Managing Vault configurations at scale


I have a Vault deployment fully automated with Terraform (infra and Vault configs). I’m trying to scale the usage of Vault in my organisation and I’m finding it very challenging. Everything is done in Terraform, so every time I need to whitelist an IAM role or a k8s service account for auth purposes I need to open a PR. This will be unmanageable if we want to scale with hundreds of k8s clusters for example. Things I considered already:

1. A k8s operator to put configs self service as much as possible.

This would alleviate partially, although I have more use cases than k8s. Also, the auth whitelisting can’t be self service for security reasons, so that problem would not be solved.

2. GitOps approach.

Have my configs written in YAML and use a cdktf project to load the YAML config and generate TF code to be deployed. Still exploring this, although I’m not sure cdktf is mature enough for production.

Besides these two approaches, I’m completely out of ideas. Any thoughts?
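The generator sketched in option 2, as an added example that is not part of the original post: a constructed JSON document stands in for the YAML teams would submit, and an assumed set of guardrails (no wildcard bindings, protected namespaces, a policy allow-list) decides whether `vault_kubernetes_auth_backend_role` HCL is emitted at all, so an over-broad auth request fails in CI instead of relying on a human PR review.

```python
import json

# Constructed sample submissions (what a team would commit via GitOps).
GOOD_CONFIG = json.dumps({"backend": "kubernetes", "roles": [
    {"name": "payments-api", "namespaces": ["payments"],
     "service_accounts": ["payments-api"], "policies": ["payments-read"]}]})
BAD_CONFIG = json.dumps({"backend": "kubernetes", "roles": [
    {"name": "too-broad", "namespaces": ["*"],
     "service_accounts": ["*"], "policies": ["admin"]}]})

# Assumed organisational guardrails; adjust to your own policy set.
ALLOWED_POLICIES = {"payments-read", "payments-write", "billing-read"}
FORBIDDEN_NAMESPACES = {"kube-system", "vault"}


def validate_role(role):
    """Return the list of guardrail violations for one role (empty means OK)."""
    problems = []
    if "*" in role["service_accounts"] or "*" in role["namespaces"]:
        problems.append("wildcard bindings are not allowed")
    problems += [f"namespace {ns} may not be bound"
                 for ns in role["namespaces"] if ns in FORBIDDEN_NAMESPACES]
    problems += [f"policy {p} is not in the allow-list"
                 for p in role["policies"] if p not in ALLOWED_POLICIES]
    return problems


def hcl_list(items):
    return "[" + ", ".join(json.dumps(i) for i in items) + "]"


def render_role(backend, role):
    """Render one vault_kubernetes_auth_backend_role resource as HCL."""
    label = role["name"].replace("-", "_")  # keep the Terraform label simple
    return (f'resource "vault_kubernetes_auth_backend_role" "{label}" {{\n'
            f'  backend                          = "{backend}"\n'
            f'  role_name                        = "{role["name"]}"\n'
            f'  bound_service_account_names      = {hcl_list(role["service_accounts"])}\n'
            f'  bound_service_account_namespaces = {hcl_list(role["namespaces"])}\n'
            f'  token_policies                   = {hcl_list(role["policies"])}\n'
            "}\n")


def generate(config_text):
    """Validate every role; HCL is produced only when no role violates a guardrail."""
    cfg = json.loads(config_text)
    errors = {r["name"]: v for r in cfg["roles"] if (v := validate_role(r))}
    if errors:
        return "", errors
    return "\n".join(render_role(cfg["backend"], r) for r in cfg["roles"]), errors


if __name__ == "__main__":
    for text in (GOOD_CONFIG, BAD_CONFIG):
        hcl, errors = generate(text)
        print(hcl or f"rejected: {errors}")
```

The same validation step can wrap an IAM-role allow-list for the AWS auth method; the generated HCL is what the cdktf or plain Terraform pipeline then applies.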