Installing systemd services for RHEL/CentOS'
    default: + sudo cp /tmp/nomad/init/systemd/nomad.service /etc/systemd/system
    default: cp: cannot stat ‘/tmp/nomad/init/systemd/nomad.service’: No such file or directory
    default: + sudo cp /tmp/consul/init/systemd/consul-online.service /etc/systemd/system
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul-online.service’: No such file or directory
    default: + sudo cp /tmp/consul/init/systemd/consul-online.target /etc/systemd/system
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul-online.target’: No such file or directory
    default: + sudo cp /tmp/consul/init/systemd/consul-online.sh /usr/bin/consul-online.sh
    default: cp: cannot stat ‘/tmp/consul/init/systemd/consul-online.sh’: No such file or directory
    default: + sudo chmod 0664 '/etc/systemd/system/nomad*' '/etc/systemd/system/consul*'
    default: chmod: cannot access ‘/etc/systemd/system/nomad*’: No such file or directory
    default: chmod: cannot access ‘/etc/systemd/system/consul*’: No such file or directory
    default: + sudo systemctl enable consul
    default: Failed to execute operation: No such file or directory
    default: + sudo systemctl start consul
    default: Failed to start consul.service: Unit not found.
    default: + sudo systemctl enable nomad
    default: Failed to execute operation: No such file or directory
    default: + sudo systemctl start nomad
    default: Failed to start nomad.service: Unit not found.
    default: + logger Complete
    default: ++ date '+%Y/%m/%d %H:%M:%S'
    default: 2018/03/07 23:45:29 /tmp/vagrant-shell: Complete
    default: + DT='2018/03/07 23:45:29'
    default: + echo '2018/03/07 23:45:29 /tmp/vagrant-shell: Complete'

Any advice? I like what this project seems to be aiming for - be a practice space for Vault, with batteries included! :)
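In the provisioning trace above, every "Configuring <svc>" step runs cp '/tmp/<svc>/config/*' while the /tmp/<svc> tree is absent, the unmatched glob is passed to cp literally, the following chmod and systemctl calls fail as well, and each script still logs "Complete". As an added example (not code from the vault-guides repository or its provisioning scripts), here is a fail-closed version of those two steps in POSIX sh; the helper names and the scratch paths in demo() are my own.

```shell
#!/bin/sh
# Added example, not part of vault-guides. Makes the "copy config dir" and
# "install unit file" steps from the log refuse to continue when their input
# is missing, instead of failing quietly and reporting success.
# All paths used in demo() are scratch paths constructed for this example.
set -u

# install_config_dir SRC_DIR DEST_DIR [MODE]
# Copy every regular file in SRC_DIR into DEST_DIR (created 0755) with mode MODE
# (default 0644). Returns 0 on success, 1 if SRC_DIR is missing or holds no
# regular files, 2 if a copy or chmod fails.
install_config_dir() {
  src=$1; dest=$2; mode=${3:-0644}; copied=0
  if [ ! -d "$src" ]; then
    echo "install_config_dir: source directory '$src' does not exist" >&2
    return 1
  fi
  mkdir -p -m 0755 "$dest" || return 2
  # With no match the pattern stays literal ("$src/*"), which is exactly what
  # the log shows; the -f test rejects it instead of handing it to cp.
  for f in "$src"/*; do
    [ -f "$f" ] || continue
    cp "$f" "$dest"/ || return 2
    chmod "$mode" "$dest/$(basename "$f")" || return 2
    copied=$((copied + 1))
  done
  if [ "$copied" -eq 0 ]; then
    echo "install_config_dir: no regular files in '$src'; nothing installed" >&2
    return 1
  fi
  echo "install_config_dir: installed $copied file(s) into $dest" >&2
}

# install_unit UNIT_FILE SYSTEMD_DIR
# Install one systemd unit with mode 0644. Returns 1 if the unit file is absent,
# so the caller never reaches "systemctl enable" for a unit that was never copied.
install_unit() {
  unit=$1; dir=$2
  if [ ! -f "$unit" ]; then
    echo "install_unit: unit file '$unit' not found" >&2
    return 1
  fi
  cp "$unit" "$dir"/ || return 2
  chmod 0644 "$dir/$(basename "$unit")" || return 2
}

# demo: reproduce the good and the bad outcome in a scratch directory and show
# the script stopping at the first missing input instead of logging "Complete".
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/consul/config" "$tmp/etc/systemd/system"
  printf 'datacenter = "dc1"\n' > "$tmp/consul/config/consul.hcl"

  # 1. source present: the file lands in etc/consul.d with mode 0644
  install_config_dir "$tmp/consul/config" "$tmp/etc/consul.d"

  # 2. source absent (the situation in the log): stop, do not enable anything
  rc=0
  install_config_dir "$tmp/vault/config" "$tmp/etc/vault.d" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "demo: aborting vault setup (rc=$rc)" >&2
  fi
  rc=0
  install_unit "$tmp/consul/init/systemd/consul.service" "$tmp/etc/systemd/system" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "demo: consul.service not installed; skipping systemctl enable/start" >&2
  fi
  rm -rf "$tmp"
}

demo
```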

Define account_file_path

Good day! I'm trying to get this guide up and running, but having some issues on my end.

One question I have is, what is the account_file_path?

As mentioned in the gcp-readme, I need to provide a .json file for my project. What is the file and where can I get it?

gcloud-project = "my-project"
account_file_path = "/usr/gcp/my-project.json"  # <----- what is this?

Initially, I thought this was the service account .json file, but I'm trying to use the terraform file to create the service account.

Any help is appreciated, thanks!

GCP KMS service account grant issue

Hello! Trying to follow this guide, I faced the following issue:

Terraform will perform the following actions:

  # google_kms_key_ring_iam_binding.vault_iam_kms_binding will be created
  + resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {
      + etag        = (known after apply)
      + id          = (known after apply)
      + key_ring_id = "idyllic-mantis-299418/global/test1"
      + members     = [
          + "serviceAccount:[email protected]",
        ]
      + role        = "roles/owner"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes 

google_kms_key_ring_iam_binding.vault_iam_kms_binding: Creating...

Error: Error applying IAM policy for KMS KeyRing "projects/idyllic-mantis-299418/locations/global/keyRings/test1": Error setting IAM policy for KMS KeyRing "projects/idyllic-mantis-299418/locations/global/keyRings/test1": googleapi: Error 403: Permission 'cloudkms.keyRings.setIamPolicy' denied on resource 'projects/idyllic-mantis-299418/locations/global/keyRings/test1' (or it may not exist)., forbidden

  on main.tf line 93, in resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding":
  93: resource "google_kms_key_ring_iam_binding" "vault_iam_kms_binding" {

Keyring and key exist, so I granted the owner role to the service account manually. But I can't figure out why Terraform can't deal with it; do you have any ideas?

Vault is not installed properly in aws-kms-unseal/terraform-aws

The userdata script fails to install Vault properly. When I ssh into the server and run the commands 'which vault' and 'which unzip', both come back empty. I do see the vault.zip file downloaded.

As a workaround, modifying userdata.tpl to install unzip on a separate line worked:

apt-get install -y unzip 
apt-get install -y libtool libltdl-dev #these installs are unsuccessful

How can I use template.source instead of contents in the case of a ConfigMap?

  1. My application already has an application.yml.
  2. I am trying to use application.yml as the Consul template itself. I think it would make the migration to Vault easy.
  3. I declared a new ConfigMap, with the Consul Template stanza in the HCL file as follows:

    "template" = {
      "source" = "/etc/configforvault/app-resources.yml"
      "destination" = "/vault/secrets/db-creds"
    }

  4. When I deploy the application in k8s it gives the following error:

2020-08-31T14:08:02.517Z [ERROR] template.server: template server failed to create: error="failed to read template: >open /etc/configforvault/app-resources.yml: no such file or directory"
2020-08-31T14:08:02.517Z [INFO] template.server: template server stopped
2020-08-31T14:08:02.525Z [INFO] auth.handler: authentication successful, sending token to sinks

  5. I have tried creating /etc/configforvault/app-resources.yml in vault-0, in vault-agent-injector-XXXXX and inside the application container too, but I still get the same error.

Can someone help me here? I am using Kubernetes and Vault.

Error: Error refreshing state

This seems to have happened before, but I just got these errors (I had to downgrade to 0.11.14 thanks to issues mentioned elsewhere). Seems to be a duplicate of an error on another repo: #130

terraform apply

data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_ami.consul: Refreshing state...
data.aws_elb_service_account.consul_lb_access_logs: Refreshing state...
data.aws_elb_service_account.vault_lb_access_logs: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_ami.vault: Refreshing state...
data.aws_availability_zones.main: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_iam_policy_document.consul: Refreshing state...
data.aws_ami.hashistack: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...
data.aws_iam_policy_document.assume_role: Refreshing state...

Error: Error refreshing state: 3 errors occurred:
* module.network_aws.data.aws_ami.hashistack: 1 error occurred:
* module.network_aws.data.aws_ami.hashistack: data.aws_ami.hashistack: Your query returned no results. Please change your search criteria and try again.

* module.vault_aws.data.aws_ami.vault: 1 error occurred:
* module.vault_aws.data.aws_ami.vault: data.aws_ami.vault: Your query returned no results. Please change your search criteria and try again.


* module.consul_aws.data.aws_ami.consul: 1 error occurred:
* module.consul_aws.data.aws_ami.consul: data.aws_ami.consul: Your query returned no results. Please change your search criteria and try again.

Please document required vagrant addons

Foreword: I am not experienced with vagrant. I want to learn how to use Vault to manage SSH keys. The official documentation led me to the vagrant-local tutorial in this repository.

Steps to reproduce, using a fresh vagrant installation:

vault-guides/identity/ssh-ca/vagrant-local$ vagrant up
Bringing machine 'vault' up with 'virtualbox' provider...
Bringing machine 'client' up with 'virtualbox' provider...
==> vault: Box 'bento/centos-7.6' could not be found. Attempting to find and install...
    vault: Box Provider: virtualbox
    vault: Box Version: 201812.27.0
==> vault: Loading metadata for box 'bento/centos-7.6'
    vault: URL: https://vagrantcloud.com/bento/centos-7.6
==> vault: Adding box 'bento/centos-7.6' (v201812.27.0) for provider: virtualbox
    vault: Downloading: https://vagrantcloud.com/bento/boxes/centos-7.6/versions/201812.27.0/providers/virtualbox.box
Download redirected to host: vagrantcloud-files-production.s3.amazonaws.com
==> vault: Successfully added box 'bento/centos-7.6' (v201812.27.0) for 'virtualbox'!
There are errors in the configuration of this machine. Please fix
the following errors and try again:

vm:
* The 'hosts' provisioner could not be found.

I've solved the problem (I think) by running vagrant plugin install vagrant-hosts && vagrant provision.
Please document any required vagrant plugins (are there more?) in the tutorial's readme file.

The example "Provision a Best Practices Vault Cluster in AWS" cannot terraform init

I'm wondering if this:
https://github.com/hashicorp/vault-guides/tree/master/operations/provision-vault/best-practices/terraform-aws
or this is a better place to start:
https://github.com/hashicorp/terraform-aws-vault

Apart from the upgrade to 0.12 being needed, it looks like a few variable names are being used that aren't allowed now, like 'provider'.

Warning: Skipping backend initialization pending configuration upgrade

The root module configuration contains errors that may be fixed by running the
configuration upgrade tool, so Terraform is skipping backend initialization.
See below for more information.


Warning: Quoted type constraints are deprecated

  on variables.tf line 17, in variable "vpc_cidrs_public":
  17:   type    = "list"

Terraform 0.11 and earlier required type constraints to be given in quotes,
but that form is now deprecated and will be removed in a future version of
Terraform. To silence this warning, remove the quotes around "list" and write
list(string) instead to explicitly indicate that the list elements are
strings.

(and 6 more similar warnings elsewhere)


Error: Reserved argument name in module block

  on main.tf line 141, in module "consul_aws":
 141:   count            = "${var.consul_servers}"

The name "count" is reserved for use in a future version of Terraform.


Error: Reserved argument name in module block

  on main.tf line 187, in module "vault_aws":
 187:   count            = "${var.vault_servers}"

The name "count" is reserved for use in a future version of Terraform.


Error: Invalid multi-line string

  on outputs.tf line 13, in output "zREADME":
  13: 
  14: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Unterminated template string

  on outputs.tf line 13, in output "zREADME":
  13: 
  14: 

No closing marker was found for the string.


Error: Invalid multi-line string

  on outputs.tf line 14, in output "zREADME":
  14: 
  15: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 15, in output "zREADME":
  15: 
  16: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 16, in output "zREADME":
  16: 
  17: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 17, in output "zREADME":
  17: 
  19: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 19, in output "zREADME":
  19: 
  20: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 20, in output "zREADME":
  20: 
  22: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 22, in output "zREADME":
  22: 
  23: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 23, in output "zREADME":
  23: 
  25: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 25, in output "zREADME":
  25: 
  26: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 26, in output "zREADME":
  26: 
  28: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 28, in output "zREADME":
  28: 
  29: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 29, in output "zREADME":
  29: 
  30: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 30, in output "zREADME":
  30: 
  31: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 31, in output "zREADME":
  31: 
  33: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 33, in output "zREADME":
  33: 
  34: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 34, in output "zREADME":
  34: 
  35: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 35, in output "zREADME":
  35: 
  36: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid multi-line string

  on outputs.tf line 36, in output "zREADME":
  36: 
  37: 

Quoted strings may not be split over multiple lines. To produce a multi-line
string, either use the \n escape to represent a newline character or use the
"heredoc" multi-line template syntax.


Error: Invalid variable name

  on variables.tf line 7, in variable "provider":
   7: variable "provider"          { default = "aws" }

The variable name "provider" is reserved due to its special meaning inside
module blocks.


Terraform has initialized, but configuration upgrades may be needed.

Terraform found syntax errors in the configuration that prevented full
initialization. If you've recently upgraded to Terraform v0.12, this may be
because your configuration uses syntax constructs that are no longer valid,
and so must be updated before full initialization is possible.

Terraform has installed the required providers to support the configuration
upgrade process. To begin upgrading your configuration, run the following:
    terraform 0.12upgrade

To see the full set of errors that led to this message, run:
    terraform validate
user@MacBookPro13 terraform-aws % 

Remove insensitive language like "blacklist", "whitelist", "master", and "slave"

There are no references to "blacklist".

We'll want to rename https://github.com/hashicorp/vault-guides/blob/master/governance/sentinel/egp-okta-user-whitelist.sentinel to egp-okta-user-allowlist.sentinel and change reference to it in https://github.com/hashicorp/vault-guides/blob/master/governance/sentinel/README.md to remove "whitelist".

We'll want to change variable names in https://github.com/hashicorp/vault-guides/blob/master/secrets/spring-cloud-vault/kubernetes/terraform/variables.tf and their use in https://github.com/hashicorp/vault-guides/blob/master/secrets/spring-cloud-vault/kubernetes/terraform/main.tf to remove "master"

If possible, make changes in https://github.com/hashicorp/vault-guides/blob/master/shared/vault/scripts/vault-k8s-helm.sh to remove "master"

"master" is used in https://github.com/hashicorp/vault-guides/blob/master/identity/vault-agent-k8s-demo/terraform-gcp/main.tf, but this is because that is what the Terraform google_container_cluster resource uses.

Remove "master" from https://github.com/hashicorp/vault-guides/blob/master/identity/vault-agent-k8s-demo/terraform-gcp/README.md, which refers to "Kubernetes master". It is in a comment, so it could be removed.

https://github.com/hashicorp/vault-guides/blob/master/operations/raft-storage/aws/main.tf refers to "master key" but only in a comment, so it could be removed.

https://github.com/hashicorp/vault-guides/blob/master/operations/aws-kms-unseal-ha/terraform/README.md and https://github.com/hashicorp/vault-guides/blob/master/governance/audit/README.md refer to Vault's "master key" in text.

azure-keyvault-unseal appears to be broken?

I'm trying to stand up my first Vault instance on Azure.

I see there's a Vault Azure autounseal guide using Terraform; seems like a good way to go. (Cool! 🎉 )

So I've tried to carefully follow the directions but am experiencing an error.

Expected:
When correct values are pasted into terraform.tfvars, terraform plan should succeed
Actual:
terraform plan has an error

Repro steps:

  1. Run az login and logon to Azure
  2. Now run az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/MY_SUBSCRIPTION_ID".
    Got a bunch of values back.
  3. Copy your ssh pubkey and, from the console output, the tenant id, client ('app') id, client secret ('password') and subscription id, and paste them into a file named terraform.tfvars, copied from terraform.tfvars.example per the instructions.
  4. Run terraform init; for me it said:
* provider.azurerm: version = "~> 1.30"
* provider.random: version = "~> 2.1"
* provider.template: version = "~> 2.1"
  5. Run terraform plan; for me it fails.
$ terraform plan
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.

data.azurerm_client_config.current: Refreshing state...

------------------------------------------------------------------------

Error: "access_policy.0.object_id" is an invalid UUUID: uuid: UUID string too short: 

  on main.tf line 20, in resource "azurerm_key_vault" "vault":
  20: resource "azurerm_key_vault" "vault" {

The corresponding line looks like this:
object_id = data.azurerm_client_config.current.service_principal_object_id
What's a UUUID? (with 3 'U's. Only seen the kind with 2 'U's before)

Not sure what to do next, any hints appreciated!

macOS 10.14.5
$ terraform -v
Terraform v0.12.2

  • provider.azurerm v1.30.1
  • provider.random v2.1.2
  • provider.template v2.1.2

Please upgrade essential guides to terraform 0.12 (vault terraform-aws)

I tried upgrading the Vault provisioning guide for AWS using terraform 0.12upgrade.

Still getting errors:

Upgrade complete!

The configuration files were upgraded successfully. Use your version control
system to review the proposed changes, make any necessary adjustments, and
then commit.

➜  terraform-aws git:(master) ✗ terraform init       
There are some problems with the configuration, described below.

The Terraform configuration must be valid before initialization so that
Terraform can determine which modules and providers need to be installed.

Error: Reserved argument name in module block

  on main.tf line 157, in module "consul_aws":
 157:   count            = var.consul_servers

The name "count" is reserved for use in a future version of Terraform.


Error: Reserved argument name in module block

  on main.tf line 208, in module "vault_aws":
 208:   count            = var.vault_servers

The name "count" is reserved for use in a future version of Terraform.


Error: Invalid variable name

  on variables.tf line 16, in variable "provider":
  16: variable "provider" {

The variable name "provider" is reserved due to its special meaning inside
module blocks.
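The two reserved-name errors in this issue and in the earlier "Provision a Best Practices Vault Cluster in AWS" issue have the same remedy: rename the module argument and the variable. The corrected declarations below are an added example, not code from the vault-guides repository; the module source paths, the new names (server_count, cloud_provider) and the inner module's input variable are assumptions.

```hcl
# Terraform 0.12 rejects two names that the 0.11-era configuration used:
#   - "count" as an argument in a module block (reserved meta-argument)
#   - "provider" as a variable name (reserved inside module blocks)
# Assumed layout and names; the real guide's files may differ.

# --- variables.tf: variable "provider" renamed to "cloud_provider" ---
variable "cloud_provider" {
  description = "Cloud platform the cluster is provisioned on."
  type        = string
  default     = "aws"
}

variable "consul_servers" {
  description = "Number of Consul server instances."
  type        = number
  default     = 3
}

variable "vault_servers" {
  description = "Number of Vault server instances."
  type        = number
  default     = 3
}

# --- main.tf: the module argument "count" renamed to "server_count" ---
module "consul_aws" {
  source = "./modules/consul-aws" # assumed path

  # Before (rejected by terraform init on 0.12):
  #   count = "${var.consul_servers}"
  server_count = var.consul_servers
}

module "vault_aws" {
  source = "./modules/vault-aws" # assumed path

  # Before (rejected by terraform init on 0.12):
  #   count = "${var.vault_servers}"
  server_count = var.vault_servers
}

# --- modules/consul-aws/variables.tf (the vault module alike) ---
# The module's own input must be renamed to match the new argument name,
# since "count" can no longer be declared or passed as an input variable.
variable "server_count" {
  description = "Number of server instances this module creates."
  type        = number
}
```

Run terraform validate after the rename to confirm no further reserved names remain; a module pulled from a registry must instead be pinned to a version that no longer declares a count input.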
