Codify Vault Enterprise management with Terraform
Personas
The scenario described in this tutorial introduces the following personas:
admin
is the organization-level administratorstudent
is a user allowed to write data to a path in vault
Challenge
A manual system administration can become a challenge as the scale of infrastructure increases. Often, an organization must manage multiple Vault environments (development, testing, staging, production, etc.). Keeping up with the increasing management demand soon becomes a challenge without some sort of automation.
Solution
One of the pillars behind the Tao of Hashicorp is automation through codification.
HashiCorp Terraform is an infrastructure as code which enables the operation team to codify the Vault configuration tasks such as the creation of policies. Automation through codification allows operators to increase their productivity, move quicker, promote repeatable processes, and reduce human error.
This tutorial demonstrates techniques for creating Vault policies and configurations using Terraform Vault Provider.
Prerequisites
- Terraform installed
- Vault Enterprise 1.4 or later
Enterprise Only
This tutorial creates namespaces which require Vault Enterprise Standard license.
If you are running open-source Vault, see the Codify Management of Vault Using Terraform tutorial.
Scenario introduction
Vault administrators must manage multiple Vault environments. The test servers get destroyed at the end of each test cycle and a new set of servers must be provisioned for the next test cycle. To automate the Vault server configuration, you are going to use Terraform to provision the following Vault resources.
Type | Name | Description |
---|---|---|
namespace | finance | A namespace dedicated to the finance organization |
namespace | engineering | A namespace dedicated to the engineering organization |
namespace | education | A namespace dedicated to the education organization |
namespace | training | A child-namespace under education dedicated to the training team |
namespace | vault_cloud | A child-namespace under education/training dedicated to the vault_cloud team |
namespace | engineering | A child-namespace under education/training dedicated to the boundary team |
ACL Policy | admins | Sets policies for the admin team |
ACL Policy | fpe-client | Sets policies for clients to encode/decode data through transform secrets engine |
auth method | userpass | Enable and create a user, "student" with admins and fpe-client policies |
auth method | approle | Enable approle auth method in the education/training and create a test-role role |
secrets engine | kv-v2 | Enable kv-v2 secrets engine in the finance namespace |
secrets engine | transform | Enable transform secrets engine at transform |
transformation | ccn-fpe | Transformation to perform format preserving encryption (FPE) transformation on credit card numbers |
transformation template | ccn | Define the data format structure for credit card numbers |
alphabet | numerics | Set of allowed characters |
The admins
policy must be created in all namespaces: root
, finance
, and
engineering
. The expected admin tasks are the same across the namespaces.
Note
Transform secrets engine requires Vault Enterprise Advanced Data Protection (ADP) license.
The following steps are demonstrated:
Examine the Terraform files
Clone or download the demo assets from the hashicorp/learn-vault-codify GitHub repository to perform the steps described in this tutorial.
Change the working directory to
learn-vault-codify/enterprise
.The directory contains Terraform files to configure Vault.
Review main.tf
Open the main.tf
file in your preferred text editor to examine its content.
1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667
To create a education/training
namespace, use the namespace
parameter to
point the vault_namespace.education.path
parent namespace.
It is strongly recommended to specify the target server specific
information
using environment variables (e.g. VAULT_ADDR
, VAULT_TOKEN
); that is
what you are going to do in this tutorial.
Note
If you are not familiar with Vault Enterprise namespace, refer to the Secure Multi-Tenancy with Namespaces tutorial.
Review policies.tf
Open the policies.tf
file and examine the
vault_policy
resources. It uses the provider
parameter to specify the target namespace to
create the policies.
1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556
Review auth.tf
Open the auth.tf
file.
- Line 4 through 6 enables
userpass
auth method. - Line 9 through 20 creates a user, "student" with
admins
andfpe-client
policies attached. The password is set to "changeme". - Line 25 through 29 enables
approle
auth method. - Line 32 through 38 creates a
test-role
role.
1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526272829303132333435363738
Review secrets.tf
Open the secrets.tf
file.
- Line 5 through 10 enables kv-v2 secretes engine in the
finance
namespace. - Line 19 through 53 defines a new alphabet, template, transformation, and a role.
- Line 59 through 69 tests the FPE transformation configured.
1 2 3 4 5 6 7 8 9 10111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970
Note
The details about the transformation, template, alphabet, and role are out of scope for this tutorial. If you are not familiar with Transform secrets engine, read the Transform Secrets Engine tutorial.
Run Terraform to configure Vault
Optional: Start a Vault server in development mode with
root
as the root token if you don't have one running already.Set the client token in the
VAULT_TOKEN
environment variable.If the token is different, be sure to set it to the correct token value that has permissions to create policies, enable secrets engines, and enable auth methods.
Set the target Vault server address in the
VAULT_ADDR
environment variable if it's not done so already.If you are connecting to a remote Vault server, be sure to set the
VAULT_ADDR
value to the correct target Vault API address.Initialize Terraform to pull Vault provider plugin.
This downloads the Vault plugin. When it completes, it displays a message,
Terraform has been successfully initialized!
Execute the
apply
command to configure Vault.This displays the actions to be performed by Terraform.
When prompted, enter
yes
to accept the plan and proceed with Vault configuration.Once completed, the output similar to the following displays.
Verify the configuration
List the existing namespaces.
List the nested namespaces.
List namespaces under
training
.Verify that policies were created.
Verify that
admins
policy was created under thefinance
namespace.Similarly, verify that
admins
policy was created under theengineering
namespace.Verify that
admins
policy was created under theeducation
namespace.Verify that
admins
policy was created under theeducation/training
namespace.Verify that
admins
policy was created under theeducation/training/vault_cloud
namespace.Verify that
admins
policy was created under theeducation/training/boundary
namespace.Verify that kv-v2 secrets engine is enabled in the
finance
namespace.Verify the transformation secrets engine configuration for credit card numbers.
List existing transformations.
Read the
ccn-fpe
transformation details.List existing transformation templates.
Read the
ccn
transformation template definition.Now, verify that you can log in with
userpass
auth method using the username, "student" and password, "changeme".The generated token has
admins
andfpe-client
policies attached. Now, take a look at thefpe-client
policy definition.The
fpe-client
policy permits update operation against thetransform/encode/*
andtransform/decode/*
paths.The student user should be able to perform format-preserving encryption (FPE) transformation.
Verify that you can decode the encoded value.
Successfully returns the original credit card number.
Verify that
approle
auth method is enabled in theeducation/training
namespace.Verify that
test-role
exists.
Clean up
When you are done exploring, you can undo the configuration made by Terraform.
Make sure that
VAULT_TOKEN
andVAULT_ADDR
environment variables are set.Destroy the Vault resources created by Terraform.
Remove the terraform state files.
Unset the
VAULT_TOKEN
andVAULT_ADDR
environment variables.
Note
To learn more about Terraform, visit Learn Terraform.
Next steps
Treat your Terraform files like any other code and manage them through a version control system such as GitHub. You may integrate it with your favorite CI/CD tool (Jenkins, Travis CI, Circle CI, etc.), always review and test the configuration.
Travis CI example:
You can test your Terraform files against a development server that runs locally, or use a Docker image of Vault.
Summary
In this guide you learned a technique for creating Vault policies and configurations using the Terraform Vault Provider. For more information, see the help and reference section.
Help and Reference
- Terraform Vault Provider documentation page
- Terraform Provider GitHub repository
- Learn Terraform
- Multi-tenancy with Namespaces
Tip
Terraform users can leverage the Vault's dynamic secrets engine to generate short-live cloud credentials when provisioning cloud resources. Inject secrets into Terraform using the Vault provider tutorial demonstrates the use of AWS secrets engine to manage AWS IAM credentials used by Terraform.