{"id":18598,"date":"2020-06-09T07:54:38","date_gmt":"2020-06-09T05:54:38","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=18598"},"modified":"2022-12-02T09:04:22","modified_gmt":"2022-12-02T08:04:22","slug":"terraforming-hashicorp-vault","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/terraforming-hashicorp-vault\/","title":{"rendered":"Using HashiCorp Vault with Terraform"},"content":{"rendered":"<p>In this post we will show you how we manage our HashiCorp Vault in a complex environment with many secrets, policies and Public Key Infrastructures (PKIs) using Terraform. Come join us on the journey from barely maintainable bash scripts to Terraform and learn from our experience.<\/p>\n<p>If you are mainly interested in the code, you can jump directly to the <a href=\"https:\/\/github.com\/inovex\/terraforming-vault\">demo on GitHub<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Motivation\"><\/span>Motivation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In a recent project we used <a href=\"https:\/\/www.vaultproject.io\/\">HashiCorp Vault<\/a> as the central secret store for our cluster. This included:<\/p>\n<ul>\n<li>Creating PKIs for our bare-metal Kubernetes clusters.<\/li>\n<li>Storing secrets such as wildcard certificates and keys for our ingress.<\/li>\n<li>Storing credentials required for interacting with various systems in our deployment.<\/li>\n<li>Creating the roles, policies and app roles that allow our systems to interact with HashiCorp Vault.<\/li>\n<\/ul>\n<p>Our initial way of filling Vault with these was a set of bash scripts that also read various input files for the many kinds of secrets and policies we required. The bash scripts and the config files were both numerous and contained loads of duplicated code.<\/p>\n<p>Those bash scripts only created the Vault mounts and policies, though; actual credentials had to be added manually from our <a href=\"https:\/\/github.com\/gopasspw\/gopass\">gopass<\/a> team password store after running the scripts.
With a growing number of clusters and managed credentials this quickly became incomprehensible and unmaintainable, and it often left remnants behind when renaming secrets, as our tooling didn\u2019t really handle that.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The-Idea\"><\/span>The Idea<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We quickly settled on Terraform as the solution, based on three assumptions:<\/p>\n<ol>\n<li>Terraform code should be more readable than the bash scripts with the various input files we had.<\/li>\n<li>Terraform\u2019s state handling and declarative nature should eliminate the problem of duplicated, unused secrets after refactoring.<\/li>\n<li>Both tools are from HashiCorp, so we hoped that they would play well together.<\/li>\n<\/ol>\n<p>We validated these assumptions with a quick and dirty Proof of Concept (PoC) and found that the Terraform code is definitely more readable than our previous construct and that the provider works well, handling said renamings gracefully.<\/p>\n<p>We also <a href=\"https:\/\/github.com\/TerryHowe\/ansible-modules-hashivault\">tried Ansible<\/a> in another PoC, as it was already used in the installation of our Vault instances. While it would have been an improvement over our old setup, we found Ansible to be less of a natural fit, as the procedural nature of the hashivault module forced us to encapsulate the logic of renaming and removing configs ourselves.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Implementation\"><\/span>Implementation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now that we were happy with our concept of <em>terraforming Vault<\/em>, it was time to implement our whole setup this way.
We created one module for the cluster-specific values, which mainly consist of the PKIs and the associated roles and policies, and one for the tenant-specific values, which were mostly certificates in our case. Global app roles and policies were added in the main portion of our code.<\/p>\n<p>This means that adding a new cluster in our setup only requires adding the corresponding values to the Terraform variables. For the tenant-specific values we also used <a href=\"https:\/\/github.com\/camptocamp\/terraform-provider-pass\">Terraform Provider Pass<\/a>, which allowed us to copy the certificates and keys that already exist in our password store to our Vault in the same process. As with the cluster portion, we only need to add the name of the team to our Terraform variables and everything required is created by our Terraform code.<\/p>\n<p>A minimal version of this concept is implemented in <a href=\"https:\/\/github.com\/inovex\/terraforming-vault\">our demo<\/a>. The demo showcases the PKI part of our implementation in a reduced way. It mainly consists of a Terraform module for creating said PKIs, one for each Certificate Authority (CA) as listed in the <a href=\"https:\/\/kubernetes.io\/docs\/setup\/best-practices\/certificates\/#configure-certificates-manually\">Kubernetes certificate best practices<\/a>. For each PKI the CA is created alongside a role for Kubernetes master nodes that enables them to issue the certificates they require. This role is then bound to one Vault app role using a policy. The AppRole can be used to log in to Vault and generate a certificate. The demo shows this process for a single certificate. To actually use this module there would also need to be a role for worker nodes and tooling for the nodes to issue these certificates automatically.<\/p>\n<p>One final thing that has to be solved is the storage of the Terraform state.
As stated in the <a href=\"https:\/\/www.terraform.io\/docs\/providers\/vault\/index.html\">Terraform Vault provider<\/a> documentation, the <em>tfstate<\/em> files created by <span class=\"lang:default decode:true crayon-inline \">terraform apply<\/span> <strong>contain secrets<\/strong> that are <strong>written to<\/strong> or <strong>read from Vault<\/strong>. Ideally we would want to automatically apply our latest configs from within a pipeline, but to avoid leaking our secrets we need to handle state in one of the following ways:<\/p>\n<ol>\n<li><strong>Throw away the state:<\/strong> This would work when only bootstrapping policies and secrets from our gopass, but would cause our Kubernetes PKIs to create a new CA on every Terraform run. It would also mean that renamings would, again, cause the old secrets to be left in place.<\/li>\n<li><strong>Keep the state on the runner:<\/strong> When using your own CI runners, you can dedicate one solely to running this Terraform apply job. This runner would store the state file locally and could be specially secured to prevent abuse. However, losing the runner would mean losing the state.<\/li>\n<li><strong>Store the state externally:<\/strong> By using a <a href=\"https:\/\/www.terraform.io\/docs\/backends\/types\/index.html\">remote backend<\/a> such as S3, you can store the Terraform state outside the runner. You then only have to secure your remote storage. This has the additional advantage that you can use the same backend configuration to also run Terraform locally.<\/li>\n<\/ol>\n<p>We definitely recommend option 3 where possible, but if the other two work for you they should also be fine.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Closing-Words\"><\/span>Closing Words<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We found Terraform to be a good tool for our needs; it helped us improve the structure of our Vault layout code immensely.
What experience do you have with filling your Vault with life? What tools did you use? We are interested in your experience and invite you to try our method using terraform.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this post we will show you how we manage our HashiCorp Vault in a complex environment with many secrets, policies and Private Key Infrastructures (PKIs) using Terraform. Come join us on the journey from barely maintainable bash scripts to terraform and learn from our experience.<\/p>\n","protected":false},"author":93,"featured_media":18979,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[],"service":[423],"coauthors":[{"id":93,"display_name":"Maximilian Bischoff","user_nicename":"mbischoff"}],"class_list":["post-18598","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","service-kubernetes"],"acf":[]}