terraform-module-kubernetes-hashicorp-vault-configuration

This Terraform module helps you configure a Vault cluster for use with OIDC authentication and the KV Secrets Engine version 2. It is part of the opinionated GlueOps Platform; if you arrived here directly, start at https://github.com/glueops/admiral instead, as that is the entry point to the platform.

Prerequisites

  • You need an unsealed Vault cluster.
  • You need the OIDC client secret that matches the value you set in your deployment of the Platform helm chart (`dex.vault.client_secret`).
  • You need a connection to the Vault cluster via `kubectl` port forwarding.
  • The Vault endpoint reached through the port forward presents a self-signed certificate, so TLS verification has to be skipped for this connection (for the Vault CLI and Terraform provider, `VAULT_SKIP_VERIFY=1`). This is only acceptable because the connection is a local port forward, not an exposed endpoint.
  • A JSON file called `../vault_access.json` must exist relative to where this module is used. If you ran the vault-initialization step correctly, that step created it.

For more details see: https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-configuration/wiki

Example usage of module

```hcl
module "configure_vault_cluster" {
  # Unpinned git source: append ?ref=<tag or commit> to pin the module version you reviewed.
  source = "git::https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-configuration.git"

  # Example value only. This is the Dex client secret for the 'vault' client ID;
  # do not commit a real secret as a literal, pass it in through a variable instead.
  oidc_client_secret = "yuS5eWskhW1ifc8R1ffgU+RARS3XM4TCKLEVO9rcXAA="
  captain_domain     = "nonprod.antoniostacos.onglueops.rocks"

  # Each oidc_groups entry is GITHUB_ORG_NAME:GITHUB_TEAM_NAME; policy_name is 'reader' or 'editor'.
  org_team_policy_mappings = [
    {
      oidc_groups = ["GlueOps:vault_super_admins"]
      policy_name = "editor"
    },
    {
      oidc_groups = ["GlueOps:vault_super_admins", "glueops-rocks:developers"]
      policy_name = "reader"
    }
  ]

  # The aws_* inputs listed under Inputs below are also required; they are omitted from this example.
}
```

policy_names

| policy_name | description |
|-------------|-------------|
| reader | read all secrets |
| editor | read/write/delete/update all secrets |
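What "read all secrets" and "read/write/delete/update all secrets" mean in Vault policy terms depends on how the KV Secrets Engine v2 lays out its API paths, which is easy to get wrong. The following is an added illustration, not this module's own policy text: it assumes the KV v2 mount lives at `secret/` (the module's real mount path is not stated on this page) and uses the policy names from the table above.

```hcl
# Added illustration, not the module's own resources. Assumed mount path: "secret".
resource "vault_mount" "secrets_kvv2" {
  path    = "secret"
  type    = "kv"
  options = { version = "2" }
}

# reader: read any secret and list paths. KV v2 serves secret data under
# <mount>/data/... and listing/metadata under <mount>/metadata/..., so a
# plain "read" on <mount>/* would grant nothing useful on its own.
resource "vault_policy" "reader" {
  name = "reader"

  policy = <<-EOT
    path "${vault_mount.secrets_kvv2.path}/data/*" {
      capabilities = ["read"]
    }
    path "${vault_mount.secrets_kvv2.path}/metadata/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# editor: create, read, update and delete. Note that "delete" on data/* is only a
# soft delete of the latest version; permanently destroying versions, undeleting,
# or wiping a secret's whole history needs the destroy/, undelete/ and metadata/ paths.
resource "vault_policy" "editor" {
  name = "editor"

  policy = <<-EOT
    path "${vault_mount.secrets_kvv2.path}/data/*" {
      capabilities = ["create", "read", "update", "delete"]
    }
    path "${vault_mount.secrets_kvv2.path}/metadata/*" {
      capabilities = ["read", "list", "delete"]
    }
    path "${vault_mount.secrets_kvv2.path}/delete/*" {
      capabilities = ["update"]
    }
    path "${vault_mount.secrets_kvv2.path}/undelete/*" {
      capabilities = ["update"]
    }
    path "${vault_mount.secrets_kvv2.path}/destroy/*" {
      capabilities = ["update"]
    }
  EOT
}
```

Vault grants a token the union of every policy attached to it. In the example usage above, `GlueOps:vault_super_admins` is mapped to both `editor` and `reader`; the `reader` mapping adds nothing for that group, and a group that only needs to read should appear under `reader` alone.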

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| vault | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| vault_auth_backend.kubernetes | resource |
| vault_jwt_auth_backend.default | resource |
| vault_jwt_auth_backend_role.default | resource |
| vault_kubernetes_auth_backend_config.config | resource |
| vault_kubernetes_auth_backend_role.env_roles | resource |
| vault_kubernetes_auth_backend_role.vault_backup | resource |
| vault_mount.secrets_kvv2 | resource |
| vault_policy.admin | resource |
| vault_policy.editor | resource |
| vault_policy.reader | resource |
| vault_policy.super_admin | resource |
| vault_policy.vault_backup | resource |
| aws_s3_object.vault_access | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_access_key | n/a | `string` | n/a | yes |
| aws_region | n/a | `string` | n/a | yes |
| aws_s3_bucket_name | The name of the S3 bucket to create for the tenant. | `string` | n/a | yes |
| aws_s3_key_vault_secret_file | The full key path to the S3 bucket file that contains the Vault access information. Do not include `S3://BUCKET_NAME/` in the path. | `string` | n/a | yes |
| aws_secret_key | n/a | `string` | n/a | yes |
| captain_domain | Captain Domain for the cluster | `string` | n/a | yes |
| oidc_client_secret | This is the Dex client secret for the 'vault' ClientID | `string` | n/a | yes |
| org_team_policy_mappings | Each OIDC group should be in the format `GITHUB_ORG_NAME:GITHUB_TEAM_NAME` and the policy name should be either `reader` or `editor` | see below | see below | no |

Type of `org_team_policy_mappings`:

```hcl
list(object({
  policy_name = string
  oidc_groups = list(string)
}))
```

Default value of `org_team_policy_mappings`:

```json
[
  {
    "oidc_groups": [
      "example-org:team1",
      "example-org:team2"
    ],
    "policy_name": "reader"
  },
  {
    "oidc_groups": [
      "example-org:team1",
      "example-org:team3"
    ],
    "policy_name": "editor"
  }
]
```

Outputs

No outputs.
