GithubHelp home page GithubHelp logo

gherynos / vault-backend Goto Github PK

View Code? Open in Web Editor NEW
3.0 3.0 3.0 57 KB

A Terraform HTTP backend that stores the state in a Vault secret.

License: Apache License 2.0

Go 98.90% Dockerfile 1.10%
terraform vault golang

vault-backend's Introduction

Vault Backend

pre-commit build release go-report-card

A Terraform HTTP backend that stores the state in a Vault secret.

The server supports locking and leverages the versioning capabilities of Vault by creating a new secret version when creating/updating the state.

Terraform config

The server authenticates to Vault using AppRole, with role_id and secret_id passed respectively as the username and password in the configuration:

terraform {
  backend "http" {
    address = "http://localhost:8080/state/<STATE_NAME>"
    lock_address = "http://localhost:8080/state/<STATE_NAME>"
    unlock_address = "http://localhost:8080/state/<STATE_NAME>"

    username = "<VAULT_ROLE_ID>"
    password = "<VAULT_SECRET_ID>"
  }
}

or directly with a token:

terraform {
  backend "http" {
    address = "http://localhost:8080/state/<STATE_NAME>"
    lock_address = "http://localhost:8080/state/<STATE_NAME>"
    unlock_address = "http://localhost:8080/state/<STATE_NAME>"

    username = "TOKEN"
    password = "<TOKEN_VALUE>"
  }
}

where <STATE_NAME> is an arbitrary value used to distinguish the backends.

With the above configuration, Terraform connects to a vault-backend server running locally on port 8080 when loading/storing/locking the state, and the server manages the following secrets in Vault:

  • /<VAULT_STORE>/<VAULT_PREFIX>/<STATE_NAME>
  • /<VAULT_STORE>/<VAULT_PREFIX>/<STATE_NAME>-lock

the latter gets created when a lock is acquired and deleted when released.

Vault Backend config

The following environment variables can be set to change the configuration:

  • VAULT_URL (default http://localhost:8200) the URL of the Vault server
  • VAULT_PREFIX (default vbk) the prefix used when storing the secrets
  • VAULT_STORE (default secret) the store path used when storing secrets
  • LISTEN_ADDRESS (default 0.0.0.0:8080) the listening address and port
  • TLS_CRT and TLS_KEY to set the path of the TLS certificate and key files
  • DEBUG to enable verbose logging

Vault policy

The policy associated to the AppRole used by the server needs to grant access to the secrets.

I.e., for a <STATE_NAME> set as cloud-services and the default VAULT_PREFIX and VAULT_STORE:

path "secret/data/vbk/cloud-services"
{
  capabilities = ["create", "read", "update"]
}

path "secret/data/vbk/cloud-services-lock"
{
  capabilities = ["create", "read", "update"]
}

path "secret/metadata/vbk/cloud-services-lock"
{
  capabilities = ["delete"]
}

Docker

The Docker images for Vault Backend are available here: https://hub.docker.com/r/gherynos/vault-backend

Example execution command:

docker run -d -p 8080:8080 -e VAULT_URL=https://some.vault.address:8200 gherynos/vault-backend

Author

GitHub @gherynos

License

Vault Backend is licensed under the Apache License, Version 2.0.

vault-backend's People

Contributors

gherynos avatar manveru avatar

Stargazers

avatar avatar avatar

Watchers

avatar avatar avatar

Forkers

manveru bridgecrew-perf4 jsp-hashicorp

vault-backend's Issues

Configurable KV location

First of all, thanks a lot for this project, it's a shame this isn't a part of terraform yet.

May I suggest though to make the location of the KV store, which is hardcoded to secret, configurable just like the VAULT_PREFIX? I'd be happy to make a PR for this, if you're not opposed to the idea.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.