Update template name, CHANGELOG, form

CHANGELOG.md

@@ -1,3 +1,10 @@
+## v3.1.1
+
+- Vault v1.2.1
+- Add `SYS_ADMIN` capability to all containers
+- Update all templates filenames and template filename references
+- Update documentation
+
 ## v3.1.0
 
 - Vault v1.2.0

README.md

@@ -381,7 +381,7 @@ Number of Vault custom containers
 
 Specify an alternative configuration file template in `black_lion/templates/custom`
 
-- Default: `vault_config_custom.tpl`
+- Default: `vault_config_custom.hcl`
 
 #### TF_VAR_use_consul_oss
 
@@ -551,6 +551,22 @@ consuls0.node.consul.   0   IN  TXT "consul-network-segment="
 
 Given the intended use cases for this project, the working solution that results when Vaultron is formed is essentially a blank canvas that emphasizes immediate unhindered usability over security.
 
+#### Docker Container / OS
+
+To better facilitate requirements, advanced troubleshooting, and debugging, the following capabilities are added:
+
+- Vault containers:
+  - `IPC_LOCK`
+  - `NET_ADMIN`
+  - `SYS_ADMIN`
+  - `SYS_PTRACE`
+  - `SYSLOG`
+- Consul containers:
+  - `NET_ADMIN`
+  - `SYS_ADMIN`
+  - `SYS_PTRACE`
+  - `SYSLOG`
+
 #### Consul ACLs by Default
 
 > **Consul ACLs with a **default allow policy** are enabled for Vaultron v1.8.0 (using Vault v0.9.5/Consul v1.0.6) and beyond**
@@ -662,6 +678,10 @@ $ export TF_VAR_vault_oss_instance_count=0 \
 
 > **NOTE**: When using custom binaries in this way the binary must be for Linux/AMD64 as that is the platform for the containers, also Vaultron ignores the value of `TF_VAR_vault_version` since the binary itself determines the version so keep that in mind as well.
 
+One disadvantage of the current custom binary scheme is that it chooses a simplest approach to introducing the `vault` binary by changing the path from which `vault` is executed. This breaks the preferred dedicated user model such that the process is executed by the _root_ user instead of the _vault_ user, so please keep this in mind when using custom binaries.
+
+All OSS containers do execute _vault_ as the _vault_ user.
+
 ## Basic Troubleshooting Questions
 
 ### I can access the Consul UI but it states that there are no services to show

black_lion/main.tf

@@ -77,7 +77,7 @@ resource "docker_image" "vault" {
 data "template_file" "vault_config" {
   count = var.vault_oss_instance_count
   template = file(
-    "${path.module}/templates/oss/vault_config_${var.vault_version}.tpl",
+    "${path.module}/templates/oss/vault_config_${var.vault_version}.hcl",
   )
 
   vars = {
@@ -122,7 +122,7 @@ data "template_file" "vault_tls_key" {
 # -----------------------------------------------------------------------
 
 data "template_file" "telemetry_config" {
-  template = file("${path.module}/templates/extras/vault_telemetry.tpl")
+  template = file("${path.module}/templates/extras/vault_telemetry.hcl")
 
   vars = {
     statsd_ip = var.statsd_ip
@@ -153,7 +153,7 @@ resource "docker_container" "vault_oss_server" {
   must_run = true
 
   capabilities {
-    add = ["IPC_LOCK", "NET_ADMIN", "SYS_PTRACE"]
+    add = ["IPC_LOCK", "NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYSLOG", "SYS_RAWIO"]
   }
 
   networks_advanced {
@@ -285,7 +285,7 @@ resource "docker_container" "vault_custom_server" {
   must_run = true
 
   capabilities {
-    add = ["IPC_LOCK", "NET_ADMIN", "SYS_PTRACE"]
+    add = ["IPC_LOCK", "NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYSLOG"]
   }
 
