A comprehensive Terraform/OpenTofu module for managing HashiCorp Vault infrastructure and configuration.
- Features
- Prerequisites
- Usage
- Examples
- Requirements
- Providers
- Inputs
- Outputs
- Testing
- Contributing
- Security
- License
## Features

- 🔒 Secure Vault configuration management
- 🔑 Secret engine management (KV, Database, PKI, etc.)
- 👥 Authentication method configuration
- 📜 Policy management
- 🔐 Encryption as a Service (Transit)
- 🌐 Multi-namespace support
- 🔄 Automated secret rotation
- 📊 Audit logging configuration
## Prerequisites

- OpenTofu >= 1.6 or Terraform >= 1.0
- HashiCorp Vault >= 1.12
- Valid Vault authentication credentials
- Appropriate Vault permissions for resource creation
## Usage

```hcl
module "vault" {
  source = "github.com/your-org/devops-terraform-modules-vault?ref=v1.0.0"

  vault_address = "https://vault.example.com"
  vault_token   = var.vault_token

  secret_engines = {
    kv = {
      path        = "secret"
      type        = "kv-v2"
      description = "KV Version 2 secret engine"
    }
  }

  auth_methods = {
    approle = {
      path        = "approle"
      type        = "approle"
      description = "AppRole authentication"
    }
  }

  policies = {
    app_policy = {
      name   = "app-policy"
      policy = file("${path.module}/policies/app-policy.hcl")
    }
  }
}
```

## Examples

Detailed examples can be found in the examples directory:
- Basic KV Secrets Engine - Simple KV v2 secrets engine setup
- Database Secrets Engine - Dynamic database credentials
- PKI Secrets Engine - Certificate authority and certificate management
- AppRole Authentication - AppRole authentication configuration
- Transit Encryption - Encryption as a service
- Complete Setup - Full Vault configuration example
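The Usage block above wires up a KV engine, AppRole and a policy read from a file. As an added example (not one of the module's own examples), the call below also sets a namespace, defines a least-privilege KV v2 policy inline, and enables a file audit device. The field names inside the `audit_devices` object (`type`, `path`, `options`) are an assumption, since the README only declares the input as `map(object)`; check the module's variables.tf before relying on them.

```hcl
# Added example; not from the module's own examples directory.
# Assumed: audit_devices objects take type/path/options (check variables.tf).
module "vault" {
  source = "github.com/your-org/devops-terraform-modules-vault?ref=v1.0.0"

  vault_address   = "https://vault.example.com"
  vault_token     = var.vault_token # never a literal: supply via TF_VAR_vault_token
  vault_namespace = "team-a"

  secret_engines = {
    kv = {
      path        = "secret"
      type        = "kv-v2"
      description = "KV Version 2 secret engine"
    }
  }

  auth_methods = {
    approle = {
      path        = "approle"
      type        = "approle"
      description = "AppRole authentication"
    }
  }

  policies = {
    app_policy = {
      name = "app-policy"
      # Least privilege on KV v2: data is read-only under one app prefix,
      # metadata is listable only, and destroy is denied explicitly so that
      # no other policy attached to the same token can widen that grant.
      policy = <<-EOT
        path "secret/data/apps/payments/*"     { capabilities = ["read"] }
        path "secret/metadata/apps/payments/*" { capabilities = ["list"] }
        path "secret/destroy/apps/payments/*"  { capabilities = ["deny"] }
      EOT
    }
  }

  # Audit logging: every request and response is hashed and written to a file.
  audit_devices = {
    file = {
      type    = "file"
      path    = "file"
      options = { file_path = "/var/log/vault/audit.log" }
    }
  }
}
```

Pass the token through the environment (`TF_VAR_vault_token`) or a short-lived AppRole login rather than committing it, and confirm the audit file is shipped off-host so a compromised node cannot silently drop its own trail.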
## Requirements

| Name | Version |
|---|---|
| terraform | >= 1.0 |
| vault | >= 3.20 |

## Providers

| Name | Version |
|---|---|
| vault | >= 3.20 |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| vault_address | The address of the Vault server | string | n/a | yes |
| vault_token | The Vault authentication token | string | null | no |
| vault_namespace | The Vault namespace to use | string | null | no |
| secret_engines | Map of secret engines to create | map(object) | {} | no |
| auth_methods | Map of authentication methods to configure | map(object) | {} | no |
| policies | Map of policies to create | map(object) | {} | no |
| audit_devices | Map of audit devices to enable | map(object) | {} | no |
## Outputs

| Name | Description |
|---|---|
| secret_engine_paths | Map of created secret engine paths |
| auth_method_paths | Map of configured authentication method paths |
| policy_names | List of created policy names |
## Testing

This module includes comprehensive tests using the OpenTofu/Terraform native testing framework.

```bash
tofu test
```

or

```bash
terraform test
```

Tests are located in the tests directory:

- `basic.tftest.hcl` - Basic functionality tests
- `secret_engines.tftest.hcl` - Secret engine tests
- `auth_methods.tftest.hcl` - Authentication method tests
- `policies.tftest.hcl` - Policy configuration tests
## Contributing

Contributions are welcome! Please follow these guidelines:

- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'feat: add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
This project uses several tools to maintain code quality:
- lefthook - Git hooks for pre-commit checks
- tflint - Terraform linting
- tfsec - Security scanning
- checkov - Policy as code validation
- semgrep - Static analysis
- terraform-docs - Documentation generation
Run pre-commit hooks manually:

```bash
lefthook run pre-commit
```

## Security

- Never commit sensitive information (tokens, passwords, private keys)
- Use Vault's dynamic secrets whenever possible
- Follow the principle of least privilege for policies
- Regularly rotate credentials
- Enable audit logging in production environments
Please report security vulnerabilities to security@example.com
## License

This project is licensed under the MIT License - see the LICENSE file for details.
- Platform Team - @platform-team
- Security Team - @security-team
Made with ❤️ by the Platform Team