Deploy `/etc/vault.d/vault.env` to enable AWS KMS.

cookbooks/vault/setup.rb

@@ -9,6 +9,16 @@ template '/etc/vault.d/vault.hcl' do
   notifies :restart, 'service[vault]'
 end
 
+encrypted_remote_file '/etc/vault.d/vault.env' do
+  owner 'vault'
+  group 'vault'
+  mode '600'
+  source   'files/etc/vault.d/vault.env'
+  password ENV['ITAMAE_PASSWORD']
+
+  notifies :restart, 'service[vault]'
+end
+
 directory '/etc/vault.d/policies' do
   owner 'vault'
   group 'vault'