This directory contains the Terraform configuration that prepares Vault for use with the Raft Backup Agent. The Terraform code:
1. Adds a snapshot policy
2. Configures AppRole authentication
3. Adds the AppRole role for snapshots with the snapshot policy from (1)
4. Retrieves the roleid and secretid and updates the values in the Ansible vars
These steps are derived from the description of the backup approach.
The Terraform configuration assumes that the following Ansible var files are automatically updated in step (4) above:
Description | Terraform variable forming the Ansible path | Variable default value |
---|---|---|
The path of the roleid Ansible variable | `${ansible_play_dir}/vars/${ansible_vars_file_role_id}` | `../ansible/raft-backup-roleid.yml` |
The path of the secretid Ansible variable | `${ansible_play_dir}/vars/${ansible_vars_file_secret_id}` | `../ansible/raft-backup-secretid.yml` |
The location of the password file for Ansible Vault | `ansible_vault_id` | `../ansible/vault-pass` |
Notes:
- The secretid (sensitive) is encrypted with the Ansible Vault password defined in `ansible_vault_id`.
- Any other variable in the file `variables.tf` is used "internally", i.e., it has no effect on the outputs of the module that Ansible may process afterwards.
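As an added example (not this directory's own code), the following `terraform.tf` fragment implements steps 1 to 4 above: a read-only policy on the raft snapshot endpoint, an AppRole backend, a role bound to that policy only, and the two Ansible var files, with the secretid written ansible-vault encrypted. It assumes the variables `ansible_play_dir`, `ansible_vars_file_role_id`, `ansible_vars_file_secret_id` and `ansible_vault_id` from `variables.tf`, the `hashicorp/local` and `hashicorp/null` providers, and the Ansible variable names `raft_backup_role_id` / `raft_backup_secret_id` (all assumed here).

```hcl
# Snapshot policy (step 1): read-only access to the raft snapshot endpoint
resource "vault_policy" "snapshot" {
  name   = "raft-snapshot"
  policy = <<-EOT
    path "sys/storage/raft/snapshot" {
      capabilities = ["read"]
    }
  EOT
}

# AppRole auth backend (step 2)
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
}

# AppRole role bound to the snapshot policy only (step 3)
resource "vault_approle_auth_backend_role" "snapshot" {
  backend        = vault_auth_backend.approle.path
  role_name      = "raft-backup"
  token_policies = [vault_policy.snapshot.name]
  token_ttl      = 1200 # one snapshot run fits well within 20 minutes
  token_max_ttl  = 3600
}
resource "vault_approle_auth_backend_role_secret_id" "snapshot" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.snapshot.role_name
}

# Step 4: roleid as plain YAML, secretid only ansible-vault encrypted
resource "local_file" "role_id" {
  filename        = "${var.ansible_play_dir}/vars/${var.ansible_vars_file_role_id}"
  content         = "raft_backup_role_id: ${vault_approle_auth_backend_role.snapshot.role_id}\n"
  file_permission = "0600"
}

resource "null_resource" "secret_id" {
  triggers = { accessor = vault_approle_auth_backend_role_secret_id.snapshot.accessor }
  provisioner "local-exec" {
    # The secret travels via the environment, not argv, so it is not visible in `ps`
    environment = { SECRET_ID = vault_approle_auth_backend_role_secret_id.snapshot.secret_id }
    command     = <<-EOT
      printf '%s' "$SECRET_ID" | ansible-vault encrypt_string \
        --vault-password-file ${var.ansible_vault_id} \
        --stdin-name raft_backup_secret_id \
        > ${var.ansible_play_dir}/vars/${var.ansible_vars_file_secret_id}
    EOT
  }
}
```

The encrypted secretid still lands in the Terraform state in clear via the `vault_approle_auth_backend_role_secret_id` resource, so the state file needs the same protection as the `vault-pass` file.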
```shell
# review the variables
$ cat terraform.tfvars
# configure access credentials, see also
# https://www.terraform.io/docs/providers/vault/index.html
$ export VAULT_ADDR=http://127.0.0.1:8200
$ export VAULT_TOKEN=root
# initialize and apply the Vault configuration
$ terraform init
$ terraform plan
$ terraform apply
```
To reveal the roleid and the (sensitive) secretid of the current configuration use:
```shell
$ terraform output approle_role_id
$ terraform output approle_secret_id
```
After initialization, an existing AppRole configuration can be imported into the Terraform state with:
```shell
# Adjust $APPROLE_PATH to match the existing Vault configuration (remote).
# Have a look at `vault auth list` to retrieve the path of an existing AppRole backend
APPROLE_PATH=custom_approle
terraform import vault_auth_backend.approle $APPROLE_PATH
# Verify the import
$ terraform state list
vault_auth_backend.approle
# Execute a plan to see the diff
$ terraform plan -target=vault_auth_backend.approle
# vault_auth_backend.approle will be updated in-place
~ resource "vault_auth_backend" "approle" {
    accessor                  = "auth_approle_e53052a8"
    default_lease_ttl_seconds = 0
    id                        = "custom_approle"
    local                     = false
    max_lease_ttl_seconds     = 0
    path                      = "custom_approle"
  + tune                      = (known after apply)
    type                      = "approle"
  }
# Copy/paste the diff to the `terraform.tf` file,
# to replace the existing backend configuration
#
# ./terraform.tf excerpt
#
# AppRole backend
resource "vault_auth_backend" "approle" {
  local = false
  path  = "custom_approle"
  tune  = []
  type  = "approle"
}
# Update the ./terraform.tf file until the plan on the resource
# shows that the existing config file matches the current remote state
terraform import vault_auth_backend.approle $APPROLE_PATH
# Proceed similarly with any other resources for import, e.g., the AppRole role
ROLE_PATH=auth/approle/role/existing-snapshot-approle-role
terraform import vault_approle_auth_backend_role.example $ROLE_PATH
```
See also: https://www.terraform.io/docs/providers/vault/r/approle_auth_backend_role.html#import
For importing other resources, have a look at the import instructions of the respective resources upstream: