Configuration Generator for Vault Enterprise

This page requires a valid start_time query string parameter in YYYY-MM-DD format (e.g. ?start_time=2021-07-15) to generate the correct configuration. If no query string is present, the generated configuration is incorrect.

Download the HCL configuration using the download button, or, if you want to paste the file contents directly into a file, copy the HCL file contents to your clipboard using the copy button.

On your local machine or an instance in the product cluster, export the VAULT_TOKEN and VAULT_ADDR environment variables so hcdiag can query the product.

When querying a Vault cluster remotely, the remote host currently needs the vault binary to pass an initial hcdiag startup check. We are looking to remove this requirement for all hcdiag-ext v0.5.x "API-only" use cases. The remote execution ability removes the need to install anything on the cluster, significantly easing use and reducing concerns around security and change management.

An example Vault policy scoped for hcdiag-ext (hcdiag_vault_policy.hcl) is contained in this release to limit the access hcdiag has within Vault.

For more information about how to configure hcdiag-ext, see the README.


# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

# Vault Enterprise checks
  
host {
  selects = [":"] # noop to ensure no other default hcdiag host commands are auto-loaded
  shell {
    run = ":"
  }
}

product "vault" {
  selects = [
    "GET /v1/sys/health",
    "GET /v1/sys/storage/raft/autopilot/configuration",
    "GET /v1/sys/storage/raft/autopilot/state",
    "GET /v1/sys/storage/raft/snapshot-auto/config?list=true"
  ]

  # check health endpoint for version, license.expiry_time, replication_dr_mode
  GET {
    path = "/v1/sys/health"
  }

  # check vault usage on vault 1.6+

  # check storage autopilot redundancy zones and automated upgrades
  GET {
    path = "/v1/sys/storage/raft/autopilot/configuration"
  }
  GET {
    path = "/v1/sys/storage/raft/autopilot/state"
  }

  # check if snapshots are configured
  GET {
    path = "/v1/sys/storage/raft/snapshot-auto/config?list=true"
  }
}
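
A pre-flight check that can be run on the downloaded file before exporting VAULT_TOKEN, added here as an example and not part of hcdiag-ext or this release: it confirms that every request in the configuration is a GET, that the selects list and the GET blocks agree, and that the host shell command is the ":" no-op. The audit function, its regex-based parsing (not a full HCL parser) and the embedded sample are assumptions of this example.

```python
import re

# Constructed sample that mirrors the layout of the generated configuration.
SAMPLE = '''
host {
  selects = [":"] # noop
  shell {
    run = ":"
  }
}
product "vault" {
  selects = ["GET /v1/sys/health",
             "GET /v1/sys/storage/raft/autopilot/state"]
  GET {
    path = "/v1/sys/health"
  }
  GET {
    path = "/v1/sys/storage/raft/autopilot/state"
  }
}
'''

# Request blocks such as: GET { path = "/v1/..." }
BLOCK = re.compile(r'\b([A-Za-z]+)\s*\{\s*path\s*=\s*"([^"]+)"\s*\}')
# selects entries such as: "GET /v1/..."
SELECT = re.compile(r'"([A-Z]+) (/[^"]*)"')
# host shell commands such as: run = ":"
SHELL = re.compile(r'\brun\s*=\s*"([^"]*)"')

def audit(hcl):
    """Return a list of findings; an empty list means read-only and consistent."""
    text = re.sub(r'#[^\n]*', '', hcl)  # drop comments (assumes no '#' inside strings)
    blocks = set(BLOCK.findall(text))
    selects = set(SELECT.findall(text))
    findings = []
    for method, path in sorted(blocks | selects):
        if method.upper() != "GET":
            findings.append(f"non-GET request: {method} {path}")
    for method, path in sorted(selects - blocks):
        findings.append(f"selected but not defined: {method} {path}")
    for method, path in sorted(blocks - selects):
        findings.append(f"defined but not selected: {method} {path}")
    for cmd in SHELL.findall(text):
        if cmd.strip() != ":":
            findings.append(f"host shell command is not a no-op: {cmd}")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "config is read-only and consistent")
```

Treating a mismatch between selects and the GET blocks as a finding is this example's own rule, chosen so that any edit to the file is reviewed before it runs with a Vault token.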
      