gherynos/vault-backend

Latest commit 27d67fc · Jan 6, 2025
Vault Backend


A Terraform HTTP backend that stores the state in a Vault secret.

The server supports locking and leverages the versioning capabilities of Vault by creating a new secret version when creating/updating the state.

Terraform config

The server authenticates to Vault using AppRole, with role_id and secret_id passed respectively as the username and password in the configuration:

terraform {
  backend "http" {
    address = "http://localhost:8080/state/<STATE_NAME>"
    lock_address = "http://localhost:8080/state/<STATE_NAME>"
    unlock_address = "http://localhost:8080/state/<STATE_NAME>"

    username = "<VAULT_ROLE_ID>"
    password = "<VAULT_SECRET_ID>"
  }
}

or directly with a token:

terraform {
  backend "http" {
    address = "http://localhost:8080/state/<STATE_NAME>"
    lock_address = "http://localhost:8080/state/<STATE_NAME>"
    unlock_address = "http://localhost:8080/state/<STATE_NAME>"

    username = "TOKEN"
    password = "<TOKEN_VALUE>"
  }
}

where <STATE_NAME> is an arbitrary value used to distinguish the backends.

With the above configuration, Terraform connects to a vault-backend server running locally on port 8080 when loading/storing/locking the state, and the server manages the following secrets in Vault:

  • /<VAULT_STORE>/<VAULT_PREFIX>/<STATE_NAME>
  • /<VAULT_STORE>/<VAULT_PREFIX>/<STATE_NAME>-lock

The lock secret is created when a lock is acquired and deleted when the lock is released.

Vault Backend config

The following environment variables can be set to change the configuration:

  • VAULT_URL (default http://localhost:8200) the URL of the Vault server
  • VAULT_PREFIX (default vbk) the prefix used when storing the secrets
  • VAULT_STORE (default secret) the store path used when storing secrets
  • LISTEN_ADDRESS (default 0.0.0.0:8080) the listening address and port
  • TLS_CRT and TLS_KEY to set the path of the TLS certificate and key files
  • DEBUG to enable verbose logging

Vault policy

The policy associated with the AppRole used by the server needs to grant access to these secrets.

For example, for a <STATE_NAME> of cloud-services and the default VAULT_PREFIX and VAULT_STORE:

path "secret/data/vbk/cloud-services"
{
  capabilities = ["create", "read", "update"]
}

path "secret/data/vbk/cloud-services-lock"
{
  capabilities = ["create", "read", "update"]
}

path "secret/metadata/vbk/cloud-services-lock"
{
  capabilities = ["delete"]
}
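The following Go program is an added example, not code from the vault-backend project. It models the two things the README describes above: how VAULT_STORE, VAULT_PREFIX and <STATE_NAME> combine into the state and "-lock" secret paths (and why the policy needs "delete" on the lock's metadata path rather than its data path), and the lock lifecycle in which each state write becomes a new secret version. Vault itself is replaced by an in-memory KV v2 stand-in (FakeKV) so the program runs offline; MissingCapabilities checks the README's example policy against what the server needs for a given state. One assumption is my own and not stated in the README: Store rejects writes to a locked state unless they carry the holder's lock ID, mirroring the ?ID= parameter Terraform's HTTP backend sends.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Config holds the two README settings that decide where secrets land.
type Config struct {
	Store  string // VAULT_STORE, default "secret"
	Prefix string // VAULT_PREFIX, default "vbk"
}

func DefaultConfig() Config { return Config{Store: "secret", Prefix: "vbk"} }

// KV v2 paths for a state: <STORE>/data/<PREFIX>/<STATE_NAME>, its "-lock" twin, and the
// lock's metadata path (deleting the metadata path removes the lock secret and all its versions).
func (c Config) DataPath(state string) string     { return path.Join(c.Store, "data", c.Prefix, state) }
func (c Config) LockDataPath(state string) string { return c.DataPath(state + "-lock") }
func (c Config) LockMetadataPath(state string) string {
	return path.Join(c.Store, "metadata", c.Prefix, state+"-lock")
}

// Policy is a flattened Vault HCL policy: path -> capabilities.
type Policy map[string][]string

func (p Policy) allows(pth, capability string) bool {
	for _, c := range p[pth] {
		if c == capability {
			return true
		}
	}
	return false
}

// ExamplePolicy is the README's policy for <STATE_NAME> = cloud-services.
func ExamplePolicy() Policy {
	return Policy{
		"secret/data/vbk/cloud-services":          {"create", "read", "update"},
		"secret/data/vbk/cloud-services-lock":     {"create", "read", "update"},
		"secret/metadata/vbk/cloud-services-lock": {"delete"},
	}
}

// MissingCapabilities lists "<path>:<capability>" pairs the server needs for a state
// (per the README's policy section) that the given policy does not grant.
func MissingCapabilities(p Policy, c Config, state string) []string {
	var missing []string
	need := func(pth string, caps ...string) {
		for _, capability := range caps {
			if !p.allows(pth, capability) {
				missing = append(missing, pth+":"+capability)
			}
		}
	}
	need(c.DataPath(state), "create", "read", "update")
	need(c.LockDataPath(state), "create", "read", "update")
	need(c.LockMetadataPath(state), "delete")
	return missing
}

// FakeKV is an in-memory stand-in for a KV v2 mount: every write appends a new version.
type FakeKV struct{ versions map[string][]map[string]string }

func (kv *FakeKV) Write(dataPath string, data map[string]string) int {
	kv.versions[dataPath] = append(kv.versions[dataPath], data)
	return len(kv.versions[dataPath]) // version number, 1-based like KV v2
}
func (kv *FakeKV) Read(dataPath string) (map[string]string, bool) {
	vs := kv.versions[dataPath]
	if len(vs) == 0 {
		return nil, false
	}
	return vs[len(vs)-1], true // latest version
}
func (kv *FakeKV) DeleteMetadata(metaPath string) {
	delete(kv.versions, strings.Replace(metaPath, "/metadata/", "/data/", 1))
}

// Backend runs the state/lock lifecycle the README describes on top of FakeKV.
type Backend struct {
	cfg Config
	kv  *FakeKV
}

func NewBackend(c Config) *Backend {
	return &Backend{cfg: c, kv: &FakeKV{versions: map[string][]map[string]string{}}}
}

// Lock creates the -lock secret unless another lock ID already holds it.
func (b *Backend) Lock(state, lockID string) error {
	if held, ok := b.kv.Read(b.cfg.LockDataPath(state)); ok {
		return fmt.Errorf("state %q is locked by %s", state, held["ID"])
	}
	b.kv.Write(b.cfg.LockDataPath(state), map[string]string{"ID": lockID})
	return nil
}

// Unlock deletes the -lock secret, but only for the ID that acquired it.
func (b *Backend) Unlock(state, lockID string) error {
	held, ok := b.kv.Read(b.cfg.LockDataPath(state))
	if !ok || held["ID"] != lockID {
		return fmt.Errorf("state %q is not locked by %s", state, lockID)
	}
	b.kv.DeleteMetadata(b.cfg.LockMetadataPath(state))
	return nil
}

// Store writes a new state version. Assumption (not stated in the README): a locked
// state only accepts writes carrying the holder's lock ID, as Terraform sends via ?ID=.
func (b *Backend) Store(state, lockID, tfstate string) (int, error) {
	if held, ok := b.kv.Read(b.cfg.LockDataPath(state)); ok && held["ID"] != lockID {
		return 0, fmt.Errorf("state %q is locked by %s", state, held["ID"])
	}
	return b.kv.Write(b.cfg.DataPath(state), map[string]string{"state": tfstate}), nil
}

func main() {
	b := NewBackend(DefaultConfig())
	fmt.Println(MissingCapabilities(ExamplePolicy(), b.cfg, "cloud-services")) // nothing missing
	fmt.Println(b.Lock("cloud-services", "lock-1"), b.Lock("cloud-services", "lock-2"))
	v, err := b.Store("cloud-services", "lock-1", `{"version":4}`)
	fmt.Println(v, err, b.Unlock("cloud-services", "lock-1"))
}
```

Running MissingCapabilities against a state name other than cloud-services reports all seven missing grants, which is the practical check to make before pointing a new Terraform configuration at the server: the README's policy is per state name, so each new <STATE_NAME> needs its three path stanzas (or a policy written with a glob under the prefix) before the first terraform init.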

Docker

The Docker images for Vault Backend are available here: https://hub.docker.com/r/gherynos/vault-backend

Example execution command:

docker run -d -p 8080:8080 -e VAULT_URL=https://some.vault.address:8200 gherynos/vault-backend

Author

GitHub @gherynos

License

Vault Backend is licensed under the Apache License, Version 2.0.