sethvargo/vault-secrets-gen

Install using Vault Terraform provider

AdrienFromToulouse opened this issue · 2 comments

Hi there,

Many thanks for your plugin!

Because I spent quite some time figuring out how to configure the plugin using the Vault Terraform provider, I was thinking that giving a working example would help others.
The Terraform documentation is not quite clear on how to register and use plugins.

Prerequisites

  • You still need to download the binary, for instance:
    mkdir -vp /etc/vault/plugins
    cd /etc/vault/plugins && wget -O- https://github.com/sethvargo/vault-secrets-gen/releases/download/v0.0.6/vault-secrets-gen_0.0.6_linux_amd64.tgz | tar xzf -
  • You still need to configure plugin_directory in the Vault config file, e.g.: plugin_directory = "/etc/vault/plugins"

Terraform

Register the plugin

Thanks to a vault_generic_endpoint, the plugin can be successfully registered.

resource "vault_generic_endpoint" "secrets-gen" {
  disable_read         = false
  disable_delete       = true
  path                 = "sys/plugins/catalog/secret/vault-secrets-gen"
  ignore_absent_fields = true

  data_json = <<EOT
{
  "sha_256": "2f0d4821813da8b0989ed5645be1d1d92c4eaca13e83d0eb6b12be17d967cc77",
  "command": "vault-secrets-gen"
}
EOT
}

Use the plugin

Thanks to vault_mount, a new secrets engine using vault-secrets-gen can be set up.

resource "vault_mount" "secret-gen" {
  path        = "gen"
  type        = "secret/vault-secrets-gen"
  description = "vault-secrets-gen"
}

Policies

The final, easy part is the policy creation.

resource "vault_policy" "foo_bar_baz" {
  name = "foo-bar-baz"

  policy = <<EOT
path "gen/password" {
  capabilities = ["create", "update"]
}
path "gen/passphrase" {
  capabilities = ["create", "update"]
}
EOT
}

@sethvargo would you agree to put that in the README (I can do a PR), or do you prefer to keep that under the form of an issue?

Cheers,
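The sha_256 in the catalog entry above pins Vault to one exact plugin binary, so the value should be derived from the file actually installed under plugin_directory rather than copied by hand. The helper below is an added example, not code from the issue or the project: it computes the hash of a binary, renders the data_json used by vault_generic_endpoint, and checks an already-registered hash against the installed file. It assumes the plugin is invoked with no extra arguments and that either sha256sum or shasum is available.

```shell
#!/usr/bin/env bash
# Added example (not from the issue or the vault-secrets-gen project):
# derive the catalog hash from the installed binary and render the JSON
# that the vault_generic_endpoint resource posts to sys/plugins/catalog.
set -eu

# SHA-256 of a file; works with GNU sha256sum or BSD/macOS shasum.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Render the JSON body for sys/plugins/catalog/secret/<name>.
# Assumption: "command" is just the file name relative to plugin_directory.
catalog_json() {
  name="$1"
  sha="$2"
  printf '{\n  "sha_256": "%s",\n  "command": "%s"\n}\n' "$sha" "$name"
}

# Return 0 if the installed binary matches the hash recorded in the catalog,
# 1 otherwise, so a deploy script can stop before Vault refuses the mount.
verify_catalog_hash() {
  file="$1"
  expected="$2"
  actual="$(plugin_sha256 "$file")"
  [ "$actual" = "$expected" ]
}

# Usage: ./catalog-json.sh /etc/vault/plugins/vault-secrets-gen > data.json
if [ -n "${1:-}" ]; then
  catalog_json "$(basename "$1")" "$(plugin_sha256 "$1")"
fi
```

The rendered JSON can be fed to data_json (for example via Terraform's file() function) so the hash and the deployed binary cannot drift apart.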

This issue is stale because it has been open for 14 days with no
activity. It will automatically close after 7 more days of inactivity.

This issue has been automatically locked since there has not been any
recent activity after it was closed. Please open a new issue for
related bugs.