Multi Kubernetes clusters authentication and Multi AWS accounts assumed_role
and Generating IAM Users
for CI/CD purpose on the top of pre-existing Vault!
- USERPASS (UI)
- OIDC (UI)
- AWS
- JWT (GitLab, GitHub)
- KUBERNETES
- KV-V2
- AWS
THIS MODULE DOWNSIDE IS ALL SECRETS VALUES WOULD BE INSIDE TERRAFORM.TFVARS
THAT AIN'T PRETTY GOOD AND REALLY HARD MANAGING SECRETS IN LARGE SCALE! (WELL.... WHATEVER... YOU KNOW VERY WELL WHAT YOU DOING!)
Name | Version |
---|---|
terraform | >= v1.6.5 |
vault | >= 4.2.0 |
Name | Version |
---|---|
vault | >= 4.2.0 |
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
access_key | AWS Assumed Role access key | string |
"ACCESS_KEY" |
no |
access_key_user | AWS Access Key with necessary permissions | string |
"ACCESS_KEY" |
no |
auth_backend_role | Role that will be used by Vault authenticating AWS | map(object({ |
{ |
no |
auth_backend_role_user | If enabled, This Role that will be used by Vault authenticating and performing necessary actions | map(object({ |
{ |
no |
aws_auth_path | AWS Authentication Methods path | string |
"aws" |
no |
aws_auth_path_user | AWS IAM user Authentication Methods path | string |
"account_b" |
no |
aws_secret_path | AWS Secret Engine path for Assumed Role | string |
"aws" |
no |
aws_secret_path_user | AWS Secret engine path for IAM User | string |
"account_b" |
no |
bound_issuer | The value against which to match the iss claim in a JWT | string |
"gitlab.com" |
no |
create_auth_backend_role | Enable STS role or not for Vault | bool |
false |
no |
create_auth_backend_role_user | Enable STS role or not on Vault | bool |
false |
no |
create_aws_auth_backend | Enable AWS Auth method or not | bool |
n/a | yes |
create_aws_auth_backend_user | Enable AWS Auth method or not | bool |
n/a | yes |
create_aws_secret_backend | Enable AWS Secret Method or not for Vault | bool |
false |
no |
create_aws_secret_backend_user | Vault Enable AWS Secret Method or not | bool |
false |
no |
create_gh_acc_role | Enable Account Role for GitHub JWT Auth Method | bool |
n/a | yes |
create_gh_secret_role | For GHA, Enable Secrets JWT Auth Method Role or not | bool |
n/a | yes |
create_gl_acc_role | Enable Account Role for GitHub JWT Auth Method | bool |
n/a | yes |
create_gl_secret_role | For GitLab, Enable Secrets JWT Auth Method Role or not | bool |
n/a | yes |
create_k8s | Enable Kubernetes Auth Method or not | bool |
n/a | yes |
create_kv_engine | Enable KV version 2 secret engine | bool |
n/a | yes |
create_kv_v2 | Create KV Version 2 Secrets | bool |
n/a | yes |
create_policy | Enable Vault policy or not | bool |
n/a | yes |
create_secret_backend_role | Enable a role on an AWS Secret Method or not for Vault | bool |
false |
no |
create_secret_backend_role_user | Enable a role on an AWS Secret Method for Vault | bool |
false |
no |
create_userpass | Authenticate Vault with Username/Password | bool |
n/a | yes |
credential_type | AWS STS Assumed Role type | string |
"assumed_role" |
no |
credential_type_user | AWS IAM User type | string |
"iam_user" |
no |
default_ttl_aws | Default Time To Live for Assumed role | string |
1800 |
no |
default_ttl_gh_jwt | Default Time To Live | string |
"1h" |
no |
default_ttl_gl_jwt | Default Time To Live | string |
"1h" |
no |
default_ttl_user | Default Time To Live for AWS temporary account | number |
2700 |
no |
delete_version_after | Old secrets version will be deleted after this seconds (7 days) | number |
604800 |
no |
enabled_gh_jwt_backend | Enable GitHub JWT Auth Method or not | bool |
n/a | yes |
enabled_gl_jwt_backend | Enable GitLab JWT Auth Method or not | bool |
n/a | yes |
enabled_oidc_backend | Enable OIDC Auth Method or not | bool |
