Vault administrators must manage multiple Vault environments. The test servers get destroyed at the end of each test cycle, and a new set of servers must be provisioned for the next one. To automate the Vault server configuration, you will use Terraform to provision the following Vault resources:
| Type | Name | Description |
|---|---|---|
| namespace | finance | A namespace dedicated to the finance organization |
| namespace | engineering | A namespace dedicated to the engineering organization |
| ACL policy | admins | Sets policies for the admin team |
| ACL policy | fpe-client | Sets policies for clients to encode/decode data through the transform secrets engine |
| auth method | userpass | Enable and create a user, "student" with |
| secrets engine | kv-v2 | Enable kv-v2 secrets engine in the |
| secrets engine | transform | Enable transform secrets engine at |
| transformation | ccn-fpe | Transformation to perform format-preserving encryption (FPE) on credit card numbers |
| transformation template | ccn | Define the data format structure for credit card numbers |
| alphabet | numerics | Set of allowed characters |
The admins policy must be created in all namespaces: engineering. The expected admin tasks are the same across the namespaces.
Examine provided Terraform files

The following Terraform files are provided:

- main.tf defines two provider blocks, each pointing to a different namespace: finance and engineering. This allows you to leverage multiple namespaces during the Vault configuration.
- policies.tf creates the admins and eaas-client policies based on the policies/fpe-client-policy.hcl file respectively. The admins policy gets created in the engineering namespaces. The fpe-client policy gets created in the
- auth.tf enables the userpass auth method and creates a user,
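As an added example (not the tutorial's own main.tf, policies.tf or auth.tf), the following single Terraform file shows how the resources in the table above fit together: a root-namespace provider, two aliased providers scoped to the finance and engineering namespaces, the admins policy created in each namespace from one policy file, the fpe-client policy, the userpass auth method with a "student" user, and the kv-v2 and transform mounts. Everything the page elides is an assumption here: the admins policy file name policies/admin-policy.hcl, the finance namespace for the fpe-client policy and both mounts, the mount paths, the "payments" role name, the credit card pattern, and the student_password variable.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 2.12.0" # transform resources need v2.12.0 or later
    }
  }
}

# Root-namespace provider; address and token come from VAULT_ADDR / VAULT_TOKEN.
provider "vault" {}

# Aliased providers: every resource that sets provider = vault.<alias>
# is created inside that child namespace.
provider "vault" {
  alias     = "finance"
  namespace = "finance"
}

provider "vault" {
  alias     = "engineering"
  namespace = "engineering"
}

resource "vault_namespace" "finance" {
  path = "finance"
}

resource "vault_namespace" "engineering" {
  path = "engineering"
}

# One policy document, applied in root and in both child namespaces.
# The file name is an assumption; only the fpe-client file name is on the page.
locals {
  admins_policy = file("${path.module}/policies/admin-policy.hcl")
}

resource "vault_policy" "admins_root" {
  name   = "admins"
  policy = local.admins_policy
}

resource "vault_policy" "admins_finance" {
  provider   = vault.finance
  name       = "admins"
  policy     = local.admins_policy
  depends_on = [vault_namespace.finance] # namespace must exist before writing into it
}

resource "vault_policy" "admins_engineering" {
  provider   = vault.engineering
  name       = "admins"
  policy     = local.admins_policy
  depends_on = [vault_namespace.engineering]
}

# fpe-client policy for transform clients; the finance namespace is assumed.
resource "vault_policy" "fpe_client" {
  provider   = vault.finance
  name       = "fpe-client"
  policy     = file("${path.module}/policies/fpe-client-policy.hcl")
  depends_on = [vault_namespace.finance]
}

# userpass auth method in the root namespace and the "student" user.
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

variable "student_password" {
  type      = string
  sensitive = true # assumed variable; keep the password out of the .tf files
}

resource "vault_generic_endpoint" "student" {
  path                 = "auth/${vault_auth_backend.userpass.path}/users/student"
  ignore_absent_fields = true # Vault never returns the password, so do not diff on it
  data_json = jsonencode({
    password       = var.student_password
    token_policies = ["admins"]
  })
}

# kv-v2 and transform mounts; namespace and paths are assumed.
resource "vault_mount" "kv" {
  provider   = vault.finance
  path       = "kv-v2"
  type       = "kv-v2"
  depends_on = [vault_namespace.finance]
}

resource "vault_mount" "transform" {
  provider   = vault.finance
  path       = "transform"
  type       = "transform"
  depends_on = [vault_namespace.finance]
}

resource "vault_transform_alphabet" "numerics" {
  provider = vault.finance
  path     = vault_mount.transform.path
  name     = "numerics"
  alphabet = "0123456789"
}

resource "vault_transform_template" "ccn" {
  provider = vault.finance
  path     = vault_mount.transform.path
  name     = "ccn"
  type     = "regex"
  pattern  = "(\\d{4})-(\\d{4})-(\\d{4})-(\\d{4})" # assumed card layout
  alphabet = vault_transform_alphabet.numerics.name
}

resource "vault_transform_transformation" "ccn_fpe" {
  provider      = vault.finance
  path          = vault_mount.transform.path
  name          = "ccn-fpe"
  type          = "fpe"
  template      = vault_transform_template.ccn.name
  tweak_source  = "internal"
  allowed_roles = ["payments"] # assumed role name
}

resource "vault_transform_role" "payments" {
  provider        = vault.finance
  path            = vault_mount.transform.path
  name            = "payments"
  transformations = [vault_transform_transformation.ccn_fpe.name]
}
```

Two points worth checking in your own files: a provider block cannot carry depends_on, so resources created through an aliased provider need an explicit depends_on on the vault_namespace resource, otherwise the first apply can race the namespace creation; and the user's password should arrive through a sensitive variable (or be set out of band) rather than be committed with the configuration, since the plan output and state file would otherwise carry it.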
NOTE: Terraform Vault Provider v2.12.0 or later is required. The details about the transformation, template, alphabet, and role are out of scope for this tutorial. If you are not familiar with Transform secrets engine, go through the Transform Secrets Engine tutorial.
VAULT_ADDR environment variable with value.
VAULT_TOKEN environment variable with value,
Execute the following Terraform command to pull the Vault provider plugin.
Execute the following command to calculate what changes will be made based on the Terraform files. The plan output reports what resources will be created, changed, or destroyed. Since this is the first time running Terraform against this Vault instance, there is nothing to change or destroy:
Plan: 14 to add, 0 to change, 0 to destroy.
Finally, execute the plan using the terraform apply command:
terraform apply -auto-approve
After the successful execution, the output should contain the following message:
Apply complete! Resources: 14 added, 0 changed, 0 destroyed.