https://github.com/hashicorp/terraform-gcp-vault-ent-starter
vault operator init
export VAULT_TOKEN=<root token>
vault operator raft list-peers
vault write -f sys/replication/dr/primary/enable
vault write sys/replication/dr/primary/secondary-token id="secondary"
vault write sys/replication/dr/secondary/enable token="<WRAP TOKEN>" ca_file=/opt/vault/tls/vault-ca.pem
vault policy write dr-secondary-promotion - <<EOF
path "sys/replication/dr/secondary/promote" {
capabilities = [ "update" ]
}
# To update the primary to connect
path "sys/replication/dr/secondary/update-primary" {
capabilities = [ "update" ]
}
# Only if using integrated storage (raft) as the storage backend
# To read the current autopilot status
path "sys/storage/raft/autopilot/state" {
capabilities = [ "update" , "read" ]
}
EOF
vault policy list
vault write auth/token/roles/failover-handler allowed_policies=dr-secondary-promotion orphan=true renewable=false token_type=batch
vault token create -role=failover-handler -ttl=8h
vault write sys/replication/dr/secondary/promote dr_operation_token="<batch token>"
vault write -f sys/replication/dr/primary/demote
vault read -format=json sys/replication/dr/status