Vault application namespace example
locals {
  # Child group IDs nested under the internal identity group; empty by default.
  member_group_ids = []

  # Application namespace name; reused as the path prefix for the mount,
  # the policy rule and the identity group below.
  app_ns = "app1"
}
# Creates the application namespace. No provider alias or namespace argument is
# set, so it is created relative to whatever namespace the default vault
# provider is configured for (the parent of the application namespace).
resource "vault_namespace" "default" {
path = local.app_ns
}
# Aliased provider scoped to the application namespace. Resources that cannot
# take a namespace argument directly select it with `provider = vault.app_ns`.
provider "vault" {
  namespace = local.app_ns
  alias     = "app_ns"
}
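# KV v2 secrets engine mounted inside the application namespace.
resource "vault_mount" "kvv2" {
  path        = "secret"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"

  # Reference the namespace resource rather than the bare local: the value is
  # the same string, but the reference gives Terraform an explicit dependency
  # so the mount is created only after the namespace exists.
  namespace = vault_namespace.default.path
}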
# Engine-level configuration for the KV v2 mount.
resource "vault_kv_secret_backend_v2" "config" {
  # This resource does not support the namespace argument yet (provider
  # v3.7.0), so it is pinned to the application namespace via the aliased
  # provider instead.
  provider = vault.app_ns

  max_versions = 5
  mount        = vault_mount.kvv2.path
}
data "vault_policy_document" "app1_secrets" {
  rule {
    # The path is prefixed with the child namespace because the policy itself
    # (vault_policy below) is written through the un-aliased provider, i.e. in
    # the parent namespace. The trailing glob spans every KV v2 API prefix
    # under the mount (data/, metadata/, delete/, undelete/, destroy/), which
    # is what "allow all" means here; note that "delete" on metadata/ removes
    # all versions of a secret, so split the rule if that should be narrower.
    path         = "${local.app_ns}/secret/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "allow all on secrets"
  }
}
# Policy object written through the default (un-aliased) provider, so it lives
# in the parent of the application namespace; its rule paths carry the
# namespace prefix for that reason.
resource "vault_policy" "app1_secrets" {
  policy = data.vault_policy_document.app1_secrets.hcl
  name   = "example_policy"
}
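# Internal identity group that carries the secrets policy. Like vault_policy it
# is created through the default provider, i.e. in the parent namespace.
resource "vault_identity_group" "internal" {
  name = local.app_ns
  type = "internal"

  # external_member_entity_ids = false: Terraform owns the entity membership
  # list. None are declared here, so entity memberships added outside
  # Terraform are presumably reverted on the next apply — confirm against the
  # provider docs before relying on it.
  external_member_entity_ids = false
  member_group_ids           = local.member_group_ids

  # `policies` is a list in the provider schema; the original passed a bare
  # string, which Terraform does not convert to a list of strings.
  policies = [vault_policy.app1_secrets.name]
}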
# Provider constraint. The lower bound matches the v3.7.0 behaviour referred to
# in the vault_kv_secret_backend_v2 comment above; the upper bound keeps the
# configuration off the 4.x line until it has been checked against it.
terraform {
required_providers {
vault = {
source = "hashicorp/vault"
version = ">= 3.7.0, < 4.0.0"
}
}
}