Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for lazily authenticating to Vault #2049

Merged
merged 7 commits into from
Nov 8, 2023
Merged

Add support for lazily authenticating to Vault #2049

merged 7 commits into from
Nov 8, 2023

Conversation

benashz
Copy link
Contributor

@benashz benashz commented Oct 11, 2023
edited
Loading

Previously TFVP would authenticate to Vault during the provider configuration phase. Some of the negative side-effects of this approach are:

  • failure when the provider configuration was derived from some other TF resource's computed value.
  • no possibility to provision a new Vault instance within the same TF code base
  • the vault token's lifetime was needlessly shortened

With this PR we can now do something like the following, which provisions a Vault docker instance with a dynamic host port which is used as the vault.address. Previously this would fail since Vault was not yet available for provisioning:

terraform {
  required_providers {
    docker = {
      source = "kreuzwerker/docker"
    }
  }
}

provider "docker" {
  host = "unix:///var/run/docker.sock"
}

provider "vault" {
  address = "http://localhost:${docker_container.vault.ports[0].external}"
}

# Lazily create a Vault Transit mount
resource "vault_mount" "lazy" {
  path = "lazy-login"
  type = "transit"
}

resource "docker_container" "vault" {
  image      = docker_image.vault.image_id
  name       = random_pet.vault.id
  privileged = true
  env = [
    "VAULT_DEV_ROOT_TOKEN_ID=${var.vault_token}",
    "VAULT_ADDR=http://localhost:8200",
    "VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200",
  ]
  ports {
    internal = 8200
  }
}

# Pulls the vault image
resource "docker_image" "vault" {
  name         = "hashicorp/vault:latest"
  keep_locally = true
}

resource "random_pet" "vault" {}

Closes #1198
Closes #1907
Closes #666

@benashz benashz mentioned this pull request Oct 12, 2023
Closed
@benashz benashz marked this pull request as ready for review October 12, 2023 16:15
vinay-gopalan
vinay-gopalan approved these changes Oct 12, 2023
View reviewed changes
Copy link
Contributor

@vinay-gopalan vinay-gopalan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thank you for adding this in! The PR looks great and should be good to get in once the OIDC test fix makes it in 🎉 🙏🏼

@benashz benashz modified the milestones: 3.22.0, 3.23.0 Oct 19, 2023
@tmatilai tmatilai mentioned this pull request Oct 31, 2023
Closed
@benashz benashz merged commit bcccae7 into main Nov 8, 2023
11 checks passed
@benashz benashz deleted the VAULT-14089/support-lazy-auth branch November 8, 2023 15:49
@zanecodes zanecodes mentioned this pull request Nov 8, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@vinay-gopalan vinay-gopalan vinay-gopalan approved these changes

@fairclothjm fairclothjm fairclothjm approved these changes

Assignees
No one assigned
Labels
size/L
Projects
None yet
Milestone
3.23.0
3 participants
@benashz @fairclothjm @vinay-gopalan