
Add vault azure secret backend role #493


petems
Contributor

@petems petems commented Aug 7, 2019

Now that #481 is merged, let's create the role for azure secrets! 😄

This one's a bit trickier to test, as it requires real subscription information...

So for the test you'll require the following environment variables:

ARM_TENANT_ID
ARM_CLIENT_ID
ARM_CLIENT_SECRET
ARM_RESOURCE_GROUP

The resource group you can create with the CLI, or use an existing one if needed:

az group create --name 'azure-vault-tf-testing' && export ARM_RESOURCE_GROUP="azure-vault-tf-testing"

So, you'll need to create a service principal, then enable the permissions to create new accounts from that account, which is only possible with PowerShell 😭 (so you have to do it from the Azure Cloud Shell)

Doc to do that: https://www.terraform.io/docs/providers/azuread/auth/service_principal_configuration.html

@petems
Contributor Author

petems commented Aug 7, 2019

From my personal testing with my setup:

resource "vault_azure_secret_backend" "azure" {
  subscription_id = "<REDACTED>"
  tenant_id       = "<REDACTED>"
  client_id       = "<REDACTED>"
  client_secret   = "<REDACTED>"
}

resource "vault_azure_secret_backend_role" "test" {
  backend     = "${vault_azure_secret_backend.azure.path}"
  role        = "test"
  ttl         = 300
  max_ttl     = 600
  description = "Test for Vault Provider"

  azure_roles {
    role_name = "Reader"
    scope     = "/subscriptions/<REDACTED>/resourceGroups/psouter-vault-secret-azure-backend"
  }
}

$ 2019-08-07T22:23:09.490+0100 [INFO]  core: successful mount: namespace= path=azure/ type=azure
$ vault list azure/roles
Keys
----
test
$ vault read azure/creds/test
Key                Value
---                -----
lease_id           azure/creds/test/[...]
[...]
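To make concrete what the new resource ends up writing to Vault, here is an added example in Go (not the provider's own code) that builds the payload for azure/roles/<name> from the fields shown in the configuration above: it JSON-encodes azure_roles as the Vault Azure secrets engine expects and refuses a ttl above max_ttl or a scope broader than a single resource group. The type and function names are assumptions, and the resource-group scope check is an added hardening rule rather than provider behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// AzureRoleAssignment mirrors one azure_roles block: an Azure RBAC role
// (e.g. "Reader") applied at a scope.
type AzureRoleAssignment struct {
	RoleName string `json:"role_name"`
	Scope    string `json:"scope"`
}

// AzureSecretRole holds the fields the PR's HCL resource exposes (names assumed).
type AzureSecretRole struct {
	Name       string
	TTL        int
	MaxTTL     int
	AzureRoles []AzureRoleAssignment
}

// resourceGroupScope matches /subscriptions/<id>/resourceGroups/<name>,
// the narrowest scope used in the PR's own test configuration.
var resourceGroupScope = regexp.MustCompile(`^/subscriptions/[^/]+/resourceGroups/[^/]+$`)

// BuildRolePayload converts the role into the parameter map written to
// azure/roles/<name>. Vault expects azure_roles as a JSON-encoded list; the
// function rejects ttl above max_ttl and any scope wider than a resource group.
func BuildRolePayload(r AzureSecretRole) (map[string]interface{}, error) {
	if r.MaxTTL > 0 && r.TTL > r.MaxTTL {
		return nil, fmt.Errorf("role %q: ttl %d exceeds max_ttl %d", r.Name, r.TTL, r.MaxTTL)
	}
	if len(r.AzureRoles) == 0 {
		return nil, fmt.Errorf("role %q: at least one azure_roles block is required", r.Name)
	}
	for _, a := range r.AzureRoles {
		if !resourceGroupScope.MatchString(a.Scope) {
			return nil, fmt.Errorf("role %q: scope %q is not resource-group scoped", r.Name, a.Scope)
		}
	}
	encoded, err := json.Marshal(r.AzureRoles)
	if err != nil {
		return nil, err
	}
	return map[string]interface{}{"ttl": r.TTL, "max_ttl": r.MaxTTL, "azure_roles": string(encoded)}, nil
}
```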

@petems
Contributor Author

petems commented Aug 7, 2019

To remind myself, the full CLI command I ran was:

envchain azure ENV ARM_RESOURCE_GROUP=psouter-vault-secret-azure-backend TF_ACC=1 go test -timeout 30s github.com/terraform-providers/terraform-provider-vault/vault -run '^(TestAzureSecretBackendRole)$' -v

@petems petems force-pushed the add_vault_azure_secret_backend_role branch from 3934938 to 1a66a6a Compare August 7, 2019 21:36
@tyrannosaurus-becks tyrannosaurus-becks self-assigned this Aug 8, 2019
Contributor

@tyrannosaurus-becks tyrannosaurus-becks left a comment


This looks fantastic! Just a couple minor tweaks needed with the Description and path, and it'll be good to go.

Review comments on: vault/provider.go (outdated), vault/resource_azure_secret_backend_role.go
@petems petems force-pushed the add_vault_azure_secret_backend_role branch from 5f052dd to a70e8cf Compare August 9, 2019 15:50
Contributor

@tyrannosaurus-becks tyrannosaurus-becks left a comment


🌈 Thank you!

@tyrannosaurus-becks tyrannosaurus-becks merged commit 334bb0c into hashicorp:master Aug 9, 2019
dandandy pushed a commit to dandandy/terraform-provider-vault that referenced this pull request Jun 17, 2021
…ackend_role

Add vault azure secret backend role