hashicorp / terraform-provider-vault

Terraform Vault provider
https://www.terraform.io/docs/providers/vault/
Mozilla Public License 2.0

add policies to an existing ldap group? #790

Open tony-kerz opened 4 years ago

tony-kerz commented 4 years ago

Terraform Version

v0.12.26

Affected Resource(s)

vault_ldap_auth_backend_group

Terraform Configuration Files

resource "vault_ldap_auth_backend_group" "write" {
  groupname = var.tenant
  policies  = [vault_policy.write.name]
  backend   = data.vault_auth_backend.ldap.path
}

Expected Behavior

so, i think this is an enhancement request.

i have a situation where i am running some code to setup an environment in vault (e.g. workspace can equal dev, test or prod)

when i run against dev, things work great, i associate an ldap group, e.g. my-group with certain policy, to a kv instance, e.g. kv/my-group/dev.

at some point later, i run against test, and my code replaces the existing policy on the group with one aligned to a diff kv instance, e.g. kv/my-group/test.

what i really want to happen is to add the policy to the existing list of policies on the group, but i can't see a way to accomplish that. perhaps some data resource that i could use to lookup the existing policies for a group and then add the current one to the existing list?

one workaround that i can think of is to always have a different ldap group for each environment (e.g. my-group-dev, my-group-test, my-group-prod, etc) and then i will never be working with an existing group with potentially existing policies, but wondering if either:

  1. there is already some way to accomplish this that isn't obvious to me, or
  2. this is a reasonable enhancement request

best, tony.

ssttgg commented 4 years ago

For what it's worth I have a similar requirement, did you manage to find a workaround?

I can't see an easy one. Ultimately an LDAP group and the associated policies are modeled as one entity by the Vault API, as opposed to a list of {groupname, policy} tuples, so the Vault provider is limited in what it can do. The usual rules on Terraform composition and shared resources now apply, i.e. you need to manage the group policies outside of the environment workspaces.

tony-kerz commented 4 years ago

i'm currently just using different ldap groups for different environments. it works, but it isn't exactly the way i wanted it to 🤷

leptitchriss commented 2 years ago

We are looking for this functionality as well.

Given the implementation, it may be tricky to implement this, perhaps additional resources that mimic a policy attachment as we see in many AWS provider resources.

In our use-case, our team wants to use Terraform to manage resources within our Vault instances/namespaces (provided by an external, dedicated team). As part of the onboarding process, these come pre-configured with LDAP/OIDC auths and some default policies (allowing administrative permissions within the scope of the namespace). As we create new secret engines and policies for the various services we manage, we'd like to be able to append the policies we manage ourselves to these pre-existing groups/roles (automatically with Terraform, instead of doing it by hand whenever something changes).

diogoserrano commented 2 years ago

Hi everyone, I bumped into this situation and found that this provider has this resource: https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_policies

This allows you to define a group with external policies and to declare an external policy in Terraform, which will add a policy instead of overwriting the current group policies.
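An added example (not from the issue or the provider docs) of the pattern suggested above: the LDAP group is mapped to an external identity group whose policies are attached with `vault_identity_group_policies` and `exclusive = false`, so each environment workspace appends its own policy instead of replacing the list. The mount path `ldap`, group name `my-group`, policy names and the `kv/my-group/<env>` path shape are assumptions taken from the thread; in practice the group and alias belong in a shared root configuration and only the policy attachment lives in each workspace.

```hcl
# Shared part: apply once, outside the per-environment workspaces.
data "vault_auth_backend" "ldap" {
  path = "ldap" # assumed mount path
}

# external_policies = true tells the group resource NOT to manage the
# policy list itself; vault_identity_group_policies owns it instead.
resource "vault_identity_group" "my_group" {
  name              = "my-group" # assumed group name
  type              = "external"
  external_policies = true
}

# Alias ties logins from the LDAP group "my-group" to this identity group.
resource "vault_identity_group_alias" "my_group_ldap" {
  name           = "my-group"
  mount_accessor = data.vault_auth_backend.ldap.accessor
  canonical_id   = vault_identity_group.my_group.id
}

# Per-environment part: one workspace per value of var.workspace.
variable "workspace" {
  type        = string
  description = "Environment name, e.g. dev, test or prod"
}

# Least-privilege policy scoped to this environment's kv path only.
resource "vault_policy" "write" {
  name   = "my-group-${var.workspace}-write"
  policy = <<-EOT
    path "kv/my-group/${var.workspace}/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
  EOT
}

# exclusive = false appends this policy to whatever the group already has,
# so dev, test and prod workspaces coexist without clobbering each other.
# (exclusive = true, the default, would reproduce the overwrite problem.)
resource "vault_identity_group_policies" "write" {
  group_id  = vault_identity_group.my_group.id
  policies  = [vault_policy.write.name]
  exclusive = false
}
```

Removing a workspace's attachment (terraform destroy) then detaches only that environment's policy, which is the behaviour the original `vault_ldap_auth_backend_group` resource cannot offer.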