Once a Vault server is started, initialized and unsealed, the next step is to perform initial setup which typically includes:
- Create ACL policies to control access to Vault
- Enable auth methods for people or system to authenticate with Vault
- Enable secrets engines
You may have multiple Vault environments: Dev, QA, Staging, Production, etc. Instead of manually repeating the same setup against each environment, you can leverage Terraform to codify it. Terraform is an Infrastructure as Code tool which enables you to build, change and configure your infrastructure from version-controlled files.
First, log in with the root token:
vault login root
Open the main.tf file to review its content. Refer to the Terraform documentation as necessary. The main.tf creates the following:
- Create a training policy based on the training policy file
- Create a user named,
- Enable Key/Value v2 secrets engine at
- Enable Transit secrets engine at
- Create a new encryption key named,
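Below is an added example of what such a main.tf can look like. It is written for this page and is not the lab's own file: the resource labels, the user name student, the mount paths secret and transit, the key name payment, the password variable and the policy rules are all assumptions chosen for illustration, and the lab keeps its policy in a separate file rather than inline. The six resources match the six additions Terraform reports in the plan for this setup.

```hcl
# main.tf (added example, not the lab's own file). Names such as "student",
# "secret", "transit" and "payment" are assumptions for illustration.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Address and token come from VAULT_ADDR / VAULT_TOKEN in the environment,
# so nothing environment-specific, and no token, is committed to this file.
provider "vault" {}

# 1. ACL policy. Rules are embedded here; the lab loads them from a file
#    with file("...") instead. Capabilities are kept to what the user needs.
resource "vault_policy" "training" {
  name   = "training"
  policy = <<-EOT
    # Read/write application secrets under the KV v2 mount
    path "secret/data/training/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
    path "secret/metadata/training/*" {
      capabilities = ["list"]
    }
    # Encrypt and decrypt with the transit key, but never export, rotate or delete it
    path "transit/encrypt/payment" {
      capabilities = ["update"]
    }
    path "transit/decrypt/payment" {
      capabilities = ["update"]
    }
  EOT
}

# 2. Auth method for people: userpass
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# Assumption: the password is supplied as TF_VAR_student_password so it
# never lands in this file or in version control.
variable "student_password" {
  type      = string
  sensitive = true
}

# 3. A user bound to the training policy. The provider has no dedicated
#    userpass user resource, so the generic endpoint writes
#    auth/userpass/users/<name>. ignore_absent_fields stops the provider from
#    reporting a diff on the password, which Vault never returns on read.
resource "vault_generic_endpoint" "student" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/student"
  ignore_absent_fields = true

  data_json = jsonencode({
    policies = [vault_policy.training.name]
    password = var.student_password
  })
}

# 4. Key/Value v2 secrets engine
resource "vault_mount" "kv" {
  path    = "secret"
  type    = "kv"
  options = { version = "2" }
}

# 5. Transit secrets engine
resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}

# 6. Encryption key in transit. deletion_allowed is left at its default
#    (false) so a stray terraform destroy cannot remove key material.
resource "vault_transit_secret_backend_key" "payment" {
  backend = vault_mount.transit.path
  name    = "payment"
}
```

Two points worth checking before applying a file like this against a real cluster: a Vault dev server may already have a KV v2 engine mounted at secret/, in which case the vault_mount resource will fail until the path is changed or the existing mount is imported; and because the user's password is only ever written, never read back, the password variable is the one value that has to be delivered out of band (here via TF_VAR_student_password) rather than stored next to the configuration.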
Execute the following command to list existing policies:
vault policy list
The built-in policies, default and root, are the only policies listed.
Similarly, list the currently enabled auth methods as well as the secrets engines:
vault auth list
vault secrets list
The token auth method is the only auth method currently enabled, and the list of secrets engines does not yet include the Key/Value v2 or Transit engines that main.tf will enable.
First, set the VAULT_TOKEN environment variable to root, the root token used to log in above.
NOTE: Terraform's Vault provider reads the VAULT_ADDR and VAULT_TOKEN environment variables to connect to your target Vault server/cluster. Using the root token is acceptable for this lab; outside of it, give Terraform a token that carries only the policies it needs, and revoke the root token once initial setup is complete.
Execute the following Terraform command to pull the Vault provider plugin:
terraform init
Execute the following command to calculate what changes will be made based on the Terraform file (main.tf):
terraform plan
plan output reports what resources will be created, changed, or destroyed. Since this is the first time running Terraform against this Vault instance, there is nothing to change or destroy.
Plan: 6 to add, 0 to change, 0 to destroy.
Finally, execute the plan using the terraform apply command:
terraform apply -auto-approve
The -auto-approve flag skips the interactive confirmation; drop it when you want to review the plan before it is applied.
After the successful execution, the output should contain the following message:
Apply complete! Resources: 6 added, 0 changed, 0 destroyed.
NOTE: To apply the same configuration to another Vault server/cluster, simply update the VAULT_ADDR and VAULT_TOKEN values to point to the desired target server/cluster. Keep a separate Terraform state (for example a separate workspace) per target so that the state of one environment is never reconciled against another.