Application configuration management strategies for Vault

I’m curious to know how people are managing the configuration of the Vault service itself. I’ve created a shell script which runs the vault CLI commands (since at least most are idempotent); however, this does require me to basically comment out the commands used to create the backends etc. Based on the documentation it seems that using the API is recommended to apply configurations, but honestly it seems a little bit clunky - maybe that’s just me though. I’m curious to know how everyone is applying changes and trying to keep configuration in code so it’s reviewable and repeatable and doesn’t end up an undocumented spaghetti.

Shell scripts and the vault cli … checked into git repo.

Thanks, so literally the vault commands within a shell script and then you just run the shell script and it re-applies all the configurations (keeping policies etc in their own directory structure)? That’s what I’ve done now and it works ok.
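
An added example, not code from any poster in this thread: a shell script of the kind discussed above that checks whether a backend is already mounted before enabling it, so the creation commands do not have to be commented out on re-runs. The `policies/` directory, the mount paths and the function names are hypothetical, and it assumes `VAULT_ADDR` and `VAULT_TOKEN` are already set in the environment.

```shell
#!/bin/sh
# Added example: re-runnable Vault configuration script (not from the thread).
# Assumptions: VAULT_ADDR/VAULT_TOKEN are exported; policies live in
# ./policies/<name>.hcl (hypothetical repo layout).
set -eu

# Succeeds if something is mounted at path $2 for kind $1 ("secrets" or "auth").
mount_exists() {
    # Abort instead of guessing if the listing itself fails (bad token, sealed).
    mounts=$(vault "$1" list -format=json) || {
        echo "cannot list $1 mounts" >&2; exit 1; }
    # JSON output is keyed by mount path with a trailing slash: "kv/": {...}
    printf '%s\n' "$mounts" | grep -qF "\"$2/\":"
}

# Enable a secrets engine of type $2 at path $1 only if the path is free.
ensure_secrets() {
    if mount_exists secrets "$1"; then
        echo "secrets engine at $1/ already enabled, skipping"
    else
        vault secrets enable -path="$1" "$2"
    fi
}

# Enable an auth method of type $2 at path $1 only if the path is free.
ensure_auth() {
    if mount_exists auth "$1"; then
        echo "auth method at $1/ already enabled, skipping"
    else
        vault auth enable -path="$1" "$2"
    fi
}

# 'vault policy write' overwrites in place, so it is safe to re-run as is.
apply_policies() {
    for f in "$1"/*.hcl; do
        [ -e "$f" ] || continue          # directory has no policies
        vault policy write "$(basename "$f" .hcl)" "$f"
    done
}

apply_all() {
    ensure_secrets kv kv-v2
    ensure_auth approle approle
    apply_policies ./policies
}

# Run with: ./configure-vault.sh apply
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

The guard only checks that a path is occupied, not that the engine type or tuning there matches what the script asks for, so a changed type still needs a manual review.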

We use Terraform for this

Same here.

There are a couple things we use scripts for during Vault bootstrap but a majority is Terraform.