# terraform-vault-tenant

This module aims to give companies and individuals running the Community edition of Vault a way to segregate access between teams.

This "tenant" module requires that you have at least one AppRole auth method mounted before deploying it. It creates a tenant admin AppRole role on that mount and attaches the policy you define. It can also create an additional, tenant-scoped AppRole auth mount and create roles on it, each bound to a policy you define.

The idea is that, beyond the access control this module sets up, a tenant is free to create whatever secrets engines, secrets, etc. it needs, as long as those are prefixed with its tenant prefix. The module applies the admin policy you supply as-is, so the prefix restriction has to be expressed in that policy.

Note that the AppRole secret IDs are generated with `random_uuid` and pushed with `vault_approle_auth_backend_role_secret_id`, so they are recorded in plaintext in the Terraform state. Protect the state file as you would the secrets themselves.

### Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement_terraform) | >= 1.0.0 |
| [random](#requirement_random) | ~> 3.6.2 |
| [vault](#requirement_vault) | ~> 4.2.0 |

### Providers

| Name | Version |
|------|---------|
| [random](#provider_random) | ~> 3.6.2 |
| [vault](#provider_vault) | ~> 4.2.0 |

### Modules

No modules.
### Resources

| Name | Type |
|------|------|
| [random_uuid.extra_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.root_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [vault_approle_auth_backend_role.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
| [vault_approle_auth_backend_role.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
| [vault_approle_auth_backend_role_secret_id.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
| [vault_approle_auth_backend_role_secret_id.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
| [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
| [vault_identity_entity.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
| [vault_identity_entity.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
| [vault_identity_entity_alias.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
| [vault_identity_entity_alias.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |

### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional_roles](#input_additional_roles) | A map of additional role names, each with the path to the policy file to attach for this tenant. A separate AppRole auth method is created for this tenant (mounted at `auth/<prefix>-approle`) and holds all the roles declared in this variable. The variable should look like:<pre>additional_roles = {<br>  devs = {<br>    policy_file = "/some/path/to/policy.hcl"<br>  }<br>  admins = {...}<br>}</pre> | <pre>map(object({<br>  policy_file = string<br>}))</pre> | `{}` | no |
| [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes |
| [prefix](#input_prefix) | The prefix to use for the tenant in Vault (this prefixes mount points, policies, etc.) | `string` | n/a | yes |
| [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |

### Outputs

| Name | Description |
|------|-------------|
| [approle_mount](#output_approle_mount) | The AppRole mount for the tenant |
| [extra_role_policies](#output_extra_role_policies) | The tenant extra role policy names |
| [extra_roles](#output_extra_roles) | The tenant extra AppRole roles |
| [root_policy](#output_root_policy) | The tenant root policy name |
| [root_role](#output_root_role) | The tenant root AppRole role |
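### Example

The following is an end-to-end example of calling the module with the inputs documented above, together with the two policy files it references. It is added here as illustration and is not code from the module's own repository. It assumes a local checkout of the module under `./modules/terraform-vault-tenant`, a pre-existing AppRole mount at the default `approle` path (the module takes no input for this path, so the example creates the mount itself and orders it explicitly with `depends_on`), a tenant prefix of `acme`, and that the tenant admin will later mount a KV v2 engine at `acme/kv`. Both policy files are constructed for this example.

```hcl
# main.tf (root module, example only)

terraform {
  required_version = ">= 1.0.0"
  required_providers {
    # Versions match the module's documented requirements.
    vault  = { source = "hashicorp/vault", version = "~> 4.2.0" }
    random = { source = "hashicorp/random", version = "~> 3.6.2" }
  }
}

# The module expects an AppRole auth method to exist before it is applied;
# the tenant admin role is created on that mount. The path "approle" is an
# assumption of this example.
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

module "tenant_acme" {
  source = "./modules/terraform-vault-tenant" # assumed local checkout

  name   = "acme"
  prefix = "acme"

  # Tenant admin policy: applied as-is, so this is where the prefix
  # restriction is enforced.
  root_policy_file = "${path.module}/policies/acme-admin.hcl"

  # Each entry becomes a role on the tenant-scoped AppRole mount,
  # bound to its own policy.
  additional_roles = {
    devs = {
      policy_file = "${path.module}/policies/acme-devs.hcl"
    }
  }

  # Nothing in the module's inputs references the mount above, so the
  # dependency has to be stated explicitly.
  depends_on = [vault_auth_backend.approle]
}

output "acme_root_role" {
  value = module.tenant_acme.root_role
}

output "acme_extra_roles" {
  value = module.tenant_acme.extra_roles
}

# policies/acme-admin.hcl (constructed for this example)
# Everything the tenant owns lives under its prefix: secrets engines mounted
# at acme/* and the paths beneath them.
path "acme/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Allow the tenant admin to enable, tune and disable secrets engines, but
# only at mount points under the tenant prefix.
path "sys/mounts/acme/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# policies/acme-devs.hcl (constructed for this example)
# Read-only access to a KV v2 engine the admin is assumed to mount at
# acme/kv; "data/" and "metadata/" are the KV v2 API path segments.
path "acme/kv/data/*" {
  capabilities = ["read"]
}

path "acme/kv/metadata/*" {
  capabilities = ["read", "list"]
}
```

None of the module's outputs expose the AppRole secret IDs; after `terraform apply` the only place they live is the state (for example via `terraform state show` on the `vault_approle_auth_backend_role_secret_id` resources), which is why the state file needs the same protection as the secrets it bootstraps. The admin policy above deliberately grants nothing on `sys/auth` or on paths outside `acme/`, so a tenant admin cannot mount engines at another tenant's prefix or alter auth methods.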