Requirements

| Name | Version |
|------|---------|
| vault | ~> 3 |

Providers

| Name | Version |
|------|---------|
| vault | ~> 3 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| vault_auth_backend.password_auth_method | resource |
| vault_generic_endpoint.user_pw_login | resource |
| vault_identity_entity.user_entity | resource |
| vault_identity_entity_alias.user_alias | resource |
| vault_identity_entity_policies.user_policies | resource |
| vault_identity_group.vault_groups | resource |
| vault_policy.change_pw | resource |
| vault_policy.kv_lister | resource |
| vault_policy.kv_reader | resource |
| vault_policy.kv_writer | resource |
| vault_policy.operator | resource |
| vault_policy.personal | resource |
| vault_policy_document.change_pw | data source |
| vault_policy_document.kv_lister | data source |
| vault_policy_document.kv_reader | data source |
| vault_policy_document.kv_writer | data source |
| vault_policy_document.operator | data source |
| vault_policy_document.personal | data source |

Inputs

| Name | Required |
|------|----------|
| groups | no |
| kv_secret_backend | yes |
| users | no |

Name: groups

Description: A list of objects, each representing a Vault user group that defines a role and its permissions.

Concerned resources:
- vault_identity_group

Type:

```hcl
list(object({
  type     = string
  policies = list(string)
  name     = string
  metadata = map(string)
}))
```

Default:

```json
[
  {
    "metadata": {
      "name": "operators",
      "version": "1"
    },
    "name": "operators",
    "policies": [
      "operator"
    ],
    "type": "internal"
  },
  {
    "metadata": {
      "name": "users",
      "version": "1"
    },
    "name": "users",
    "policies": [
      "user"
    ],
    "type": "internal"
  }
]
```

Name: kv_secret_backend

Description: n/a

Type:

```hcl
object({
  path        = string
  type        = string
  description = string
  # options = set(object({}))
})
```

Default: n/a

Name: users

Description: A list of objects, each representing a composite Vault user entity that defines a role and a login.

The alias property gives each distinct entity a proper handle. It must be unique.

The policies property is a map that defines how each Vault policy is attached to the session (via the auth method, the entity, or the entity's groups).

The password property is the initial login password of a user. The password can be self-rotated via the change-pw policy. Changes to this property do not cause a state change in Terraform's lifecycle.

The metadata property holds an arbitrary map of data that can be used, for example, for auditing purposes.

Validations are performed for the password format and for user alias uniqueness.

Concerned resources:
- vault_generic_endpoint
- vault_identity_entity
- vault_identity_entity_policies
- vault_identity_entity_alias
- vault_identity_group

Type:

```hcl
list(object({
  alias = string
  identity = object({
    external_policies = bool
    exclusive         = bool
  })
  policies = object({
    from_auth   = list(string)
    from_entity = list(string)
    from_groups = list(string)
  })
  metadata = map(string)
}))
```

Default:

```json
[
  {
    "alias": "test-user",
    "identity": {
      "exclusive": false,
      "external_policies": true
    },
    "metadata": {
      "Email": "[email protected]",
      "FullName": "Max Musterman",
      "Role": "operator"
    },
    "otc": {
      "groups": [],
      "roles": []
    },
    "policies": {
      "from_auth": [
        "change-pw"
      ],
      "from_entity": [
        "personal"
      ],
      "from_groups": [
        "users",
        "operators"
      ]
    }
  }
]
```
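The following is an added example of wiring these inputs together in a root module; it is not code from the module's own README. The module `source` path, the KV mount values (`path`, `type`, `description`), the user's metadata and the output names on the calling side are assumptions; the group and policy names (`operator`, `user`, `change-pw`, `personal`) are taken from the defaults documented above. Note that the documented `users` type does not declare a `password` attribute even though the description mentions one, so the example sticks to the declared type.

```hcl
# Added example (not the module's own code): pin the provider the module requires.
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 3"
    }
  }
}

module "vault_users" {
  source = "./modules/vault-users" # placeholder path; point this at the module

  # Required input: the KV secret backend the policies refer to (assumed values).
  kv_secret_backend = {
    path        = "kv"
    type        = "kv-v2"
    description = "Team key/value secrets"
  }

  # Groups carry the shared, role-level policies (names follow the documented default).
  groups = [
    {
      name     = "operators"
      type     = "internal"
      policies = ["operator"]
      metadata = { name = "operators", version = "1" }
    },
    {
      name     = "users"
      type     = "internal"
      policies = ["user"]
      metadata = { name = "users", version = "1" }
    },
  ]

  # Each user is a composite entity: a unique alias, plus policies split by origin.
  users = [
    {
      alias = "jane-doe" # must be unique across the list (validated by the module)
      identity = {
        external_policies = true
        exclusive         = false
      }
      policies = {
        from_auth   = ["change-pw"]            # attached via the auth method: self-service password rotation
        from_entity = ["personal"]             # attached directly to the entity
        from_groups = ["users", "operators"]   # inherited through group membership; must match groups[*].name
      }
      metadata = { # arbitrary data, e.g. for auditing (assumed values)
        Email    = "jane.doe@example.invalid"
        FullName = "Jane Doe"
        Role     = "operator"
      }
    },
  ]
}

# Surface the module's documented outputs to the caller.
output "created_users" {
  value = module.vault_users.created_users
}

output "vault_groups" {
  value = module.vault_users.vault_groups
}
```

When a user's `from_groups` lists a group name that is not present in `groups`, the group membership cannot be resolved; keeping group names and `from_groups` references in sync (and reviewing the resulting `terraform plan` for unexpected policy attachments) is the main check worth doing before applying.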

Outputs

| Name | Description |
|------|-------------|
| created_users | n/a |
| vault_groups | n/a |