Vault TFC Workload Identity

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.3 |
| vault | >= 3.7 |

Providers

| Name | Version |
|------|---------|
| vault | >= 3.7 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| vault_identity_entity.workspaces | resource |
| vault_identity_entity_alias.workspaces | resource |
| vault_jwt_auth_backend.this | resource |
| vault_jwt_auth_backend_role.roles | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| auth_description | Description of the JWT auth backend | `string` | `"Terraform Cloud"` | no |
| auth_token_issuer | Issuer (`iss`) expected in the JWT | `string` | `"https://app.terraform.io"` | no |
| auth_tune | Auth mount tune settings | <pre>object({<br>  default_lease_ttl            = optional(string)<br>  max_lease_ttl                = optional(string)<br>  audit_non_hmac_response_keys = optional(list(string))<br>  audit_non_hmac_request_keys  = optional(list(string))<br>  listing_visibility           = optional(string)<br>  passthrough_request_headers  = optional(list(string))<br>  allowed_response_headers     = optional(list(string))<br>  token_type                   = optional(string)<br>})</pre> | `null` | no |
| bound_audiences | List of audiences (`aud`) accepted by the JWT auth roles | `list(string)` | <pre>[<br>  "tfc.workload.identity"<br>]</pre> | no |
| claim_mappings | Mapping of JWT claims to alias metadata keys | `map(string)` | <pre>{<br>  "terraform_full_workspace": "terraform_full_workspace",<br>  "terraform_organization_id": "terraform_organization_id",<br>  "terraform_organization_name": "terraform_organization_name",<br>  "terraform_run_id": "terraform_run_id",<br>  "terraform_run_phase": "terraform_run_phase",<br>  "terraform_workspace_id": "terraform_workspace_id"<br>}</pre> | no |
| enable_identity_management | Enable identity entity management. This only works if no workspace name contains a wildcard | `bool` | `true` | no |
| identity_name_format | Format string for identity entity names. The first parameter is the organization and the second is the workspace name; note that the default also references a third positional argument (`%[3]s`) | `string` | `"tfc-%[1]s-%[2]s-%[3]s"` | no |
| namespace | Namespace relative to the provider namespace. Vault Enterprise only | `string` | `null` | no |
| path | Path at which to mount the JWT auth backend | `string` | `"jwt"` | no |
| role_name_format | Format string for role names. The first parameter is the organization and the second is the workspace name; note that the default also references a third positional argument (`%[3]s`) | `string` | `"%[1]s-%[2]s-%[3]s"` | no |
| tfc_default_project | Name of the TFC default project | `string` | `"Default Project"` | no |
| tfc_project_support_match | Value used for the `project` segment when matching the subject (`sub`) claim. This works around the module not supporting projects; set it to `'Default Project'` or `'*'` | `string` | `"*"` | no |
| token_explicit_max_ttl | If set, encodes an explicit max TTL (in seconds) onto the token. This is a hard cap even if `token_ttl` and `token_max_ttl` would otherwise allow a renewal | `number` | `600` | no |
| token_max_ttl | Maximum lifetime of generated tokens, in seconds. The current value is referenced at renewal time | `number` | `600` | no |
| token_policies | Default token policies applied to all roles | `list(string)` | `[]` | no |
| token_ttl | Incremental lifetime of generated tokens, in seconds. The current value is referenced at renewal time | `number` | `600` | no |
| workspaces | Workspaces to grant access to. Use `*` as a wildcard; if a wildcard is used, identity management cannot be enabled | `map(map(list(string)))` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| auth_mount_accessor | Auth mount accessor |
| workspaces | Workspace information |
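The following is an added usage example and not code from this module or its documentation. It wires the module into a Vault configuration and uses the `auth_mount_accessor` output to write an ACL policy templated on the alias metadata that `claim_mappings` populates, so a token can only read the KV path belonging to the workspace that obtained it. The module source path, organization, workspace and policy names are placeholders, and the shape of the `workspaces` map (organization, then workspace name, then a list of extra policies) is an assumption inferred from the input types above rather than something the page states.

```hcl
terraform {
  required_version = ">= 1.3"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.7"
    }
  }
}

provider "vault" {}

module "tfc_jwt" {
  # Placeholder path; point this at wherever the module lives.
  source = "./modules/vault-tfc-workload-identity"

  path             = "tfc-jwt"
  auth_description = "Terraform Cloud workload identity"
  bound_audiences  = ["tfc.workload.identity"]

  # Match only the default project instead of any project ("*").
  tfc_project_support_match = "Default Project"

  # Short-lived tokens for CI runs; the explicit max TTL is a hard cap.
  token_ttl              = 600
  token_max_ttl          = 600
  token_explicit_max_ttl = 600
  token_policies         = ["tfc-base"]

  # Assumed shape: organization -> workspace name -> additional policies.
  workspaces = {
    "example-org" = {
      "app-prod"    = ["app-prod-secrets"]
      "app-staging" = ["app-staging-secrets"]
    }
  }
}

# Identity management only works when no workspace name contains a wildcard,
# so an instance that grants access to "*" must disable it explicitly.
module "tfc_jwt_wildcard" {
  source = "./modules/vault-tfc-workload-identity" # placeholder path

  path                       = "tfc-jwt-any"
  enable_identity_management = false

  workspaces = {
    "example-org" = {
      "*" = ["tfc-readonly"]
    }
  }
}

# Scope the base policy to the calling workspace. claim_mappings copies the
# terraform_workspace_id claim onto the entity alias, and Vault's ACL
# templating can read it back through the mount accessor exported by the module.
resource "vault_policy" "tfc_base" {
  name   = "tfc-base"
  policy = <<-EOT
    path "kv/data/tfc/{{identity.entity.aliases.${module.tfc_jwt.auth_mount_accessor}.metadata.terraform_workspace_id}}/*" {
      capabilities = ["read"]
    }
  EOT
}
```

The templated policy is the piece worth keeping even if you change everything else: without it, every workspace that authenticates through the mount gets the same static policy set, and the per-workspace role boundary only controls who can log in, not what they can read afterwards.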