   networks_advanced {

black_lion/templates/oss/vault_config_1.2.1.hcl

@@ -0,0 +1,56 @@
+# Vault OSS v1.2.1
+
+# -----------------------------------------------------------------------
+# Global configuration
+# -----------------------------------------------------------------------
+
+api_addr     = "${api_addr}"
+cluster_name     = "${cluster_name}"
+cluster_address  = "${cluster_address}"
+log_level        = "${log_level}"
+ui               = true
+plugin_directory = "/vault/plugins"
+
+# Default TTLs
+default_lease_ttl = "50000h" # 2083 days
+max_lease_ttl     = "50000h" # 2083 days
+
+# -----------------------------------------------------------------------
+# Listener configuration
+# -----------------------------------------------------------------------
+
+listener "tcp" {
+  address                  = "${address}"
+  tls_cert_file            = "/etc/ssl/certs/vault-server.crt"
+  tls_key_file             = "/etc/ssl/vault-server.key"
+  tls_disable_client_certs = "true"
+}
+
+# -----------------------------------------------------------------------
+# Storage configuration
+# -----------------------------------------------------------------------
+
+storage "consul" {
+  address            = "${consul_address}:8500"
+  scheme             = "https"
+  tls_ca_file        = "/etc/ssl/certs/ca.pem"
+  token              = "b4c0ffee-3b77-04af-36d6-738b697872e6"
+  path               = "vault/"
+  disable_clustering = "${disable_clustering}"
+  service_tags       = "${service_tags}"
+}
+
+# -----------------------------------------------------------------------
+# Optional cloud seal configuration
+# -----------------------------------------------------------------------
+
+# GCPKMS
+
+# -----------------------------------------------------------------------
+# Enable Prometheus metrics by default
+# -----------------------------------------------------------------------
+
+telemetry {
+  prometheus_retention_time = "30s"
+  disable_hostname          = false
+}

examples/telemetry/README.md

@@ -63,7 +63,7 @@ Note that the *admin* user password is set to "vaultron" in the example, and som
 
