Managing HashiCorp Vault Secrets with Terraform

Multi Kubernetes clusters authentication and Multi AWS accounts assumed_role and Generating IAM Users for CI/CD purpose on the top of pre-existing Vault!

Just like this!

Auth Methods

• USERPASS (UI)
• OIDC (UI)
• AWS
• JWT (GitLab, GitHub)
• KUBERNETES

Secrets Engines

• KV-V2
• AWS

THIS MODULE DOWNSIDE IS ALL SECRETS VALUES WOULD BE INSIDE TERRAFORM.TFVARS THAT AIN'T PRETTY GOOD AND REALLY HARD MANAGING SECRETS IN LARGE SCALE! (WELL.... WHATEVER... YOU KNOW VERY WELL WHAT YOU DOING!)

---

Requirements

Name	Version
terraform	>= v1.6.5
vault	>= 4.2.0

Providers

Name	Version
vault	>= 4.2.0

Modules

No modules.

Resources

Name	Type
vault_auth_backend.kubernetes	resource
vault_auth_backend.this	resource
vault_auth_backend.user	resource
vault_auth_backend.userpass	resource
vault_aws_auth_backend_sts_role.this	resource
vault_aws_auth_backend_sts_role.user	resource
vault_aws_secret_backend.this	resource
vault_aws_secret_backend.user	resource
vault_aws_secret_backend_role.this	resource
vault_aws_secret_backend_role.user	resource
vault_generic_endpoint.users	resource
vault_identity_group.oidc	resource
vault_identity_group_alias.oidc	resource
vault_jwt_auth_backend.gh	resource
vault_jwt_auth_backend.oidc	resource
vault_jwt_auth_backend.this	resource
vault_jwt_auth_backend_role.account	resource
vault_jwt_auth_backend_role.actions	resource
vault_jwt_auth_backend_role.actions_sec	resource
vault_jwt_auth_backend_role.oidc	resource
vault_jwt_auth_backend_role.secret	resource
vault_kubernetes_auth_backend_config.kubernetes	resource
vault_kubernetes_auth_backend_role.kubernetes	resource
vault_kv_secret_v2.this	resource
vault_mount.this	resource
vault_policy.this	resource

