Skip to content

nixys/nxs-vault-app-init

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

14 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

nxs-vault-app-init

nxs-vault-app-init

Introduction

nxs-vault-app-init is a Terraform (>= v1.0.0) module for Vault initialization.

Features

  • Create policies
  • Create secrets engines
  • Create auth backends (certs, jwt, oidc, kubernetes, etc)
  • Create jwt/oidc roles and identity groups
  • Generate tls certs and jwt keys in specific directory

Who can use the tool

  • System Administrators
  • DevOps Engineers
  • Developers

Who work with different projects that use Vault.

Quickstart

For use this module you need to installed Terraform package. Set up the nxs-vault-app-init Terraform file, then init, plan and run module:

$ terraform init
$ terraform plan
$ terraform apply

Settings

Variable Required Default value Description
output_files_path true ./files The path to directory where save generated tls certs and jwt keys
vault_addr true Vault address
vault_admin_token true Vault admin token
vault_skip_tls_verify false false Set this to true to disable verification of the Vault server's TLS certificate
policies true List of policies to create
policies.name true Name of the policy
policies.paths true List of paths for secrets engines
policies.capabilities true List of capabilities for policy
secrets_engines true List of secrets engines
secrets_engines.path true Secret engine path
secrets_engines.type true Secret engine type
secrets_engines.options false Secret engine options
auth_backends true List of auth backends
auth_backends.type true Auth backend type. Must not be equal to "kubernetes", "jwt", "oidc". To use cert auth method, "tls_disable" must be false in the Vault configuration. This is because the certificates are sent through TLS communication itself
auth_backends.path false Auth backend path. Default value equal to type
auth_backends.tune false Auth backend tune
jwt_oidc_auth_backend true List of jwt/oidc auth backends. Only one of variable (jwt_oidc_auth_backend.jwks_url, jwt_oidc_auth_backend.oidc_discovery_url, jwt_oidc_auth_backend.jwt_validation_pubkeys) must be set for one backend
jwt_oidc_auth_backend.path true Auth backend path
jwt_oidc_auth_backend.type false jwt Auth backend type
jwt_oidc_auth_backend.oidc_discovery_url false The OIDC Discovery URL, without any .well-known component (base path). Cannot be used in combination with jwt_validation_pubkeys
jwt_oidc_auth_backend.oidc_discovery_ca_pem false The CA certificate or chain of certificates, in PEM format, to use to validate connections to the OIDC Discovery URL. If not set, system certificates are used
jwt_oidc_auth_backend.oidc_client_id false Client ID used for OIDC backends
jwt_oidc_auth_backend.oidc_client_secret false Client Secret used for OIDC backends
jwt_oidc_auth_backend.oidc_response_mode false query The response mode to be used in the OAuth2 request. Allowed values are "query" and "form_post". If using Vault namespaces, and oidc_response_mode is "form_post", then namespace_in_state should be set to "false"
jwt_oidc_auth_backend.oidc_response_types false ["code"] List of response types to request. Allowed values are "code" and "id_token". Note: "id_token" may only be used if oidc_response_mode is set to form_post
jwt_oidc_auth_backend.jwks_url false JWKS URL to use to authenticate signatures. Cannot be used with oidc_discovery_url or jwt_validation_pubkeys
jwt_oidc_auth_backend.jwks_ca_pem false The CA certificate or chain of certificates, in PEM format, to use to validate connections to the JWKS URL. If not set, system certificates are used
jwt_oidc_auth_backend.jwt_validation_pubkeys false A list of PEM-encoded public keys to use to authenticate signatures locally. Cannot be used in combination with oidc_discovery_url
jwt_oidc_auth_backend.bound_issuer false The value against which to match the iss claim in a JWT
jwt_oidc_auth_backend.jwt_supported_algs false Vault 1.1.0 defaults to [RS256] but future or past versions of Vault may differ A list of supported signing algorithms
jwt_oidc_auth_backend.default_role false The default role to use if none is provided during login
jwt_oidc_auth_backend.provider_config false Provider specific handling configuration. All values may be strings, and the provider will convert to the appropriate type when configuring Vault
jwt_oidc_auth_backend.local false Specifies if the auth method is local only
