Skip to content

ednz-cloud/terraform-vault-tenant

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

48 Commits
.gitea/workflows
.gitea/workflows
 
 
examples
examples
 
 
modules
modules
 
 
policies
policies
 
 
.cz.toml
.cz.toml
 
 
.pre-commit-config.yaml
.pre-commit-config.yaml
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
auth.tf
auth.tf
 
 
extra_policies.tf
extra_policies.tf
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
root.tf
root.tf
 
 
variables.tf
variables.tf
 
 

Repository files navigation

terraform-vault-tenant

This module aims to provide a way for companies and individuals running the community version of vault, to segregate accesses between teams.

This "tenant" module requires that you have at least one approle auth method mounted prior to deploying it. It will create a tenant admin approle role on these mount, and apply the policy you define. It can also create an additional tenant-scoped approle auth mount, and create roles based on policies that you define.

The idea behind this is that outside of access control, a tenant is free to create whatever secret engine, secrets, etc... As long as those are prefixed with their tenant prefix.

Requirements

Name Version
terraform >= 1.0.0
random ~> 3.6.2
vault ~> 4.2.0

Providers

Name Version
random ~> 3.6.2
vault ~> 4.2.0

Modules

No modules.

Resources

Name Type
random_uuid.extra_secret_id resource
random_uuid.root_secret_id resource
vault_approle_auth_backend_role.extra resource
vault_approle_auth_backend_role.root resource
vault_approle_auth_backend_role_secret_id.extra resource
vault_approle_auth_backend_role_secret_id.root resource
vault_auth_backend.approle resource
vault_identity_entity.extra resource
vault_identity_entity.root resource
vault_identity_entity_alias.extra resource
vault_identity_entity_alias.root resource
vault_identity_group.this resource
vault_policy.extra resource
vault_policy.root resource
vault_policy_document.root data source

Inputs

Name Description Type Default Required
additional_roles A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
additional_roles = {
devs = file("path/to/policy.hcl")
admins = data.vault_policy_document.admins.hcl
}		 map(string) {} no
name The name of the tenant you want to create string n/a yes
prefix The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) string n/a yes
root_policy_extra_rules A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that you can customize it to your needs 
map(
    object({
      path                = string
      capabilities        = list(string)
      description         = optional(string)
      required_parameters = optional(list(string))
      allowed_parameter   = optional(map(list(any)))
      denied_parameter    = optional(map(list(any)))
      min_wrapping_ttl    = optional(number)
      max_wrapping_ttl    = optional(number)
    })
  )
 {} no

Outputs

Name Description
approle_mount The approle mount for the tenant
extra_role_policies The tenant extra role policy names
extra_roles The tenant extra approle roles
root_policy The tenant root policy name
root_role The tenant root approle role

About

Terraform module to deploy tenant in Hashicorp Vault community version. Mirror from https://git.ednz.fr/terraform-registry/terraform-vault-tenant.

ednz.fr

Topics

vault terraform hashicorp multi-tenancy terraform-module

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages