abuxton · February 27, 2023 11:00 · abuxton · Feb 27, 2023
diff --git a/terarform_vault_sample.tf b/terarform_vault_sample.tf
 # Create kv-policy with variable for Identity Group ID

 data "vault_policy_document" "group" {
  rule {
    path         = "group-kv/data/training/{{identity.groups.ids.${vault_identity_group.group.id}.name}}/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "allow all on secrets"
  }

  rule {
    path         = "group-kv/metadata/*"
    capabilities = ["list"]
    description  = "allow listing metadata"
  }

 }

 resource "vault_policy" "group-policy" {
  name   = "group-policy"
  policy = data.vault_policy_document.group.hcl
 }

 resource "vault_identity_group" "group" {
  name = "itzbund"
  #policies = [vault_policy.group-policy.name]
  policies = ["group-policy"]
  member_entity_ids = [
    # vault_identity_entity.u1_entity.id,
    # vault_identity_entity.u2_entity.id
  ]
  metadata = {
    region = "berlin"
  }
 }
	# Create kv-policy with variable for Identity Group ID

	data "vault_policy_document" "group" {
	rule {
	path = "group-kv/data/training/{{identity.groups.ids.${vault_identity_group.group.id}.name}}/*"
	capabilities = ["create", "read", "update", "delete", "list"]
	description = "allow all on secrets"
	}

	rule {
	path = "group-kv/metadata/*"
	capabilities = ["list"]
	description = "allow listing metadata"
	}

	}

	resource "vault_policy" "group-policy" {
	name = "group-policy"
	policy = data.vault_policy_document.group.hcl
	}

	resource "vault_identity_group" "group" {
	name = "itzbund"
	#policies = [vault_policy.group-policy.name]
	policies = ["group-policy"]
	member_entity_ids = [
	# vault_identity_entity.u1_entity.id,
	# vault_identity_entity.u2_entity.id
	]
	metadata = {
	region = "berlin"
	}
	}