Support setting namespace per resource (#1305)
This change adds support for configuring namespaces at the resource or data source level. All namespace directives are applied relative to the provider's configured namespace. This new approach allows for namespaced resources to be created without having to pass a namespace-specific provider, although that method is still fully supported.
Showing 373 changed files with 4,328 additions and 1,467 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,60 @@ | ||
### Public Evaluation: Enhanced Vault namespace support | ||
|
||
This directory contains sample Terraform code which demonstrates an enhanced way | ||
of provisioning resources under Vault namespaces. It assumes the following: | ||
|
||
- Terraform is installed | ||
- The provider development requirements are satisfied *see the top level README.md for more info* | ||
- Root access to a Vault Enterprise server | ||
|
||
#### Setup Terraform to use a local build of the Vault provider | ||
|
||
> **warning**: backup your `~/.terraformrc` before running this command: | ||
```shell | ||
cat > ~/.terraformrc <<HERE | ||
provider_installation { | ||
dev_overrides { | ||
"hashicorp/vault" = "$HOME/.terraform.d/plugins" | ||
} | ||
# For all other providers, install them directly from their origin provider | ||
# registries as normal. If you omit this, Terraform will _only_ use | ||
# the dev_overrides block, and so no other providers will be available. | ||
direct {} | ||
} | ||
HERE | ||
``` | ||
|
||
Then execute the `dev` make target from the project root. | ||
```shell | ||
make dev | ||
``` | ||
|
||
Now Terraform is set up to use the `dev` provider build instead of the provider | ||
from the HashiCorp registry. | ||
|
||
#### The basic example | ||
|
||
Provision a generic KV secret in multiple namespaces using a single `provider{}` block. | ||
|
||
Ensure that the `VAULT_TOKEN` and `VAULT_ADDR` environment variables are properly set, | ||
or an alternative auth method is configured. | ||
|
||
*from the repo root*: | ||
|
||
Apply the example | ||
```shell | ||
pushd eval/namespace-enhancements/examples/basic/. | ||
terraform init | ||
terraform apply | ||
terraform output -json | ||
popd | ||
``` | ||
|
||
Destroy the example | ||
```shell | ||
pushd eval/namespace-enhancements/examples/basic/. | ||
terraform destroy | ||
popd | ||
``` |
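Review bot: the apply steps run `terraform output -json`, which prints the `secret_data` output in cleartext because `-json` does not apply the `sensitive` redaction that the plain `terraform output` uses; the README should say that the secret payload will be shown on the terminal, or use `terraform output mount_path` instead. The `cat > ~/.terraformrc <<HERE` heredoc also overwrites any existing file unconditionally (the warning helps, but `set -o noclobber` before the command would make it fail safe), and since the heredoc is unquoted, `$HOME` is expanded at write time into an absolute path, which is what `dev_overrides` needs; a sentence stating that `make dev` is expected to place the build under `~/.terraform.d/plugins` would make that dependency explicit. Minor: the heading "Setup Terraform" should read "Set up Terraform", and the trailing `/.` on the `pushd` paths is unnecessary.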
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
# single provider block | ||
provider "vault" {} | ||
|
||
locals { | ||
# provide namespaces as a set | ||
namespaces = toset(var.namespaces) | ||
} | ||
|
||
resource "vault_namespace" "demo" { | ||
# leverage the for_each meta-argument | ||
for_each = local.namespaces | ||
path = each.key | ||
} | ||
|
||
resource "vault_mount" "demo" { | ||
for_each = local.namespaces | ||
namespace = vault_namespace.demo[each.key].path | ||
path = "secretsv1" | ||
type = "kv" | ||
options = { | ||
version = "1" | ||
} | ||
} | ||
|
||
resource "vault_generic_secret" "demo" { | ||
for_each = local.namespaces | ||
# Support namespace at the level of the resource and data source | ||
namespace = vault_mount.demo[each.key].namespace | ||
path = "${vault_mount.demo[each.key].path}/secret" | ||
data_json = jsonencode( | ||
{ | ||
"baz" = "qux" | ||
} | ||
) | ||
} |
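Review bot: `data_json` hard-codes the secret payload as a literal, and `vault_generic_secret` persists it in the Terraform state in plaintext, so the example should either note that the state must be protected or read the payload from a variable marked `sensitive = true` rather than embedding it in `main.tf`. A `terraform { required_providers { vault = { source = "hashicorp/vault" } } }` block would also make explicit which provider address the `dev_overrides` entry from the README applies to, and the `# Support namespace ...` comment on the `namespace` argument could state that the value is interpreted relative to the provider's namespace, which is the point this example is meant to demonstrate.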
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
output "mount_path" { | ||
value = values(vault_mount.demo)[*].path | ||
} | ||
|
||
output "secret_data" { | ||
sensitive = true | ||
value = values(vault_generic_secret.demo)[*].data | ||
} |
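Review bot: `values(vault_mount.demo)[*].path` drops the namespace each mount belongs to, and since every mount uses the same `secretsv1` path the output is three identical strings; a map keyed by namespace, `{ for ns, m in vault_mount.demo : ns => m.path }` (or emitting `m.namespace` alongside), would show the per-namespace placement the example exists to illustrate. Marking `secret_data` as `sensitive = true` is correct, but it only affects CLI display: the values remain in the state file and are printed by `terraform output -json`.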
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
variable "namespaces" { | ||
default = [ | ||
"ns-1", | ||
"ns-2", | ||
"ns-3", | ||
] | ||
} |
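Review bot: the variable declares no `type` or `description`; `type = set(string)` with a short description would validate input and remove the need for the `toset()` wrapper in `locals`. Nothing prevents an empty list, which would silently create no namespaces, so a `validation` block with `condition = length(var.namespaces) > 0` is worth adding for an example that users will copy.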