Add installation docs for Vault from upstream
1 parent 5d5f632, commit b5968fe
Showing 6 changed files with 1,294 additions and 1 deletion.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
The Vault provider allows Terraform to read from, write to, and configure | ||
[HashiCorp Vault](https://vaultproject.io/). |
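Review bot: The two-line paragraph in this file is repeated verbatim as the opening of the 17-line file that follows, and both say "Terraform", while the repository is a Pulumi provider (the `provider/installation-replaces/using-credentials-desired.md` file further down is the Pulumi-facing rewrite of the same upstream text). Please confirm which of these two files is the untouched upstream copy and which is the replacement, and change the replacement to say Pulumi rather than Terraform so the generated docs do not describe the wrong tool.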
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
The Vault provider allows Terraform to read from, write to, and configure | ||
[HashiCorp Vault](https://vaultproject.io/). | ||
|
||
~> **Important** Interacting with Vault from Terraform causes any secrets | ||
that you read and write to be persisted in both Terraform's state file | ||
*and* in any generated plan files. For any Terraform module that reads or | ||
writes Vault secrets, these files should be treated as sensitive and | ||
protected accordingly. | ||
|
||
This provider serves two pretty-distinct use-cases, which each have their | ||
own security trade-offs and caveats that are covered in the sections that | ||
follow. Consider these carefully before using this provider within your | ||
Terraform configuration. | ||
|
||
-> Visit the [Inject secrets into Terraform using the Vault provider](https://learn.hashicorp.com/tutorials/terraform/secrets-vault?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS) Learn tutorial to learn how to use | ||
short-lived credentials from Vault's AWS Secrets Engine to authenticate the | ||
AWS provider. |
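Review bot: The Learn tutorial link at the end of this hunk carries tracking query parameters (`?utm_source=WEBSITE&utm_medium=WEB_IO&utm_offer=ARTICLE_PAGE&utm_content=DOCS`); strip them so the docs link to `https://learn.hashicorp.com/tutorials/terraform/secrets-vault` directly. The text also promises that the two use-cases are "covered in the sections that follow", but nothing follows in this 17-line file, so if it is a replacement fragment the pointer must match whatever is spliced in after it. The `~> **Important**` block about secrets being persisted in the state file and in generated plan files is the key security caveat of this page and should be carried into the Pulumi-facing version as well.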
provider/installation-replaces/using-credentials-desired.md (25 changes: 25 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,25 @@ | ||
~> **Important** It is important to ensure that the Vault token | ||
has a long enough `time-to-live` to allow for all Vault resources to | ||
be successfully provisioned. In the case where the `TTL` is insufficient, | ||
you may encounter unexpected permission denied errors. | ||
See [Vault Token TTLs](https://vaultproject.io/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls) | ||
for more details. | ||
|
||
Most Pulumi providers require credentials to interact with a third-party | ||
service that they wrap. This provider allows such credentials to be obtained | ||
from Vault, which means that operators or systems running Pulumi need | ||
only access to a suitably-privileged Vault token in order to temporarily | ||
lease the credentials for other providers. | ||
|
||
To reduce the exposure of secrets, the provider requests a Vault token | ||
with a relatively-short TTL (20 minutes, by default) which in turn means | ||
that where possible Vault will revoke any issued credentials after that | ||
time, but in particular it is unable to retract any static secrets such as | ||
those stored in Vault's "generic" secret backend. | ||
|
||
The requested token TTL can be controlled by the `max_lease_ttl_seconds` | ||
provider argument described below. | ||
|
||
Except as otherwise noted, the resources that read secrets from Vault | ||
are designed such that they require only the *read* capability on the relevant | ||
resources. |
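Review bot: The `See [Vault Token TTLs](...)` link in this Pulumi rewrite still points at the old `vaultproject.io/docs/concepts/tokens` host, whereas the upstream Terraform version below uses `https://developer.hashicorp.com/vault/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls`; use the newer URL here too. The rewrite also drops the upstream paragraph warning that secrets returned by data sources are persisted into state, into plan files and sometimes into console output. Pulumi state records resource outputs as well, so unless that omission is deliberate, an equivalent caveat about protecting Pulumi state (and marking such outputs as secrets) should be kept rather than silently removed. Finally, "the `max_lease_ttl_seconds` provider argument described below" refers to a section that is not part of this fragment, so check that the assembled page actually documents that argument after this text.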
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
~> **Important** It is important to ensure that the Vault token | ||
has a long enough `time-to-live` to allow for all Vault resources to | ||
be successfully provisioned. In the case where the `TTL` is insufficient, | ||
you may encounter unexpected permission denied errors. | ||
See [Vault Token TTLs](https://developer.hashicorp.com/vault/docs/concepts/tokens#token-time-to-live-periodic-tokens-and-explicit-max-ttls) | ||
for more details. | ||
|
||
Most Terraform providers require credentials to interact with a third-party | ||
service that they wrap. This provider allows such credentials to be obtained | ||
from Vault, which means that operators or systems running Terraform need | ||
only access to a suitably-privileged Vault token in order to temporarily | ||
lease the credentials for other providers. | ||
|
||
Currently, Terraform has no mechanism to redact or protect secrets that | ||
are returned via data sources, so secrets read via this provider will be | ||
persisted into the Terraform state, into any plan files, and in some cases | ||
in the console output produced while planning and applying. These artifacts | ||
must therefore all be protected accordingly. | ||
|
||
To reduce the exposure of such secrets, the provider requests a Vault token | ||
with a relatively-short TTL (20 minutes, by default) which in turn means | ||
that where possible Vault will revoke any issued credentials after that | ||
time, but in particular it is unable to retract any static secrets such as | ||
those stored in Vault's "generic" secret backend. | ||
|
||
The requested token TTL can be controlled by the `max_lease_ttl_seconds` | ||
provider argument described below. It is important to consider that Terraform | ||
reads from data sources during the `plan` phase and writes the result into | ||
the plan. Thus, a subsequent `apply` will likely fail if it is run after the | ||
intermediate token has expired, due to the revocation of the secrets that | ||
are stored in the plan. | ||
|
||
Except as otherwise noted, the resources that read secrets from Vault | ||
are designed such that they require only the *read* capability on the relevant | ||
resources. |