secrets-engines
devops-rob/secrets-engines/vault
A Terraform module to enable and configure HashiCorp Vault Secrets Engines
# Terraform Module: Vault Secrets Engine

A Terraform module to enable and configure Vault secrets engines.

## Overview

This module supports the following Vault Secrets Engines:

- AWS
- Azure
- GCP
- Consul
- Transit
- Database
- PKI
- SSH
- RabbitMQ

## Requirements

This module requires Terraform version 0.13.0 or newer and an accessible Vault instance. The Vault token used by Terraform will need the following Vault policy:

```hcl
path "sys/mount*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
```

## Usage

```hcl
module "secrets_engines" {
  source = "github.com/devops-rob/terraform-vault-secrets-engines"

  secrets_engines = [
    "aws",
    "consul"
  ]

  # AWS config
  aws_backend_role_name = "test"
  aws_iam_groups        = ["test"]

  # Consul config
  consul_token =
```

## Inputs
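The following is an added, complete root configuration around the module call above; it is not part of the module's README. The module source and the `secrets_engines`, `aws_backend_role_name`, `aws_iam_groups`, `consul_token`, `aws_policy_arns`, `default_lease`, `max_lease` and `seal_wrap` names are taken from this page; the Vault provider block, the `consul_token` variable, the ARN value and the lease values are assumptions, and any required inputs that are not visible in the table on this page are not covered. The `sensitive` variable attribute needs Terraform 0.14 or newer, which is stricter than the module's own 0.13.0 floor.

```hcl
terraform {
  # Module floor is 0.13.0; 0.14 is required here for `sensitive = true` on variables.
  required_version = ">= 0.14.0"
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Address and token are read from VAULT_ADDR / VAULT_TOKEN in the environment,
# so the Terraform token never appears in this configuration. That token only
# needs the sys/mount* capabilities listed in the Requirements section.
provider "vault" {}

# Assumed variable (not in the README): the Consul token is supplied via
# TF_VAR_consul_token and marked sensitive so it is redacted from plan/apply output.
variable "consul_token" {
  type        = string
  description = "Consul management token Vault uses to mint child tokens."
  sensitive   = true
}

module "secrets_engines" {
  source = "github.com/devops-rob/terraform-vault-secrets-engines"

  secrets_engines = ["aws", "consul"]

  # Lease ceilings in seconds: short default, explicit maximum, so dynamic
  # credentials expire quickly even when a caller does not request a TTL.
  default_lease = 900
  max_lease     = 3600

  # Module default is already true; set explicitly so any change shows up as drift.
  seal_wrap = true

  # AWS config (values from the README usage block; the ARN is a constructed
  # placeholder and should be replaced with a least-privilege policy).
  aws_backend_role_name = "test"
  aws_iam_groups        = ["test"]
  aws_policy_arns       = ["arn:aws:iam::aws:policy/ReadOnlyAccess"]

  # Consul config: the secret comes from the variable, not from the source file.
  consul_token = var.consul_token
}
```

Run it with `VAULT_ADDR`, `VAULT_TOKEN` and `TF_VAR_consul_token` exported. Marking the variable sensitive only redacts it from CLI output; Terraform state still holds the value in plain text, so the state backend needs encryption and access control of its own.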
| Name | Type | Description | Default |
|---|---|---|---|
| hana_root_rotation_statements | list(string) | A list of database statements to be executed to rotate the root user's credentia | required |
| mysql_allowed_roles | list(string) | A list of roles that are allowed to use this connection. | required |
| mysql_root_rotation_statements | list(string) | A list of database statements to be executed to rotate the root user's credentia | required |
| ssh_key_id_format | string | Specifies a custom format for the key id of a signed certificate. | required |
| azure_app_id | string | Application Object ID for an existing service principal that will be used instea | required |
| cassandra_pem_bundle | string | Concatenated PEM blocks configuring the certificate chain. | required |
| mssql_allowed_roles | list(string) | A list of roles that are allowed to use this connection. | required |
| gcp_credentials | string | The GCP service account credentials in JSON format. | required |
| gcp_project | string | Name of the GCP project that this roleset's service account will belong to. | required |
| rabbitmq_username | string | Username for RabbitMQ instance. | required |
| ssh_cidr_list | string | The comma-separated string of CIDR blocks for which this role is applicable. | required |
| aws_policy_arns | list(string) | List of AWS managed policy ARNs. The behavior depends on the credential type. Wi | required |
| elasticsearch_allowed_roles | list(string) | A list of roles that are allowed to use this connection. | required |
| cassandra_seal_wrapping | bool | Enable seal wrapping for the DB secrets engine for cassandra. | true |
| hana_max_idle_connections | number | The maximum number of idle connections to maintain. | 360 |
| rabbitmq_default_ttl | number | Default TTL for RabbitMQ. | 3600 |
| rabbitmq_configure_permissions | string | List of resources to grant configure permissions to. | "" |
| max_lease | number | Maximum lease for all secrets engines | 3600 |
| cassandra_insecure_tls | bool | Whether to skip verification of the server certificate when using TLS. | true |
| pki_backend_maps | list(object({ path | A list of PKI objects. | [] |
| postgresql_external_entropy_access | bool | Boolean flag that can be explicitly set to true to enable the secrets engine to | true |
| ssh_allow_subdomains | bool | Specifies if host certificates that are requested are allowed to be subdomains o | true |
| azure_environment | string | The Azure cloud environment to use. | "AzurePublicCloud" |
| postgresql_seal_wrapping | bool | Enable seal wrapping for the DB secrets engine for postgresql. | true |
| rabbitmq_uri | string | Connection URI for RabbitMQ instance | "http://localhost:15672" |
| default_lease | number | Default lease for all secrets engines | 3600 |
| seal_wrap | bool | Enable seal wrapping for secrets engines | true |
| elasticsearch_seal_wrapping | bool | Enable seal wrapping for the DB secrets engine for elasticsearch. | true |
| hana_verify_connection | bool | Whether the connection should be verified on initial configuration or not. | false |
| mongodb_max_connection_lifetime | number | The maximum number of seconds to keep a connection alive for. | 360 |
| mssql_max_open_connections | number | The maximum number of open connections to use. | 360 |
| mysql_path | string | Vault path where the Database secrets engine for mysql will be mounted. | "mysql" |
| external_entropy_access | bool | Boolean flag that can be explicitly set to true to enable the secrets engine to | false |
| … and 10 more inputs | | | |
## Outputs

- gcp_role_set_service_account_email
- cassandra_mount_accessor
- mongodb_mount_accessor
- mssql_mount_accessor
- postgresql_mount_accessor
- elasticsearch_mount_accessor
- ssh_mount_accessor
- hana_mount_accessor
- mysql_mount_accessor
- oracle_mount_accessor