ednz-cloud/terraform-vault-tenant

terraform-vault-tenant

This module provides a way for companies and individuals running the community version of Vault to segregate access between teams.

This "tenant" module requires that you have at least one approle auth method mounted before deploying it. It creates a tenant admin approle role on that mount and applies the policy you define. It can also create an additional tenant-scoped approle auth mount, with roles created from policies that you define.

The idea is that, apart from access control, a tenant is free to create whatever secrets engines, secrets, etc. it needs, as long as their paths are prefixed with the tenant prefix.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0 |
| random | ~> 3.6.2 |
| vault | ~> 4.2.0 |

Providers

| Name | Version |
|------|---------|
| random | ~> 3.6.2 |
| vault | ~> 4.2.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| random_uuid.extra_secret_id | resource |
| random_uuid.root_secret_id | resource |
| vault_approle_auth_backend_role.extra | resource |
| vault_approle_auth_backend_role.root | resource |
| vault_approle_auth_backend_role_secret_id.extra | resource |
| vault_approle_auth_backend_role_secret_id.root | resource |
| vault_auth_backend.approle | resource |
| vault_identity_entity.extra | resource |
| vault_identity_entity.root | resource |
| vault_identity_entity_alias.extra | resource |
| vault_identity_entity_alias.root | resource |
| vault_identity_group.this | resource |
| vault_policy.extra | resource |
| vault_policy.root | resource |
| vault_policy_document.root | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_roles | A map of additional role names to the content of the associated policy (for example read from a file) to add for this tenant. A separate approle auth method is created for this tenant (mounted at `auth/<prefix>-approle`) including all the roles declared in this variable. The variable should look like:<pre>additional_roles = {<br>  devs   = file("path/to/policy.hcl")<br>  admins = data.vault_policy_document.admins.hcl<br>}</pre> | `map(string)` | `{}` | no |
| name | The name of the tenant you want to create | `string` | n/a | yes |
| prefix | The prefix to use for the tenant in Vault (this will prefix mount points, policies, etc.) | `string` | n/a | yes |
| root_policy_extra_rules | A map of additional policy rules to attach to the root policy. These are merged with the default rules of the root role so that you can customize it to your needs. | <pre>map(object({<br>  path                = string<br>  capabilities        = list(string)<br>  description         = optional(string)<br>  required_parameters = optional(list(string))<br>  allowed_parameter   = optional(map(list(any)))<br>  denied_parameter    = optional(map(list(any)))<br>  min_wrapping_ttl    = optional(number)<br>  max_wrapping_ttl    = optional(number)<br>}))</pre> | `{}` | no |
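A complete module call wiring all four inputs, added here as an illustration and not taken from the module's own documentation. The module source, the tenant name and prefix `team-a`, the mount names `team-a-kv`, `shared-kv` and `pki`, the PKI role and the local policy file path are assumptions.

```hcl
# Added illustration, not the module's own code. Assumed: module source,
# tenant name/prefix "team-a", mounts "team-a-kv", "shared-kv" and "pki",
# the PKI role "team-a" and the local policy file path.

# Tenant-scoped policy for developers: it stays under the tenant prefix,
# so it can never grant access to another tenant's mounts.
data "vault_policy_document" "team_a_devs" {
  rule {
    path         = "team-a-kv/data/*"
    capabilities = ["read", "list"]
    description  = "developers read the tenant's KV secrets"
  }
}

module "tenant_team_a" {
  source = "git::https://github.com/ednz-cloud/terraform-vault-tenant.git" # assumed

  name   = "team-a"
  prefix = "team-a"

  # Roles created on the tenant's own approle mount, one per policy.
  additional_roles = {
    devs   = data.vault_policy_document.team_a_devs.hcl
    admins = file("${path.module}/policies/team-a-admins.hcl")
  }

  # Extra rules merged into the tenant admin (root) policy. Both touch paths
  # outside the tenant prefix, which is why the default policy cannot cover them.
  root_policy_extra_rules = {
    shared_pki = {
      path                = "pki/issue/team-a"
      capabilities        = ["update"]
      description         = "tenant admin may issue certificates from the shared PKI role"
      required_parameters = ["common_name"]
    }
    bootstrap_secret = {
      path             = "shared-kv/data/bootstrap/team-a"
      capabilities     = ["read"]
      description      = "bootstrap secret must be delivered response-wrapped"
      min_wrapping_ttl = 60 # seconds, per the module's number type
      max_wrapping_ttl = 300
    }
  }
}

output "team_a_root_role" {
  description = "Root approle role to hand to the tenant admin out of band"
  value       = module.tenant_team_a.root_role
}
```

The wrapping TTL rule forces the bootstrap secret to be returned as a response-wrapped token, so a leaked plain read of that path cannot expose the value.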

Outputs

| Name | Description |
|------|-------------|
| approle_mount | The approle mount for the tenant |
| extra_role_policies | The tenant extra role policy names |
| extra_roles | The tenant extra approle roles |
| root_policy | The tenant root policy name |
| root_role | The tenant root approle role |