# Vault Terraform Modules

Enterprise-grade, production-ready Terraform modules to manage HashiCorp Vault Enterprise and HCP Vault configurations.

These modules cover:

- Authentication Methods
- Secrets Engines
- Operational tasks (snapshots, telemetry)
- Vault Policies
- Full dynamic secret lifecycle management
## 📦 Modules Included

### Authentication Methods (`auth_methods/`)

| Module | Purpose |
|---|---|
| `approle` | Manage AppRole authentication dynamically |
| `userpass` | Manage Userpass authentication dynamically |
| `ldap` | Manage LDAP/Active Directory authentication |
| `oidc` | Manage JWT/OIDC authentication |
| `okta` | Manage Okta authentication |
| `aws` | Manage AWS IAM authentication |
| `azure` | Manage Azure Active Directory authentication |
| `kubernetes` | Manage Kubernetes ServiceAccount authentication |

### Secrets Engines (`secrets_engine/`)

| Module | Purpose |
|---|---|
| `kv` | Manage KV Secrets Engines (likely v2) |
| `transit` | Manage Transit Secrets Engines (encryption, signing) |
| `pki` | Manage PKI Secrets Engines and Cert Issuance |
| `aws` | Manage AWS dynamic credentials (IAM users, STS tokens) |
| `database` | Manage dynamic database credentials (Postgres, MySQL, MongoDB Atlas) |
| `transform` | Manage data tokenization, masking (FPE) |

### Operations (`operations/`)

| Module | Purpose |
|---|---|
| `snapshots` | Manage Vault snapshots for backup/restore |
| `telemetry` | (Coming Soon) Manage Vault telemetry endpoints |
| `logs` | (Coming Soon) Manage Vault audit logs |

### Policies

| Module | Purpose |
|---|---|
| `policies` | Manage ACL policies for Vault dynamically |
## 🚀 Quick Start

### Prerequisites

- Terraform >= 1.4.0
- Vault Provider >= 3.20.0
- Access to a Vault Enterprise cluster or HCP Vault cluster

### Provider Setup

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.20.0"
    }
  }
}

provider "vault" {
  address = var.vault_address
  token   = var.vault_token
}
```
### Example Usage for AppRole

```hcl
module "approle_auth" {
  source     = "github.com/YOURGITHUBORG/vault-terraform-modules//auth_methods/approle?ref=v1.0.0"
  mount_path = "approle"

  approles = {
    "ci-cd-pipeline" = {
      token_policies = ["default", "ci-policy"]
    }
  }
}
```
### Example Usage for Userpass

```hcl
module "userpass_auth" {
  source     = "github.com/YOURGITHUBORG/vault-terraform-modules//auth_methods/userpass?ref=v1.0.0"
  mount_path = "userpass"

  users = {
    "developer" = {
      # Placeholder value only; do not commit real passwords to source control.
      password       = "changeme"
      token_policies = ["developer-policy"]
    }
  }
}
```
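The Userpass example above carries the password as a literal in the configuration. The following is an added example, not code from this repository, showing one way to source that password from a generated value instead, so nothing secret is committed and the value is redacted from plan and apply output. It assumes the `hashicorp/random` provider and the module inputs exactly as shown above (`mount_path`, `users.<name>.password`, `users.<name>.token_policies`); the `random` provider version constraint is an assumption.

```hcl
# Added example (not part of the module repository): generate the Userpass
# password instead of hard-coding it. Assumes the hashicorp/random provider
# and the module inputs shown in the README.

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 3.20.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.0.0" # assumed constraint
    }
  }
}

# random_password.result is marked sensitive by the provider, so Terraform
# redacts it in plan/apply output. It is still written to state, so the state
# backend must be access-controlled and encrypted.
resource "random_password" "developer" {
  length           = 32
  special          = true
  override_special = "!@#%^&*()-_=+"
}

module "userpass_auth" {
  source     = "github.com/YOURGITHUBORG/vault-terraform-modules//auth_methods/userpass?ref=v1.0.0"
  mount_path = "userpass"

  users = {
    "developer" = {
      password       = random_password.developer.result
      token_policies = ["developer-policy"]
    }
  }
}

# Hand the initial password to the operator only on demand
# (`terraform output -raw developer_initial_password`); a sensitive output is
# not printed by `terraform apply`, so it does not leak into CI logs.
output "developer_initial_password" {
  value     = random_password.developer.result
  sensitive = true
}
```

Rotating the password is then a matter of tainting or replacing the `random_password` resource and re-applying; the user is expected to change it on first login, which Userpass does not enforce by itself.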
## 🌎 Compatibility

This repository supports:

- HashiCorp Vault Enterprise (self-managed clusters)
- HashiCorp Cloud Platform (HCP) Vault

Just configure `vault_address` and `vault_token` correctly for your target cluster.
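An added example, not part of this repository, of how the `vault_address` and `vault_token` inputs used in the Provider Setup above can be declared so that the token is marked sensitive and may be omitted in favour of the provider's `VAULT_TOKEN` environment variable, plus a `vault_namespace` variable (an assumed name) for HCP Vault or namespaced Enterprise clusters. The `namespace` provider argument and the `VAULT_ADDR`/`VAULT_TOKEN` environment variables are standard behaviour of the `hashicorp/vault` provider; the address shown in the description is a constructed placeholder.

```hcl
# Added example (not part of the module repository): declare the provider
# inputs so the token is never echoed and a namespace can be selected.

variable "vault_address" {
  description = "Vault API address, e.g. https://vault.example.com:8200 (constructed placeholder)"
  type        = string
}

# sensitive = true keeps the token out of plan/apply output. Leaving it null
# causes Terraform to omit the argument, so the provider falls back to the
# VAULT_TOKEN environment variable of the machine running Terraform.
variable "vault_token" {
  description = "Vault token for Terraform; set TF_VAR_vault_token, or leave null and export VAULT_TOKEN"
  type        = string
  sensitive   = true
  default     = null
}

# HCP Vault exposes its top-level namespace as "admin"; a self-managed
# Enterprise cluster uses the root namespace (null) or a tenant namespace.
variable "vault_namespace" {
  description = "Target Vault namespace (\"admin\" for HCP Vault, null for the root namespace)"
  type        = string
  default     = null
}

provider "vault" {
  address   = var.vault_address
  token     = var.vault_token
  namespace = var.vault_namespace
}
```

Passing the token through `TF_VAR_vault_token` or `VAULT_TOKEN` rather than a `.tfvars` file keeps it out of the repository; a sensitive variable is still recorded in state when referenced by resources, so the same state-backend protections apply.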
## 🎯 Project Roadmap

- AppRole Auth Method
- Userpass Auth Method
- LDAP Auth Method
- JWT/OIDC Auth Method
- Okta Auth Method
- Kubernetes Auth Method
- AWS Auth Method
- Azure Auth Method
- KV Secrets Engine
- Transit Secrets Engine
- PKI Secrets Engine with Cert Issuance
- Vault Snapshots Automation
- AWS Secrets Engine
- Database Secrets Engine
- Transform Secrets Engine
- Azure Secrets Engine (Planned)
- Vault Telemetry / Audit Logging (Planned)
- GCP Auth Method (Planned)
- Dynamic CI/CD Vault Workflows
- Full Example Platform Deployment
## 🛠 Development Setup

This project uses pre-commit hooks to automatically format and validate Terraform code.

To set up pre-commit locally:

```bash
pip install pre-commit
pre-commit install
```

Every commit will auto-run `terraform fmt` and `terraform validate`.
## 📚 Best Practices Followed

- ✅ Modular, reusable Terraform design
- ✅ GitHub Actions CI for lint/validate (optional)
- ✅ Consistent inputs/outputs across modules
- ✅ Example usage for every module
- ✅ Ready for Enterprise multi-tenancy (Vault namespaces support)
- ✅ Semantic Versioning (`v1.0.0`, `v1.1.0`)
## 🛡 License

This repository is licensed under the MIT License.

## 🙏 Acknowledgements

- Inspired by HashiCorp best practices for Vault OSS and Enterprise.
- Architecture based on production Vault deployments (Enterprise and HCP Vault).
- Terraform style inspired by the official Terraform Registry standards.