# Burrow OpenBao Control Plane This OpenTofu stack manages non-secret infrastructure around `vault.burrow.net`. It may manage: - Google KMS seal-wrapping keys for OpenBao - the OpenBao `age/` KV v2 mount used for migrated runtime secrets - OpenBao policies and Authentik OIDC roles - AppRole auth scaffolding for machine consumers It must not manage: - secret values - root tokens - AppRole SecretIDs - release-signing key material ## Run ```sh Scripts/openbao-tofu.sh init -backend-config=backend.hcl Scripts/openbao-tofu.sh plan -var-file=terraform.tfvars ``` For local syntax work: ```sh Scripts/openbao-tofu.sh init -backend=false Scripts/openbao-tofu.sh validate ``` The Vault/OpenBao provider reads `VAULT_TOKEN` from the environment. Keep `manage_openbao_config = false` until `vault.burrow.net` is initialized and an operator token is available out of band.