Inputs

Name	Description	Type	Default	Required
access_key	AWS Assumed Role access key	string	"ACCESS_KEY"	no
access_key_user	AWS Access Key with necessary permissions	string	"ACCESS_KEY"	no
auth_backend_role	Role that will be used by Vault authenticating AWS	map(object({ account_id = number sts_role = string }))	{ "key": { "account_id": 123456789012, "sts_role": "arn:aws:iam::123456789012:role/ROLE_NAME" } }	no
auth_backend_role_user	If enabled, This Role that will be used by Vault authenticating and performing necessary actions	map(object({ account_id = number sts_role = string }))	{ "key": { "account_id": 13456789012, "sts_role": "value" } }	no
aws_auth_path	AWS Authentication Methods path	string	"aws"	no
aws_auth_path_user	AWS IAM user Authentication Methods path	string	"account_b"	no
aws_secret_path	AWS Secret Engine path for Assumed Role	string	"aws"	no
aws_secret_path_user	AWS Secret engine path for IAM User	string	"account_b"	no
bound_issuer	The value against which to match the iss claim in a JWT	string	"gitlab.com"	no
create_auth_backend_role	Enable STS role or not for Vault	bool	false	no
create_auth_backend_role_user	Enable STS role or not on Vault	bool	false	no
create_aws_auth_backend	Enable AWS Auth method or not	bool	n/a	yes
create_aws_auth_backend_user	Enable AWS Auth method or not	bool	n/a	yes
create_aws_secret_backend	Enable AWS Secret Method or not for Vault	bool	false	no
create_aws_secret_backend_user	Vault Enable AWS Secret Method or not	bool	false	no
create_gh_acc_role	Enable Account Role for GitHub JWT Auth Method	bool	n/a	yes
create_gh_secret_role	For GHA, Enable Secrets JWT Auth Method Role or not	bool	n/a	yes
create_gl_acc_role	Enable Account Role for GitHub JWT Auth Method	bool	n/a	yes
create_gl_secret_role	For GitLab, Enable Secrets JWT Auth Method Role or not	bool	n/a	yes
create_k8s	Enable Kubernetes Auth Method or not	bool	n/a	yes
create_kv_engine	Enable KV version 2 secret engine	bool	n/a	yes
create_kv_v2	Create KV Version 2 Secrets	bool	n/a	yes
create_policy	Enable Vault policy or not	bool	n/a	yes
create_secret_backend_role	Enable a role on an AWS Secret Method or not for Vault	bool	false	no
create_secret_backend_role_user	Enable a role on an AWS Secret Method for Vault	bool	false	no
create_userpass	Authenticate Vault with Username/Password	bool	n/a	yes
credential_type	AWS STS Assumed Role type	string	"assumed_role"	no
credential_type_user	AWS IAM User type	string	"iam_user"	no
default_ttl_aws	Default Time To Live for Assumed role	string	1800	no
default_ttl_gh_jwt	Default Time To Live	string	"1h"	no
default_ttl_gl_jwt	Default Time To Live	string	"1h"	no
default_ttl_user	Default Time To Live for AWS temporary account	number	2700	no
delete_version_after	Old secrets version will be deleted after this seconds (7 days)	number	604800	no
enabled_gh_jwt_backend	Enable GitHub JWT Auth Method or not	bool	n/a	yes
enabled_gl_jwt_backend	Enable GitLab JWT Auth Method or not	bool	n/a	yes
enabled_oidc_backend	Enable OIDC Auth Method or not	bool	n/a	yes
gh_acc_bound_aud	URL of the repository owner, eg: https://github.com/OWNER, such as the organization that owns the repository. This is the only claim that can be customized	list(string)	[ "" ]	no
gh_acc_bound_claims	https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token	map(object({ role_name = string bound_claims = optional(map(string)) token_ttl = number token_max_ttl = number }))	{ "key1": { "bound_claims": { "": "" }, "role_name": "value", "token_max_ttl": 600, "token_ttl": 300 } }	no
gh_acc_bound_sub	Defines the subject claim that is to be validated by the cloud provider	string	""	no
gh_acc_token_policies	Vault policy name to attach on AWS Auth Method Role	list(string)	[ "default" ]	no
gh_jwt_path	GitHub JWT Authentication path	string	"jwt-gh"	no
gh_jwt_token_type	service token or batch token? Default is service token	string	"service"	no
gh_secret_bound_aud	URL of the repository owner, eg: https://github.com/OWNER, such as the organization that owns the repository. This is the only claim that can be customized	list(string)	[ "" ]	no
gh_secret_bound_claims	JWT/OIDC auth Method role for Secrets values in a Vault server	map(object({ role_name = string bound_claims = optional(map(string)) token_ttl = number token_max_ttl = number }))	{ "key": { "bound_claims": { "": "" }, "role_name": "value", "token_max_ttl": 7200, "token_ttl": 3600 } }	no
gh_secret_bound_sub	Defines the subject claim that is to be validated by the cloud provider	string	""	no
gh_secret_token_policies	Secrets policy name	list(string)	[ "default" ]	no
gl_acc_bound_claims	JWT/OIDC auth Method role for AWS Account in a Vault server	map(object({ role_name = string bound_claims = map(string) bound_claims_type = string }))	{ "key": { "bound_claims": { "project_id": "12312312", "ref": "main,develop", "ref_type": "branch" }, "bound_claims_type": "glob", "role_name": "ROLE_NAME" } }	no
gl_acc_token_policies	Vault policy name to attach on AWS Auth Method Role	list(string)	[ "account_b" ]	no
gl_jwt_path	GitLab JWT Authentication path	string	"jwt-gl"	no
gl_jwt_token_type	service token or batch token? Default is service token	string	"service"	no