jwt_oidc_auth_backend.namespace_in_state false Pass namespace in the OIDC state parameter instead of as a separate query parameter. With this setting, the allowed redirect URL(s) in Vault and on the provider side should not contain a namespace query parameter. This means only one redirect URL entry needs to be maintained on the OIDC provider side for all vault namespaces that will be authenticating against it. Defaults to true for new configs
jwt_oidc_auth_backend.tune false Auth backend tune
certs_auth_backend true List of certs auth backends
certs_auth_backend.name true Cert name
certs_auth_backend.policies true List of policies
certs_auth_backend.path false cert Certs auth backend path
certs_auth_backend.tls_self_signed_cert true Cert info
certs_auth_backend.tls_self_signed_cert.common_name false Cert common name
certs_auth_backend.tls_self_signed_cert.organization false Cert organization
certs_auth_backend.tls_self_signed_cert.allowed_uses true List of keywords each describing a use that is permitted for the issued certificate
certs_auth_backend.tls_self_signed_cert.convert_to_pkcs12 false false Create or not pkcs12 cert
kubernetes_auth_backends true List of kubernetes auth backends
kubernetes_auth_backends.path false kubernetes Auth backend path
kubernetes_auth_backends.kubernetes_host true Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server
kubernetes_auth_backends.kubernetes_ca_cert false PEM encoded CA cert for use by the TLS client used to talk with the Kubernetes API
kubernetes_auth_backends.token_reviewer_jwt false A service account JWT used to access the TokenReview API to validate other JWTs during login. If not set the JWT used for login will be used to access the API
kubernetes_auth_backends.issuer false JWT issuer
kubernetes_auth_backends.roles false List of roles
kubernetes_auth_backends.roles.role_name true Role name
kubernetes_auth_backends.roles.bound_service_account_names true List of service account names able to access this role. If set to ["*"] all names are allowed, both this and bound_service_account_namespaces can not be "*"
kubernetes_auth_backends.roles.bound_service_account_namespaces true List of namespaces allowed to access this role. If set to ["*"] all namespaces are allowed, both this and bound_service_account_names can not be set to "*"
kubernetes_auth_backends.roles.token_policies false List of policies to encode onto generated tokens
kubernetes_auth_backends.tune false Auth backend tune
vault_tokens true List of vault tokens
vault_tokens.display_name true Token display name
vault_tokens.policies true Token policies
vault_tokens.role_name false The token role name
vault_tokens.renewable false Flag to allow to renew this token
vault_tokens.ttl false The TTL period of this token
vault_tokens.explicit_max_ttl false The explicit max TTL of this token
vault_tokens.period false The period of this token
vault_tokens.renew_min_lease false The minimal lease to renew this token
vault_tokens.renew_increment false The renew increment
vault_token_roles true List of vault token auth backend roles
vault_token_roles.role_name true The name of the role
vault_token_roles.allowed_policies false List of allowed policies for given role
vault_token_roles.disallowed_policies false List of disallowed policies for given role
vault_token_roles.orphan false If true, tokens created against this policy will be orphan tokens
vault_token_roles.renewable false Whether to disable the ability of the token to be renewed past its initial TTL
vault_token_roles.path_suffix false Tokens created against this role will have the given suffix as part of their path in addition to the role name
vault_token_roles.token_period false If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds
vault_token_roles.token_ttl false The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
vault_token_roles.token_max_ttl false The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
vault_token_roles.token_explicit_max_ttl false If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal
jwt_oidc_roles true List of jwt/oidc roles
jwt_oidc_roles.name true Role name
jwt_oidc_roles.path true Auth backend path
jwt_oidc_roles.type false Role type
jwt_oidc_roles.user_claim true The claim to use to uniquely identify the user; this will be used as the name for the Identity entity alias created due to a successful login
