
Terraform Infrastructure for HashiCorp Vault on Kubernetes: Building multi-cluster EKS with reusable modules
7 October 2025
Kilian Niemegeerts

You need HashiCorp Vault running on production Kubernetes. Manual setup means clicking through the AWS console for the infrastructure, then installing Vault separately by hand. We automate both layers with Terraform and GitOps, so the environment is reproducible from day one.
We built our entire Vault setup with Terraform modules following the 80% principle: support the most common configurations without overcomplicating for edge cases.
This is part 2 of our 6-part series on production Vault:
- Production Kubernetes Architecture with HashiCorp Vault
- Terraform Infrastructure for HashiCorp Vault on EKS
- External Secrets Operator: GitOps for Kubernetes Secrets (coming soon)
- Dynamic PostgreSQL Credentials with HashiCorp Vault (coming soon)
- Vault Agent vs Secrets Operator vs CSI Provider (coming soon)
- Securing Vault Access with Internal NLB and VPN (coming soon)
Terraform Module Architecture for Vault
Our Terraform Vault infrastructure uses a clean module structure:
```
modules/
├── vpc/   # Network infrastructure
├── iam/   # Roles and service accounts
├── kms/   # Encryption keys for Vault
├── efs/   # Persistent storage
└── eks/   # Kubernetes clusters
```
Each module follows the same pattern:
- main.tf: Resource definitions
- variables.tf: Input parameters
- outputs.tf: Values for dependent modules
This structure makes complex Vault infrastructure traceable, adaptable, and reproducible. No more snowflake deployments.
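As an added illustration of that three-file pattern (my example, not code from the article's repository), here is how a kms module along the lines of the one listed above could look. It assumes the iam module has already created the IRSA role for the Vault pods and exposes its ARN (the `unseal_role_arn` input), and it grants that role only the three KMS operations Vault's awskms seal needs, while the account root keeps administrative control so the key can never become unmanageable.

```hcl
# modules/kms/variables.tf
variable "name" {
  description = "Name of the Vault auto-unseal key; the alias becomes alias/<name>"
  type        = string
}

variable "unseal_role_arn" {
  description = "ARN of the IRSA role used by the Vault pods (output of the iam module, assumed)"
  type        = string
}

variable "tags" {
  description = "Tags applied to every resource in this module"
  type        = map(string)
  default     = {}
}

# modules/kms/main.tf
data "aws_caller_identity" "current" {}

# Key policy: root keeps full control (IAM policies in the account can then
# be used to manage the key); the Vault role gets only what auto-unseal uses.
data "aws_iam_policy_document" "key" {
  statement {
    sid       = "EnableRootAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid       = "AllowVaultAutoUnseal"
    actions   = ["kms:Encrypt", "kms:Decrypt", "kms:DescribeKey"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [var.unseal_role_arn]
    }
  }
}

resource "aws_kms_key" "vault" {
  description             = "Vault auto-unseal key (${var.name})"
  deletion_window_in_days = 30   # long window: losing this key means losing the unseal key
  enable_key_rotation     = true # yearly rotation; old material stays usable for decryption
  policy                  = data.aws_iam_policy_document.key.json
  tags                    = var.tags
}

resource "aws_kms_alias" "vault" {
  name          = "alias/${var.name}"
  target_key_id = aws_kms_key.vault.key_id
}

# modules/kms/outputs.tf
output "key_id" {
  description = "Key ID for the kms_key_id field of Vault's awskms seal stanza"
  value       = aws_kms_key.vault.key_id
}

output "key_arn" {
  description = "Key ARN for IAM policies built by dependent modules"
  value       = aws_kms_key.vault.arn
}
```

The role ARN is an input rather than a module-internal lookup because the key policy must name an existing principal; the iam module therefore creates the role first, and any role-side policy that references `key_arn` is attached afterwards, which keeps the two modules free of a dependency cycle.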
Multi-Cluster Terraform Setup
Remember from part 1: we run Vault in a separate tooling cluster. Here’s how that translates to Terraform:
Tooling Cluster (Vault lives here):
```hcl
module "eks_tooling" {
  source         = "../modules/eks"
  cluster_name   = "tooling-cluster"
  instance_types = ["t3.large"] # Stable workloads
  min_size       = 3
  max_size       = 6
}
```
Application cluster:
```hcl
module "eks_application" {
  source         = "../modules/eks"
  cluster_name   = "application-cluster"
  instance_types = ["c5.xlarge"] # Compute-optimized
  min_size       = 3
  max_size       = 100 # Ready for scaling
}
```
Same modules, different parameters. FluxCD is also deployed via Terraform using the official Flux Terraform provider to manage both clusters.
This separation enables:
- Independent scaling and updates
- Isolated security policies
- Different instance types per workload
- Separate lifecycle management
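To show how the two module calls above compose with the shared modules and the Flux provider, here is an added root configuration of my own; it is not the article's repository code. The vpc and eks module inputs and outputs (`vpc_id`, `private_subnet_ids`, `cluster_name`, `cluster_endpoint`, `cluster_ca_certificate`), the directory layout and the `flux_git_url` / `flux_git_private_key` variables are assumptions; the `flux_bootstrap_git` resource and the `kubernetes` / `git` provider attributes are those of the official fluxcd/flux provider (v1.x).

```hcl
# environments/production/main.tf (assumed layout)
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws", version = "~> 5.0" }
    flux = { source = "fluxcd/flux", version = "~> 1.4" }
  }
}

variable "flux_git_url" {
  type        = string
  description = "Fleet repository, e.g. ssh://git@github.com/<org>/<fleet-repo>.git (assumed)"
}

variable "flux_git_private_key" {
  type        = string
  sensitive   = true # pass via TF_VAR_flux_git_private_key, never commit it
  description = "SSH deploy key Flux bootstraps with"
}

module "vpc" {
  source = "../../modules/vpc"
  name   = "vault-platform"
  cidr   = "10.20.0.0/16"
}

# Same eks module, different parameters: stable nodes for Vault,
# compute-optimized nodes with a wide autoscaling range for applications.
module "eks_tooling" {
  source         = "../../modules/eks"
  cluster_name   = "tooling-cluster"
  vpc_id         = module.vpc.vpc_id
  subnet_ids     = module.vpc.private_subnet_ids
  instance_types = ["t3.large"]
  min_size       = 3
  max_size       = 6
}

module "eks_application" {
  source         = "../../modules/eks"
  cluster_name   = "application-cluster"
  vpc_id         = module.vpc.vpc_id
  subnet_ids     = module.vpc.private_subnet_ids
  instance_types = ["c5.xlarge"]
  min_size       = 3
  max_size       = 100
}

# Short-lived EKS tokens for the identity running terraform; that identity must
# be granted cluster admin in each cluster (access entries or aws-auth).
data "aws_eks_cluster_auth" "tooling" { name = module.eks_tooling.cluster_name }
data "aws_eks_cluster_auth" "application" { name = module.eks_application.cluster_name }

# One flux provider alias per cluster. Both use the same fleet repository; the
# bootstrap path decides which directory each cluster reconciles, so the
# application cluster never reads the tooling cluster's (Vault) manifests.
provider "flux" {
  alias = "tooling"
  kubernetes = {
    host                   = module.eks_tooling.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks_tooling.cluster_ca_certificate)
    token                  = data.aws_eks_cluster_auth.tooling.token
  }
  git = {
    url = var.flux_git_url
    ssh = { username = "git", private_key = var.flux_git_private_key }
  }
}

provider "flux" {
  alias = "application"
  kubernetes = {
    host                   = module.eks_application.cluster_endpoint
    cluster_ca_certificate = base64decode(module.eks_application.cluster_ca_certificate)
    token                  = data.aws_eks_cluster_auth.application.token
  }
  git = {
    url = var.flux_git_url
    ssh = { username = "git", private_key = var.flux_git_private_key }
  }
}

resource "flux_bootstrap_git" "tooling" {
  provider = flux.tooling
  path     = "clusters/tooling"
}

resource "flux_bootstrap_git" "application" {
  provider = flux.application
  path     = "clusters/application"
}
```

One caveat worth knowing before the first apply: the flux providers are configured from outputs of resources in the same state, so on a fresh account Terraform cannot configure them until the clusters exist. Either apply the eks modules first (`terraform apply -target=module.eks_tooling -target=module.eks_application`) and then the rest, or keep the Flux bootstrap in its own root module with its own state. The separate paths per cluster are also what makes the isolated security policies above real: Vault's manifests live only under `clusters/tooling`.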
Why Terraform for HashiCorp Vault?
After building this infrastructure, the benefits are clear:
- Version Control: Every change is tracked in Git. No more "who changed what?", and rollbacks are easy when things go wrong.
- Reusability: Deploy new environments in minutes, not days.
- Drift Detection: terraform plan shows exactly what’s changed.
- Security Compliance: Consistent tags, policies, and configurations across all resources.
The trade-offs? Sure:
- Learning curve for complex resources
- Cryptic error messages sometimes
- Requires good documentation
But for Vault infrastructure where security and reproducibility matter, Terraform is the right choice.
The 80% Principle in Practice
We deliberately avoid over-engineering. Our modules support:
- ✅ Standard production configurations
- ✅ Common security patterns
- ✅ Typical scaling scenarios
We don’t support:
- ❌ Every possible AWS feature
- ❌ Exotic network topologies
- ❌ One-off customizations
This focus keeps modules maintainable and understandable. When you need that 20% edge case, fork the module.
Quick Start
All Terraform Vault infrastructure code is in our repository:
```bash
git clone [repository-url]
cd terraform-vault-infrastructure
terraform init
terraform plan -out=tfplan
terraform apply tfplan
```
Full infrastructure from three Terraform commands: init, plan, apply. Review the saved plan before applying it; that is the point of `-out=tfplan`. That's the power of Infrastructure as Code.
What’s Next?
With your clusters built and FluxCD in place, you’re ready to deploy Vault. But how do you get secrets to applications without storing them in Git? That’s where External Secrets Operator comes in.
Continue the series:
- External Secrets Operator: GitOps for Kubernetes Secrets (coming soon)
- Dynamic PostgreSQL Credentials with HashiCorp Vault (coming soon)
- Vault Agent vs Secrets Operator vs CSI Provider (coming soon)
- Securing Vault Access with Internal NLB and VPN (coming soon)
Ready to level up your Terraform Vault setup? Whether you need a workshop, want your code validated, or need help implementing changes, our team has done this in production. Contact us to get started.