In this post we look at how to use Terraform to create and update your Vault configuration. The resources here are on GCP: the Terraform state lives in a GCS bucket and Vault is reached over TLS with a token that Terraform reads from disk.

Set up the remote backend

In this step we create a service account that can read and write the bucket holding the Terraform state, and grant it the role via Terraform. If Terraform is not yet configured against GCP, create the service account by hand and grant the role in the console instead. Two caveats before copying the snippet: roles/storage.admin also lets the service account change the bucket's IAM policy, while the GCS backend only needs to read, write and delete objects, so roles/storage.objectAdmin on the bucket is enough. And google_storage_bucket_iam_binding is authoritative for the role it names: applying it removes every other member that currently holds that role on the bucket; use google_storage_bucket_iam_member if you only want to add this one member. Keep in mind that the state file will contain, in plain text, every secret Terraform later writes to Vault, so keep the bucket private and turn on object versioning so a bad apply can be rolled back.

    resource "google_storage_bucket_iam_binding" "binding" {
      bucket = "your-bucket-name"
      role   = "roles/storage.admin"
      members = [
        "serviceAccount:[email protected]",
      ]
    }

Add your service account key path to the backend

In this step we download a JSON key for the service account and give the backend the path to that credential file. Do not commit the key (or the state) to the repository; if you would rather not reference the path in code, leave the credentials attribute out and set GOOGLE_BACKEND_CREDENTIALS (or GOOGLE_CREDENTIALS) to the path in the environment.

    terraform {
      backend "gcs" {
        bucket      = "your-bucket-name"
        prefix      = "dev-gcp-vault-provisioner"
        project     = "<project-name>"
        credentials = "/path/to/my-zyz-service-account.json"
      }
    }

Configure Vault

In order to communicate with Vault and create secrets, Terraform first needs a token. Therefore we will create a policy that describes what Terraform may do, then issue a token carrying that policy.

Create the tf-provisioner policy

Log in to the Vault cluster with a token that can write policies and create the policy below. The token we generate for Terraform will carry it, so it defines everything Terraform can do in Vault: manage auth methods, manage ACL policies, and read and write key/value secrets under secret/. It cannot enable new secrets engines, which would need sys/mounts/*; add that only if Terraform has to manage mounts. The sudo capability on sys/auth/* is required because enabling and disabling auth methods are root-protected operations; sudo on the whole auth/* tree is broader than most provisioners need and can be dropped if Terraform only manages roles under the auth methods.

    vault policy write tf-provisioner provisioner-policy.hcl

provisioner-policy.hcl

    # Manage auth methods broadly across Vault
    path "auth/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # Create, update, and delete auth methods
    path "sys/auth/*" {
      capabilities = ["create", "update", "delete", "sudo"]
    }

    # List auth methods
    path "sys/auth" {
      capabilities = ["read"]
    }

    # List existing policies
    path "sys/policies/acl" {
      capabilities = ["list"]
    }

    # Create and manage ACL policies via API & UI
    path "sys/policies/acl/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }

    # List, create, update, and delete key/value secrets
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }

Create a token carrying the policy

    vault token create -policy="tf-provisioner" -period="4380h"  -ttl="4380h"

The -period flag makes this a periodic token: its TTL is reset to the period on every renewal, so it can be kept alive indefinitely as long as something renews it. That is convenient for a provisioner but also means a leaked token stays valid for as long as it keeps being renewed. Creating periodic tokens is itself a root-protected operation, so run this with a root or sudo-capable token. Six months is generous; use the shortest period your apply cadence allows and consider adding -explicit-max-ttl so the token eventually expires no matter what.

Configure Terraform with Vault

On the machine where Terraform runs, write the token into a file named "vault-token" and give the provider its path; restrict the file to the Terraform user (chmod 0600) and keep it out of version control. We also need the ca.crt of the Vault cluster so the provider can verify the server's TLS certificate. Instead of putting these in the provider block you can supply them through the environment variables the provider reads:

address = VAULT_ADDR

token = VAULT_TOKEN

ca_cert_file = VAULT_CACERT

    provider "vault" {
      address      = "https://<vault-server-address>"
      # chomp strips the trailing newline most editors leave in the file;
      # without it Vault rejects the token.
      token        = chomp(file("./vault-token"))
      ca_cert_file = "./ca.crt"
    }

Now you can use Terraform to write secrets to and configure your Vault cluster.
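As an added example (not from the original post or its repository), here is a minimal Terraform configuration that uses the tf-provisioner token from the steps above to manage an ACL policy, an auth method and a key/value secret. It assumes Terraform 0.14 or newer, a recent hashicorp/vault provider, a KV version 1 engine mounted at secret/ (the path the policy grants), and the ./vault-token and ./ca.crt files described above; the policy name, AppRole name and secret path are illustrative.

```hcl
# Added example, not code from the original post. Assumes Terraform >= 0.14,
# the hashicorp/vault provider, a KV v1 engine at secret/, and the
# ./vault-token and ./ca.crt files from the steps above.

terraform {
  required_version = ">= 0.14"
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

provider "vault" {
  address      = "https://<vault-server-address>"
  token        = chomp(file("./vault-token")) # chomp drops the trailing newline
  ca_cert_file = "./ca.crt"
}

# An application-scoped ACL policy (needs sys/policies/acl/* from tf-provisioner).
resource "vault_policy" "app_read" {
  name   = "app-read"
  policy = <<-EOT
    path "secret/app/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# Enable the AppRole auth method (needs sys/auth/* with sudo).
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

# An AppRole whose tokens carry only the read policy above (needs auth/*).
# Short TTLs keep a leaked application token from living long.
resource "vault_approle_auth_backend_role" "app" {
  backend        = vault_auth_backend.approle.path
  role_name      = "app"
  token_policies = [vault_policy.app_read.name]
  token_ttl      = 3600
  token_max_ttl  = 14400
}

# The secret value is passed in as a sensitive variable so it never appears
# in the repository or in plan output.
variable "db_password" {
  type      = string
  sensitive = true
}

# A KV v1 secret under secret/ (needs secret/*). The value is stored in
# plain text in the Terraform state, which is why the state bucket must be
# locked down.
resource "vault_generic_secret" "db" {
  path = "secret/app/db"
  data_json = jsonencode({
    username = "app"
    password = var.db_password
  })
}
```

Run terraform init so the GCS backend is configured, then terraform plan and apply. Supply the password through the environment (TF_VAR_db_password) rather than on the command line, so it does not land in shell history. If the apply fails with a permission denied error from Vault, the path in the error tells you which capability the tf-provisioner policy is missing.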

You can find the source code here: