
This assumes the following has already been done.
- Hashicorp Vault has been installed
- Hashicorp Vault has been initialized
- Hashicorp Vault has been unsealed
- You have logged into the vault
This also assumes you have set up and configured Terraform for Hashicorp Vault. If not, check out my article FreeKB - Hashicorp Vault - Getting Started with Terraform.
A policy lists what can and cannot be done, for example whether a user is allowed to create a secret.
An AppRole role is assigned one or more policies, and every token issued by logging in to that role carries those policies. This article assumes you have already enabled the approle auth method.
- Enable approle authentication using REST API
- Enable approle authentication using the vault auth enable command
Let's say you have the following files in the /usr/local/terraform/hashicorp_vault directory on your Terraform server.
├── provider.tf
├── required_providers.tf
├── token.txt
├── vault_approle_auth_backend_role_secret_id.tf
required_providers.tf will almost always have this.
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}
And let's say provider.tf has the following. In this example, the token in token.txt will be used to authenticate to Hashicorp Vault. Since token.txt holds a live Vault token, keep it out of version control and restrict its file permissions to the user running Terraform.
provider "vault" {
  address = "https://vault.example.net:8200"
  auth_login_token_file {
    filename = "token.txt"
  }
}
If the approle auth method was already enabled outside of Terraform (for example with vault auth enable approle), Terraform state won't know about it, so import it first. Otherwise terraform apply will try to enable approle a second time and Vault will refuse because the path is already in use.
terraform import vault_auth_backend.approle approle
Something like this should be displayed.
vault_auth_backend.approle: Importing from ID "approle"...
vault_auth_backend.approle: Import prepared!
Prepared vault_auth_backend for import
vault_auth_backend.approle: Refreshing state... [id=approle]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
And let's say vault_approle_auth_backend_role_secret_id.tf has the following. It declares three resources: the approle auth backend, a role named "my-role" that issues tokens with the "default" policy, and a secret ID for that role.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_approle_auth_backend_role" "my-role" {
  backend        = vault_auth_backend.approle.path
  role_name      = "my-role"
  token_policies = ["default"]
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.my-role.role_name
}
Use terraform plan to confirm that Terraform can authenticate to Hashicorp Vault using the token in token.txt and to preview what will be changed before anything is written.
terraform plan
If none of the three resources exist yet (nothing was imported), something like this should be displayed.
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # vault_approle_auth_backend_role.my-role will be created
  + resource "vault_approle_auth_backend_role" "my-role" {
      + backend        = (known after apply)
      + bind_secret_id = true
      + id             = (known after apply)
      + role_id        = (known after apply)
      + role_name      = "my-role"
      + token_policies = [
          + "default",
        ]
      + token_type     = "default"
    }

  # vault_approle_auth_backend_role_secret_id.id will be created
  + resource "vault_approle_auth_backend_role_secret_id" "id" {
      + accessor          = (known after apply)
      + backend           = (known after apply)
      + id                = (known after apply)
      + role_name         = "my-role"
      + secret_id         = (sensitive value)
      + wrapping_accessor = (known after apply)
      + wrapping_token    = (sensitive value)
    }

  # vault_auth_backend.approle will be created
  + resource "vault_auth_backend" "approle" {
      + accessor        = (known after apply)
      + disable_remount = false
      + id              = (known after apply)
      + path            = (known after apply)
      + tune            = (known after apply)
      + type            = "approle"
    }

Plan: 3 to add, 0 to change, 0 to destroy.
And then use the terraform apply command to create the role.
terraform apply
Something like this should be displayed. Here the approle backend shows as Modifying rather than Creating because it was imported above; the role and the secret ID are new.
vault_auth_backend.approle: Modifying... [id=approle]
vault_auth_backend.approle: Modifications complete after 0s [id=approle]
vault_approle_auth_backend_role.my-role: Creating...
vault_approle_auth_backend_role.my-role: Creation complete after 0s [id=auth/approle/role/my-role]
vault_approle_auth_backend_role_secret_id.id: Creating...
vault_approle_auth_backend_role_secret_id.id: Creation complete after 0s [id=backend=approle::role=my-role::accessor=b802c8ae-8b70-7ec9-049b-0de977216d09]
Your terraform.tfstate file should contain the role_id and the secret_id, something like this. Both are stored in plaintext, so treat terraform.tfstate (and any remote state backend) as a secret: restrict who can read it and encrypt it at rest. If you would rather not have the raw secret_id in state at all, set wrapping_ttl on the vault_approle_auth_backend_role_secret_id resource; Vault then returns a single-use, short-lived response-wrapping token instead, and the consumer unwraps it to obtain the secret_id.
{
  "resources": [
    {
      "type": "vault_approle_auth_backend_role",
      "name": "my-role",
      "instances": [
        {
          "attributes": {
            "role_id": "ea5870f3-0d8b-1d6d-a24f-f7b59f73571e"
          }
        }
      ]
    },
    {
      "type": "vault_approle_auth_backend_role_secret_id",
      "instances": [
        {
          "attributes": {
            "secret_id": "2e1a4c4c-f6dc-9ce1-beb4-94b90728b32b"
          }
        }
      ]
    }
  ]
}
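As an added example that is not part of the original article, here is a hardened version of the three resources from vault_approle_auth_backend_role_secret_id.tf above, addressing the state-file concern just described. Instead of tokens that carry only "default", the role gets a least-privilege policy; secret IDs are single-use, short-lived and bound to a source CIDR; and wrapping_ttl keeps the raw secret_id out of terraform.tfstate. The policy name "my-app", the KV path "secret/data/my-app/*", the CIDR 10.0.0.0/24, the TTL values and the output names are assumptions for illustration.

```hcl
# Added example (not from the original article). Names, paths, CIDRs and
# TTLs below are assumptions chosen for illustration.

resource "vault_auth_backend" "approle" {
  type = "approle"
}

# Least-privilege policy for the application: read-only access to a single
# KV v2 path. Tokens issued to the role inherit this instead of only "default".
resource "vault_policy" "my_app" {
  name = "my-app"

  policy = <<-EOT
    path "secret/data/my-app/*" {
      capabilities = ["read"]
    }
  EOT
}

resource "vault_approle_auth_backend_role" "my-role" {
  backend   = vault_auth_backend.approle.path
  role_name = "my-role"

  token_policies = ["default", vault_policy.my_app.name]

  # Each secret ID expires after one hour, can be used to log in exactly once,
  # and is only accepted from the application subnet (assumed 10.0.0.0/24).
  secret_id_ttl         = 3600
  secret_id_num_uses    = 1
  secret_id_bound_cidrs = ["10.0.0.0/24"]

  # Tokens obtained by logging in are bounded as well.
  token_ttl         = 1800
  token_max_ttl     = 3600
  token_bound_cidrs = ["10.0.0.0/24"]
}

resource "vault_approle_auth_backend_role_secret_id" "id" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.my-role.role_name

  # With wrapping_ttl set, Vault returns a response-wrapping token instead of
  # the raw secret_id, so only wrapping_token and wrapping_accessor are written
  # to state. The consumer runs "vault unwrap <wrapping_token>" within 60
  # seconds to retrieve the secret_id; the wrapping token is good for a single
  # unwrap, so a leaked state file exposes at most an already-consumed token.
  wrapping_ttl = "60s"
}

# Mark the outputs sensitive so terraform apply/output redact them by default.
output "role_id" {
  value     = vault_approle_auth_backend_role.my-role.role_id
  sensitive = true
}

output "wrapping_token" {
  value     = vault_approle_auth_backend_role_secret_id.id.wrapping_token
  sensitive = true
}
```

Note that the wrapping token must be unwrapped on the consuming side before it expires; if the 60 second window is too short for your delivery path, raise wrapping_ttl rather than dropping it. The sensitive outputs only redact the CLI display; the values are still present in terraform.tfstate, which is why the state file itself still needs to be protected.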