Better Vault Policies With Terraform Locals

May 6, 2018
Terraform Vault

Instead of hand-crafting Vault policies in Terraform as HEREDOC strings, you can describe each policy as an HCL map in a locals block and turn it into the JSON policy document Vault accepts with jsonencode(), like so.

Before:

resource "vault_policy" "app_secrets_read" {
  name = "app_read"

  policy = <<EOT
    path "secret/my_app" {
      policy = "read"
    }
  EOT
}

After:

locals {
  # The policy as a nested map rather than a string. jsonencode() renders
  # this as {"path":{"secret/my_app":{"policy":"read"}}}, which is the
  # JSON form of the HEREDOC policy above.
  app_read_policy = {
    path = {
      "secret/my_app" = {
        policy = "read"
      }
    }
  }
}

resource "vault_policy" "app_secrets_read" {
  name = "app_read"

  policy = "${jsonencode(local.app_read_policy)}"
}
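Because the policy now exists as structured data rather than an opaque string, it can be checked before it is applied. The script below is an added example, not code from the post: it reproduces what jsonencode() emits for the local above (compact JSON with sorted keys, matching Go's encoding/json, so the output can be compared against a plan) and then lints the resulting document for grants wider than a narrow read, i.e. wildcard paths, sudo, and create/update/delete capabilities. The sample policies are constructed here; the mapping of the legacy policy keyword to capability lists is taken from Vault's legacy policy documentation and is an assumption to confirm against the Vault version in use.

```python
import json
import re

# Constructed sample: the policy from the post, written as plain data the way
# the Terraform local holds it.
APP_READ_POLICY = {
    "path": {
        "secret/my_app": {"policy": "read"},
    }
}

# Constructed sample: a deliberately over-broad policy so the lint has
# something to flag (wildcard path, write capabilities and sudo).
OVERBROAD_POLICY = {
    "path": {
        "secret/*": {"capabilities": ["create", "read", "update", "delete", "sudo"]},
    }
}

# Legacy `policy = "..."` keyword -> capability list. Assumption: this follows
# Vault's documented legacy mapping; confirm against the Vault version in use.
LEGACY_POLICY_CAPS = {
    "read": ["read", "list"],
    "write": ["create", "read", "update", "delete", "list"],
    "sudo": ["create", "read", "update", "delete", "list", "sudo"],
    "deny": ["deny"],
}


def encode_policy(policy):
    """Serialise the policy map to the JSON document Vault receives.

    Terraform's jsonencode() emits compact JSON with keys in sorted order
    (Go's encoding/json); the same options in Python reproduce that output,
    so a locally generated document can be diffed against plan output.
    """
    return json.dumps(policy, separators=(",", ":"), sort_keys=True)


def capabilities_for(rule):
    """Return the effective capability list for one path rule, expanding the
    legacy `policy` keyword when that is what the rule uses."""
    if "capabilities" in rule:
        return list(rule["capabilities"])
    return LEGACY_POLICY_CAPS.get(rule.get("policy", ""), [])


def lint_policy(policy_json):
    """Flag rules that go beyond a narrow read grant: wildcard paths, sudo,
    and mutating capabilities. Returns a list of (path, finding) tuples;
    an empty list means nothing was flagged."""
    policy = json.loads(policy_json)
    findings = []
    for path, rule in policy.get("path", {}).items():
        caps = set(capabilities_for(rule))
        if re.search(r"[*+]", path):
            findings.append((path, "wildcard path"))
        if "sudo" in caps:
            findings.append((path, "sudo capability"))
        mutating = caps & {"create", "update", "delete"}
        if mutating:
            findings.append((path, "write capabilities: " + ",".join(sorted(mutating))))
    return findings


if __name__ == "__main__":
    for name, pol in (("app_read", APP_READ_POLICY), ("overbroad", OVERBROAD_POLICY)):
        doc = encode_policy(pol)
        print(name, doc)
        for path, finding in lint_policy(doc):
            print("  ", path, "->", finding)
```

Running the script prints the encoded JSON for both policies; app_read produces no findings, while the over-broad policy is flagged three times on secret/*. The same lint can be pointed at the JSON Terraform shows in a plan, which is a cheap way to keep a reviewer from approving a policy that quietly grew a wildcard or a sudo grant.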