To access Vault over the private network, you need the WARP client installed and configured for your Cloudflare for Teams account.
Make sure to route the private `10.0.0.0/8` range through WARP:
- Make sure HTTP traffic filtering is enabled. This lets Cloudflare proxy your private IP ranges to corresponding Cloudflare Tunnels.
- Find `10.0.0.0/8` in Split Tunnels entries and delete it
- Replace `YOUR_CREATED_TF_STATE_BUCKET_NAME` in `providers.tf`
- Change required values in `vault.auto.tfvars`
  ```hcl
  gcp_project_id        = "your-project-id"
  cloudflare_account_id = "xxxyyy"
  cloudflare_zone_name  = "example.com"
  ```
- Optionally, adjust optional values in `vault.auto.tfvars`
- Export Vault root token (alternatively, you will be asked to pass it in by Terraform on each command)
  ```sh
  export TF_VAR_cloudflare_email=
  # API key is your Global API key
  export TF_VAR_cloudflare_api_key=
  ```
- Run `terraform init`
- Run `terraform apply` and confirm changes
- Terraform will output your endpoints at the end
- Wait: it takes ~10 minutes to fully spin up. Endpoints should come online in the following order:
  - SSH Web Terminal
  - Vault UI
  - Vault WARP
- You are done and your Zero-Trust Vault is up and running
- Continue to configuring the Vault itself
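
A pre-flight check for the Terraform steps above, to run before `terraform init`. This is an added example, not part of the project: the function name `preflight` is hypothetical, and the rule that the Global API key should not be written into a `.tfvars` file is an assumption added here.

```sh
#!/bin/sh
# Added example, not project code: pre-flight check for the Terraform steps.
# preflight DIR returns 0 when DIR is ready for `terraform init`; otherwise it
# prints each problem to stderr and returns the number of problems found.
preflight() {
    dir=${1:-.}
    problems=0
    fail() { echo "preflight: $*" >&2; problems=$((problems + 1)); }

    # 1. The state bucket placeholder must have been replaced in providers.tf.
    if [ ! -f "$dir/providers.tf" ]; then
        fail "providers.tf not found in $dir"
    elif grep -q 'YOUR_CREATED_TF_STATE_BUCKET_NAME' "$dir/providers.tf"; then
        fail "providers.tf still contains YOUR_CREATED_TF_STATE_BUCKET_NAME"
    fi

    # 2. Required values must be present and differ from the README samples.
    for pair in 'gcp_project_id=your-project-id' \
                'cloudflare_account_id=xxxyyy' \
                'cloudflare_zone_name=example.com'; do
        key=${pair%%=*}
        sample=${pair#*=}
        # Pull the quoted value out of `key = "value"`; empty if key is absent.
        value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
                "$dir/vault.auto.tfvars" 2>/dev/null | head -n 1) || value=
        if [ -z "$value" ]; then
            fail "$key is missing or empty in vault.auto.tfvars"
        elif [ "$value" = "$sample" ]; then
            fail "$key still has the sample value $sample"
        fi
    done

    # 3. Credentials come from the environment; their values are never printed.
    [ -n "${TF_VAR_cloudflare_email:-}" ] || fail "TF_VAR_cloudflare_email is not set"
    [ -n "${TF_VAR_cloudflare_api_key:-}" ] || fail "TF_VAR_cloudflare_api_key is not set"

    # 4. Assumption: the Global API key should stay out of .tfvars files on disk.
    if grep -qs 'cloudflare_api_key[[:space:]]*=' "$dir"/*.tfvars; then
        fail "cloudflare_api_key is written in a .tfvars file; export it instead"
    fi

    return "$problems"
}
```

Source the file and run `preflight .` from the directory that holds `providers.tf`; a non-zero return is the count of problems reported on stderr.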