n/a | yes |
gh_acc_bound_aud | URL of the repository owner, eg: https://github.com/OWNER , such as the organization that owns the repository. This is the only claim that can be customized |
list(string) |
[ |
no |
gh_acc_bound_claims | https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token | map(object({ |
{ |
no |
gh_acc_bound_sub | Defines the subject claim that is to be validated by the cloud provider | string |
"" |
no |
gh_acc_token_policies | Vault policy name to attach on AWS Auth Method Role | list(string) |
[ |
no |
gh_jwt_path | GitHub JWT Authentication path | string |
"jwt-gh" |
no |
gh_jwt_token_type | service token or batch token? Default is service token |
string |
"service" |
no |
gh_secret_bound_aud | URL of the repository owner, eg: https://github.com/OWNER , such as the organization that owns the repository. This is the only claim that can be customized |
list(string) |
[ |
no |
gh_secret_bound_claims | JWT/OIDC auth Method role for Secrets values in a Vault server | map(object({ |
{ |
no |
gh_secret_bound_sub | Defines the subject claim that is to be validated by the cloud provider | string |
"" |
no |
gh_secret_token_policies | Secrets policy name | list(string) |
[ |
no |
gl_acc_bound_claims | JWT/OIDC auth Method role for AWS Account in a Vault server | map(object({ |
{ |
no |
gl_acc_token_policies | Vault policy name to attach on AWS Auth Method Role | list(string) |
[ |
no |
gl_jwt_path | GitLab JWT Authentication path | string |
"jwt-gl" |
no |
gl_jwt_token_type | service token or batch token? Default is service token |
string |
"service" |
no |
gl_secret_bound_claims | JWT/OIDC auth Method role for Secrets values in a Vault server | map(object({ |
{ |
no |
gl_secret_token_policies | Secrets policy name | list(string) |
[ |
no |
k8s_config | Kubernetes Auth Backend configuration | map(object({ |
{ |
no |
k8s_path | Kubernetes Authentication path (Support multi clusters with different paths) | map(object({ |
{ |
no |
k8s_role | Kubernetes role to authenticate Vault | map(object({ |
{ |
no |
kv_v2 | Key/Value store | map(object({ |
{ |
no |
kv_v2_description | Just a description | string |
"Mount path of KV-V2 secret engine" |
no |
kv_v2_path | KV-V2 secret engine path | string |
"infra" |
no |
max_ttl_aws | Maximum Time To Live for Assumed role | string |
3600 |
no |
max_ttl_gh_jwt | Maximum Time To Live | string |
"2h" |
no |
max_ttl_gl_jwt | Maximum Time To Live | string |
"2h" |
no |
max_ttl_user | Maximum Time To Live for AWS temporary account | number |
3600 |
no |
max_versions | Maximum versions of the secrets | number |
100 |
no |
oidc_alias | Name of the OIDC group alias | map(object({ |
{ |
no |
oidc_auth_path | OIDC mount path | map(object({ |
{ |
no |
oidc_backend_role | OIDC role to login to Vault | map(object({ |
{ |
no |
oidc_identity_group | n/a | map(object({ |
{ |
no |
region | Region that Vault residing | string |
"us-east-1" |
no |
region_user | Region that Vault residing | string |
"us-east-1" |
no |
secret_backend_role | Create and use STS Assumed Role by Vault performing necessary actions respectively | map(object({ |
{ |
no |
secret_backend_role_user | IAM User with defined IAM permission policy respectively | map(object({ |
{ |
no |
secret_key | AWS Assumed Role User secret key | string |
"SECRET_KEY" |
no |
secret_key_user | AWS Secret Key with necessary permissions | string |
"SECRET_KEY" |
no |
userpass_path | Mount path for Userpass auth method |
string |
"userpass" |
no |
users_path | The full logical path with username suffix |
map(object({ |
{ |
no |
vault_policy | Policy to read secret by path | map(object({ |
{ |
no |
No outputs.