Difficulty: beginner
Estimated Time: 5 minutes


One of the pillars behind the Tao of HashiCorp is automation through codification.

HashiCorp Terraform is an infrastructure as code tool that enables the operations team to codify Vault configuration tasks such as the creation of policies. Automation through codification allows operators to increase their productivity, move quicker, promote repeatable processes, and reduce human error.

This tutorial demonstrates techniques for creating Vault policies and configuration using the Terraform Vault provider.

This tutorial focuses on codifying the Vault server configuration using Terraform. To deploy a Vault cluster using Terraform, refer to the Provision a Best Practices Vault Cluster in AWS tutorial.

This scenario gave you a quick introduction to the Terraform Vault plugin.

Terraform is an infrastructure as code tool, so treat your Terraform files as your code. This means that you can automate the Vault cluster management process by plugging it into your preferred CI/CD tool, such as CircleCI.

For example, a git commit triggers CircleCI to spin up a Docker image running Vault in development mode and run Terraform against it. If the Vault configuration succeeds, you can roll it out to the staging cluster, and so on. Otherwise, fix the Terraform files and repeat the process.

This significantly reduces human error as well as inconsistencies across Vault environments. The Terraform files also serve as working documentation of every change to the Vault server configuration.


Codify Management of Vault

Step 1 of 3

Configure Vault OSS server

Scenario introduction

Vault administrators must manage multiple Vault environments. The test servers are destroyed at the end of each test cycle and a new set of servers must be provisioned for the next one. To automate the Vault server configuration, you are going to use Terraform to provision the following Vault resources.

Type            Name         Description
ACL policy      admins       Sets policies for the admin team
ACL policy      eaas-client  Sets policies for clients to encrypt/decrypt data through the transit secrets engine
auth method     userpass     Enables the method and creates a user, "student", with the admins and fpe-client policies
secrets engine  kv-v2        Enables the kv-v2 secrets engine at kv-v2
secrets engine  transit      Enables the transit secrets engine at transit
encryption key  payment      Encryption key to encrypt/decrypt data

Examine provided Terraform files

The following Terraform files are provided:

  • main.tf has an empty vault provider block

    Within the file is a vault provider block. You can provide the server connection details inside this block (Vault server address, client token, etc.); however, it is strongly recommended to supply such target-server-specific information through environment variables instead.

  • policies.tf creates the admins policy based on the policies/admin-policy.hcl file. Similarly, it creates the eaas-client policy based on the policies/eaas-client-policy.hcl file.

  • auth.tf enables the userpass auth method and creates a user, student, with the password changeme

  • secrets.tf enables the kv-v2 secrets engine as well as the transit secrets engine, and creates an encryption key named payment
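As an added example (not the tutorial's own policies.tf, auth.tf or secrets.tf), the following single file shows the shape of those resources in the Terraform Vault provider: the transit engine and payment key, a least-privilege eaas-client policy, and the student user. The student_password variable is an assumption in place of the hard-coded changeme, so the password never lands in the .tf file.

```hcl
# Connection details come from VAULT_ADDR and VAULT_TOKEN, as the tutorial
# recommends, so the provider block stays empty.
provider "vault" {}

variable "student_password" {
  type      = string
  sensitive = true # assumption: supplied via TF_VAR_student_password
}

# Transit secrets engine mounted at "transit" with the "payment" key.
resource "vault_mount" "transit" {
  path = "transit"
  type = "transit"
}

resource "vault_transit_secret_backend_key" "payment" {
  backend          = vault_mount.transit.path
  name             = "payment"
  deletion_allowed = false # guard against accidental key deletion
}

# Least-privilege client policy: only encrypt/decrypt with the payment key,
# nothing else in the transit engine. Interpolation ties the policy paths to
# the mount and key above, so a renamed mount cannot silently break access.
resource "vault_policy" "eaas_client" {
  name   = "eaas-client"
  policy = <<-EOT
    path "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.payment.name}" {
      capabilities = ["update"]
    }
    path "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.payment.name}" {
      capabilities = ["update"]
    }
  EOT
}

# userpass auth method and the "student" user bound to that policy.
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}

resource "vault_generic_endpoint" "student" {
  path                 = "auth/${vault_auth_backend.userpass.path}/users/student"
  ignore_absent_fields = true
  data_json = jsonencode({
    password       = var.student_password
    token_policies = [vault_policy.eaas_client.name]
  })
}
```

Running terraform plan against a dev-mode server with VAULT_ADDR and VAULT_TOKEN set reports the resources to be added; the kv-v2 mount from the tutorial is left out here for brevity.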

Run Terraform commands


Set the VAULT_TOKEN environment variable to the value root.

export VAULT_TOKEN=root

The Vault server address is already stored in the VAULT_ADDR environment variable.

NOTE: Terraform reads the VAULT_ADDR and VAULT_TOKEN environment variables to connect to your target Vault server/cluster.

Execute the following Terraform command to pull the Vault provider plugin.

terraform init

Execute the following command to calculate what changes will be made based on the Terraform files (main.tf and the others in the directory).

terraform plan

The plan output reports what resources will be created, changed, or destroyed. Since this is the first time running Terraform against this Vault instance, there is nothing to change or destroy.

Plan: 7 to add, 0 to change, 0 to destroy.

The terraform apply command runs a plan first, so this separate step is not strictly necessary; it is, however, very useful while you are working on the Terraform files to verify the intended actions.

Finally, execute the plan using the terraform apply command.

terraform apply -auto-approve

After a successful run, the output contains the following message:

Apply complete! Resources: 7 added, 0 changed, 0 destroyed.

NOTE: To apply the same configuration to another Vault server/cluster, simply update the VAULT_ADDR and VAULT_TOKEN values to point to the desired target server/cluster.