HashiCorp Cloud Platform (HCP) Provider

The HCP provider lets Terraform create and manage HashiCorp Cloud Platform (HCP) resources such as HashiCorp Virtual Networks (HVNs), network peerings, and HCP Consul and HCP Vault clusters.

HCP Architecture Diagram

Authenticating with HCP

The HCP provider authenticates with the Client ID and Client Secret of an HCP service principal. They can be passed through the provider's client_id and client_secret arguments or, preferably, through the HCP_CLIENT_ID and HCP_CLIENT_SECRET environment variables so that the secret never lands in committed configuration. The authentication guide describes how to obtain client credentials.
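As an added example (not taken from the provider documentation), the following shows the credential handling to avoid beside two acceptable alternatives. The variable names hcp_client_id and hcp_client_secret are assumptions for illustration; the provider arguments and environment variable names are the provider's own.

```hcl
// Added example, not from the HCP provider docs: how to supply client credentials.

// Weak: a secret embedded in configuration ends up in version control and in
// anything that prints the configuration. Shown commented out on purpose.
// provider "hcp" {
//   client_id     = "example-client-id"
//   client_secret = "example-client-secret"
// }

// Preferred: leave the arguments unset. The provider reads HCP_CLIENT_ID and
// HCP_CLIENT_SECRET from the environment of the process running Terraform.
provider "hcp" {}

// Alternative when the values must flow through Terraform (for example from a
// secrets-manager data source or a -var-file kept outside the repository).
// `sensitive = true` makes Terraform redact the values from plan/apply output.
// Variable names are assumptions for this example.
variable "hcp_client_id" {
  type      = string
  sensitive = true
}

variable "hcp_client_secret" {
  type      = string
  sensitive = true
}

provider "hcp" {
  alias         = "from_vars"
  client_id     = var.hcp_client_id
  client_secret = var.hcp_client_secret
}
```

Marking a variable sensitive only redacts it from CLI output; it does not encrypt it. Any sensitive value that reaches a resource attribute is written to the state file in plaintext, so the state backend needs the same access controls as the credentials themselves.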

Getting Started

Everything in HashiCorp Cloud Platform (HCP) starts with the HashiCorp Virtual Network (HVN).

HVNs enable you to deploy HashiCorp Cloud products without managing the underlying networking. An HVN is a network on AWS in the region of your choice, optionally with a CIDR range you specify. Choose a private (RFC 1918) CIDR block that does not overlap with any VPC you intend to peer with the HVN; AWS VPC peering cannot be established between overlapping address ranges.

Peering your HVN with an Amazon VPC lets workloads in that VPC reach the HCP clusters in the HVN, and lets the clusters reach those workloads. After the peering is created, you must accept the peering request in your AWS account and add a route to the HVN CIDR in the VPC's route tables, and you must restrict the VPC's security groups to the HVN CIDR and the ports the HCP products actually use. On the HCP side, an HVN route pointing at the peering is required for the return path. The Amazon VPC can be managed with the AWS provider.

Once you have an HVN, HCP Consul and HCP Vault let you deploy Consul and Vault clusters into it on AWS while HashiCorp's SRE team operates the cluster infrastructure.

One final note: an HCP Consul cluster runs only the Consul servers. To use service discovery, service mesh and the other client-side features, you still need to run Consul clients on your own workloads inside the peered VPC, and those clients need network access to the servers in the HVN.

// Pin the version
terraform {
  required_providers {
    hcp = {
      source  = "hashicorp/hcp"
      version = "~> 0.89.0"
    }
  }
}

// Configure the provider
provider "hcp" {}

// Use the cloud provider AWS to provision resources that will be connected to HCP
provider "aws" {
  region = var.region
}

// Create an HVN
resource "hcp_hvn" "example_hvn" {
  hvn_id         = "hcp-tf-example-hvn"
  cloud_provider = "aws"
  region         = var.region
  cidr_block     = "172.25.16.0/20"
}

// Create a second HVN and peer it with the first one
resource "hcp_hvn" "second_example_hvn" {
  hvn_id         = "hcp-tf-second-example-hvn"
  cloud_provider = "aws"
  region         = var.region
  cidr_block     = "172.18.16.0/20"
}

resource "hcp_hvn_peering_connection" "example" {
  hvn_1 = hcp_hvn.example_hvn.self_link
  hvn_2 = hcp_hvn.second_example_hvn.self_link
}

// Create a VPC for the HVN to peer into
resource "aws_vpc" "main" {
  cidr_block = "172.25.0.0/20"
}

data "aws_arn" "main" {
  arn = aws_vpc.main.arn
}

// Accept the peering request on the AWS side (the HCP peering resource is named "example" below)
resource "aws_vpc_peering_connection_accepter" "main" {
  vpc_peering_connection_id = hcp_aws_network_peering.example.provider_peering_id
  auto_accept               = true
}

// Create a network peering between the HVN and the AWS VPC
resource "hcp_aws_network_peering" "example" {
  hvn_id          = hcp_hvn.example_hvn.hvn_id
  peering_id      = "hcp-tf-example-peering"
  peer_vpc_id     = aws_vpc.main.id
  peer_account_id = aws_vpc.main.owner_id
  peer_vpc_region = data.aws_arn.main.region
}

// Create an HVN route that targets your HCP network peering and matches your AWS VPC's CIDR block
resource "hcp_hvn_route" "example" {
  hvn_link         = hcp_hvn.example_hvn.self_link
  hvn_route_id     = "hcp-tf-example-hvn-route"
  destination_cidr = aws_vpc.main.cidr_block
  target_link      = hcp_aws_network_peering.example.self_link
}

// Create a Consul cluster in the same region and cloud provider as the HVN
resource "hcp_consul_cluster" "example" {
  hvn_id     = hcp_hvn.example_hvn.hvn_id
  cluster_id = "hcp-tf-example-consul-cluster"
  tier       = "development"
}

// Create a Vault cluster in the same region and cloud provider as the HVN
resource "hcp_vault_cluster" "example" {
  cluster_id = "hcp-tf-example-vault-cluster"
  hvn_id     = hcp_hvn.example_hvn.hvn_id
}
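The configuration above stops at the HCP side of the peering. The following added example (not part of the provider documentation) completes the AWS side described in the Getting Started text: a VPC route to the HVN CIDR and a security group that admits only the HVN. It assumes the resources defined above (aws_vpc.main, hcp_hvn.example_hvn, aws_vpc_peering_connection_accepter.main) exist in the same configuration, that the VPC's main route table is the one your subnets use, and that the AWS provider is version 5.x, which provides the aws_vpc_security_group_ingress_rule and aws_vpc_security_group_egress_rule resources. The security group name and the choice of ports are assumptions for illustration.

```hcl
// Added example, not from the HCP provider docs: finish the AWS side of the peering.

// VPC -> HVN: send traffic for the HVN CIDR through the accepted peering connection.
// Using the VPC's main route table is an assumption; subnets with their own route
// tables need an equivalent aws_route each.
resource "aws_route" "to_hvn" {
  route_table_id            = aws_vpc.main.main_route_table_id
  destination_cidr_block    = hcp_hvn.example_hvn.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection_accepter.main.id
}

// Security group for workloads (Consul clients, Vault consumers) in the VPC.
// Terraform removes AWS's default allow-all egress on this resource, so every
// rule below is an explicit, deliberate opening scoped to the HVN CIDR.
resource "aws_security_group" "hcp_clients" {
  name        = "hcp-tf-example-hcp-clients"
  description = "Traffic between HCP clusters in the HVN and clients in this VPC"
  vpc_id      = aws_vpc.main.id
}

// HVN -> VPC: Consul servers gossip with clients over serf LAN (TCP and UDP 8301).
// Nothing is opened to 0.0.0.0/0.
resource "aws_vpc_security_group_ingress_rule" "consul_serf_tcp" {
  security_group_id = aws_security_group.hcp_clients.id
  cidr_ipv4         = hcp_hvn.example_hvn.cidr_block
  from_port         = 8301
  to_port           = 8301
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_ingress_rule" "consul_serf_udp" {
  security_group_id = aws_security_group.hcp_clients.id
  cidr_ipv4         = hcp_hvn.example_hvn.cidr_block
  from_port         = 8301
  to_port           = 8301
  ip_protocol       = "udp"
}

// VPC -> HVN: clients initiate Consul RPC (8300) and serf (8301) to the servers,
// and Vault API calls (8200). Egress is limited to those ports and the HVN CIDR.
resource "aws_vpc_security_group_egress_rule" "consul_tcp" {
  security_group_id = aws_security_group.hcp_clients.id
  cidr_ipv4         = hcp_hvn.example_hvn.cidr_block
  from_port         = 8300
  to_port           = 8301
  ip_protocol       = "tcp"
}

resource "aws_vpc_security_group_egress_rule" "consul_serf_udp" {
  security_group_id = aws_security_group.hcp_clients.id
  cidr_ipv4         = hcp_hvn.example_hvn.cidr_block
  from_port         = 8301
  to_port           = 8301
  ip_protocol       = "udp"
}

resource "aws_vpc_security_group_egress_rule" "vault_api" {
  security_group_id = aws_security_group.hcp_clients.id
  cidr_ipv4         = hcp_hvn.example_hvn.cidr_block
  from_port         = 8200
  to_port           = 8200
  ip_protocol       = "tcp"
}
```

Attach aws_security_group.hcp_clients to the instances or ENIs that run Consul clients or call Vault. If those workloads also need internet or other VPC egress, add separate rules for that rather than widening the HVN-scoped ones; keeping the HCP rules narrow means a compromised host in the VPC can only reach the cluster ports it legitimately uses.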

Schema

Optional

Nested Schema for workload_identity

Required:

For more information about HCP, please review our documentation page.