
Terraform Infrastructure for HashiCorp Vault on Kubernetes: Building multi-cluster EKS with reusable modules

Build HashiCorp Vault infrastructure with Terraform modules. Multi-cluster EKS setup following the 80% principle for production-ready automation.

You need HashiCorp Vault running on production Kubernetes. Manual setup means clicking through the AWS console for the infrastructure, then separately installing Vault. We automate both layers with Terraform and GitOps, so the result is reproducible from day one. We built our entire Vault setup with Terraform modules following the 80% principle: support the most common configurations without overcomplicating the modules for edge cases.

This is part 2 of our 6-part series on production Vault:

Terraform Module Architecture for Vault

Our Terraform Vault infrastructure uses a clean module structure:

modules/
├── vpc/ # Network infrastructure
├── iam/ # Roles and service accounts
├── kms/ # Encryption keys for Vault
├── efs/ # Persistent storage
└── eks/ # Kubernetes clusters

Each module follows the same pattern:

This structure makes complex Vault infrastructure traceable, adaptable, and reproducible. No more snowflake deployments.
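As an added illustration of what one of these modules looks like (this is not code from the article's repository), here is a minimal kms/ module that produces the key Vault uses for auto-unseal. The variable names, the alias, and the assumption that the Vault pods reach AWS through an IAM role for service accounts are mine; the three KMS actions granted are the ones Vault's awskms seal requires.

```hcl
# Added example: a minimal kms/ module in the shape the tree above suggests
# (inputs, resources, outputs in one listing). Variable names are illustrative
# assumptions, not taken from the article's repository.

variable "cluster_name" {
  description = "Cluster the key belongs to; used for naming and tagging."
  type        = string
}

variable "vault_role_arn" {
  description = "IAM role the Vault pods assume (IRSA); the only principal granted use of the key here."
  type        = string
}

data "aws_caller_identity" "current" {}

# Customer-managed key for Vault auto-unseal. Rotation is enabled so the key
# material changes yearly while the key ID Vault is configured with stays fixed.
resource "aws_kms_key" "vault_unseal" {
  description             = "HashiCorp Vault auto-unseal key for ${var.cluster_name}"
  enable_key_rotation     = true
  deletion_window_in_days = 30
  policy                  = data.aws_iam_policy_document.key_policy.json

  tags = {
    Purpose = "vault-auto-unseal"
    Cluster = var.cluster_name
  }
}

resource "aws_kms_alias" "vault_unseal" {
  name          = "alias/${var.cluster_name}-vault-unseal"
  target_key_id = aws_kms_key.vault_unseal.key_id
}

# Key policy: the account root keeps administrative control (otherwise the key
# can become unmanageable), and the Vault role gets exactly the three operations
# the awskms seal needs. Any other use must be granted explicitly through IAM.
data "aws_iam_policy_document" "key_policy" {
  statement {
    sid       = "AllowAccountAdministration"
    effect    = "Allow"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  statement {
    sid    = "AllowVaultSealUse"
    effect = "Allow"
    actions = [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:DescribeKey",
    ]
    resources = ["*"] # in a key policy, "*" means this key only
    principals {
      type        = "AWS"
      identifiers = [var.vault_role_arn]
    }
  }
}

output "key_id" {
  description = "Value for kms_key_id in Vault's seal \"awskms\" stanza."
  value       = aws_kms_key.vault_unseal.key_id
}

output "key_arn" {
  description = "Key ARN, for IAM policies that need to reference it."
  value       = aws_kms_key.vault_unseal.arn
}
```

Keeping the key policy inside the module means every cluster gets the same least-privilege grant, and the iam/ module only has to hand over the role ARN.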

Multi-Cluster Terraform Setup

Remember from part 1: we run Vault in a separate tooling cluster. Here's how that translates to Terraform.

Tooling cluster (Vault lives here):

module "eks_tooling" {
  source = "../modules/eks"

  cluster_name   = "tooling-cluster"
  instance_types = ["t3.large"] # Stable workloads
  min_size       = 3
  max_size       = 6
}

Application cluster:

module "eks_application" {
  source = "../modules/eks"

  cluster_name   = "application-cluster"
  instance_types = ["c5.xlarge"] # Compute-optimized
  min_size       = 3
  max_size       = 100 # Ready for scaling
}

Same module, different parameters. FluxCD is also deployed via Terraform, using the official Flux Terraform provider, so both clusters are managed through GitOps from the start.

This separation enables:

Why Terraform for HashiCorp Vault?

After building this infrastructure, the benefits are clear:

The trade-offs? Sure:

But for Vault infrastructure where security and reproducibility matter, Terraform is the right choice.

The 80% Principle in Practice

We deliberately avoid over-engineering. Our modules support:

We don't support:

This focus keeps the modules maintainable and understandable. When you need that 20% edge case, fork the module rather than adding another flag to it.
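One way to make the supported envelope enforceable rather than merely documented, as an added example (not the article's module code): the eks/ module's input variables carry validation blocks that reject configurations outside the 80% at plan time. The variable names match the module calls above; the specific limits and patterns are illustrative assumptions.

```hcl
# Added example: input contract for an eks/ module that rejects unsupported
# configurations before anything is created. Limits are illustrative assumptions.

variable "cluster_name" {
  description = "EKS cluster name."
  type        = string

  validation {
    # EKS accepts 1-100 characters: letters, digits, hyphens and underscores,
    # starting with a letter or digit.
    condition     = can(regex("^[0-9A-Za-z][A-Za-z0-9_-]{0,99}$", var.cluster_name))
    error_message = "cluster_name must be 1-100 characters, alphanumeric plus '-' and '_', starting with a letter or digit."
  }
}

variable "instance_types" {
  description = "Instance types for the managed node group."
  type        = list(string)

  validation {
    condition     = length(var.instance_types) > 0
    error_message = "Provide at least one instance type."
  }
}

variable "min_size" {
  description = "Minimum node count."
  type        = number
  default     = 3

  validation {
    condition     = var.min_size >= 1 && floor(var.min_size) == var.min_size
    error_message = "min_size must be a positive whole number."
  }
}

variable "max_size" {
  description = "Maximum node count."
  type        = number

  validation {
    condition     = floor(var.max_size) == var.max_size
    error_message = "max_size must be a whole number."
  }

  validation {
    # Conditions that reference another variable require Terraform >= 1.9.
    condition     = var.max_size >= var.min_size
    error_message = "max_size must be greater than or equal to min_size."
  }
}
```

A condition that compares two variables (max_size against min_size) needs Terraform 1.9 or later; on older versions keep each check self-contained or move the cross-variable check into a lifecycle precondition on the node group resource. Either way, an unsupported configuration fails at terraform plan, not after half the cluster exists.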

Quick Start

All Terraform Vault infrastructure code is in our repository:

git clone [repository-url]
cd terraform-vault-infrastructure

terraform init
terraform plan -out=tfplan
terraform apply tfplan

The full infrastructure comes up with three Terraform commands. Review the saved plan before applying it: applying tfplan guarantees that exactly the changes you reviewed are the ones that run. That's the power of Infrastructure as Code.

What's Next?

With your clusters built and FluxCD in place, you're ready to deploy Vault. But how do you get secrets to applications without storing them in Git? That's where External Secrets Operator comes in. Continue the series:

Ready to level up your Terraform Vault setup? Whether you need a workshop, want your code validated, or need help implementing changes, our team has done this in production. Contact us to get started.


Kilian Niemegeerts
