Vault/OpenBao setup for GatePlane Policy-Gate Plugin
This Terraform module mounts the Policy-Gate Plugin under a Vault/OpenBao path.
It additionally creates two policies that can access the mount, in order to both create and approve AccessRequests.
Finally, it optionally enables these policies to be used by the UI (under app.gateplane.io or a different domain).
Name | Version |
---|---|
terraform | >= 1.11.0 |
null | >= 3.2.4 |
vault | >= 5.0.0 |
Name | Version |
---|---|
null | 3.2.4 |
vault | 5.0.0 |
Name | Type |
---|---|
null_resource.reconfigure | resource |
vault_auth_backend.this | resource |
vault_generic_endpoint.plugin_config | resource |
vault_policy.gtkpr | resource |
vault_policy.target | resource |
vault_policy.user | resource |
Name | Description | Type | Default | Required |
---|---|---|---|---|
name | Name of the gate, used in the mount path and generated policies | any | n/a | yes |
description | Brief explanation of what access is claimed by this gate | string | "" | no |
enable_ui | Add capabilities for GatePlane UI to the created policies. | bool | true | no |
endpoint_prefix | n/a | string | "gp" | no |
path_prefix | Where under auth/ will the endpoint be mounted | string | "gateplane" | no |
plugin_name | n/a | string | "gateplane-policy-gate" | no |
plugin_options | Options provided by the plugin, available in plugin documentation. | map | {} | no |
policy_prefix | n/a | string | "gateplane" | no |
protected_path_map | A map of Vault/OpenBao paths to lists of capabilities, to be protected by this gate (e.g.: {"secret/data/mysecret":["read"]}). Mutually exclusive with protected_policies. | any | null | no |
protected_policies | The Vault/OpenBao policies that will be claimed by this gate. Mutually exclusive with protected_path_map. | any | null | no |
token_lease_ttl | The duration that the protected token will be active (e.g.: 1h). | string | "30m" | no |
Name | Description |
---|---|
mount_path | The Vault/OpenBao path where the plugin has been mounted. |
policies | The verbatim policies created and referenced in this module. |
policy_names | The names of the policies created and referenced in this module. |
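
The inputs and outputs above, used together in a root module. This is an added example, not taken from the module's own documentation: the `source` path, gate names, protected path and the `db-admin` policy name are constructed placeholders, `protected_policies` is assumed to accept a list of policy names, and a configured `vault` provider is assumed.

```hcl
# Added example, not from the module's own documentation.
# Assumptions: the module source path, the gate names, the protected path and
# the "db-admin" policy name are constructed placeholders; a vault provider
# (>= 5.0.0) is assumed to be configured elsewhere in the root module.

# Gate 1: protects explicit paths, listed with the capabilities to grant.
module "gate_mysecret" {
  source = "./modules/policy-gate" # placeholder: point at this module

  name        = "mysecret-read"
  description = "Read access to secret/data/mysecret"

  # Set exactly one of protected_path_map / protected_policies per gate.
  protected_path_map = {
    "secret/data/mysecret" = ["read"]
  }

  token_lease_ttl = "30m" # module default, stated explicitly
  enable_ui       = false # leave UI capabilities out of the created policies
}

# Gate 2: claims existing policies instead of a path map.
module "gate_db_admin" {
  source = "./modules/policy-gate" # placeholder: point at this module

  name        = "db-admin"
  description = "Temporary use of the db-admin policy"

  # Assumed here to be a list of policy names (the input is typed `any`).
  protected_policies = ["db-admin"]

  token_lease_ttl = "1h"
}

# Surface what each gate created so the policies can be reviewed and attached
# to the identities that request and approve access.
output "gate_mounts" {
  value = {
    mysecret = module.gate_mysecret.mount_path
    db_admin = module.gate_db_admin.mount_path
  }
}

output "gate_policy_names" {
  value = {
    mysecret = module.gate_mysecret.policy_names
    db_admin = module.gate_db_admin.policy_names
  }
}
```

Reviewing the `policies` output of each gate before applying shows exactly which capabilities the generated policies grant.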
This project is licensed under the Elastic License v2.
This means:
- ✅ You can use, fork, and modify it for yourself or within your company.
- ✅ You can submit pull requests and redistribute modified versions (with the license attached).
- ❌ You may not sell it, offer it as a paid product, or use it in a hosted service (e.g., SaaS).
- ❌ You may not re-license it under a different license.
In short: You can use and extend the code freely, privately or inside your business - just don’t build a business around it without our permission. This FAQ by Elastic summarizes things well.
See the ./LICENSES/Elastic-2.0.txt file for full details.