All kinds of small fixes!

Merge pull request #89 from repping/master

Bump AWS provider to >=5 version and fix development example

Less clunkyness, more resilient.

Improvements:

• Multiple NAT gateways are created to ensure an AZ failure does not impact the deployment.

Deprecated:

• vault_vpc_cidr_block_start has been replaced by vault_cidr_block. This changes requires a MAJOR release.

New:

• The variable vault_cidr_block (default: 172.16.0.0/16) is now used instead of vault_vpc_cidr_block_start (default: 172.16).

Health checking changes

Fixes:

• The health-check script was overly complicated and now uses a much simpler mechanism.
• Documentation: images were misaligned.

Improvements:

• Validation is split, so the error-message makes more sense.
• Description of variables improved.

Autopilot upgrade support

Added:

• The raft parameter autopilot_upgrade_version is now set. To use this: spin up a cluster, initialise, change the vault_version to a newer version, double the amount of machines in the ASG manually, see that the new machines are used, and scale back down to the original size.

Changed:

• Checking the vault_version is done differently now.
• Updated the default vault_version.

Add "http_(read|write)_timeout" variables

Added:

• Two new variables (vault_http_read_timeout and vault_http_write_timeout, both default "30s") are available.

Changed:

• FMT.

More relaxed health checking.

Improvements:

• Health check script now retries, making it less aggressive.
• Newest version of Vault is now used by default.
• Template files have been moved to the templates directory.
• Long blobs of text have been moved out of *.tf files.
• Permissions to resources are more specific.
• terraform fmt ran.

Bastion access and CloudWatch improvements.

Improvements

• The labels used in CloudWatch are more accurate.
• CloudWatch example has more documentation.

Fixes

• Bastion host always has access to the listener on the load balancer.
• An empty item in the security groups caused loss of idempotence.

Not public.

Fixes:

• The health_check_type has been improved to prefer ELB, but fall back on EC2.
• When the var.vault_aws_lb_availability is "internal" don't make the public security group and it's rules.
• Typo: choosse -> choose.
• If the bastion host has no public IP (vault_bastion_public_ip), it will get no internet security group rule.
• License date updated.

Changes:

• Retention of cloud watch data is 7 days.
• CloudWatch alarms now have a bit of time to cleanup.
• Switched to name_prefix instead of random.
• KMS keys are deleted after 7 days.
• Only add public security group to the aws_launch_template when it exists.

Telemetry and pre-conditions.

Changes:

• Telemetry is more thought out, thanks @repping for your great work on figuring this out.
• 2 preconditions have been added. It's getting used to, but seems valuable.

Collaboration!

Changes:

• Moved some HEREDOC to separate files for easier maintainability. Thanks @joe-rua
• IAM is more specific. Was *.

Fixed:

• Ansible code becomes usable.
• Much stronger health-check script. Thanks @repping