Put proxy in front of vault

joecorall · joecorall · commit c5bed2f4d469 · 2025-11-19T06:45:20.000-05:00
diff --git a/main.tf b/main.tf
@@ -16,8 +16,9 @@ terraform {
 }
 
 locals {
-  image_name = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)
-  kms_key    = "vault"
+  image_name  = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)
+  vault_proxy = "jcorall/vault-proxy:main"
+  kms_key     = "vault"
 }
 
 ## Create the GSA the Vault CloudRun deployment will run as
@@ -78,6 +79,10 @@ resource "docker_registry_image" "vault" {
   }
 }
 
+data "docker_registry_image" "vault-proxy" {
+  name = local.vault_proxy
+}
+
 ## Create KMS keys
 resource "google_kms_key_ring" "vault-server" {
   name     = "vault-server"
@@ -115,10 +120,16 @@ module "vault" {
   min_instances = 0
   max_instances = 1
   containers = tolist([
+    {
+      name   = "proxy",
+      image  = format("%s@%s", local.vault_proxy, data.docker_registry_image.vault-proxy.sha256_digest)
+      port   = 8080
+      memory = "512Mi"
+      cpu    = "500m"
+    },
     {
       name   = "vault",
       image  = format("%s@%s", local.image_name, docker_registry_image.vault.sha256_digest)
-      port   = 8200
       memory = "2Gi"
       cpu    = "2000m"
     }
@@ -132,10 +143,13 @@ module "vault" {
     {
       name  = "GOOGLE_STORAGE_BUCKET"
       value = google_storage_bucket.vault["data"].name
+    },
+    {
+      name  = "VAULT_PROXY_YAML"
+      value = replace(var.vault_proxy_yaml, "__GCLOUD_PROJECT__", var.project)
     }
   ])
 
-
   depends_on = [google_kms_crypto_key_iam_member.vault, docker_registry_image.vault]
 }
 
diff --git a/variables.tf b/variables.tf
@@ -30,3 +30,25 @@ variable "country" {
   type    = string
   default = "us"
 }
+
+# e.g. https://github.com/libops/vault-proxy/blob/main/config.example.yaml
+variable "vault_proxy_yaml" {
+  type      = string
+  sensitive = true
+  default   = <<EOT
+vault_addr: http://127.0.0.1:8200
+port: 8080
+admin_emails:
+  - joe@libops.io
+  - github@__GCLOUD_PROJECT__.iam.gserviceaccount.com
+  - vault-server@__GCLOUD_PROJECT__.iam.gserviceaccount.com
+public_routes:
+  - /.well-known/
+  - /v1/identity/oidc/
+  - /v1/auth/oidc/
+  - /v1/auth/userpass/
+  # this should always be set, as the docker healthcheck relies on it
+  # the healthcheck checks both the proxy is working and vault is unsealed
+  - /v1/sys/health
+EOT
+}

Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,9 @@ terraform {`
`16`	`16`	`}`
`17`	`17`
`18`	`18`	`locals {`
`19`		`- image_name = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)`
`20`		`- kms_key = "vault"`
	`19`	`+ image_name = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)`
	`20`	`+ vault_proxy = "jcorall/vault-proxy:main"`
	`21`	`+ kms_key = "vault"`
`21`	`22`	`}`
`22`	`23`
`23`	`24`	`## Create the GSA the Vault CloudRun deployment will run as`
`@@ -78,6 +79,10 @@ resource "docker_registry_image" "vault" {`
`78`	`79`	`}`
`79`	`80`	`}`
`80`	`81`
	`82`	`+data "docker_registry_image" "vault-proxy" {`
	`83`	`+ name = local.vault_proxy`
	`84`	`+}`
	`85`	`+`
`81`	`86`	`## Create KMS keys`
`82`	`87`	`resource "google_kms_key_ring" "vault-server" {`
`83`	`88`	`name = "vault-server"`
`@@ -115,10 +120,16 @@ module "vault" {`
`115`	`120`	`min_instances = 0`
`116`	`121`	`max_instances = 1`
`117`	`122`	`containers = tolist([`
	`123`	`+ {`
	`124`	`+ name = "proxy",`
	`125`	`+ image = format("%s@%s", local.vault_proxy, data.docker_registry_image.vault-proxy.sha256_digest)`
	`126`	`+ port = 8080`
	`127`	`+ memory = "512Mi"`
	`128`	`+ cpu = "500m"`
	`129`	`+ },`
`118`	`130`	`{`
`119`	`131`	`name = "vault",`
`120`	`132`	`image = format("%s@%s", local.image_name, docker_registry_image.vault.sha256_digest)`
`121`		`- port = 8200`
`122`	`133`	`memory = "2Gi"`
`123`	`134`	`cpu = "2000m"`
`124`	`135`	`}`
`@@ -132,10 +143,13 @@ module "vault" {`
`132`	`143`	`{`
`133`	`144`	`name = "GOOGLE_STORAGE_BUCKET"`
`134`	`145`	`value = google_storage_bucket.vault["data"].name`
	`146`	`+ },`
	`147`	`+ {`
	`148`	`+ name = "VAULT_PROXY_YAML"`
	`149`	`+ value = replace(var.vault_proxy_yaml, "__GCLOUD_PROJECT__", var.project)`
`135`	`150`	`}`
`136`	`151`	`])`
`137`	`152`
`138`		`-`
`139`	`153`	`depends_on = [google_kms_crypto_key_iam_member.vault, docker_registry_image.vault]`
`140`	`154`	`}`
`141`	`155`