IaC Bazaar

Vault Policies & Auth

Vault policies, auth backends, and secret engine configuration as code.

Tags: terraform · Security & Secrets · multi


vault-policies · terraform v1.7

Verification

Plan-validated

Passed: module logic verified on a mocked plan — inputs, validation rules, conditional creation and outputs resolve (no real provider, no cloud).

Conformance

  • Static validation (fmt · validate · tflint)
  • No applicable security policies for this provider
  • Plan tests (mocked: validation rules · outputs)

Provenance

  • SHA-256 checksum
  • Signature (pending)

Functional

  • Live test pending (no cloud run yet)

Last verified 2026-06-28

Documentation

vault-policies

Status: static-validated, live-test pending. Ships under live-test quarantine — Vault provisioning is verified with fmt, validate, and tflint, but the apply → verify → destroy lane against a real Vault is not yet wired up (a local dev-mode Vault container is the planned live-test lane).

Vault policies, auth methods, and secret engines as code in one composable module. Works with Terraform and OpenTofu (>= 1.6), hashicorp/vault provider >= 5.0, < 6.0. Three maps — policies, auth_backends, secret_engines — describe a Vault tenant's Day-1 access surface, and a single module call brings it up against an already-running Vault (self-hosted or HCP Vault Dedicated).

Secure defaults

  • Deny-by-default by construction. Vault grants nothing unless a policy names a path (the only standing grants are the default policy every token carries and the unrestricted root policy, and this module writes neither), so least privilege is the natural posture. The example policies scope each consumer to exactly one path prefix; keep it that way rather than widening a prefix so two consumers can share it.
  • Auth methods stay unlisted. tune.listing_visibility defaults to hidden, so enabled methods are not advertised on the unauthenticated sys/internal/ui/mounts endpoint that the UI and CLI use for preflight, unless you explicitly opt into unauth. This is discoverability, not access control: a hidden method still accepts login requests at auth/<path>/login, so it does not replace a policy or a network boundary.
  • No secrets in code. The module configures Vault structure only (policies, mounts, tunes); it never writes secret material, so neither the code nor the Terraform state carries a secret. Provider auth (VAULT_ADDR/VAULT_TOKEN, plus VAULT_NAMESPACE where used) is supplied by the environment, never hardcoded.
  • Per-mount hardening available. seal_wrap, lease ceilings (default_lease_ttl_seconds / max_lease_ttl_seconds) and the audit_non_hmac_request_keys / audit_non_hmac_response_keys lists are exposed per secret engine for engines that store especially sensitive material. Keys named in the non-HMAC lists are written to the audit log in plaintext, so list only keys that carry metadata, never the data key of a KV read response.
  • Reserved names rejected. Policy names are validated against ^[a-zA-Z0-9_./-]+$ and the reserved root and default policies are refused. Vault normalizes policy names to lowercase, so the reserved-name check is applied case-insensitively (Root and DEFAULT are refused as well).
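The defaults above, written out directly against hashicorp/vault provider resources so they can be read without the licence. This is an added illustration, not the vault-policies module's own code (its inputs and outputs ship with the licence): the variable name policies matches the module's input, but its schema here is assumed, and the policy name app-reader, the approle and secret mount paths, and the lease values are example choices.

```hcl
# Added illustration, not the vault-policies module: the same secure
# defaults expressed with plain hashicorp/vault provider resources.
# Names (app-reader, approle, secret) and TTLs are assumed values.

terraform {
  required_version = ">= 1.6"
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = ">= 5.0, < 6.0"
    }
  }
}

# No address or token here: the provider reads VAULT_ADDR / VAULT_TOKEN
# (and VAULT_NAMESPACE) from the environment at plan/apply time.
provider "vault" {}

# Reserved-name and character-set check, as a variable validation.
variable "policies" {
  description = "Policy name => ACL policy document (HCL)"
  type        = map(string)
  default = {
    "app-reader" = <<-EOT
      # Least privilege: one consumer, one path prefix, read only.
      path "secret/data/app/*" {
        capabilities = ["read"]
      }
    EOT
  }
  validation {
    condition = alltrue([
      for name in keys(var.policies) :
      can(regex("^[a-zA-Z0-9_./-]+$", name)) &&
      !contains(["root", "default"], lower(name))
    ])
    error_message = "Policy names must match ^[a-zA-Z0-9_./-]+$ and may not be root or default (Vault lowercases policy names, so the check is case-insensitive)."
  }
}

resource "vault_policy" "this" {
  for_each = var.policies
  name     = each.key
  policy   = each.value
}

# Auth method kept off the unauthenticated mount listing. "hidden" only
# affects sys/internal/ui/mounts; logins at auth/approle/login still work.
resource "vault_auth_backend" "approle" {
  type = "approle"
  path = "approle"
  tune {
    listing_visibility = "hidden"
    default_lease_ttl  = "1h"
    max_lease_ttl      = "24h"
  }
}

# KV v2 mount with the per-mount hardening knobs set.
resource "vault_mount" "secret" {
  path    = "secret"
  type    = "kv"
  options = { version = "2" }

  seal_wrap                 = true  # entries additionally wrapped by the seal
  default_lease_ttl_seconds = 3600
  max_lease_ttl_seconds     = 86400

  # Only request keys that carry no secret material may be left un-HMAC'd
  # in the audit log: "options" holds the KV v2 cas counter, nothing else.
  # Read responses put the secret under "data", so keep every response key
  # HMAC'd.
  audit_non_hmac_request_keys  = ["options"]
  audit_non_hmac_response_keys = []
}

output "policy_names" {
  value = sort([for p in vault_policy.this : p.name])
}
```

A terraform validate or a mocked plan already exercises the validation block: adding "Root" or "bad name!" to the policies map fails before any provider call, which is the same class of check the catalog's plan tests cover.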

Requirements

  • Terraform or OpenTofu >= 1.6
  • hashicorp/vault >= 5.0, < 6.0
  • A reachable, unsealed Vault and a token with privileges to manage sys/policies/acl, sys/auth, and sys/mounts. Unless the provider is configured with skip_child_token = true, it also mints a short-lived child token for each run, which needs update on auth/token/create.
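What a least-privilege policy for the token Terraform runs with looks like, as an added example (not shipped with the module): it covers exactly the three system paths listed above plus the child-token call the provider makes by default. Enabling or disabling an auth method requires the sudo capability on sys/auth/<path>; policy and mount management do not. The policy name iac-vault-admin is an assumed value.

```hcl
# Added example: minimal ACL policy for the Vault token Terraform uses.
# Write it with `vault policy write iac-vault-admin <file>` and issue a
# short-lived token with `vault token create -policy=iac-vault-admin`.
# The name iac-vault-admin is assumed.

# ACL policy CRUD (sys/policies/acl). No sudo required.
path "sys/policies/acl/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "sys/policies/acl" {
  capabilities = ["list"]
}

# Auth methods (sys/auth). Enable/disable of a method needs sudo;
# tune (listing_visibility, lease ceilings) does not, but lives under
# the same prefix.
path "sys/auth/*" {
  capabilities = ["create", "read", "update", "delete", "sudo"]
}
path "sys/auth" {
  capabilities = ["read"]
}

# Secret engines (sys/mounts): mount, tune, unmount.
path "sys/mounts/*" {
  capabilities = ["create", "read", "update", "delete"]
}
path "sys/mounts" {
  capabilities = ["read"]
}

# The provider creates a child token per run unless skip_child_token = true.
path "auth/token/create" {
  capabilities = ["update"]
}

# Deliberately absent: any secret/ or kv data path. The module never reads
# or writes secret material, so the runner's token should not be able to.
```

The last point is the useful one for a review: if a provisioning token can also read secret/data/*, a compromised CI job gets the tenant's secrets along with its structure. Scoping the token to the sys/ paths keeps the blast radius to configuration.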

Verification

Static-validated (fmt, validate, tflint). Live apply/verify/destroy testing against a real Vault is pending the dev-mode Vault live-test lane — see catalog status.

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).

Usage code & full reference unlock after purchase

The complete copy-paste usage, the full input/output reference, and operational notes ship with your licence — shown here and bundled in the download.
