Vault/OpenBao setup for GatePlane Policy-Gate Plugin
This Terraform module mounts the Policy-Gate Plugin under a Vault/OpenBao path.
It additionally creates two policies that can access the mount, in order to both create and approve AccessRequests.
Finally, it optionally enables these policies to be used by the UI (under app.gateplane.io or different domain).
| Name | Version |
|---|---|
| terraform | >= 1.11.0 |
| null | >= 3.2.4 |
| vault | >= 4.7.0 |
| Name | Version |
|---|---|
| vault | 4.7.0 |
| Name | Type |
|---|---|
| vault_approle_auth_backend_role.this | resource |
| vault_approle_auth_backend_role_secret_id.this | resource |
| vault_generic_endpoint.plugin_api_vault_config | resource |
| vault_generic_endpoint.plugin_config_access | resource |
| vault_policy.target | resource |
| vault_approle_auth_backend_role_id.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| name | Name of the gate, used in the mount path and generated policies. | any |
n/a | yes |
| approle_mount | The Vault/OpenBao AppRole Auth Method mount that the plugin will authenticate against. | string |
"gateplane/approle" |
no |
| approle_policy_name | The name of the Vault/OpenBao Policy to be assigned to the plugin (created by gateplane-setup plugin) |
string |
"gateplane-policy-gate-policy" |
no |
| description | Brief explanation of what access is requested through this gate. | string |
"" |
no |
| endpoint_prefix | TODO: allow a way to set absolute path, no parameterization | string |
"gp" |
no |
| lease_max_ttl | The duration that the protected token will be active (e.g.: "1h"). |
string |
"1h" |
no |
| lease_ttl | The duration that the protected token will be active (e.g.: "30m"). |
string |
"30m" |
no |
| path_prefix | The endpoint where the plugin will be mounted. | string |
"gateplane" |
no |
| plugin_name | The name of the plugin to mount (e.g: gateplane-policy-gate). |
string |
"gateplane-policy-gate" |
no |
| plugin_options | Base options provided by the plugin to the /config endpoint, available in plugin documentation. |
map |
{} |
no |
| policy_prefix | The prefix used for the Policy created by protected_path_map variable. |
string |
"gateplane" |
no |
| protected_path_map | A map of Vault/OpenBao paths to lists of capabilities, to be protected by this gate (e.g.: {"secret/data/mysecret":["read"]}).Mutually exclusive with protected_policies. |
any |
null |
no |
| protected_policies | The Vault/OpenBao policies that will be claimed by this gate. Mutually exclusive with protected_path_map |
any |
null |
no |
| vault_addr_local | The URL used by the Vault/OpenBao plugin (running alongside Vault/OpenBao) to access the API. Can be the one used by the Vault Provider or a local URL. | string |
"http://127.0.0.1:8200" |
no |
| Name | Description |
|---|---|
| mount_path | The Vault/OpenBao path where the plugin has been mounted. |
| paths | The map of paths supported by this plugin. |
| policies | The verbatim policies created and referenced in this module. |
| policy_names | The names of the policies created and referenced in this module. |
This project is licensed under the Elastic License v2.
This means:
- ✅ You can use, fork, and modify it for yourself or within your company.
- ✅ You can submit pull requests and redistribute modified versions (with the license attached).
- ❌ You may not sell it, offer it as a paid product, or use it in a hosted service (e.g., SaaS).
- ❌ You may not re-license it under a different license.
In short: You can use and extend the code freely, privately or inside your business - just don’t build a business around it without our permission. This FAQ by Elastic greatly summarizes things.
See the ./LICENSES/Elastic-2.0.txt file for full details.