-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} | map(object({
policy_file = string
}))
| `{}` | no |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
+| [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
+| [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
+
+### Outputs
+
+No outputs.
+
diff --git a/admin_approle.tf b/admin_approle.tf
new file mode 100644
index 0000000..1c11833
--- /dev/null
+++ b/admin_approle.tf
@@ -0,0 +1,26 @@
+resource "vault_approle_auth_backend_role" "tenant_admin" {
+ backend = var.global_approle_mount
+ role_name = "${var.tenant_name}-admin"
+ token_policies = ["default", "${vault_policy.tenant_admin.name}"]
+}
+
+resource "random_uuid" "tenant_admin_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
+ backend = var.global_approle_mount
+ role_name = vault_approle_auth_backend_role.tenant_admin.role_name
+ secret_id = random_uuid.tenant_admin_secret_id.result
+}
+
+resource "vault_identity_entity" "tenant_admin" {
+ name = "${each.value.prefix}-admin"
+ metadata = {
+ tenant = var.tenant_name
+ prefix = var.tenant_prefix
+ }
+}
+
+resource "vault_policy" "tenant_admin" {
+ name = "${var.tenant_name}-admin"
+ policy = file(var.tenant_admin_policy_file)
+}
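Review bot: `vault_identity_entity.tenant_admin` references `each.value.prefix` but the resource has no `for_each`, so `terraform plan` will fail on this file; the sibling entity in extra_policies.tf builds its name from the variable, so this should be `name = "${var.tenant_prefix}-admin"`. Separately, `tenant_admin` is the privileged role for the tenant yet the role sets no `token_ttl`/`token_max_ttl` and the secret ID has no `secret_id_ttl`/`secret_id_num_uses`, so (assuming Vault defaults) the generated SecretID never expires and can be used any number of times; consider at least `secret_id_num_uses = 1` and a short `secret_id_ttl` on the role, or `secret_id_bound_cidrs` if the consumer's network is known. Also note that the SecretID comes from `random_uuid` and is stored in plaintext in Terraform state, so state access is equivalent to holding admin credentials for every tenant; the `wrapping_ttl` argument of `vault_approle_auth_backend_role_secret_id` (response-wrapping) is worth considering. The entity created here is not linked to the AppRole via an entity alias in this diff, so it appears to be presumably orphaned unless an alias is created elsewhere — worth confirming.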
diff --git a/extra_policies.tf b/extra_policies.tf
new file mode 100644
index 0000000..634f8c1
--- /dev/null
+++ b/extra_policies.tf
@@ -0,0 +1,43 @@
+resource "vault_policy" "extra_policies" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ policy = file(each.value.policy_file)
+}
+
+resource "vault_auth_backend" "approle" {
+ type = "approle"
+ path = "${var.tenant_prefix}-approle"
+ tune {
+ default_lease_ttl = "3600s"
+ max_lease_ttl = "14400s"
+ }
+}
+
+resource "vault_approle_auth_backend_role" "extra_roles" {
+ for_each = var.tenant_additional_roles
+
+ backend = vault_auth_backend.approle.path
+ role_name = each.key
+ token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"]
+}
+
+resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles }
+
+resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
+ for_each = var.tenant_additional_roles
+
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name
+ secret_id = random_uuid.extra_roles_secret_id[each.key].result
+}
+
+resource "vault_identity_entity" "extra_roles" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ metadata = {
+ tenant = var.tenant_name
+ prefix = var.tenant_prefix
+ }
+}
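Review bot: The per-tenant roles created in `extra_roles` have the same exposure as the admin role: no `secret_id_ttl`, `secret_id_num_uses` or `secret_id_bound_cidrs` on the role, and a `random_uuid`-generated SecretID that lands in plaintext in Terraform state via `vault_approle_auth_backend_role_secret_id.extra_roles`. The mount-level `tune` (3600s/14400s) only bounds token leases, not SecretID lifetime, so a leaked state file yields long-lived credentials; consider `secret_id_num_uses = 1` plus a short `secret_id_ttl` (or `wrapping_ttl` on the secret-id resource) as a baseline. The mount path `"${var.tenant_prefix}-approle"` is built from `tenant_prefix`, which variables.tf does not validate, so a prefix containing `/` would mount under a nested path and could collide with or shadow other mounts — a character-set validation on the variable would close that. The pre-created `vault_identity_entity.extra_roles` entities are not bound to the roles with an entity alias in this diff, so presumably they will not be the entities Vault attaches to AppRole logins — confirm an alias is created elsewhere.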
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..08e0a47
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,11 @@
+terraform {
+ required_version = ">= 1.0.0"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ }
+ random = {
+ source = "hashicorp/random"
+ }
+ }
+}
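Review bot: Neither provider in `required_providers` carries a `version` constraint, so every init resolves to the latest published `hashicorp/vault` and `hashicorp/random` releases and a new major version (or a compromised release) is picked up silently by a module that manages authentication credentials. Pin both to the range the module was tested against, e.g. `version = "~> 3.0"` under `vault` and `version = "~> 3.0"` under `random`, and commit the dependency lock file so the provider checksums are verified on subsequent runs.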
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..90cd9cb
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,42 @@
+variable "global_approle_mount" {
+ type = string
+ default = "approle"
+ description = "The mount path for the global AppRole authentication method"
+}
+
+variable "tenant_name" {
+ type = string
+ description = "The name of the tenant you want to create"
+ validation {
+ condition = can(regex("^[-a-zA-Z0-9_]*$", var.tenant_name))
+ error_message = "The tenant name must only contain alphanumeric characters, dashes, and underscores."
+ }
+}
+
+variable "tenant_prefix" {
+ type = string
+ description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
+}
+
+variable "tenant_admin_policy_file" {
+ type = string
+ description = "The path to the admin policy file for this tenant"
+}
+
+variable "tenant_additional_roles" {
+ type = map(object({
+ policy_file = string
+ }))
+ default = {}
+ description = <-approle) including all the roles declared in this variable.
+ The variable should look like:
+ tenant_additional_roles = {
+ devs = {
+ policy_file = "/some/path/to/policy.hcl"
+ }
+ admins = {...}
+ }
+ EOT
+}
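Review bot: The `tenant_name` validation regex `^[-a-zA-Z0-9_]*$` uses `*`, so an empty string passes and the admin role and policy in admin_approle.tf would be named `-admin`; change it to `^[-a-zA-Z0-9_]+$`. `tenant_prefix` has no validation at all even though, per its own description, it prefixes mount points and policy names in extra_policies.tf, so a value containing `/` or whitespace would produce nested or unexpected auth-mount paths; the same character restriction should apply there. A validation block for the prefix is shown below; the other variables are unchanged.
```hcl
variable "tenant_prefix" {
  type        = string
  description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
  validation {
    condition     = can(regex("^[a-zA-Z0-9][-a-zA-Z0-9_]*$", var.tenant_prefix))
    error_message = "The tenant prefix must start with an alphanumeric character and contain only alphanumeric characters, dashes, and underscores."
  }
}
# … unchanged: global_approle_mount, tenant_name (regex quantifier changed to +), tenant_admin_policy_file, tenant_additional_roles …
```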