Question: How would you manage Vault configuration in a CI/CD pipeline? Every example/tutorial I see shows how to write a single simple policy with a single command, i.e.
vault policy write my-policy ./my-policy.hcl
...but my company's Vault GitHub repo has dozens of .hcl files in multiple subdirectories:
/vault
  /identities
    /roles
      app1.yml
      app2.yml
    /teams
      app1.yml
      app2.yml
  /policies
    /program
      /app1
        app1.hcl
      /app2
        app2.hcl
There's this whole structure, but I have no idea how a GitHub Action or Jenkins pipeline handles it. Does it recursively go through every file in the directory? Can you ask Vault to search an entire directory for .hcl policies? Are there any examples or GitHub repos out there that show such a setup?
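The recursive directory walk the question asks about, as an added example (not code from this thread, from Vault, or from the module linked in the answer): a POSIX shell script a CI job could run to apply every .hcl file under a policies root with `vault policy write`. The policy naming rule (path relative to the root, slashes turned into dashes) and the `VAULT_BIN` override used for dry runs are assumptions.

```shell
#!/bin/sh
# Added example: recursively apply every .hcl file under a policies root as a
# Vault policy. The name is derived from the path relative to the root, e.g.
# program/app1/app1.hcl -> program-app1-app1. That naming rule is an assumption;
# match it to whatever convention your repo already uses.
set -eu

# Map a path relative to the policy root to a Vault policy name.
policy_name() {
  rel="${1#./}"
  rel="${rel%.hcl}"
  printf '%s\n' "$rel" | tr '/' '-'
}

# Print "name path" for every .hcl file under the root, sorted so each run is
# deterministic and the CI log is easy to compare between runs.
collect_policies() {
  root="$1"
  ( cd "$root" && find . -type f -name '*.hcl' | LC_ALL=C sort ) |
  while IFS= read -r rel; do
    printf '%s %s\n' "$(policy_name "$rel")" "$root/${rel#./}"
  done
}

# Apply every collected policy. VAULT_BIN defaults to `vault`; a CI job can set
# VAULT_BIN=echo on pull requests to print the commands instead of writing them.
apply_policies() {
  collect_policies "$1" | while read -r name path; do
    "${VAULT_BIN:-vault}" policy write "$name" "$path"
  done
}

# Build a scratch copy of the policies layout from the question (constructed
# sample data, read-only capabilities, nothing from a real repo).
make_sample_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/policies/program/app1" "$tmp/policies/program/app2"
  printf 'path "secret/data/app1/*" { capabilities = ["read"] }\n' \
    > "$tmp/policies/program/app1/app1.hcl"
  printf 'path "secret/data/app2/*" { capabilities = ["read"] }\n' \
    > "$tmp/policies/program/app2/app2.hcl"
  printf '%s\n' "$tmp"
}
```

Running the dry-run variant on pull requests and the real binary only on merge to the main branch gives reviewers the exact list of policies a change will touch before Vault is modified.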
We manage our Vault roles through Terraform, like with https://github.com/transcend-io/terraform-vault-role/blob/master/main.tf (not a super generally usable module, but it gets the idea across).
I see - so by adding a separate resource in any number of .tf files, the terraform plan/apply will automatically pick up the Vault roles. So the CI/CD is simply as if it's any other Terraform workspace.