Call the module as below for the Team tier:

```hcl
module "gateplane_services" {
  source = "github.com/gateplane-io/terraform-gateplane-services-setup?ref=0.1.0"

  // replace this with the location of the Vault/OpenBao instance
  issuer_host = "vault.example.com:8200"

  // The Vault/OpenBao Entity metadata field where the SlackID of each user resides
  messenger_entity_metadata = ["slack_id"]

  /*
  You can explicitly set which users take up the license seats,
  or omit to allow everyone in Vault/OpenBao to connect
  allowed_entities = [
    # Vault/OpenBao Entity IDs:
    "c15cfc49-ecb1-4771-9b86-3139d8f37223",
    "0b9faf28-e043-45ef-8cc3-9ad83123af20",
    ...
  ]
  */
}

output "gateplane_services_output" {
  value = module.gateplane_services.full_output
}
```
Additionally, set the custom GatePlane WebUI domain for the Enterprise tier:

```hcl
module "gateplane_services" {
  source = "github.com/gateplane-io/terraform-gateplane-services-setup?ref=0.1.0"

  // replace this with the location of the Vault/OpenBao instance
  issuer_host = "vault.example.com:8200"

  // The Vault/OpenBao Entity metadata field where the MS Teams ID of each user resides
  messenger_entity_metadata = ["msteams_id"]

  // The custom subdomain of the WebUI assigned to the Enterprise
  gateplane_webui_domain = "myorg.app.gateplane.io"
}

output "gateplane_services_output" {
  value = module.gateplane_services.full_output
}
```
The output will look like below:

```hcl
{
  "net" = {
    "audience" = "w7bSkpV5Ndie9q027ziVeO8v90B5ePPE"
    "jwks_uri" = "https://vault.example.com:8200/v1/identity/oidc/provider/gateplane/.well-known/keys"
  }
  "no-net" = {
    "audience" = "w7bSkpV5Ndie9q027ziVeO8v90B5ePPE"
    "keystore" = "{\"keys\":[{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"30cf4ac4-4052-c9d6-ce84-68d506c39459\",\"kty\":\"RSA\",\"n\":\"zitzVsGyC3pX9IsqDhneWZKmqUP65Hvy6FvzJY1j8UrvHngwMhdPuJlsXITrYh3m_k-zUwaMpMdTZR9QSA_KxT4fAWp0kQuPD5_ijuUnMx4p9TgsKPL5rAP7i97MnYXSPyQW312IrfnovgLTiQpIQ2I6Sv66LFWrd_udZkOJbVOChK2OIBZiXo2eEbFKtmLIyKhnv8WOUJlDSM8HgpFQ3eJ1zXuwYfyU1HA7HM4DwRajC_42UTQDISgJoDXNUmlaAKEXho0hwBv1OzjRgV2IvN-4mj2HF5zp7ysh0Gc84FRHDCXcq4V6s0b8RHe4TiZUqsmrVR6gK6EeDy2HP3EksQ\",\"use\":\"sig\"},{\"alg\":\"RS256\",\"e\":\"AQAB\",\"kid\":\"bc7015bf-9c92-75d6-f777-d6eeaee06723\",\"kty\":\"RSA\",\"n\":\"02c9ReStd82MHRx-_ziL8_GMGK70frBCRB1AXs292pHSCfgxJy4ExIm2WFIRFx-H3ckVhbcbVTpN_pMDGbe-uy9JBF60RFyfj9LgGFJ8cgrPNHGdVNxYPThqJdOJLmyVYwJ6awZZm5CG-c5ke4wMfdiZ2Wbkny1lqL4FeomZ-cNACoSccGfgfGE2wonh78XzWGN7sEyPAZfCM4uEe9HbycZjNXnLRphvvS0HVj5rznrlaZmNvS0IRx4yehdTGzuD7ltxSIkD6kBC5eTtXf2gjprRSrU_Nuhopp2uKugiztAKoDbELXj4Qn_LnjyL0b-PEKHCDeoysfscaB4mKnbSFw\",\"use\":\"sig\"}]}"
  }
  "webui" = {
    "identity_provider_name" = "gateplane"
    "openid_connect_audience" = "w7bSkpV5Ndie9q027ziVeO8v90B5ePPE"
  }
}
```
- The values under `net` must be submitted to GatePlane Services if the Vault/OpenBao instance can accept Internet connections.
- The values under `no-net` must be submitted in case the Vault/OpenBao instance is inaccessible from the Internet, located in an internal network, or is air-gapped.
- [Team tier] The `webui` values must be set in the Configuration tab of the GatePlane WebUI (Enterprise users do not need to do that).
After using this module, send the output field `full_output` to [email protected].

The output of this module consists of public keys and non-sensitive information only.
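Before sending `full_output` on, it is worth confirming that it really is public-only and internally consistent. The following check is an added example, not part of the module: it assumes the output was exported with `terraform output -json gateplane_services_output` and decoded into a Python dict, and it uses a constructed placeholder audience and key rather than the values shown above.

```python
import json
from urllib.parse import urlsplit
# RSA private-key JWK members (RFC 7518 section 6.3.2); none may appear in the shared output.
RSA_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}

def check_full_output(full_output, issuer_host, provider_name="gateplane"):
    """Return a list of findings for a decoded full_output; empty means consistent and public-only."""
    findings = []
    net, no_net, webui = full_output["net"], full_output["no-net"], full_output["webui"]
    # 1. The audience (OIDC client ID) must be identical in all three sections.
    audiences = {net["audience"], no_net["audience"], webui["openid_connect_audience"]}
    if len(audiences) != 1:
        findings.append(f"audience mismatch across sections: {sorted(audiences)}")
    if webui["identity_provider_name"] != provider_name:
        findings.append("webui.identity_provider_name does not match the IdP name")
    # 2. jwks_uri must be HTTPS, on the issuer host, under the named OIDC provider.
    u = urlsplit(net["jwks_uri"])
    expected_path = f"/v1/identity/oidc/provider/{provider_name}/.well-known/keys"
    if u.scheme != "https":
        findings.append("jwks_uri is not served over HTTPS")
    if u.netloc != issuer_host:
        findings.append(f"jwks_uri host {u.netloc!r} != issuer_host {issuer_host!r}")
    if u.path != expected_path:
        findings.append(f"jwks_uri path {u.path!r} != {expected_path!r}")
    # 3. The keystore must be a JWKS of RS256 signing keys carrying public material only.
    keys = json.loads(no_net["keystore"]).get("keys", [])
    if not keys:
        findings.append("keystore contains no keys")
    for k in keys:
        kid = k.get("kid", "<no kid>")
        leaked = RSA_PRIVATE_MEMBERS.intersection(k)  # iterating a dict yields its member names
        if leaked:
            findings.append(f"key {kid}: private members present: {sorted(leaked)}")
        if (k.get("kty"), k.get("alg"), k.get("use")) != ("RSA", "RS256", "sig"):
            findings.append(f"key {kid}: unexpected kty/alg/use")
        if not (k.get("n") and k.get("e")):
            findings.append(f"key {kid}: missing public modulus or exponent")
    return findings

# Constructed sample shaped like the module's full_output (placeholder audience and key, not real values).
SAMPLE = {
    "net": {"audience": "AUD123",
            "jwks_uri": "https://vault.example.com:8200/v1/identity/oidc/provider/gateplane/.well-known/keys"},
    "no-net": {"audience": "AUD123", "keystore": json.dumps({"keys": [
        {"alg": "RS256", "e": "AQAB", "kid": "kid-1", "kty": "RSA", "n": "c29tZS1tb2R1bHVz", "use": "sig"}]})},
    "webui": {"identity_provider_name": "gateplane", "openid_connect_audience": "AUD123"},
}

if __name__ == "__main__":
    print(check_full_output(SAMPLE, "vault.example.com:8200") or "OK: consistent and public-only")
```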
This Terraform module enables a Vault/OpenBao instance to use GatePlane Services:

- It creates an OIDC Identity Provider (IdP) supporting Proof Key for Code Exchange (PKCE) in Vault/OpenBao
- Creates a Client App for the created IdP (named `gateplane`) and generates its keys
- Creates a `messenger_options` scope providing to the GatePlane Services the relevant Vault/OpenBao Entity Metadata for the messenger application used (used by the Notification service)
- Provides the JSON Web Key Sets (JWKS) and its URI, as well as the OIDC Audience (or client ID), needed to enable the Team or Enterprise tier of GatePlane Services.
No requirements.
Name | Version |
---|---|
vault | 5.2.1 |
Name | Type |
---|---|
vault_identity_oidc_client.this | resource |
vault_identity_oidc_key.this | resource |
vault_identity_oidc_provider.this | resource |
vault_identity_oidc_scope.messenger_options | resource |
vault_identity_oidc_scope.profile | resource |
vault_identity_oidc_openid_config.this | data source |
vault_identity_oidc_public_keys.this | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
issuer_host | The domain and port of the Vault/OpenBao instance (e.g. `vault.example.com:8200`). This will be used as a part of the `iss` JWT claim | any | n/a | yes |
allowed_entities | A list of Vault/OpenBao Entity IDs that will be allowed to use GatePlane Services. This can be explicitly set to control the seats of the GatePlane Services tier | list | `[]` | no |
gateplane_webui_domain | The domain of the GatePlane WebUI instance. To be accepted as a valid Redirect URI by the created IdP Client. | string | `"app.gateplane.io"` | no |
https_enabled | Whether HTTPS is enabled in this Vault/OpenBao endpoint. Used for testing (default `true`) | bool | `true` | no |
jwt_duration_minutes | Active period for the issued JWT tokens in minutes (default 4 hours) | number | `240` | no |
key_rotation_days | Rotation period for JSON Web Key Sets (JWKS) in days | number | `90` | no |
messenger_entity_metadata | Vault/OpenBao Entity metadata field to be set in the `messenger_options` scope, used by GatePlane Services pinging in Notifications (e.g. `["slack_id"]`) | list | `[]` | no |
oidc_provider_name | The name of the IdP created in Vault/OpenBao | string | `"gateplane"` | no |
Name | Description |
---|---|
full_output | n/a |
services_idp_details | Provide these values to GatePlane Services in case the Vault/OpenBao instance cannot accept traffic from the Internet (e.g. air-gapped environments, internal networks) |
services_jwks_uri | Provide this value to GatePlane Services in case the Vault/OpenBao instance can accept traffic from the Internet |
webui_configuration | The values to provide in the GatePlane WebUI: `openid_connect_audience` for OpenID Connect Audience, `identity_provider_name` for Identity Provider Name |
This project is licensed under the Elastic License v2.
This means:
- ✅ You can use, fork, and modify it for yourself or within your company.
- ✅ You can submit pull requests and redistribute modified versions (with the license attached).
- ❌ You may not sell it, offer it as a paid product, or use it in a hosted service (e.g., SaaS).
- ❌ You may not re-license it under a different license.
In short: you can use and extend the code freely, privately or inside your business - just don't build a business around it without our permission. This FAQ by Elastic greatly summarizes things.

See the `./LICENSES/Elastic-2.0.txt` file for full details.