psibi opened 5 years ago

I'd like to make the following changes before merging:

- `vault-iam` a module
- `vtest` in `arn:aws:iam::${data.aws_caller_identity.current.account_id}:user/vtest-*` with a variable that defaults to `vault`
- `vault-s3-private` example to use the `vault-iam` module
- `aws` provider from the `vault-aws-backend` module
- `vault_aws_secret_backend` resource and use a make target (this resource would include admin secrets in Terraform's state file)

@ketzacoatl On further thought, I think we should remove the entire `vault-aws-backend`
module itself from terraform (because we don't want admin secrets in Terraform's state file, and just having the `vault_aws_secret_backend_role` resource isn't useful).

Also, I don't think it is useful for us to make `vault-s3-private` use the `vault-iam` module, because they are not dependent. Only the running vault server's secret engine needs the access keys from the `vault-iam` module. No other output from `vault-iam` is actually needed for it in `vault-s3-private`. I think the right way for us to proceed would be:

1. `vault-iam` module. This step will create access keys which have to be exposed via environment variables by us manually for the next step.
2. (`vault-aws-backend` module). This step will require the proper environment variables for the access keys to be present for it to work.

What do you think?
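The second step above (feeding the admin access keys to Vault's AWS secrets engine from environment variables instead of from a Terraform resource, so they never land in `terraform.tfstate`) written out as the script a make target would call. This is an added example, not code from this PR or from terraform-aws-foundation; it assumes the engine is mounted at `aws`, relies on the standard `vault secrets enable` and `vault write aws/config/root` CLI commands, and treats the `DRY_RUN` variable, the function names and the default region as its own conventions.

```shell
#!/bin/sh
# Added example, not code from terraform-aws-foundation: configure Vault's AWS
# secrets engine from the shell environment (the "make target" approach) so the
# AWS admin access key is never written to terraform.tfstate. The mount path
# "aws", the DRY_RUN switch and the default region are assumptions.

# Succeeds only when both admin credential variables are set and non-empty.
require_aws_creds() {
  [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]
}

# Runs a command, or with DRY_RUN=1 prints it with key values redacted so a
# dry run never leaks the credentials into a terminal or CI log.
run_vault() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*" | sed -e 's/secret_key=[^ ]*/secret_key=<redacted>/' \
                             -e 's/access_key=[^ ]*/access_key=<redacted>/'
  else
    "$@"
  fi
}

# Enables the engine and hands Vault the root credentials taken from the
# environment. First argument is the region; defaults to us-east-1 (assumed).
configure_vault_aws_backend() {
  region="${1:-us-east-1}"
  if ! require_aws_creds; then
    echo "AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY must be set" >&2
    return 1
  fi
  run_vault vault secrets enable -path=aws aws || return 1
  run_vault vault write aws/config/root \
    access_key="$AWS_ACCESS_KEY_ID" \
    secret_key="$AWS_SECRET_ACCESS_KEY" \
    region="$region"
}
```

A make target such as `vault-aws-backend: ; . ./configure-vault-aws.sh && configure_vault_aws_backend us-west-2` runs it against a live Vault; `DRY_RUN=1` shows the commands with the keys masked, which is what you want in CI logs. Because the keys only ever exist in the process environment, the `vault_aws_secret_backend` resource (and its copy of the admin secret in state) is no longer needed.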
Yes, that sounds good.

I would comment though, that if there are no secrets, and we can do it in Terraform, we ought to. Some of the vault configuration can be done in Terraform and doesn't include secrets. Those should stay in Terraform. IDK if that is relevant to the `vault-aws-backend` module, I haven't reviewed the code in a few days.

@psibi are these updates WIP or is it ok to have one of our engineers make those updates?