Difficulty: beginner
Estimated Time: 5 minutes

Many organizations use Terraform to spin up a Vault cluster. Once the cluster is up and running, a Vault admin has to perform some initial setup before other teams and applications can start interacting with Vault (e.g. enable and configure auth methods, create base policies, enable the K/V secrets engine). Terraform can perform this initial setup as well, which makes the task repeatable across clusters.

In this tutorial, you are going to explore how to codify the Vault configuration using Terraform:

  • Use a Terraform file to configure Vault
  • Verify the configuration

This scenario gave you a quick introduction to the Terraform Vault provider.

Terraform is an Infrastructure as Code tool, so treat your Terraform files as code. This means you can automate the Vault configuration process by plugging it into your preferred CI/CD tool, such as CircleCI.

For example, a git commit triggers CircleCI to spin up a Docker container running Vault in development mode and run Terraform against it. If the Vault configuration succeeds, you can roll it out to the staging cluster, and so on. Otherwise, fix the Terraform files and repeat the process.

This significantly reduces human error as well as inconsistencies across Vault environments, and the Terraform files become working documentation of every change to the Vault server configuration.

Resources:

Codify Management of Vault

Step 1 of 3

Codified Vault Configuration

Once a Vault server is started, initialized and unsealed, the next step is the initial setup, which typically includes:

  • Create ACL policies to control access to Vault
  • Enable auth methods for people or systems to authenticate with Vault
  • Enable secrets engines

You may have multiple Vault environments: Dev, QA, Staging, Production, etc. Instead of manually repeating the same setup against each environment, you can use Terraform to codify it. Terraform is an Infrastructure as Code tool which enables you to build, change and configure your infrastructure.

First, log in with the root token.

vault login root

Open the main.tf file to review its content. Refer to the Terraform documentation as necessary. The main.tf does the following:

  1. Read the training policy file (training.hcl)
  2. Create a training policy from that policy file
  3. Enable the userpass auth method
  4. Create a user named student with password changeme and the training policy attached
  5. Enable the Key/Value v2 secrets engine at the kv-v2 path
  6. Enable the Transit secrets engine at the transit path
  7. Create a new encryption key named payment
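
The following main.tf is an added, illustrative reconstruction of the seven steps above; it is not the tutorial's own file, and the resource labels, the path.module reference, and the student_password variable are assumptions. It uses only resources that exist in the HashiCorp Vault provider (vault_policy, vault_auth_backend, vault_generic_endpoint, vault_mount, vault_transit_secret_backend_key):

```hcl
# Illustrative main.tf (added example, not the tutorial's file).
# Resource labels and the student_password variable are assumptions.
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Address and token are taken from VAULT_ADDR and VAULT_TOKEN,
# so no credentials are written into this file.
provider "vault" {}

# The user password is a variable rather than a literal. The default matches
# the tutorial; in real use override it via TF_VAR_student_password.
# Marking it sensitive keeps it out of plan/apply output, but NOT out of the
# state file, which stores resource attributes in plaintext.
variable "student_password" {
  type      = string
  sensitive = true
  default   = "changeme"
}

# Steps 1-2: read training.hcl from the module directory and create the policy.
resource "vault_policy" "training" {
  name   = "training"
  policy = file("${path.module}/training.hcl")
}

# Step 3: enable the userpass auth method at its default path (auth/userpass).
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

# Step 4: create the student user. The provider has no dedicated userpass-user
# resource, so the generic endpoint resource writes the API path directly.
# ignore_absent_fields is required because Vault never returns the password
# on read; without it every plan would show a spurious diff.
resource "vault_generic_endpoint" "student" {
  depends_on           = [vault_auth_backend.userpass]
  path                 = "auth/userpass/users/student"
  ignore_absent_fields = true

  data_json = jsonencode({
    policies = [vault_policy.training.name]
    password = var.student_password
  })
}

# Step 5: enable the KV v2 secrets engine at kv-v2.
resource "vault_mount" "kv_v2" {
  path = "kv-v2"
  type = "kv-v2"
}

# Step 6: enable the Transit secrets engine at transit.
resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}

# Step 7: create the payment encryption key inside the transit mount.
# Referencing vault_mount.transit.path makes Terraform order the creation.
resource "vault_transit_secret_backend_key" "payment" {
  backend = vault_mount.transit.path
  name    = "payment"
}
```

Two practitioner caveats follow from this file. First, because data_json is a resource attribute, the student password lands in terraform.tfstate in plaintext whether or not the variable is marked sensitive, so the state must be protected (a remote backend with encryption at rest and restricted access) and never committed to git. Second, Terraform will apply this configuration with whatever token VAULT_TOKEN holds; the root token is convenient in a dev-mode sandbox, but a pipeline should use a token issued against a policy that grants only the sys/policies, sys/auth, sys/mounts, auth/userpass and transit paths it actually writes.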

Execute the following command to list existing policies:

vault policy list

The built-in policies, default and root, are the only policies listed.

Similarly, list the currently enabled auth methods as well as secrets engine:

vault auth list
vault secrets list

The token auth method is the only auth method currently enabled, and the list of secrets engines shows neither the kv-v2 nor the transit path.


Run Terraform

First, set the VAULT_TOKEN environment variable to root.

export VAULT_TOKEN=root

NOTE: The Terraform Vault provider reads the VAULT_ADDR and VAULT_TOKEN environment variables to connect to your target Vault server/cluster, so no address or token needs to appear in the Terraform files.

Execute the following Terraform command to pull the Vault provider plugin.

terraform init

Execute the following command to calculate what changes Terraform will make based on the configuration file (main.tf).

terraform plan

The plan output reports which resources will be created, changed, or destroyed. Since this is the first run of Terraform against this Vault instance, there is nothing to change or destroy. The six additions correspond to items 2 through 7 of the main.tf summary above: the training policy, the userpass auth method, the student user, the kv-v2 and transit mounts, and the payment key (item 1, reading training.hcl, is not a resource).

Plan: 6 to add, 0 to change, 0 to destroy.

Finally, execute the plan using the terraform apply command.

terraform apply -auto-approve

After the successful execution, the output should contain the following message:

Apply complete! Resources: 6 added, 0 changed, 0 destroyed.

NOTE: To apply the same configuration to another Vault server/cluster, update the VAULT_ADDR and VAULT_TOKEN values to point to the desired target server/cluster. Use a separate Terraform state per environment (a different state backend or Terraform workspace), because the state records which cluster's resources Terraform manages; pointing an existing state at a new cluster will cause Terraform to recreate the resources there and lose track of the original cluster.