Analysis of HashiCorp's Official Vault CloudFormation

1. vault goes to /usr/bin

2. vault config in /etc/vault.d/vault.hcl. Note by default tls_disable is false,i.e., https is turned on by default

backend "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

Note that the consul address is local, because it is talking to the local consul agent, as per recommendation of Hashicorp

1. Systemd config in /etc/systemd/system/vault.service

[Unit]
Description=Vault
Requires=network-online.target
After=network-online.target

[Service]
Restart=on-failure
ExecStart=/usr/bin/vault server -config /etc/vault.d/vault.hcl
ExecReload=/bin/kill -HUP $MAINPID
KillSignal=SIGTERM

[Install]
WantedBy=multi-user.target

1. Note that this template has no autoscaling group/launch configuration setup.

2. It also has config and setup for consul client. The configuration layout is exactly same as the consul quickstart

3. Although vault requires unseal on each restart, there is no script in the template to handle that. That means unsealing, and making sure # of alive instances > 1 is completely manual