Terraform module to configure a Vault cluster for Nomad workload identities.

hashicorp-modules/terraform-vault-nomad-setup

terraform-vault-nomad-setup

Terraform module that can be used to apply a default sample configuration to a Vault cluster to integrate it with Nomad workload identity JWTs.

Terraform Registry: https://registry.terraform.io/modules/hashicorp-modules/nomad-setup/vault/

Usage

Default sample configuration

This example uses the default sample configuration provided by the module. It allows tasks to access secrets in the path secret/<job namespace>/<job ID>/*.

module "vault_setup" {
  source = "hashicorp-modules/nomad-setup/vault"

  nomad_jwks_url = "https://nomad.example.com/.well-known/jwks.json"
}

Custom policy

This example uses a custom policy to limit access to secrets in the path secret/<task name>/* instead of the module's default.

module "vault_setup" {
  source = "hashicorp-modules/nomad-setup/vault"

  nomad_jwks_url = "http://localhost:4646/.well-known/jwks.json"
  # Reference the policy resource declared below by its Terraform name.
  policy_names = [
    vault_policy.by_nomad_task.name,
  ]
}

resource "vault_policy" "by_nomad_task" {
  name   = "by-nomad-task"
  policy = <<EOT
path "secret/data/{{identity.entity.aliases.${module.vault_setup.auth_backend_accessor}.metadata.nomad_task}}/*" {
  capabilities = ["read"]
}

path "secret/data/{{identity.entity.aliases.${module.vault_setup.auth_backend_accessor}.metadata.nomad_task}}" {
  capabilities = ["read"]
}

path "secret/metadata/{{identity.entity.aliases.${module.vault_setup.auth_backend_accessor}.metadata.nomad_task}}/*" {
  capabilities = ["list"]
}

path "secret/metadata/*" {
  capabilities = ["list"]
}
EOT
}
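As an added illustration (not code from the module), the Python below simulates how Vault resolves the templated policy above, and the module's default job-scoped one, against the entity alias metadata that a Nomad workload identity token carries, so you can check that a task for one job or task cannot reach another's path. The accessor value, the claim names copied into alias metadata, and the KV v2 data/ prefix of the default policy are assumptions.

```python
import re

# Vault templated-policy syntax used in the README:
# {{identity.entity.aliases.<accessor>.metadata.<key>}}
TEMPLATE_RE = re.compile(
    r"\{\{identity\.entity\.aliases\.([\w-]+)\.metadata\.(\w+)\}\}")
PATH_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

# Constructed claims of a Nomad workload identity JWT. Assumes the JWT auth
# role's claim_mappings copy each claim into alias metadata under the same name.
CLAIMS = {"nomad_namespace": "prod", "nomad_job_id": "web", "nomad_task": "nginx"}
ACCESSOR = "auth_jwt_PLACEHOLDER"  # stands in for module.vault_setup.auth_backend_accessor

# Assumed shape of the module default (README: secret/<job namespace>/<job ID>/*,
# with the KV v2 data/ prefix) and a cut-down version of the README's task policy.
DEFAULT_POLICY = ('path "secret/data/{{identity.entity.aliases.%s.metadata.nomad_namespace}}'
                  '/{{identity.entity.aliases.%s.metadata.nomad_job_id}}/*" '
                  '{ capabilities = ["read"] }') % (ACCESSOR, ACCESSOR)
TASK_POLICY = ('path "secret/data/{{identity.entity.aliases.%s.metadata.nomad_task}}/*" '
               '{ capabilities = ["read"] }\n'
               'path "secret/metadata/*" { capabilities = ["list"] }') % ACCESSOR

def render(policy, accessor, metadata):
    """Substitute alias metadata into the policy as Vault does at evaluation time."""
    def sub(m):
        if m.group(1) != accessor:
            raise ValueError("policy references accessor %s, alias is on %s" % (m.group(1), accessor))
        return metadata[m.group(2)]
    return TEMPLATE_RE.sub(sub, policy)

def parse(policy):
    """Return {path_pattern: set(capabilities)} from rendered policy text."""
    return {p: {c.strip().strip('"') for c in caps.split(",") if c.strip()}
            for p, caps in PATH_RE.findall(policy)}

def allowed(rules, path, cap):
    """Vault applies the most specific (longest) matching rule; matching is reduced
    here to exact match and a trailing '*' prefix glob (no '+' segment wildcard)."""
    matches = [p for p in rules
               if (path.startswith(p[:-1]) if p.endswith("*") else path == p)]
    return bool(matches) and cap in rules[max(matches, key=len)]

def check(policy, claims, path, cap, accessor=ACCESSOR):
    """Would a token minted from `claims` get `cap` on `path` under `policy`?"""
    return allowed(parse(render(policy, accessor, claims)), path, cap)

if __name__ == "__main__":
    print(check(DEFAULT_POLICY, CLAIMS, "secret/data/prod/web/db", "read"))  # True
    print(check(DEFAULT_POLICY, CLAIMS, "secret/data/prod/api/db", "read"))  # False
```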

Vault Namespace

When using Vault Enterprise, you can apply the configuration to a different namespace by configuring the Vault provider.

provider "vault" {
  # ...
  namespace = "prod"
}

Create different provider aliases to support multiple namespaces.

provider "vault" {
  # ...
}

provider "vault" {
  alias = "prod"
  # ...
  namespace = "prod"
}

module "vault_setup" {
  source = "hashicorp-modules/nomad-setup/vault"
  providers = {
    vault = vault.prod
  }
  # ...
}
