hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0
457 stars 536 forks

Provide support for policy_attachment resource #1318

Open faseyiks opened 2 years ago

faseyiks commented 2 years ago

Is your feature request related to a problem? Please describe. Currently, policies have to be statically attached (optionally) to configured backend roles. An example is below (some resource attributes are removed for conciseness).

resource "vault_cert_auth_backend_role" "cert" {
  name           = "foo"
  backend        = vault_auth_backend.cert.path
  allowed_names  = ["foo.example.org", "baz.example.org"]
  token_policies = ["foo"]
}

In this case, we have to also go ahead and create the policy foo as below

resource "vault_policy" "foo" {
  name   = "foo"
  policy = <<EOT
path "secret/foo" {
  capabilities = ["update"]
}
EOT
}

In a dynamic environment, this often becomes tenuous when binding policies to roles that are dynamically configured. It often creates some difficulties to attach a single policy to multiple roles that are attached to multiple backends.

Describe the solution you'd like To resolve this problem, it is proposed to add a new resource vault_policy_attachment

resource "vault_policy_attachment" "foo-attach" {
  name     = "foo-attachment"
  policy   = [vault_policy.foo.name]
  roles    = [vault_cert_auth_backend_role.cert.name]
  backends = [optional list]
}

Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.

Explain any additional use-cases If there are any use-cases that would help us understand the use/need/value please share them as they can help us decide on acceptance and prioritization.

Additional context Add any other context or screenshots about the feature request here.
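For readers evaluating the request, the following is an added example (not part of the issue, and not provider code) showing how a single vault_policy can be bound today to several roles across several auth backends using only resources the provider already ships, by driving the role resource with for_each over one map. The backend paths ("cert-prod", "cert-ci"), role names, allowed names and the CA file path are constructed values for illustration.

```hcl
# Added example: one policy, many roles, many backends, with existing resources.
# Backend paths, role names, allowed_names and ca.pem are assumed values.

resource "vault_policy" "foo" {
  name   = "foo"
  policy = <<EOT
path "secret/foo" {
  capabilities = ["update"]
}
EOT
}

# Two cert auth backends mounted at different (constructed) paths.
resource "vault_auth_backend" "cert" {
  for_each = toset(["cert-prod", "cert-ci"])
  type     = "cert"
  path     = each.key
}

# A single map describes every role and the backend it belongs to; adding a
# role or a backend is a one-line change rather than a new resource block.
locals {
  cert_roles = {
    "prod-web"  = { backend = "cert-prod", names = ["web.example.org"] }
    "prod-api"  = { backend = "cert-prod", names = ["api.example.org"] }
    "ci-runner" = { backend = "cert-ci",   names = ["ci.example.org"] }
  }
}

resource "vault_cert_auth_backend_role" "roles" {
  for_each      = local.cert_roles
  name          = each.key
  backend       = vault_auth_backend.cert[each.value.backend].path
  allowed_names = each.value.names

  # certificate is a required argument of this resource; the CA file path
  # is assumed for the example.
  certificate = file("${path.module}/ca.pem")

  # The same policy object is referenced from every role, so Terraform
  # creates the policy first and the plan lists exactly which roles carry it.
  token_policies = [vault_policy.foo.name]
}
```

Referencing vault_policy.foo.name instead of the literal string "foo" keeps the dependency explicit, so a renamed or removed policy surfaces in terraform plan on every role that uses it, which is the review point a reader checking least-privilege bindings usually wants to see.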

fairclothjm commented 5 months ago

@faseyiks Hello, sorry for the long delay in a response here! We would like to better understand this feature request.

In a dynamic environment, this often becomes tenuous when binding policies to roles that are dynamically configured. It often creates some difficulties to attach a single policy to multiple roles that are attached to multiple backends.

Could you please provide more information in regards to this comment? What specifically is tenuous and difficult about setting the policy on the role resource itself?

Can you please describe what you expect the relationship to be between the backend and role fields on the proposed vault_policy_attachment resource?