Terraform code to enable Vault EGP policy and TOTP MFA

main.tf

terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "3.11.0"
    }
  }
}

provider "vault" {
  address = "http://localhost:18201"
}

locals {
  rep_path = abspath("${path.module}/..")
  mfa_payload = {
    method_id = vault_identity_mfa_totp.totp_mfa.method_id
    entity_id = data.vault_identity_entity.entity.id
  }
}

data "local_file" "sentinel-policy" {
  filename = "${local.rep_path}/sentinel/userpass-password-check.sentinel"
}

data "vault_auth_backend" "userpass" {
  path = "userpass"
}

data "vault_identity_entity" "entity" {
  alias_name           = "tester"
  alias_mount_accessor = data.vault_auth_backend.userpass.accessor
}

resource "vault_egp_policy" "userpass-password-check" {
  name              = "userpass-password-check"
  paths             = ["/auth/userpass/users/*"]
  enforcement_level = "hard-mandatory"
  policy            = data.local_file.sentinel-policy.content
}

resource "vault_identity_mfa_totp" "totp_mfa" {
  issuer    = "Vault"
  algorithm = "SHA256"
  digits    = 6
  key_size  = 30
  period    = 30
}

resource "vault_identity_mfa_login_enforcement" "mfa-enforcement" {
  name = "userpass"
  auth_method_accessors = [
    data.vault_auth_backend.userpass.accessor
  ]
  mfa_method_ids = [
    vault_identity_mfa_totp.totp_mfa.method_id
  ]
}

resource "vault_generic_endpoint" "admin-generate" {
  depends_on     = [vault_identity_mfa_totp.totp_mfa]
  path           = "identity/mfa/method/totp/admin-generate"
  disable_read   = true
  disable_delete = true
  write_fields = ["url"]
  data_json      = jsonencode(local.mfa_payload)
}

output "otpauth_url" {
  value = vault_generic_endpoint.admin-generate.write_data_json
}