Vault Baseline Configuration

audit.tf

resource "vault_audit" "file" {
  type        = "file"
  description = "Vault Audit to File"

  options = {
    file_path = "/var/log/vault_audit.log"
    format    = "json"
    mode      = "0000"
    prefix    = "vault"
  }
}

resource "vault_audit" "syslog" {
  type        = "syslog"
  description = "Vault Audit to syslog"

  options = {
    tag      = "vault"
    facility = "AUTH"
    format   = "json"
    prefix   = "vault"
  }
}

raft_autopilot.tf

#https://developer.hashicorp.com/vault/api-docs/system/storage/raftautopilot#set-configuration
#https://developer.hashicorp.com/vault/tutorials/raft/raft-autopilot#autopilot-configuration

resource "vault_raft_autopilot" "default" {
  cleanup_dead_servers               = true
  dead_server_last_contact_threshold = "10s"
  last_contact_threshold             = "10s"
  max_trailing_logs                  = 1000
  min_quorum                         = 3
  server_stabilization_time          = "10s"
}

raft_snapshot.tf

resource "vault_raft_snapshot_agent_config" "local" {
  name             = "local"
  interval_seconds = 86400
  retain           = 7
  path_prefix      = "/opt/vault/snapshots/"
  storage_type     = "local"
  local_max_space = 10000000
}

#AWS
data "aws_region" "default" {}

resource "vault_raft_snapshot_agent_config" "aws" {
  name             = "s3"
  interval_seconds = 86400
  retain           = 7
  path_prefix      = "/vault/snapshots/"
  storage_type     = "aws-s3"
  aws_s3_bucket         = "vault_snapshots"
  aws_s3_region         = data.aws_region.default.name
}