Better Vault Policies With Terraform Locals
Writing Vault policies as HCL in Terraform locals instead of HEREDOCs
Instead of hand-writing Vault policies in Terraform as HEREDOC strings, you can describe the policy as an HCL object in a locals block and pass it to the vault_policy resource with jsonencode(). Vault accepts policies in JSON as well as HCL, so the encoded object is a valid policy document, and because it is a normal Terraform expression, structural mistakes surface at terraform validate time rather than when Vault rejects the string.
Before:
resource "vault_policy" "app_secrets_read" {
  name   = "app_read"
  policy = <<EOT
path "secret/my_app" {
  policy = "read"
}
EOT
}
After:
locals {
  app_read_policy = {
    # Inside a locals expression the policy must be an object literal, not
    # block syntax (path "..." { ... } is not valid here). The shape mirrors
    # Vault's JSON policy format: a "path" map keyed by the secret path.
    path = {
      "secret/my_app" = {
        # current form of the legacy rule policy = "read" used above
        capabilities = ["read"]
      }
    }
  }
}

resource "vault_policy" "app_secrets_read" {
  name   = "app_read"
  policy = jsonencode(local.app_read_policy)
}
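The same pattern scales to several policies at once: keep every policy as an entry in one HCL map and let for_each create the vault_policy resources. The following is an added example written for this page, not code from the original post or from the Vault provider; the policy names, secret paths and capability sets are constructed for illustration.

```hcl
# Added example: several Vault policies defined as HCL objects in one map and
# encoded to JSON per resource. Names and paths below are made up.
locals {
  vault_policies = {
    # read-only access to the application's KV v2 secrets
    app_read = {
      path = {
        "secret/data/my_app/*" = {
          capabilities = ["read", "list"]
        }
        "secret/metadata/my_app/*" = {
          capabilities = ["list"]
        }
      }
    }

    # deployment role: can write non-production secrets, explicitly denied
    # on the production sub-path (an explicit "deny" takes precedence over
    # any other grant that matches the same path)
    app_deploy = {
      path = {
        "secret/data/my_app/*" = {
          capabilities = ["create", "update", "read", "list"]
        }
        "secret/data/my_app/prod/*" = {
          capabilities = ["deny"]
        }
      }
    }
  }
}

# One vault_policy resource per map entry; the map key becomes the policy
# name and the value is encoded to the JSON policy document.
resource "vault_policy" "this" {
  for_each = local.vault_policies

  name   = each.key
  policy = jsonencode(each.value)
}

# Convenience output so a reviewer can see the rendered documents in plan
# output without querying Vault.
output "rendered_vault_policies" {
  value = { for name, body in local.vault_policies : name => jsonencode(body) }
}
```

To inspect a single rendered policy before applying, run terraform console and evaluate jsonencode(local.vault_policies.app_read). Note that jsonencode only guarantees well-formed JSON; Vault still validates the capability names and path syntax when the policy is written, so a misspelled capability is reported at apply time, not at plan time.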