 #### Initial Vaultron Configuration
 
-Now, edit the custom configuration for Vaultron, located in `black_lion/templates/vault_config_custom.tpl`, and add a `telemetry` stanza containing the IP address and port for the Graphite container:
+Now, edit the custom configuration for Vaultron, located in `black_lion/templates/vault_config_custom.hcl`, and add a `telemetry` stanza containing the IP address and port for the Graphite container:
 
 ```
 telemetry {

form

@@ -59,7 +59,7 @@ check_existing_vault() {
 # TerraFORM Vaultron!
 check_consul_version() {
   if [ -n "$TF_VAR_consul_version" ]; then
-    USER_CONSUL_CONFIG="./red_lion/templates/oss/consul_oss_server_config_${TF_VAR_consul_version}.tpl";
+    USER_CONSUL_CONFIG="./red_lion/templates/oss/consul_oss_server_config_${TF_VAR_consul_version}.hcl";
     if [ ! -f "$USER_CONSUL_CONFIG" ]; then
        msg alert "Sorry, Vaultron does not support Consul version: ${TF_VAR_consul_version}";
        unset TF_VAR_consul_version;
@@ -70,7 +70,7 @@ check_consul_version() {
 
 check_vault_version() {
   if [ -n "$TF_VAR_vault_version" ]; then
-    USER_VAULT_CONFIG="./black_lion/templates/oss/vault_config_${TF_VAR_vault_version}.tpl";
+    USER_VAULT_CONFIG="./black_lion/templates/oss/vault_config_${TF_VAR_vault_version}.hcl";
     if [ ! -f "$USER_VAULT_CONFIG" ]; then
        msg alert "Sorry, Vaultron does not support Vault version: ${TF_VAR_vault_version}";
        unset TF_VAR_vault_version;

red_lion/main.tf

@@ -84,7 +84,7 @@ data "template_file" "consul_oss_server_common_config" {
   #
   # count    = "${var.consul_oss}"
   template = file(
-    "${path.module}/templates/oss/consul_oss_server_config_${var.consul_version}.tpl",
+    "${path.module}/templates/oss/consul_oss_server_config_${var.consul_version}.hcl",
   )
 
   vars = {
@@ -165,7 +165,7 @@ resource "docker_container" "consuls0" {
   dns_search = ["consul"]
 
   capabilities {
-    add = ["NET_ADMIN", "SYS_PTRACE"]
+    add = ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYSLOG"]
   }
 
   networks_advanced {
@@ -293,7 +293,7 @@ resource "docker_container" "consuls1" {
   dns_search = ["consul"]
 
   capabilities {
-    add = ["NET_ADMIN", "SYS_PTRACE"]
+    add = ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYSLOG"]
   }
 
   networks_advanced {
@@ -365,7 +365,7 @@ resource "docker_container" "consuls2" {
   dns_search = ["consul"]
 
   capabilities {
-    add = ["NET_ADMIN", "SYS_PTRACE"]
+    add = ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYSLOG"]
   }
 
   networks_advanced {
@@ -416,7 +416,7 @@ resource "random_id" "agent_node_id" {
 data "template_file" "consulc_common_config" {
   count = var.consul_oss_instance_count
   template = file(
-    "${path.module}/templates/oss/consul_oss_client_config_${var.consul_version}.tpl",
+    "${path.module}/templates/oss/consul_oss_client_config_${var.consul_version}.hcl",
   )
 
   vars = {
@@ -443,7 +443,7 @@ data "template_file" "consul_client_tls_key" {
   )
 }
 
-# Consul Open Source Clients
+# Consul Open Source Client agents
 
 resource "docker_container" "consul_oss_client" {
   count      = var.consul_oss_instance_count
@@ -465,6 +465,7 @@ resource "docker_container" "consul_oss_client" {
     "agent",
     "-config-dir=/consul/config",
     "-client=0.0.0.0",
+    "-advertise=${format("10.10.42.4%d", count.index)}",
     "-data-dir=/consul/data",
     "-datacenter=${var.datacenter_name}",
     "-join=${docker_container.consuls2.ip_address}",
@@ -479,7 +480,7 @@ resource "docker_container" "consul_oss_client" {
   }
 
   capabilities {
-    add = ["NET_ADMIN", "SYS_PTRACE"]
+    add = ["NET_ADMIN", "SYS_ADMIN", "SYS_PTRACE", "SYSLOG"]
   }
 
   networks_advanced {

vaultron.tf

@@ -12,7 +12,7 @@ terraform {
 
 # Set TF_VAR_vault_version to set this
 variable "vault_version" {
-  default = "1.2.0"
+  default = "1.2.1"
 }
 
 # Set TF_VAR_consul_version to set this
@@ -96,7 +96,7 @@ variable "vault_custom_instance_count" {
 
 # Set TF_VAR_vault_custom_config_template to set this
 variable "vault_custom_config_template" {
-  default = "vault_config_custom.tpl"
+  default = "vault_config_custom.hcl"
 }
 
 // # Set TF_VAR_vault_server_tls_disable to set this

version.txt

@@ -1 +1 @@
-3.1.0
+3.1.1

yellow_lion/main.tf

@@ -105,7 +105,7 @@ resource "docker_image" "grafana" {
 # Grafana configuration
 data "template_file" "grafana_config" {
   count    = var.vaultron_telemetry_count
-  template = file("${path.module}/templates/datasource.yml.tpl")
+  template = file("${path.module}/templates/datasource.yml.hcl")
 
   vars = {
     statsd_ip = element(
@@ -121,7 +121,7 @@ data "template_file" "grafana_config" {
 
 data "template_file" "grafana_dashboard_bootstrap_config" {
   count    = var.vaultron_telemetry_count
-  template = file("${path.module}/templates/dashboard_bootstrap.yml.tpl")
+  template = file("${path.module}/templates/dashboard_bootstrap.yml.hcl")
 }
 
 # -----------------------------------------------------------------------
@@ -130,7 +130,7 @@ data "template_file" "grafana_dashboard_bootstrap_config" {
 
 data "template_file" "grafana_dashboard_config" {
   count    = var.vaultron_telemetry_count
-  template = file("${path.module}/templates/dashboard.json.tpl")
+  template = file("${path.module}/templates/dashboard.json.hcl")
 }
 
 # -----------------------------------------------------------------------