feat/stable-release #1
10
README.md
10
README.md
@ -1,6 +1,12 @@
|
||||
# terraform-vault-tenant
|
||||
|
||||
Terraform module to deploy tenant in Hashicorp Vault community version.<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
|
||||
This module aims to provide a way for companies and individuals running the community version of vault, to segregate accesses between teams.
|
||||
|
||||
This "tenant" module requires that you have at least one approle auth method mounted prior to deploying it. It will create a tenant admin approle role on these mount, and apply the policy you define. It can also create an additional tenant-scoped approle auth mount, and create roles based on policies that you define.
|
||||
|
||||
The idea behind this is that outside of access control, a tenant is free to create whatever secret engine, secrets, etc... As long as those are prefixed with their tenant prefix.
|
||||
|
||||
<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
|
||||
### Requirements
|
||||
|
||||
| Name | Version |
|
||||
@ -42,7 +48,7 @@ No modules.
|
||||
|------|-------------|------|---------|:--------:|
|
||||
| <a name="input_global_approle_mount"></a> [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
|
||||
| <a name="input_tenant_additional_roles"></a> [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> tenant_additional_roles = {<br> devs = {<br> policy_file = "/some/path/to/policy.hcl"<br> }<br> admins = {...}<br> } | <pre>map(object({<br> policy_file = string<br> }))</pre> | `{}` | no |
|
||||
| <a name="input_tenant_admin_policy_file"></a> [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
|
||||
| <a name="input_tenant_admin_policy_file"></a> [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `"./policies/tenant-admins.policy.hcl"` | no |
|
||||
| <a name="input_tenant_name"></a> [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
|
||||
| <a name="input_tenant_prefix"></a> [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
|
||||
|
||||
|
@ -1,10 +1,3 @@
|
||||
resource "vault_policy" "extra_policies" {
|
||||
for_each = var.tenant_additional_roles
|
||||
|
||||
name = "${var.tenant_prefix}-${each.key}"
|
||||
policy = file(each.value.policy_file)
|
||||
}
|
||||
|
||||
resource "vault_auth_backend" "approle" {
|
||||
type = "approle"
|
||||
path = "${var.tenant_prefix}-approle"
|
||||
@ -41,3 +34,10 @@ resource "vault_identity_entity" "extra_roles" {
|
||||
prefix = var.tenant_prefix
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_policy" "extra_policies" {
|
||||
for_each = var.tenant_additional_roles
|
||||
|
||||
name = "${var.tenant_prefix}-${each.key}"
|
||||
policy = file(each.value.policy_file)
|
||||
}
|
||||
|
7
policies/tenant-admins.policy.hcl
Normal file
7
policies/tenant-admins.policy.hcl
Normal file
@ -0,0 +1,7 @@
|
||||
path "{{identity.entity.metadata.prefix}}/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
|
||||
path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
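Review bot: Both `path` stanzas scope the tenant admin entirely through the `prefix` entity-metadata key, so the boundary holds only as long as that key is written by Terraform alone (the `vault_identity_entity` resource sets `prefix = var.tenant_prefix`); a tenant role that is ever granted update on `identity/entity` could change its own metadata and with it the scope of this template, and the file does not record that dependency. Suggested header comment: `# Tenant scope comes from the entity metadata key "prefix", set by the module's vault_identity_entity resource; never grant tenant roles write access to identity/entity, or this template no longer bounds them.` The second stanza allows mount management under the prefix but grants no read on `sys/mounts` itself, so if tenant admins are expected to list their mounts they presumably need an additional read stanza; confirm against the intended workflow.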
@ -20,6 +20,7 @@ variable "tenant_prefix" {
|
||||
|
||||
variable "tenant_admin_policy_file" {
|
||||
type = string
|
||||
default = "./policies/tenant-admins.policy.hcl"
|
||||
description = "The path to the admin policy file for this tenant"
|
||||
}
|
||||
|
||||
|
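Review bot: The new default `./policies/tenant-admins.policy.hcl` is a path relative to the directory Terraform is run from, not to this module, so a caller that consumes the module from another directory will presumably get a file-not-found from `file()` instead of the bundled policy (the `file(each.value.policy_file)` call for the additional roles shows the same pattern). A module-relative default cannot be expressed in a variable default, so either the consumer should join relative values with `path.module`, or the description should state where the path is resolved from; suggested wording: `description = "The path to the admin policy file for this tenant (relative paths are resolved from the directory terraform runs in, not from the module)"`. The variable block is complete within the hunk; the resource that reads it is outside it.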