Terraform Vault audit device

Hi folks,

I am trying to activate a Vault audit device with the Terraform resource: Terraform Registry

Inside the userdata script, the Vault directory is created and the needed permissions are granted:

sudo mkdir -pm 0755 /var/log/vault
sudo chown -R vault:vault /var/log/vault

Then the Vault audit resource is added:

resource "vault_audit" "vault_audit_log" {
  type = "file"

  options = {
    file_path = "/var/log/vault/vault_audit.log"
  }
}

When I run terraform apply, it prompts for the below:

terraform apply
provider.vault.address
URL of the root of the target Vault server.

Enter a value:

I am not sure what it means and which value I should enter. I tried http://127.0.0.1:8200 and the apply command runs successfully. But when I connect to the Vault node, the audit device is not enabled!

vault audit list
No audit devices are enabled.

Could you please support me?

More info:
When I leave the value empty and press Enter to continue, I get the below errors:

terraform plan
provider.vault.address
URL of the root of the target Vault server.

Enter a value:


│ Error: Invalid provider configuration

│ Provider “Terraform Registry” requires explicit configuration. Add a provider block to the root module and configure the provider’s required arguments as described in
│ the provider documentation.



│ Error: no vault token found

│ with provider[“Terraform Registry”],
│ on line 1:
│ (source code not available)

NP: When I remove the vault_audit_device resource, everything works fine!

It seems I need to provide arguments for the Vault provider: Terraform Registry

  • address - (Required) Origin URL of the Vault server. This is a URL with a scheme, a hostname and a port but with no path. May be set via the VAULT_ADDR environment variable.

  • token - (Required) Vault token that will be used by Terraform to authenticate. May be set via the VAULT_TOKEN environment variable.

Then my question is: how can I provide a token prior to deploying Vault?

I just found the solution.
Vault audit log activation is a configuration change. Configuration should be applied after deployment.
The vault_url and token must be provided to apply changes.
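
Added example, not part of the original post: one way to lay out the post-deployment step described above, as a separate root module that is applied only once the Vault server is running and unsealed. The variable name vault_addr, the two-stage layout and the hostname in the comments are assumptions; the token is left out of the code so the provider reads it from the VAULT_TOKEN environment variable.

```hcl
# Second-stage root module (assumed layout): apply this only after the
# Vault server itself has been deployed, initialized and unsealed.
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Hypothetical variable name; the value is the origin URL of the Vault
# server: scheme, hostname and port, with no path.
variable "vault_addr" {
  type        = string
  description = "Origin URL of the target Vault server"
}

provider "vault" {
  address = var.vault_addr

  # The token argument is intentionally omitted so the token never appears
  # in the configuration or in version control. The provider then reads it
  # from the VAULT_TOKEN environment variable.
}

# Same resource as in the post: a file audit device. The directory must
# already exist on the Vault node and be writable by the vault user.
resource "vault_audit" "vault_audit_log" {
  type = "file"

  options = {
    file_path = "/var/log/vault/vault_audit.log"
  }
}

# Run from a shell that can reach the Vault API (values are placeholders):
#   export VAULT_TOKEN=<token whose policy permits enabling audit devices>
#   terraform apply -var 'vault_addr=https://vault.example.internal:8200'
# Then confirm on the node with: vault audit list
```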