#vault (2021-08)

vault Discussions related to Hashicorp Vault

2021-08-06

mikesew

Question: How would you manage Vault configuration in a CI/CD pipeline? Every example/tutorial I see shows how to write a single, simple policy with a single command, i.e.

vault policy write my-policy ./my-policy.hcl

...but my company's Vault GitHub repo has dozens of .hcl files in multiple subdirectories:

/vault
  /identities
    /roles
      app1.yml
      app2.yml
    /teams
      app1.yml
      app2.yml
  /policies
    /program
      /app1
        app1.hcl
      /app2
        app2.hcl

There's this whole structure, but I have no idea how a GitHub Action or Jenkins pipeline handles it. Does it recursively go through every file in the directory? Can you ask Vault to search an entire directory for .hcl policies? Are there any examples or GitHub repos out there that show such a setup?

David

We manage our Vault roles through Terraform, like with https://github.com/transcend-io/terraform-vault-role/blob/master/main.tf (not a super generally usable module, but it gets the idea across)

Link preview: terraform-vault-role/main.tf at master · transcend-io/terraform-vault-role: Terraform module to create Vault Roles accessible by AWS IAM Role ARNs

mikesew

I see, so by adding a separate resource in any number of .tf files, the terraform plan/apply will automatically pick up the Vault roles. So the CI/CD is simply as if it's any other Terraform workspace.
