terraform-vault-tenant/README.md
Bertrand Lanson 47f53a2a20
fix: remove duplicate resource
2024-05-26 16:24:57 +02:00


# terraform-vault-tenant

This module aims to give companies and individuals running the Community edition of Vault (which has no namespaces; those are a Vault Enterprise feature) a way to segregate access between teams.

This "tenant" module requires that at least one AppRole auth method is mounted before you deploy it; the module does not create that global mount. It creates a tenant admin AppRole role on that mount and attaches the admin policy you define. It can also create an additional tenant-scoped AppRole auth mount and populate it with roles, each bound to a policy you define.

The idea is that, apart from access control, a tenant is free to create whatever secrets engines, secrets and so on it needs, as long as their paths carry the tenant prefix. The module does not enforce that boundary on its own: it applies the admin policy file you supply, so that policy must restrict every path it grants to the tenant prefix.
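As an added example (not a file shipped with the module), here is what a prefix-scoped tenant admin policy could look like for a tenant created with `tenant_prefix = "acme"`. The prefix, the `acme-approle` mount name and the decision to keep policy and role definitions read-only for the tenant admin are assumptions made for this illustration.

```hcl
# Added example, not part of the module: admin policy for a tenant whose
# tenant_prefix is "acme" (the prefix and mount names are assumptions).
# Vault is deny-by-default, so only the paths listed here are reachable.

# Enable, tune and disable secrets engines mounted under the tenant prefix.
path "sys/mounts/acme-*" {
  capabilities = ["create", "read", "update", "delete"]
}

# Needed for `vault secrets list`; exposes mount names only, not data.
path "sys/mounts" {
  capabilities = ["read"]
}

# Full data-plane access to anything mounted under the tenant prefix
# (for KV v2 this covers acme-<mount>/data/*, /metadata/* and so on).
path "acme-*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Read-only view of the tenant's policies and of the roles on its AppRole
# mount. Write access is deliberately left out: Vault Community cannot
# restrict which paths a policy grants or which policies a role attaches,
# so a tenant admin allowed to write either could reach paths outside
# "acme-". Those objects are created through the module's policy_file
# inputs instead.
path "sys/policies/acl/acme-*" {
  capabilities = ["read"]
}

path "auth/acme-approle/role/*" {
  capabilities = ["read", "list"]
}

# Issue and revoke secret IDs for the tenant's roles. These rules are more
# specific than the glob above (they do not end in "*"), so they take
# precedence and grant update only on the secret-id endpoints.
path "auth/acme-approle/role/+/secret-id" {
  capabilities = ["update"]
}

path "auth/acme-approle/role/+/secret-id-accessor/destroy" {
  capabilities = ["update"]
}
```

Because Vault applies the single most specific matching rule rather than merging rules, the two `secret-id` rules narrow what the `auth/acme-approle/role/*` glob allows on those sub-paths; test the result with `vault policy read` and `vault token capabilities` on a token issued from the tenant admin role before handing it out.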

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| random | ~> 3.6.2 |
| vault | ~> 4.2.0 |

## Providers

| Name | Version |
|------|---------|
| random | ~> 3.6.2 |
| vault | ~> 4.2.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| random_uuid.extra_roles_secret_id | resource |
| random_uuid.tenant_admin_secret_id | resource |
| vault_approle_auth_backend_role.extra_roles | resource |
| vault_approle_auth_backend_role.tenant_admin | resource |
| vault_approle_auth_backend_role_secret_id.extra_roles | resource |
| vault_approle_auth_backend_role_secret_id.tenant_admin | resource |
| vault_auth_backend.approle | resource |
| vault_identity_entity.extra_roles | resource |
| vault_identity_group.this | resource |
| vault_identity_group_alias.this | resource |
| vault_policy.extra_policies | resource |
| vault_policy.tenant_admin | resource |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| global_approle_mount | The mount path of the pre-existing global AppRole authentication method on which the tenant admin role is created. | `string` | `"approle"` | no |
| tenant_additional_roles | A map of additional role names, each with the path to its policy file. A separate AppRole auth method is created for this tenant (mounted at `auth/<tenant_prefix>-approle`) holding all the roles declared here; see the expected shape below. | `map(object({ policy_file = string }))` | `{}` | no |
| tenant_admin_policy_file | The path to the admin policy file for this tenant. | `string` | `null` | no |
| tenant_name | The name of the tenant you want to create. | `string` | n/a | yes |
| tenant_prefix | The prefix to use for the tenant in Vault (it prefixes mount points, policies, etc.). | `string` | n/a | yes |

Expected shape of `tenant_additional_roles`:

```hcl
tenant_additional_roles = {
  devs = {
    policy_file = "/some/path/to/policy.hcl"
  }
  admins = {...}
}
```
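The following root configuration is an added example of how the inputs above fit together; it is not part of the module. The module `source` path, the `acme` tenant name and prefix, the policy file locations and the `devs`/`ci` role names are assumptions; the input names and defaults are the module's own.

```hcl
# Added example, not part of the module: a root configuration that calls
# terraform-vault-tenant for one tenant. The source path, the "acme"
# name/prefix, the policy file locations and the role names are assumptions.

terraform {
  required_version = ">= 1.0.0"

  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 4.2.0"
    }
  }
}

provider "vault" {
  # Address and token are taken from VAULT_ADDR / VAULT_TOKEN. The token used
  # for the apply must be allowed to write sys/auth (tenant AppRole mount),
  # sys/policies/acl, identity/ and roles on the global AppRole mount.
}

module "acme_tenant" {
  source = "./modules/terraform-vault-tenant" # assumed local checkout

  tenant_name   = "acme"
  tenant_prefix = "acme"

  # The global AppRole mount must already exist; "approle" is the default.
  global_approle_mount = "approle"

  # Policy attached to the tenant admin role created on the global mount.
  # Keep every path in this file under the "acme-" prefix.
  tenant_admin_policy_file = "${path.root}/policies/acme-admin.hcl"

  # Extra roles are created on the tenant-scoped mount (auth/acme-approle),
  # each with the policy read from its file.
  tenant_additional_roles = {
    devs = {
      policy_file = "${path.root}/policies/acme-devs.hcl"
    }
    ci = {
      policy_file = "${path.root}/policies/acme-ci.hcl"
    }
  }
}

# Surface the created names so the platform team can hand them to the tenant.
output "acme_admin_role" {
  value = module.acme_tenant.tenant_admin_role
}

output "acme_extra_roles" {
  value = module.acme_tenant.extra_roles
}
```

After `terraform apply`, confirm the boundary rather than trusting the policy file by logging in with the tenant admin role (`vault write auth/approle/login role_id=... secret_id=...`) and checking `vault token capabilities <token> sys/mounts/other-team-kv` returns `deny`. Note that the secret IDs generated by the module's `random_uuid` resources end up in the Terraform state, so the state backend needs the same protection as any other credential store.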

## Outputs

| Name | Description |
|------|-------------|
| extra_role_policies | The tenant extra role policy names |
| extra_roles | The tenant extra AppRole roles |
| tenant_admin_policy | The tenant admin policy name |
| tenant_admin_role | The tenant admin AppRole role |