@nicklhw
Last active August 8, 2023 20:17
Terraform code to enable Vault EGP policy and TOTP MFA
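terraform {
  required_providers {
    # Exact pin: provider upgrades happen deliberately, not as a side effect
    # of `terraform init` resolving a newer release.
    vault = {
      source  = "hashicorp/vault"
      version = "3.11.0"
    }

    # Declared explicitly because data.local_file below needs it; without
    # this entry Terraform falls back to an implied, unconstrained
    # hashicorp/local requirement. Add a version constraint here to pin it
    # the same way the vault provider is pinned.
    local = {
      source = "hashicorp/local"
    }
  }
}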
# Local development endpoint reached over plain HTTP: every request, token
# included, travels unencrypted, so this address is only acceptable on
# loopback. No token is configured here; the provider falls back to its
# usual sources (VAULT_TOKEN / the CLI token helper).
provider "vault" {
  address = "http://localhost:18201"
}
locals {
  # Repository root: one level above the directory holding this module.
  rep_path = abspath("${path.module}/..")

  # Request body for identity/mfa/method/totp/admin-generate: which TOTP
  # method to seed and which entity receives the seed. Keys are listed
  # alphabetically; jsonencode sorts them anyway.
  mfa_payload = {
    entity_id = data.vault_identity_entity.entity.id
    method_id = vault_identity_mfa_totp.totp_mfa.method_id
  }
}
# Sentinel source is read from the repository at plan time rather than
# inlined, so the policy text can be reviewed and tested on its own.
data "local_file" "sentinel-policy" {
  filename = "${local.rep_path}/sentinel/userpass-password-check.sentinel"
}
# Looks up the existing userpass mount; only its accessor is used, by the
# entity lookup and by the MFA login enforcement below.
data "vault_auth_backend" "userpass" {
  path = "userpass"
}
# Resolves the identity entity behind the userpass alias "tester" on the
# mount found above; its id is what the TOTP seed gets attached to.
data "vault_identity_entity" "entity" {
  alias_mount_accessor = data.vault_auth_backend.userpass.accessor
  alias_name           = "tester"
}
# Endpoint Governing Policy covering writes to userpass user records.
# hard-mandatory means the Sentinel check cannot be bypassed with a
# policy-override request; a failing check always rejects the write.
resource "vault_egp_policy" "userpass-password-check" {
  name              = "userpass-password-check"
  enforcement_level = "hard-mandatory"
  paths             = ["/auth/userpass/users/*"]
  policy            = data.local_file.sentinel-policy.content
}
# TOTP method definition: shared parameters only. Per-entity seeds are
# minted separately (see vault_generic_endpoint.admin-generate).
resource "vault_identity_mfa_totp" "totp_mfa" {
  issuer = "Vault"

  # NOTE(review): some authenticator apps ignore the algorithm parameter
  # and assume SHA1 — confirm SHA256 works with the app users will enrol.
  algorithm = "SHA256"
  digits    = 6
  period    = 30 # seconds each code is valid
  key_size  = 30 # size of the generated seed
}
# Requires the TOTP method on every login through the userpass mount.
# Scoping by auth-method accessor applies to any login via that method,
# not to a particular entity or group.
resource "vault_identity_mfa_login_enforcement" "mfa-enforcement" {
  name = "userpass"

  auth_method_accessors = [data.vault_auth_backend.userpass.accessor]
  mfa_method_ids        = [vault_identity_mfa_totp.totp_mfa.method_id]
}
# Mints a TOTP seed for the entity by writing to admin-generate. The
# endpoint is not read back or deleted through Terraform (disable_read /
# disable_delete), and only the `url` field of the response is kept.
# That otpauth URL carries the shared secret, and as part of
# write_data_json it is persisted in Terraform state — protect the state
# backend accordingly.
resource "vault_generic_endpoint" "admin-generate" {
  path           = "identity/mfa/method/totp/admin-generate"
  disable_read   = true
  disable_delete = true
  write_fields   = ["url"]

  # Body assembled in locals: method_id + entity_id.
  data_json = jsonencode(local.mfa_payload)

  # local.mfa_payload already references the TOTP method, so this only
  # restates the implicit ordering; kept for readability.
  depends_on = [vault_identity_mfa_totp.totp_mfa]
}
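# The admin-generate response is an otpauth:// URL that embeds the TOTP
# seed. Marking the output sensitive keeps it out of plan/apply output and
# CI logs; it is still stored in state, and can be retrieved on demand with
# `terraform output -raw otpauth_url` for enrolment.
output "otpauth_url" {
  description = "otpauth provisioning URL for the tester entity (contains the TOTP secret)"
  sensitive   = true
  value       = vault_generic_endpoint.admin-generate.write_data_json
}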