jwt_oidc_roles.bound_claims false If set, a map of claims to values to match against. A claim's value must be a string, which may contain one value or multiple comma-separated values, e.g. "red" or "red,green,blue"
jwt_oidc_roles.bound_audiences false List of aud claims to match against. Any match is sufficient
jwt_oidc_roles.bound_subject false If set, requires that the sub claim matches this value
jwt_oidc_roles.bound_claims_type false How to interpret values in the claims/values map (bound_claims): can be either string (exact match) or glob (wildcard match). Requires Vault 1.4.0 or above
jwt_oidc_roles.claim_mappings false If set, a map of claims (keys) to be copied to specified metadata fields (values)
jwt_oidc_roles.oidc_scopes false If set, a list of OIDC scopes to be used with an OIDC role. The standard scope "openid" is automatically included and need not be specified
jwt_oidc_roles.groups_claim false The claim to use to uniquely identify the set of groups to which the user belongs; this will be used as the names for the Identity group aliases created due to a successful login. The claim value must be a list of strings
jwt_oidc_roles.allowed_redirect_uris false The list of allowed values for redirect_uri during OIDC logins. Required for OIDC roles
jwt_oidc_roles.clock_skew_leeway false 60 The amount of leeway to add to all claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles
jwt_oidc_roles.expiration_leeway false 60 The amount of leeway to add to expiration (exp) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles
jwt_oidc_roles.not_before_leeway false 60 The amount of leeway to add to not before (nbf) claims to account for clock skew, in seconds. Defaults to 60 seconds if set to 0 and can be disabled if set to -1. Only applicable with "jwt" roles
jwt_oidc_roles.verbose_oidc_logging false Log received OIDC tokens and claims when debug-level logging is active. Not recommended in production since sensitive information may be present in OIDC responses
jwt_oidc_roles.token_ttl false The incremental lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
jwt_oidc_roles.token_max_ttl false The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time
jwt_oidc_roles.token_period false If set, indicates that the token generated using this role should never expire. The token should be renewed within the duration specified by this value. At each renewal, the token's TTL will be set to the value of this field. Specified in seconds
jwt_oidc_roles.token_policies false List of policies to encode onto generated tokens. Depending on the auth method, this list may be supplemented by user/group/other values
jwt_oidc_roles.token_bound_cidrs false List of CIDR blocks; if set, specifies blocks of IP addresses which can authenticate successfully, and ties the resulting token to these blocks as well
jwt_oidc_roles.token_explicit_max_ttl false If set, will encode an explicit max TTL onto the token in number of seconds. This is a hard cap even if token_ttl and token_max_ttl would otherwise allow a renewal
jwt_oidc_roles.token_no_default_policy false If set, the default policy will not be set on generated tokens; otherwise it will be added to the policies set in token_policies
jwt_oidc_roles.token_num_uses false The period, if any, in number of seconds to set on the token
jwt_oidc_roles.token_type false The type of token that should be generated. Can be service, batch, or default to use the mount's tuned default (which unless changed will be service tokens). For token store roles, there are two additional possibilities: default-service and default-batch which specify the type to return unless the client requests a different type at generation time
identity_groups true List of identity groups
identity_groups.group_id true Identity group name
identity_groups.type false internal Type of the group, internal or external
identity_groups.policies false A list of policies to apply to the group
identity_groups.mount_type true Vault auth backend type
identity_groups.mount_path true Vault auth backend path
identity_groups.metadata false A map of additional metadata to associate with the group

Example

Usage example located in this directory.

Roadmap

Following features are already in backlog for our development team and will be released soon:

  • Add LDAP auth backend

Feedback

For support and feedback please contact me:

License

nxs-vault-app-init is released under the Apache License 2.0.