Install using Vault Terraform provider
AdrienFromToulouse opened this issue · 2 comments
Hi there,
Many thanks for your plugin!
Because I spent quite some time figuring out how to configure the plugin using the Vault Terraform provider, I was thinking that giving a working example would help others.
The Terraform documentation is not quite clear on how to register and use plugins.
Prerequisites
- You still need to download the binary, for instance:
mkdir -vp /etc/vault/plugins
cd /etc/vault/plugins && wget -O- https://github.com/sethvargo/vault-secrets-gen/releases/download/v0.0.6/vault-secrets-gen_0.0.6_linux_amd64.tgz | tar xzf -
- You still need to configure the plugin_directory in the Vault config file, e.g.:
plugin_directory = "/etc/vault/plugins"
Terraform
Register the plugin
Thanks to a vault_generic_endpoint, the plugin can be successfully registered:
resource "vault_generic_endpoint" "secrets-gen" {
  disable_read         = false
  disable_delete       = true
  # Catalog entry for a secrets plugin; the name is what the mount refers to.
  path                 = "sys/plugins/catalog/secret/vault-secrets-gen"
  ignore_absent_fields = true

  # sha_256 must be the digest of the binary placed in plugin_directory,
  # and "command" is that binary's file name.
  data_json = <<EOT
{
  "sha_256": "2f0d4821813da8b0989ed5645be1d1d92c4eaca13e83d0eb6b12be17d967cc77",
  "command": "vault-secrets-gen"
}
EOT
}
Use the plugin
Thanks to vault_mount, a new secrets engine using vault-secrets-gen can be set up:
resource "vault_mount" "secret-gen" {
  path        = "gen"
  type        = "secret/vault-secrets-gen"
  description = "vault-secrets-gen"

  # There is no implicit dependency between the two resources, so make sure
  # the catalog entry exists before Terraform tries to mount the engine.
  depends_on = [vault_generic_endpoint.secrets-gen]
}
Policies
The final, easy part is creating the policy:
resource "vault_policy" "foo_bar_baz" {
  name = "foo-bar-baz"

  # Only the two generator endpoints under the "gen" mount are exposed.
  policy = <<EOT
path "gen/password" {
  capabilities = ["create", "update"]
}

path "gen/passphrase" {
  capabilities = ["create", "update"]
}
EOT
}
@sethvargo would you agree to put that in the README (I can do a PR), or do you prefer to keep that under the form of an issue?
Cheers,
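The registration step above hard-codes a sha_256 value. Vault refuses to mount a plugin whose binary in plugin_directory does not hash to the value in the catalog entry, so the digest has to be computed from the binary that was actually deployed, and it has to be re-registered every time that binary changes. The script below is an added example, not code from the issue or from the vault-secrets-gen project: it computes the digest, renders the JSON body for the catalog entry, and checks a Terraform file's recorded sha_256 against the binary on disk. The file contents, paths and the plugin.tf file it writes are constructed stand-ins for the real release binary and the real Terraform configuration.

```shell
#!/bin/sh
# Added example: compute and verify the sha_256 used to register a Vault plugin.
set -eu

# Print the hex SHA-256 of a file, using whichever tool is installed.
plugin_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# Emit the JSON body written to sys/plugins/catalog/secret/<name>.
# $1 = plugin name (also the "command" resolved inside plugin_directory)
# $2 = path to the binary that sha_256 must describe
registration_json() {
  printf '{"sha_256": "%s", "command": "%s"}\n' "$(plugin_sha256 "$2")" "$1"
}

# Pull the sha_256 literal out of a Terraform file's data_json.
recorded_sha256() {
  sed -n 's/.*"sha_256"[[:space:]]*:[[:space:]]*"\([0-9a-fA-F]\{64\}\)".*/\1/p' "$1" | head -n 1
}

# Succeed only if the Terraform registration matches the binary on disk.
catalog_matches_binary() {
  tf_file=$1
  bin=$2
  recorded=$(recorded_sha256 "$tf_file")
  actual=$(plugin_sha256 "$bin")
  [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# --- constructed demo data (stand-ins, not a real plugin binary) -------------
WORK=$(mktemp -d)
DEMO_BIN="$WORK/vault-secrets-gen"
printf 'hello\n' > "$DEMO_BIN"   # stand-in for the extracted release binary

# Render a registration resource whose digest comes from the deployed file.
DEMO_TF="$WORK/plugin.tf"
cat > "$DEMO_TF" <<EOF
resource "vault_generic_endpoint" "secrets-gen" {
  path      = "sys/plugins/catalog/secret/vault-secrets-gen"
  data_json = <<EOT
$(registration_json vault-secrets-gen "$DEMO_BIN")
EOT
}
EOF

catalog_matches_binary "$DEMO_TF" "$DEMO_BIN" && echo "registration matches deployed binary"

# Simulate swapping the binary (e.g. an upgrade) without re-registering:
# the recorded digest no longer matches and Vault would refuse the mount.
STALE_BIN="$WORK/vault-secrets-gen.upgraded"
printf 'hello world\n' > "$STALE_BIN"
if catalog_matches_binary "$DEMO_TF" "$STALE_BIN"; then
  echo "unexpected: stale registration accepted" >&2
  exit 1
else
  echo "registration is stale for the upgraded binary; re-register before mounting"
fi
```

In practice you would point `registration_json` at the binary in /etc/vault/plugins and feed its output into the data_json of the vault_generic_endpoint resource (for example via a `local_file` data source or a generated .auto.tfvars), and run `catalog_matches_binary` in CI so a binary upgrade that was not accompanied by a catalog update is caught before `terraform apply`.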
This issue is stale because it has been open for 14 days with no
activity. It will automatically close after 7 more days of inactivity.
This issue has been automatically locked since there has not been any
recent activity after it was closed. Please open a new issue for
related bugs.