gl_secret_bound_claims	JWT/OIDC auth Method role for Secrets values in a Vault server	map(object({ role_name = string bound_claims = map(string) }))	{ "key": { "bound_claims": { "project_id": "123123", "ref": "main,develop", "ref_type": "branch" }, "role_name": "reader-role" } }	no
gl_secret_token_policies	Secrets policy name	list(string)	[ "read-acc_b_creds" ]	no
k8s_config	Kubernetes Auth Backend configuration	map(object({ backend = string kubernetes_host = string kubernetes_ca_cert = string token_reviewer_jwt = string issuer = string }))	{ "dev-k8s": { "backend": "dev-k8s", "issuer": "https://kubernetes.default.svc.cluster.local", "kubernetes_ca_cert": "-----BEGIN CERTIFICATE-----\nASDFQWERQWERASDFASDQ@#RDFADFASDF\n-----END CERTIFICATE-----", "kubernetes_host": "https://K8S_HOST_ADDR:6443", "token_reviewer_jwt": "eyJhbGciOiJSUzI1NiIJASiadura56tIsImtpZCI6InRreml3.ASDFASOIDJFASDKLFLASDF" } }	no
k8s_path	Kubernetes Authentication path (Support multi clusters with different paths)	map(object({ path = string }))	{ "dev-k8s": { "path": "dev-k8s" } }	no
k8s_role	Kubernetes role to authenticate Vault	map(object({ role_name = string backend = string bound_service_account_names = list(string) bound_service_account_namespaces = list(string) token_policies = list(string) token_ttl_k8s = number }))	{ "dev-k8s": { "backend": "dev-k8s", "bound_service_account_names": [ "dev-k8s" ], "bound_service_account_namespaces": [ "default" ], "role_name": "dev-k8s", "token_policies": [ "default" ], "token_ttl_k8s": 3600 } }	no
kv_v2	Key/Value store	map(object({ sub_path = string disable_read = bool delete_all_versions = bool data_json = any }))	{ "key1": { "data_json": " {\n "key1": "value1"\n }\n", "delete_all_versions": true, "disable_read": false, "sub_path": "path1" }, "key2": { "data_json": " {\n "key2": "value2"\n }\n", "delete_all_versions": true, "disable_read": false, "sub_path": "path2" } }	no
kv_v2_description	Just a description	string	"Mount path of KV-V2 secret engine"	no
kv_v2_path	KV-V2 secret engine path	string	"infra"	no
max_ttl_aws	Maximum Time To Live for Assumed role	string	3600	no
max_ttl_gh_jwt	Maximum Time To Live	string	"2h"	no
max_ttl_gl_jwt	Maximum Time To Live	string	"2h"	no
max_ttl_user	Maximum Time To Live for AWS temporary account	number	3600	no
max_versions	Maximum versions of the secrets	number	100	no
oidc_alias	Name of the OIDC group alias	map(object({ group_alias_name = string }))	{ "gmail": { "group_alias_name": "gmail" } }	no
oidc_auth_path	OIDC mount path	map(object({ oidc_path = string oidc_role = string oidc_discovery_url = string oidc_client_id = string oidc_client_sec = string }))	{ "gmail": { "oidc_client_id": "123456789012-5k3hfs5kvc1h82kjkar895ir6118io4bra8q.apps.googleusercontent.com", "oidc_client_sec": "ASDFDF-xRG_MCY1Ulkr8Ke0cBU87yr_XDKR", "oidc_discovery_url": "https://accounts.google.com", "oidc_path": "oidc", "oidc_role": "gmail" } }	no
oidc_backend_role	OIDC role to login to Vault	map(object({ oidc_role_name = string oidc_user_claim = string oidc_token_type = string oidc_scopes = list(string) allowed_redirect_uris = list(string) oidc_token_policies = list(string) }))	{ "gmail": { "allowed_redirect_uris": [ "http://127.0.0.1:8250/oidc/callback", "http://127.0.0.1:8200/ui/vault/auth/oidc/oidc/callback" ], "oidc_role_name": "gmail", "oidc_scopes": [ "openid", "email" ], "oidc_token_policies": [ "reader" ], "oidc_token_type": "service", "oidc_user_claim": "email" } }	no
oidc_identity_group	n/a	map(object({ oidc_identity_group_name = string oidc_identity_type = string oidc_identity_group_policies = list(string) tags = map(string) }))	{ "gmail": { "oidc_identity_group_name": "gmail", "oidc_identity_group_policies": [ "reader" ], "oidc_identity_type": "external", "tags": { "Organization": "OSS" } } }	no
region	Region that Vault residing	string	"us-east-1"	no
region_user	Region that Vault residing	string	"us-east-1"	no
secret_backend_role	Create and use STS Assumed Role by Vault performing necessary actions respectively	map(object({ name = string role_arns = list(string) }))	{ "key": { "name": "aws", "role_arns": [ "arn:aws:iam::123456789012:role/ROLE_NAME" ] } }	no
secret_backend_role_user	IAM User with defined IAM permission policy respectively	map(object({ name = string policy_document = any }))	{ "key": { "name": "value", "policy_document": {} } }	no
secret_key	AWS Assumed Role User secret key	string	"SECRET_KEY"	no
secret_key_user	AWS Secret Key with necessary permissions	string	"SECRET_KEY"	no
userpass_path	Mount path for Userpass auth method	string	"userpass"	no
users_path	The full logical path with username suffix	map(object({ path = string data_json = any }))	{ "user1": { "data_json": " {\n "policies": ["POLICY"],\n "password": "PASSWORD"\n }\n", "path": "auth/userpass/users/USERNAME" } }	no
vault_policy	Policy to read secret by path	map(object({ name = string policy = any }))	{ "key1": { "name": "reader", "policy": " ## Policy for only reading secrets in this path\n path "tfvars/data/*"\n {\n capabilities = ["read"]\n }\n" } }	no

Outputs

No outputs.