Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.


https://github.com/joatmon08/terraform-vault-postgres-nia

Consul-Terraform-Sync compatible module for synchronizing Consul service to Vault database secrets engine

Last synced: 25 days ago

README


# terraform-vault-database-nia

Consul-Terraform-Sync compatible module for synchronizing a Consul service to the
[PostgreSQL database secrets engine](https://www.vaultproject.io/docs/secrets/databases/postgresql)
in Vault.

> Note: This module scopes the creation of a single database service to a unique secrets engine path.
> Mapping each database service to its own secrets engine path ensures that you can scope
> Vault roles and authentication to the specific credential you need.

This module configures:

- Database secrets engine backend
- Database secrets engine connection
- Database secrets engine role
- (Optional) Kubernetes authentication method role

You can separately configure a different authentication method.

## Requirements

| Name | Version |
|------|---------|
| [vault](#requirement\_vault) | >= 3.6.0 |

## Providers

| Name | Version |
|------|---------|
| [vault](#provider\_vault) | 3.6.0 |

## Modules

No modules.

## Resources

| Name | Type |
|------|------|
| [vault_database_secret_backend_connection.postgres](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/database_secret_backend_connection) | resource |
| [vault_database_secret_backend_role.postgres](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/database_secret_backend_role) | resource |
| [vault_kubernetes_auth_backend_role.postgres](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/kubernetes_auth_backend_role) | resource |
| [vault_mount.postgres](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/mount) | resource |
| [vault_policy.postgres](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy_document.postgres](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/policy_document) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [additional\_connection\_string\_arguments](#input\_additional\_connection\_string\_arguments) | Additional connection string arguments for the database connection in Vault | `string` | `"sslmode=disable"` | no |
| [allowed\_roles](#input\_allowed\_roles) | List of allowed roles for the database connection in Vault | `list(string)` | `["*"]` | no |
| [bound\_service\_account\_names](#input\_bound\_service\_account\_names) | If set, set up the Kubernetes auth method role with these service accounts. | `list(string)` | `[]` | no |
| [bound\_service\_account\_namespaces](#input\_bound\_service\_account\_namespaces) | If set, set up the Kubernetes auth method role with these namespaces. | `list(string)` | `[]` | no |
| [creation\_statements](#input\_creation\_statements) | List of creation statements used to create the user in PostgreSQL | `list(string)` | `["CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"]` | no |
| [database\_path](#input\_database\_path) | Path of the database secrets engine mount in Vault | `string` | `"database"` | no |
| [default\_ttl](#input\_default\_ttl) | Default TTL (seconds) for database credentials | `number` | `3600` | no |
| [max\_ttl](#input\_max\_ttl) | Max TTL (seconds) for database credentials | `number` | `3600` | no |
| [name](#input\_name) | Name of the database connection and role to configure in Vault | `string` | n/a | yes |
| [postgres\_database\_name](#input\_postgres\_database\_name) | PostgreSQL database to access | `string` | n/a | yes |
| [postgres\_password](#input\_postgres\_password) | Administrative password for PostgreSQL | `string` | n/a | yes |
| [postgres\_username](#input\_postgres\_username) | Administrative username for PostgreSQL | `string` | n/a | yes |
| [revocation\_statements](#input\_revocation\_statements) | List of revocation statements used to revoke the user in PostgreSQL | `list(string)` | `["ALTER ROLE \"{{name}}\" NOLOGIN;"]` | no |
| [role\_name](#input\_role\_name) | Name of the role to configure in Vault, if not the same as the database connection name. | `string` | `""` | no |
| [services](#input\_services) | Consul services monitored by Consul-Terraform-Sync | `map(object({ id = string, name = string, kind = string, address = string, port = number, meta = map(string), tags = list(string), namespace = string, status = string, node = string, node_id = string, node_address = string, node_datacenter = string, node_tagged_addresses = map(string), node_meta = map(string), cts_user_defined_meta = map(string) }))` | n/a | yes |
| [vault\_kubernetes\_auth\_path](#input\_vault\_kubernetes\_auth\_path) | If set, set up the Kubernetes auth method role at this auth path. | `string` | `""` | no |
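An added example of wiring this module into Consul-Terraform-Sync, written for this README and not taken from the module repository. The Vault address, the `products-db` service, the local module path, the variable values and an already-enabled Kubernetes auth method at `kubernetes` are all assumptions; the task block uses CTS's `module`, `condition "services"` and `variable_files` attributes.

```hcl
# --- cts-config.hcl (constructed example; addresses, names and paths are assumptions) ---
driver "terraform" {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.6.0"   # the provider version pinned in the README
    }
  }
}

terraform_provider "vault" {
  address = "https://vault.example.internal:8200"
  # CTS reads the Vault token from VAULT_TOKEN in its environment; no credential lives in this file.
}

task {
  name        = "vault-postgres-products"
  description = "Mount, connection, role and policy for the products-db service"
  module      = "./terraform-vault-postgres-nia"   # local checkout of the module (assumption)
  condition "services" {
    names = ["products-db"]   # CTS fills the module's `services` map from this catalog entry
  }
  variable_files = ["products-db.tfvars"]
}

# --- products-db.tfvars (constructed example) ---
name                   = "products-db"
database_path          = "database-products"   # one mount per service, as the README note recommends
postgres_database_name = "products"
postgres_username      = "vault_admin"
postgres_password      = "<ADMIN_PASSWORD_PLACEHOLDER>"   # inject from a secret store; never commit it
additional_connection_string_arguments = "sslmode=require"   # TLS to PostgreSQL instead of the default sslmode=disable

# Short-lived leases: 10 minutes by default, renewable up to 1 hour.
default_ttl = 600
max_ttl     = 3600

# Only the products-api service account in the products namespace may obtain these credentials
# (assumes the Kubernetes auth method is already enabled at this path; the module creates only the role).
vault_kubernetes_auth_path       = "kubernetes"
bound_service_account_names      = ["products-api"]
bound_service_account_namespaces = ["products"]

# Narrower grant than the default: read-only on one table instead of every table in schema public.
creation_statements = [
  "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
  "GRANT SELECT ON products TO \"{{name}}\";"
]
```

Each time the `products-db` catalog entry changes, CTS re-runs the module with the refreshed `services` map, so the mount, connection, role and policy track the service without manual Vault changes.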

## Outputs

| Name | Description |
|------|-------------|
| [vault\_mount\_path](#output\_vault\_mount\_path) | n/a |
| [vault\_policy](#output\_vault\_policy) | n/a |
| [vault\_role](#output\_vault\_role) | n/a |