Terraform - enabling OIDC in a HashiCorp Vault namespace

Published 2025-01-31 12:12:25, 822 words, 4 views, 0 comments

I am able to provision an OIDC auth method on a HashiCorp Vault root namespace, using the below Terraform resource block.

resource "vault_jwt_auth_backend" "oidc" {
    description             = "Azure Authentication with OIDC"
    oidc_discovery_url      = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"
    path                    = "oidc"
    type                    = "oidc"
    oidc_client_id          = var.client_id
    oidc_client_secret      = var.client_secret
    default_role            = "reader"
    provider_config = {
        provider                 = "azure"
        fetch_groups             = true
        fetch_user_info          = true
        groups_recurse_max_depth = 1
    }
}

Problem is, the OIDC auth method in this instance gets enabled on the Root namespace. What I would however like to do is enable it on a child namespace, which is possible when using the Vault CLI as depicted below.

vault auth enable -namespace=education/training oidc

Is it possible to do something similar in Terraform?

陌伤浅笑 2025-02-07 12:12:25

I was able to create that by first terraform importing/creating the namespace with:

resource "vault_namespace" "child_namespace" {
    path = "child_namespace"
}

Take into account that in the case of the previous example my root namespace was declared in my provider.tf file (or environment variable).

I later called the path of the newly created child namespace in the resource block for the auth method:

(Using your same example)

resource "vault_jwt_auth_backend" "oidc" {
    description             = "Azure Authentication with OIDC"
    oidc_discovery_url      = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"
    path                    = "oidc"
    type                    = "oidc"
    oidc_client_id          = var.client_id
    oidc_client_secret      = var.client_secret
    namespace               = vault_namespace.child_namespace.path
    default_role            = "reader"
    provider_config = {
        provider                 = "azure"
        fetch_groups             = true
        fetch_user_info          = true
        groups_recurse_max_depth = 1
    }
}

For more information check: Codify Management of Vault Enterprise Using Terraform
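Extending the answer above to the nested `education/training` namespace from the question's CLI example, together with the `reader` role that `default_role` refers to (an added example, not code from the question or the answer; the `var.*` inputs, the Vault hostname in the redirect URI and the `reader` policy name are assumptions):

```hcl
# Added example: nested namespace, OIDC auth method inside it, and the role
# named by default_role. Variables, hostname and policy name are assumed.

resource "vault_namespace" "education" {
  path = "education"
}

resource "vault_namespace" "training" {
  namespace = vault_namespace.education.path # parent, so this becomes education/training
  path      = "training"
}

locals {
  training_ns = "${vault_namespace.education.path}/${vault_namespace.training.path}"
}

resource "vault_jwt_auth_backend" "oidc" {
  namespace          = local.training_ns # same effect as: vault auth enable -namespace=education/training oidc
  path               = "oidc"
  type               = "oidc"
  description        = "Azure Authentication with OIDC"
  oidc_discovery_url = "https://login.microsoftonline.com/${var.tenant_id}/v2.0"
  oidc_client_id     = var.client_id
  oidc_client_secret = var.client_secret
  default_role       = "reader"
  provider_config = {
    provider                 = "azure"
    fetch_groups             = true
    fetch_user_info          = true
    groups_recurse_max_depth = 1
  }
}

# default_role only names a role; it has to exist in the same namespace or logins fail.
resource "vault_jwt_auth_backend_role" "reader" {
  namespace             = local.training_ns
  backend               = vault_jwt_auth_backend.oidc.path
  role_name             = "reader"
  role_type             = "oidc"
  bound_audiences       = [var.client_id] # accept only tokens issued for this app registration
  user_claim            = "email"
  groups_claim          = "groups"
  oidc_scopes           = ["https://graph.microsoft.com/.default"] # needed for group fetching on Azure
  allowed_redirect_uris = ["https://vault.example.com:8200/ui/vault/auth/oidc/oidc/callback"] # assumed host
  token_policies        = ["reader"] # assumed read-only policy; keep the default role least-privileged
  token_ttl             = 3600
}
```

Because the role and the auth method both carry `namespace`, a `terraform plan` run against the root namespace will still place them under `education/training` rather than beside the root-level OIDC mount.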
