Open tony-kerz opened 4 years ago
For what it's worth I have a similar requirement, did you manage to find a workaround?
I can't see an easy one, ultimately an LDAP group and the associated policies are modeled as one entity by the vault API, as opposed to a list of {groupname, policy} tuples - so the vault provider is limited in what it can do. The usual rules on terraform composition and shared resources now apply, i.e. you need to manage the group policies outside of the environment workspaces.
I'm currently just using different LDAP groups for different environments. It works, but it isn't exactly the way I wanted it to 🤷
We are looking for this functionality as well.
Given the implementation, it may be tricky to implement this; perhaps additional resources that mimic a policy attachment, as we see in many AWS provider resources.
In our use-case, our team wants to use Terraform to manage resources within our Vault instances/namespaces (provided by an external, dedicated team). As part of the onboarding process, these come pre-configured with LDAP/OIDC auths and some default policies (allowing administrative permissions within the scope of the namespace). As we create new secret engines and policies for the various services we manage, we'd like to be able to append the policies we manage ourselves to these pre-existing groups/roles (automatically with Terraform, instead of doing it by hand whenever something changes).
Hi everyone, I bumped into this situation and found that this provider has this resource: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_policies
This allows you to define a group with external policies and to declare an external policy in Terraform, which will add a policy instead of overwriting the current group policies.
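As an added example (not code from this thread or the provider), here is how that resource fits the workspace-per-environment setup described in the issue. It assumes the shared identity group `my-group` (created with `type = "external"` and `external_policies = true`) and its LDAP group alias are managed once, outside the environment workspaces; each workspace only looks the group up and appends its own policy. The `environment` variable and the policy body are assumptions.

```hcl
# Added example, not code from the issue. Assumes the shared identity group
# "my-group" (type = "external", external_policies = true) and its LDAP group
# alias are created once, outside the per-environment workspaces.

variable "environment" {
  description = "Workspace environment: dev, test or prod"
  type        = string
}

# Policy scoped to this environment's kv path, as in the issue.
# kv v1 path layout and the capability list are placeholders.
resource "vault_policy" "kv_env" {
  name   = "my-group-${var.environment}"
  policy = <<-EOT
    path "kv/my-group/${var.environment}/*" {
      capabilities = ["read", "list"]
    }
  EOT
}

# Look up the pre-existing group instead of declaring it, so this workspace
# never owns (and never rewrites) the group's full policy list.
data "vault_identity_group" "my_group" {
  group_name = "my-group"
}

# exclusive = false appends this workspace's policy to whatever is already
# attached; the dev, test and prod workspaces can each add theirs without
# clobbering the others. With exclusive = true this resource would behave like
# the ldap_auth_backend_group policies field and replace the whole set.
resource "vault_identity_group_policies" "env" {
  group_id  = data.vault_identity_group.my_group.group_id
  exclusive = false
  policies  = [vault_policy.kv_env.name]
}
```

A `terraform plan` in the `test` workspace should then show only the `my-group-test` policy being added, with the `dev` attachment left untouched.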
Terraform Version
v0.12.26
Affected Resource(s)
vault_ldap_auth_backend_group
Terraform Configuration Files
Expected Behavior
So, I think this is an enhancement request.

I have a situation where I am running some code to set up an environment in Vault (e.g. workspace can equal `dev`, `test` or `prod`). When I run against `dev`, things work great: I associate an LDAP group, e.g. `my-group`, with a certain policy, to a kv instance, e.g. `kv/my-group/dev`. At some point later, I run against `test`, and my code replaces the existing policy on the group with one aligned to a different kv instance, e.g. `kv/my-group/test`.

What I really want to happen is to add the policy to the existing list of policies on the group, but I can't see a way to accomplish that. Perhaps some `data` resource that I could use to look up the existing policies for a group and then add the current one to the existing list?

One workaround that I can think of is to always have a different LDAP group for each environment (e.g. `my-group-dev`, `my-group-test`, `my-group-prod`, etc.) and then I will never be working with an existing group with potentially existing policies, but wondering if either:

Best, Tony.