secmgmt
0opsops/secmgmt/vault
Terraform module to manage HashiCorp Vault Secrets!
Managing HashiCorp Vault secrets with Terraform: multi-Kubernetes-cluster authentication, multi-AWS-account assumed roles, and generating IAM users for CI/CD purposes, all on top of a pre-existing Vault! Just like this!

Auth Methods

- USERPASS (UI)
- OIDC (UI)
- AWS
- JWT (GitLab, GitHub)
- KUBERNETES

Secrets Engines

- KV-V2
- AWS

THIS MODULE'S DOWNSIDE IS THAT ALL SECRET VALUES WOULD BE INSIDE TERRAFORM.TFVARS, WHICH AIN'T PRETTY GOOD AND MAKES MANAGING SECRETS AT LARGE SCALE REALLY HARD! (WELL.... WHATEVER... YOU KNOW VERY WELL WHAT YOU'RE DOING!)

________________________________________________________________

Requirements

| Name | Version |
|------|---------|
| terraform | >= v1.6.5 |
| vault | >= 4.2.0 |

Providers

| Name | Version |
|------|---------|
| vault | >= 4.2.0 |

Modules

No modules.

Resources

Inputs
| Name | Type | Description | Default |
|---|---|---|---|
| create_kv_engine | bool | Enable the KV version 2 secret engine | required |
| create_kv_v2 | bool | Create KV version 2 secrets | required |
| create_userpass | bool | Authenticate to Vault with username/password | required |
| enabled_gl_jwt_backend | bool | Enable the GitLab JWT auth method or not | required |
| create_gh_acc_role | bool | Enable the account role for the GitHub JWT auth method | required |
| create_aws_auth_backend_user | bool | Enable the AWS auth method or not | required |
| create_gh_secret_role | bool | For GHA, enable the secrets JWT auth method role or not | required |
| create_policy | bool | Enable Vault policy or not | required |
| create_gl_secret_role | bool | For GitLab, enable the secrets JWT auth method role or not | required |
| region_user | string | Region that Vault resides in | `"us-east-1"` |
| auth_backend_role_user | `map(object({ account_id = …` | If enabled, this role will be used by Vault for authenticating and performing n… | `{ "key": { "account_id": 134567890 …` |
| aws_auth_path | string | AWS auth method path | `"aws"` |
| auth_backend_role | `map(object({ account_id = …` | Role that will be used by Vault for authenticating to AWS | `{ "key": { "account_id": 123456789 …` |
| secret_backend_role | `map(object({ name = s…` | Create and use an STS assumed role by Vault for performing the necessary actions respective… | `{ "key": { "name": "aws", "rol…` |
| default_ttl_gl_jwt | string | Default time to live | `"1h"` |
| max_ttl_gl_jwt | string | Maximum time to live | `"2h"` |
| gl_acc_bound_claims | `map(object({ role_name…` | JWT/OIDC auth method role for an AWS account in a Vault server | `{ "key": { "bound_claims": { …` |
| gh_secret_token_policies | list(string) | Secrets policy name | `["default"]` |
| gl_secret_bound_claims | `map(object({ role_name…` | JWT/OIDC auth method role for secret values in a Vault server | `{ "key": { "bound_claims": { …` |
| k8s_config | `map(object({ backend…` | Kubernetes auth backend configuration | `{ "dev-k8s": { "backend": "dev-k8s…` |
| kv_v2_path | string | KV-V2 secret engine path | `"infra"` |
| delete_version_after | number | Old secret versions will be deleted after this many seconds (7 days) | `604800` |
| max_ttl_aws | string | Maximum time to live for the assumed role | `3600` |
| aws_secret_path | string | AWS secret engine path for the assumed role | `"aws"` |
| gh_acc_bound_aud | list(string) | URL of the repository owner, e.g. `https://github.com/OWNER`, such as the organiz… | `[""]` |
| oidc_auth_path | `map(object({ oidc_path…` | OIDC mount path | `{ "gmail": { "oidc_client_id": "12…` |
| credential_type | string | AWS STS assumed role type | `"assumed_role"` |
| access_key_user | string | AWS access key with the necessary permissions | `"ACCESS_KEY"` |
| gl_jwt_token_type | string | `service` token or `batch` token? Default is `service` token | `"service"` |
| … and 10 more inputs | | | |
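A minimal call to this module, added here as an example; it is not part of the module's own documentation. The input names and defaults are taken from the table above, while the `version` constraint is a placeholder. The object-typed inputs (`auth_backend_role`, `secret_backend_role`, `k8s_config`, `oidc_auth_path`, and the `*_bound_claims` maps) are left at their defaults because the table truncates their schemas, and any required inputs among the ten the table elides would also have to be set. The AWS access key is passed through a variable marked `sensitive` and supplied from the environment (`TF_VAR_aws_access_key`) rather than being written into `terraform.tfvars`, which is the weakness the description calls out; the value still ends up in the Terraform state, so the state backend must be encrypted and access-controlled.

```hcl
# Added example of calling the module. Input names come from the inputs
# table; the version, the variable below and the chosen values are assumptions.
variable "aws_access_key" {
  description = "Access key of the IAM user Vault uses to reach AWS (export TF_VAR_aws_access_key; do not put it in terraform.tfvars)"
  type        = string
  sensitive   = true
}

module "secmgmt" {
  source  = "0opsops/secmgmt/vault"
  version = "x.y.z" # placeholder: pin to a release you have reviewed

  # Secrets engines
  create_kv_engine     = true
  create_kv_v2         = true
  kv_v2_path           = "infra"
  delete_version_after = 604800 # seconds: old KV versions are purged after 7 days

  aws_secret_path = "aws"
  credential_type = "assumed_role"
  max_ttl_aws     = 3600

  # Auth methods
  create_userpass              = true
  create_aws_auth_backend_user = true
  aws_auth_path                = "aws"
  region_user                  = "us-east-1"
  access_key_user              = var.aws_access_key # sensitive input, never a literal

  enabled_gl_jwt_backend = true
  create_gl_secret_role  = true
  default_ttl_gl_jwt     = "1h"
  max_ttl_gl_jwt         = "2h"
  gl_jwt_token_type      = "service"

  # GitHub JWT roles are switched off in this example
  create_gh_acc_role    = false
  create_gh_secret_role = false

  create_policy = true
}
```

Running `terraform plan` with the key exported in the environment keeps it out of the committed `.tfvars` file and redacts it from plan output, but `terraform state pull` will still show it, so treat the state store as a secret store.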