The HCP provider provides resources to manage HashiCorp Cloud Platform (HCP) resources.
The HCP provider supports authentication via a Client ID and a Client Secret. The authentication guide describes how to obtain client credentials.
Everything in HashiCorp Cloud Platform (HCP) starts with the HashiCorp Virtual Network (HVN).
HVNs enable you to deploy HashiCorp Cloud products without having to manage the networking details. They give you a simple setup for creating a network on AWS, in the region of your choice, and with the option to specify a CIDR range.
Creating a network peering from your HVN allows you to connect AWS resources in your account to your HCP account. Peer your Amazon VPC with your HVN to enable resource access. After creating the peering, you need to accept the peering request on the AWS side and set up your VPC's security groups and routing table, which together decide which traffic can cross the peering. The Amazon VPC can be managed with the AWS provider.
Once you have an HVN, HCP Consul and HCP Vault enable you to quickly deploy Consul and Vault clusters in AWS across a variety of environments while offloading the operations burden to the SRE experts at HashiCorp.
One final note: with a fully deployed HCP Consul, you need to deploy Consul clients inside the peered VPC to make full use of your Consul features.
```hcl
// Pin the version
terraform {
  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = "~> 0.89.0"
    }
  }
}

// Configure the provider; with an empty block, credentials are read from
// the environment or a credential file rather than written into the configuration
provider "hcp" {}

// Use the cloud provider AWS to provision resources that will be connected to HCP
provider "aws" {
  region = var.region
}

// Create an HVN
resource "hcp_hvn" "example_hvn" {
  hvn_id         = "hcp-tf-example-hvn"
  cloud_provider = "aws"
  region         = var.region
  cidr_block     = "172.25.16.0/20"
}

// Create a second HVN and a peering connection between the two HVNs
resource "hcp_hvn" "second_example_hvn" {
  hvn_id         = "hcp-tf-second-example-hvn"
  cloud_provider = "aws"
  region         = var.region
  cidr_block     = "172.18.16.0/20"
}

resource "hcp_hvn_peering_connection" "example" {
  hvn_1 = hcp_hvn.example_hvn.self_link
  hvn_2 = hcp_hvn.second_example_hvn.self_link
}

// Create a VPC for the HVN to peer into
resource "aws_vpc" "main" {
  cidr_block = "172.25.0.0/20"
}

data "aws_arn" "main" {
  arn = aws_vpc.main.arn
}

// Accept, on the AWS side, the peering request that HCP creates
resource "aws_vpc_peering_connection_accepter" "main" {
  vpc_peering_connection_id = hcp_aws_network_peering.example.provider_peering_id
  auto_accept               = true
}

// Create a network peering between the HVN and the AWS VPC
resource "hcp_aws_network_peering" "example" {
  hvn_id          = hcp_hvn.example_hvn.hvn_id
  peering_id      = "hcp-tf-example-peering"
  peer_vpc_id     = aws_vpc.main.id
  peer_account_id = aws_vpc.main.owner_id
  peer_vpc_region = data.aws_arn.main.region
}

// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
resource "hcp_hvn_route" "example" {
  hvn_link         = hcp_hvn.example_hvn.self_link
  hvn_route_id     = "hcp-tf-example-hvn-route"
  destination_cidr = aws_vpc.main.cidr_block
  target_link      = hcp_aws_network_peering.example.self_link
}

// Create a Consul cluster in the same region and cloud provider as the HVN
resource "hcp_consul_cluster" "example" {
  hvn_id     = hcp_hvn.example_hvn.hvn_id
  cluster_id = "hcp-tf-example-consul-cluster"
  tier       = "development"
}

// Create a Vault cluster in the same region and cloud provider as the HVN
resource "hcp_vault_cluster" "example" {
  cluster_id = "hcp-tf-example-vault-cluster"
  hvn_id     = hcp_hvn.example_hvn.hvn_id
}
```
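The HVN, second HVN and VPC above only peer cleanly if their CIDR blocks do not overlap, and the HVN route only makes sense if it points at an existing peering and stays inside the peer's range. The following pre-apply check is an added example, not part of the HCP provider or its documentation; it hard-codes the CIDRs and peerings from the configuration above (constructed from the page's values) and reports any layout that would fail or route ambiguously.

```python
"""Pre-apply check of the HVN / VPC peering layout (added example, not provider code)."""
import ipaddress

# CIDRs taken from the page's example configuration (network name -> CIDR).
NETWORKS = {
    "hcp-tf-example-hvn": "172.25.16.0/20",
    "hcp-tf-second-example-hvn": "172.18.16.0/20",
    "aws_vpc.main": "172.25.0.0/20",
}

# Pairs of networks that exchange routes in the example.
PEERINGS = [
    ("hcp-tf-example-hvn", "hcp-tf-second-example-hvn"),  # hcp_hvn_peering_connection
    ("hcp-tf-example-hvn", "aws_vpc.main"),               # hcp_aws_network_peering
]

# HVN routes as (hvn, destination_cidr, network reached through the peering).
ROUTES = [
    ("hcp-tf-example-hvn", "172.25.0.0/20", "aws_vpc.main"),  # hcp_hvn_route.example
]


def check_peerings(networks, peerings):
    """Peered networks must not overlap; AWS refuses a VPC peering whose CIDRs overlap."""
    problems = []
    for a, b in peerings:
        na, nb = ipaddress.ip_network(networks[a]), ipaddress.ip_network(networks[b])
        if na.overlaps(nb):
            problems.append(f"peering {a} ({na}) <-> {b} ({nb}): CIDRs overlap")
    return problems


def check_routes(networks, peerings, routes):
    """A route must use an existing peering of its HVN, stay inside the peer's CIDR
    (no wider destination than the peer actually owns) and not cover the HVN itself."""
    problems = []
    peered = {frozenset(p) for p in peerings}
    for hvn, dest, target in routes:
        dest_net = ipaddress.ip_network(dest)
        if frozenset((hvn, target)) not in peered:
            problems.append(f"route {hvn} -> {dest}: no peering between {hvn} and {target}")
            continue
        if not dest_net.subnet_of(ipaddress.ip_network(networks[target])):
            problems.append(f"route {hvn} -> {dest}: destination is not within {target}")
        if dest_net.overlaps(ipaddress.ip_network(networks[hvn])):
            problems.append(f"route {hvn} -> {dest}: destination overlaps the HVN's own CIDR")
    return problems
```

Run `check_peerings(NETWORKS, PEERINGS)` and `check_routes(NETWORKS, PEERINGS, ROUTES)` before `terraform apply`; both return an empty list for the configuration above.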
- client_id (String) The OAuth2 Client ID for API operations.
- client_secret (String) The OAuth2 Client Secret for API operations.
- credential_file (String) The path to an HCP credential file to use to authenticate the provider to HCP. You can alternatively set the HCP_CRED_FILE environment variable to point at a credential file as well. Using a credential file allows you to authenticate the provider as a service principal via client credentials or dynamically based on Workload Identity Federation.
- project_id (String) The default project in which resources should be created.
- workload_identity (Block List) Allows authenticating the provider by exchanging the OAuth 2.0 access token or OpenID Connect token specified in the token_file for an HCP service principal using Workload Identity Federation. (see below for nested schema)

Nested schema for workload_identity

Required:

- resource_name (String) The resource_name of the Workload Identity Provider to exchange the token with.
- token_file (String) The path to a file containing a JWT token retrieved from an OpenID Connect (OIDC) or OAuth2 provider.
For more information about HCP, please review our documentation page.