Difficulty: beginner
Estimated Time: 5 minutes


One of the pillars behind the Tao of Hashicorp is automation through codification.

HashiCorp Terraform is an infrastructure as code tool that enables the operations team to codify Vault configuration tasks such as the creation of policies. Automation through codification allows operators to increase their productivity, move quicker, promote repeatable processes, and reduce human error.

This tutorial demonstrates techniques for creating Vault policies and configurations using the Terraform Vault Provider.

This tutorial focuses on codifying the Vault server configuration using Terraform. To deploy a Vault cluster using Terraform, refer to the Provision a Best Practices Vault Cluster in AWS tutorial.

This scenario runs the Vault Enterprise version.

Important Note: Without a license, the Vault Enterprise server will be sealed after 30 minutes. In other words, you have 30 free minutes to explore the Enterprise features. To explore Vault Enterprise further, you can sign up for a free 30-day trial.

This scenario gave you a quick introduction to the Terraform Vault plugin.

Terraform is an Infrastructure as Code tool, so treat your Terraform files as your code. This means that you can now automate the Vault cluster management process by plugging it into your preferred CI/CD tool such as CircleCI.

For example, a git commit triggers CircleCI to spin up a Docker image running Vault in development mode and run Terraform against it. If the Vault configuration succeeds, you can roll it out to the staging cluster, and so on. Otherwise, fix the Terraform files and repeat the process.

This significantly reduces human errors as well as inconsistencies across Vault environments. Terraform can be your working documentation of any change in the Vault server configuration.

Resources:

[Enterprise] Codify Management of Vault

Step 1 of 3

Configure Vault Enterprise server with namespaces

Scenario introduction

Vault administrators must manage multiple Vault environments. The test servers get destroyed at the end of each test cycle, and a new set of servers must be provisioned for the next test cycle. To automate the Vault server configuration, you are going to use Terraform to provision the following Vault resources.

Type                     Name         Description
namespace                finance      A namespace dedicated to the finance organization
namespace                engineering  A namespace dedicated to the engineering organization
ACL Policy               admins       Sets policies for the admin team
ACL Policy               fpe-client   Sets policies for clients to encode/decode data through the transform secrets engine
auth method              userpass     Enable and create a user, "student", with the admins and fpe-client policies
secrets engine           kv-v2        Enable the kv-v2 secrets engine in the finance namespace
secrets engine           transform    Enable the transform secrets engine at the path transform
transformation           ccn-fpe      Transformation to perform format preserving encryption (FPE) on credit card numbers
transformation template  ccn          Define the data format structure for credit card numbers
alphabet                 numerics     Set of allowed characters

The admins policy must be created in all namespaces: root, finance, and engineering. The expected admin tasks are the same across the namespaces.

Examine provided Terraform files

The following Terraform files are provided:

  • main.tf defines two provider blocks, each pointing to a different namespace: finance and engineering. This allows you to leverage multiple namespaces during the Vault configuration.

  • policies.tf creates the admins and eaas-client policies based on the policies/admin-policy.hcl and policies/fpe-client-policy.hcl files respectively. The admins policy gets created in the root, finance, and engineering namespaces. The fpe-client policy gets created in the root namespace.

  • auth.tf enables the userpass auth method and creates a user, student, with the password changeme.

  • secrets.tf enables the kv-v2 and transform secrets engines.

NOTE: Terraform Vault Provider v2.12.0 or later is required. The details about the transformation, template, alphabet, and role are out of scope for this tutorial. If you are not familiar with the Transform secrets engine, go through the Transform Secrets Engine tutorial.
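The following is an added example, not the tutorial's provided main.tf, policies.tf, auth.tf or secrets.tf: a single Terraform configuration that provisions the resources listed in the table above, showing how a root provider and two namespace-scoped provider aliases let one apply create the admins policy in all three namespaces. It assumes Vault Enterprise (namespaces and the transform engine), Terraform Vault Provider 2.12.0 or later, and that the tutorial's policies/admin-policy.hcl and policies/fpe-client-policy.hcl sit next to it. The credit card regex, the student password variable, and the role name "payments" are assumptions for illustration; the password is passed as a sensitive variable rather than written into the file.

```hcl
# Added example (not the tutorial's files). Assumes Vault Enterprise and
# Terraform Vault Provider >= 2.12.0; policy bodies come from policies/*.hcl.
terraform {
  required_providers {
    vault = { source = "hashicorp/vault", version = ">= 2.12.0" }
  }
}

# Root namespace; address and token come from VAULT_ADDR / VAULT_TOKEN.
provider "vault" {}

# Aliased providers scoped to each child namespace.
provider "vault" {
  alias     = "finance"
  namespace = "finance"
}

provider "vault" {
  alias     = "engineering"
  namespace = "engineering"
}

# Supplied at apply time (TF_VAR_student_password); hypothetical variable.
variable "student_password" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}

# Namespaces are created from the root namespace.
resource "vault_namespace" "finance" { path = "finance" }

resource "vault_namespace" "engineering" { path = "engineering" }

# admins policy in root, finance and engineering with the same HCL body.
resource "vault_policy" "admins_root" {
  name   = "admins"
  policy = file("${path.module}/policies/admin-policy.hcl")
}

resource "vault_policy" "admins_finance" {
  provider   = vault.finance
  name       = "admins"
  policy     = file("${path.module}/policies/admin-policy.hcl")
  depends_on = [vault_namespace.finance] # namespace must exist first
}

resource "vault_policy" "admins_engineering" {
  provider   = vault.engineering
  name       = "admins"
  policy     = file("${path.module}/policies/admin-policy.hcl")
  depends_on = [vault_namespace.engineering]
}

# fpe-client policy only in the root namespace.
resource "vault_policy" "fpe_client" {
  name   = "fpe-client"
  policy = file("${path.module}/policies/fpe-client-policy.hcl")
}

# userpass auth method and the student user in the root namespace.
resource "vault_auth_backend" "userpass" { type = "userpass" }

resource "vault_generic_endpoint" "student" {
  path                 = "auth/userpass/users/student"
  ignore_absent_fields = true # Vault never returns the password on read
  depends_on           = [vault_auth_backend.userpass]
  data_json = jsonencode({
    password = var.student_password
    policies = ["admins", "fpe-client"]
  })
}

# kv-v2 in the finance namespace; transform in root at path "transform".
resource "vault_mount" "finance_kv" {
  provider   = vault.finance
  path       = "kv-v2"
  type       = "kv-v2"
  depends_on = [vault_namespace.finance]
}

resource "vault_mount" "transform" {
  path = "transform"
  type = "transform"
}

# numerics alphabet, ccn template, ccn-fpe transformation and a role.
resource "vault_transform_alphabet" "numerics" {
  path     = vault_mount.transform.path
  name     = "numerics"
  alphabet = "0123456789"
}

resource "vault_transform_template" "ccn" {
  path     = vault_mount.transform.path
  name     = "ccn"
  type     = "regex"
  pattern  = "(\\d{4})-(\\d{4})-(\\d{4})-(\\d{4})" # assumed card format
  alphabet = vault_transform_alphabet.numerics.name
}

resource "vault_transform_transformation" "ccn_fpe" {
  path          = vault_mount.transform.path
  name          = "ccn-fpe"
  type          = "fpe"
  template      = vault_transform_template.ccn.name
  tweak_source  = "internal"
  allowed_roles = [vault_transform_role.payments.name]
}

resource "vault_transform_role" "payments" { # hypothetical role name
  path            = vault_mount.transform.path
  name            = "payments"
  transformations = ["ccn-fpe"]
}
```

Two points worth noticing: the aliased providers carry a fixed namespace string, so the explicit depends_on is what guarantees the namespace exists before the policy or mount inside it is created; and because policies are created per namespace, a change to admin-policy.hcl is rolled out to root, finance and engineering in one plan, which is exactly the consistency the tutorial is after.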

Run Terraform


Set the VAULT_ADDR environment variable to the address of the Vault server, http://127.0.0.1:8200.

export VAULT_ADDR="http://127.0.0.1:8200"

Set the VAULT_TOKEN environment variable to the value root.

export VAULT_TOKEN=root

Execute the following Terraform command to pull the Vault provider plugin.

terraform init

Execute the following command to calculate what changes will be made based on the Terraform files (main.tf and the others).

terraform plan

The plan output reports what resources will be created, changed, or destroyed. Since this is the first time running Terraform against this Vault instance, there is nothing to change or destroy.

Plan: 14 to add, 0 to change, 0 to destroy.

Finally, execute the plan using the terraform apply command.

terraform apply -auto-approve

After successful execution, the output should contain the following message:

Apply complete! Resources: 14 added, 0 changed, 0 destroyed.