Better Vault Policies With Terraform Locals
May 6, 2018
Terraform
Vault
Instead of hand-crafting Vault policies in Terraform as heredoc strings, you can write them as HCL maps in locals and encode them to JSON with jsonencode, like so.
Before:
resource "vault_policy" "app_secrets_read" {
  name   = "app_read"
  policy = <<EOT
path "secret/my_app" {
  policy = "read"
}
EOT
}
After:
locals {
  app_read_policy = {
    path = {
      "secret/my_app" = {
        policy = "read"
      }
    }
  }
}
resource "vault_policy" "app_secrets_read" {
  name   = "app_read"
  policy = "${jsonencode(local.app_read_policy)}"
}
A local holds an expression rather than nested blocks, so the path becomes a map key instead of a path "..." block; jsonencode renders this as {"path":{"secret/my_app":{"policy":"read"}}}, which Vault accepts as a JSON policy.
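The same approach scales to several policies and several paths each. The following is an added example, not code from the original post; it assumes Terraform 0.12+ syntax (no "${}" interpolation, for_each on resources), a KV version 2 mount at secret/, and the current capabilities list form instead of the legacy policy = "read" attribute. The policy names and paths are made up for illustration.

```hcl
# Added example: one map of Vault policies, each rendered with jsonencode.
# Paths are map keys because a local is an expression, not a block body.
locals {
  vault_policies = {
    # Read-only access to the app's secrets (KV v2 stores data under
    # secret/data/... and listing goes through secret/metadata/...).
    app_read = {
      path = {
        "secret/data/my_app/*"     = { capabilities = ["read"] }
        "secret/metadata/my_app/*" = { capabilities = ["list"] }
      }
    }
    # Deploy role may write dev secrets, but an explicit deny on prod wins
    # over the wildcard grant regardless of other policies attached.
    app_deploy = {
      path = {
        "secret/data/my_app/*"      = { capabilities = ["create", "update", "read"] }
        "secret/data/my_app/prod/*" = { capabilities = ["deny"] }
      }
    }
  }
}

# One vault_policy resource per map entry; the key is the policy name.
resource "vault_policy" "this" {
  for_each = local.vault_policies

  name   = each.key
  policy = jsonencode(each.value)
}
```

Before applying, run terraform console and evaluate jsonencode(local.vault_policies.app_deploy) to inspect the JSON Vault will receive.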