Demo to create a namespace in Vault, add policy/secret engine all using Terraform.
Feedback and additions welcome.
Note ~> Namespaces in Vault require Vault Enterprise.
Using Terraform and the Vault provider, we want to create a namespace on an existing Vault cluster and add the usual bits to it: policies, secrets engines, rate limits, and auth methods.
We'll start with:
- Create a root-level policy and a read-only audit user, `audit_user/changeme` (root-namespace.tf)
- Create namespaces (main.tf)
  - You can set `allow-subnamespaces` to allow or disallow the namespace admin's ability to create nested namespaces
  - Define policies for a namespace-admin and a secrets-manager persona (modules/bootstrap-namespace/bootstrap_policies.tf)
  - Build up namespaces (modules/bootstrap-namespace/main.tf)
    - Create namespace
    - Create admin-policy
    - Create secrets-manager-policy
    - Create tokens for each (yes, this isn't good practice but makes testing easier)
    - Create secrets mounts (based on variable `secrets_to_mount`)
    - Create auth mounts (based on variable `auths_to_mount`)
    - Create userpass auth and a `user1/changeme` login
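The bootstrap steps above, collapsed into a single root module as an added example (this is not the demo repo's own code). It assumes the Vault provider's resource-level `namespace` argument (introduced, as far as I recall, in provider 3.7.0; earlier versions need a provider alias with `namespace` set instead), and the variable names `namespace_path`, `allow_subnamespaces` and `secrets_to_mount` are mine. The interesting part is the `dynamic "rule"` block: the `sys/namespaces/*` grant is only rendered into the admin policy when nested namespaces are allowed, which is how the `allow-subnamespaces` switch is enforced rather than merely documented.

```hcl
terraform {
  required_version = ">= 0.13"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.7.0" # assumption: first version with `namespace` on every resource
    }
  }
}

# Address/token come from VAULT_ADDR/VAULT_TOKEN; the token must live in the root namespace.
provider "vault" {}

variable "namespace_path" {
  type    = string
  default = "team-a" # assumed demo name
}

variable "allow_subnamespaces" {
  type    = bool
  default = false
}

variable "secrets_to_mount" {
  type    = list(string)
  default = ["kv-v2", "transit"]
}

resource "vault_namespace" "this" {
  path = var.namespace_path
}

# Namespace-admin policy. Every path is relative to the namespace the policy lives in,
# so this token cannot reach root-namespace sys/ paths at all.
data "vault_policy_document" "admin" {
  rule {
    path         = "sys/policies/acl/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "manage ACL policies inside the namespace"
  }
  rule {
    path         = "sys/mounts/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "enable/disable secrets engines inside the namespace"
  }
  rule {
    path         = "sys/auth/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "enable/disable auth methods inside the namespace"
  }
  rule {
    path         = "auth/*"
    capabilities = ["create", "read", "update", "delete", "list"]
  }

  # Emitted only when allow_subnamespaces = true; without this rule the admin
  # token is denied on sys/namespaces and cannot create child namespaces.
  dynamic "rule" {
    for_each = var.allow_subnamespaces ? [1] : []
    content {
      path         = "sys/namespaces/*"
      capabilities = ["create", "read", "update", "delete", "list"]
      description  = "create nested namespaces"
    }
  }
}

resource "vault_policy" "admin" {
  namespace = vault_namespace.this.path
  name      = "namespace-admin"
  policy    = data.vault_policy_document.admin.hcl
}

# "kv-v2" is the kv engine with options.version = "2"; other entries mount by type name.
resource "vault_mount" "secrets" {
  for_each  = toset(var.secrets_to_mount)
  namespace = vault_namespace.this.path
  path      = each.key
  type      = each.key == "kv-v2" ? "kv" : each.key
  options   = each.key == "kv-v2" ? { version = "2" } : null
}

resource "vault_auth_backend" "userpass" {
  namespace = vault_namespace.this.path
  type      = "userpass"
}

# Demo login; the password is a placeholder, not something to ship.
resource "vault_generic_endpoint" "user1" {
  depends_on           = [vault_auth_backend.userpass]
  namespace            = vault_namespace.this.path
  path                 = "auth/${vault_auth_backend.userpass.path}/users/user1"
  ignore_absent_fields = true
  data_json = jsonencode({
    password       = "changeme"
    token_policies = [vault_policy.admin.name]
  })
}

# Demo-only convenience token; its client_token is written to Terraform state in plaintext.
resource "vault_token" "admin" {
  namespace = vault_namespace.this.path
  policies  = [vault_policy.admin.name]
  ttl       = "1h"
  renewable = false
}
```

To check the switch actually bites, apply with `allow_subnamespaces = false`, log in with the admin token inside the namespace and try `vault namespace create child`: it should fail with a permission denied on `sys/namespaces/child`. Flip the variable, re-apply, and the same command succeeds.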
- Ensure terraform >= 0.13 is in your path
- Define your Vault address and Vault token in the variables `vault_addr` and `vault_token` (either in local.auto.tfvars, or in your TFE/TFC workspace variables)
- `$ terraform plan` and check it out
- `$ terraform apply` if you like what you see
- Get the tokens created for each policy in each namespace with:
  `$ terraform state pull | jq '.resources[] | select(.type == "vault_token") | .instances[0].attributes'`
  Note that the `client_token` of every `vault_token` resource is stored in plaintext in the Terraform state, so the state file (and any remote backend holding it) must be protected like a secret.
Sample local.auto.tfvars
```hcl
vault_addr       = "https://yourvault.company.com:8200"
vault_token      = "your-token-here"
secrets_to_mount = ["kv", "kv-v2", "pki", "transit"]
auths_to_mount   = ["userpass", "aws"]
```