Have a `post` and `pre` custom script.

[robertdebock]

It looks like the current variable vault_custom_script_s3_url is not executed on the nodes, it does create a policy however.

[robertdebock]

vault_custom_script_s3_url is used, in the templates/user_data_vault.sh.tpl. (Was not gripping that file, my bad...)

This script is run quite soon after deployment, that's good news.

That leaves some logic to be conditional. Think of:

• Using satellite (or some other self-hosted repo) over HashiCorps repo.
• Not being able to download Amazon's ca. (AmazonRootCA1.pem).
• And future customisations.

Maybe the user_data template should be fully configureable, with a risk of breaking Vault. There are quite some decisions done in user_data that are "mandatory" to make Vault work in this type of deployment.

So far it's just 2 changes, that may be solved with 2 variable switches like vault_use_hashicorp_repository and vault_amazon_ca.

vault_amazon_ca would replace the wget/curl done on the host now and inject the ca file, not a bad plan anyway.

[robertdebock]

The Amazon CA can be hosted on S3, where the instances can download it.
The repository (HashiCorp by default) can be made configurable. This allows a Satellite repo, making the instances not depend on internet access.