Add vault azure secret backend role #493
Conversation
From my personal testing with my setup:

```hcl
resource "vault_azure_secret_backend" "azure" {
  subscription_id = "<REDACTED>"
  tenant_id       = "<REDACTED>"
  client_id       = "<REDACTED>"
  client_secret   = "<REDACTED>"
}

resource "vault_azure_secret_backend_role" "test" {
  backend     = "${vault_azure_secret_backend.azure.path}"
  role        = "test"
  ttl         = 300
  max_ttl     = 600
  description = "Test for Vault Provider"

  azure_roles {
    role_name = "Reader"
    scope     = "/subscriptions/<REDACTED>/resourceGroups/psouter-vault-secret-azure-backend"
  }
}
```
To remind myself, the full CLI command I ran was:
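The role resource above binds a Vault role to an Azure RBAC role at a specific scope with a TTL and a max TTL. Before such a definition reaches a real subscription, a reviewer usually wants three things confirmed: that `ttl` does not exceed `max_ttl`, that the Azure role is not a broad one like Owner, and that the scope is narrowed to a resource group rather than the whole subscription. The following is an added example, not code from this PR or from the Vault provider: a small Python checker that parses `vault_azure_secret_backend_role` blocks from a constructed HCL snippet shaped like the one above and reports those findings. The HCL parser is deliberately minimal (quoted strings and integers only), the list of high-privilege role names is an assumption of the checker, and the subscription id and resource group name are placeholders.

```python
import re

# Constructed sample in the same shape as the role resource from the PR
# comment; the subscription id and resource group are placeholders.
SAMPLE_HCL = '''
resource "vault_azure_secret_backend_role" "test" {
  backend     = "${vault_azure_secret_backend.azure.path}"
  role        = "test"
  ttl         = 300
  max_ttl     = 600
  description = "Test for Vault Provider"
  azure_roles {
    role_name = "Reader"
    scope     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg"
  }
}
'''

# Second constructed sample that violates all three checks.
BROAD_HCL = '''
resource "vault_azure_secret_backend_role" "broad" {
  backend = "azure"
  role    = "broad"
  ttl     = 900
  max_ttl = 600
  azure_roles {
    role_name = "Owner"
    scope     = "/subscriptions/00000000-0000-0000-0000-000000000000"
  }
}
'''

# Assumption of this checker: built-in Azure roles treated as high privilege.
HIGH_PRIVILEGE_ROLES = {"Owner", "Contributor", "User Access Administrator"}

RESOURCE_RE = re.compile(r'resource\s+"vault_azure_secret_backend_role"\s+"([^"]+)"\s*\{')
NESTED_RE = re.compile(r'azure_roles\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(".*?"|\d+)\s*$', re.MULTILINE)
SUBSCRIPTION_SCOPE_RE = re.compile(r'/subscriptions/[^/]+/?')


def _block_body(text, brace_pos):
    """Return (body, end_index) for the brace block whose '{' is at brace_pos."""
    depth = 0
    for i in range(brace_pos, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[brace_pos + 1:i], i + 1
    raise ValueError("unbalanced braces in HCL input")


def _attrs(body):
    """Extract simple `key = "string"` / `key = 123` attributes from a block body."""
    out = {}
    for m in ATTR_RE.finditer(body):
        key, raw = m.group(1), m.group(2)
        out[key] = int(raw) if raw.isdigit() else raw.strip('"')
    return out


def parse_roles(hcl):
    """Return a list of dicts, one per vault_azure_secret_backend_role resource."""
    roles = []
    for m in RESOURCE_RE.finditer(hcl):
        body, _ = _block_body(hcl, m.end() - 1)
        nested = []
        # Lift azure_roles sub-blocks out first so their attributes are not
        # mistaken for top-level ones.
        while True:
            n = NESTED_RE.search(body)
            if n is None:
                break
            inner, end = _block_body(body, n.end() - 1)
            nested.append(_attrs(inner))
            body = body[:n.start()] + body[end:]
        role = _attrs(body)
        role["name"] = m.group(1)
        role["azure_roles"] = nested
        roles.append(role)
    return roles


def check_role(role):
    """Return a list of human-readable findings for one parsed role."""
    findings = []
    name = role["name"]
    ttl, max_ttl = role.get("ttl"), role.get("max_ttl")
    if ttl is not None and max_ttl is not None and ttl > max_ttl:
        findings.append(f"{name}: ttl {ttl} exceeds max_ttl {max_ttl}")
    if not role["azure_roles"]:
        findings.append(f"{name}: no azure_roles block, role grants nothing")
    for ar in role["azure_roles"]:
        role_name, scope = ar.get("role_name", ""), ar.get("scope", "")
        if role_name in HIGH_PRIVILEGE_ROLES:
            findings.append(f"{name}: high-privilege Azure role {role_name!r}")
        if SUBSCRIPTION_SCOPE_RE.fullmatch(scope):
            findings.append(f"{name}: scope {scope!r} is subscription-wide")
    return findings


def lint(hcl):
    """Map each role name to its findings; an empty list means the role passed."""
    return {r["name"]: check_role(r) for r in parse_roles(hcl)}


if __name__ == "__main__":
    for sample in (SAMPLE_HCL, BROAD_HCL):
        for name, findings in lint(sample).items():
            print(name, "->", findings or "ok")
```

Run as a script it reports `test -> ok` and three findings for `broad`. The parser only handles the attribute shapes that appear in the resource above; for real configurations a proper HCL library would replace `parse_roles`, while `check_role` stays the same.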
force-pushed from 3934938 to 1a66a6a
This looks fantastic! Just a couple minor tweaks needed with the Description and path, and it'll be good to go.
Co-Authored-By: Becca Petrin <[email protected]>
force-pushed from 5f052dd to a70e8cf
🌈 Thank you!
…ackend_role Add vault azure secret backend role
Now that #481 is merged, let's create the role for Azure secrets! 😄
This one's a bit trickier to test, as it requires real subscription information...
So for the test you'll require the following environment variables:

- `ARM_TENANT_ID`
- `ARM_CLIENT_ID`
- `ARM_CLIENT_SECRET`
- `ARM_RESOURCE_GROUP`

The resource group you can create with the CLI, or use an existing one if needed:

```sh
az group create --name 'azure-vault-tf-testing' && export ARM_RESOURCE_GROUP="azure-vault-tf-testing"
```
So, you'll need to create a service principal, then enable the permissions to create new accounts from that account, which is only possible with PowerShell 😭 (so you have to do it from the Azure Cloud Shell).
Doc to do that: https://www.terraform.io/docs/providers/azuread/auth/service_principal_configuration.html