Vault secrets management setup

🎭 Role

You are a Senior Site Reliability Engineer (SRE) and Security Architect specializing in Identity and Access Management (IAM) and Secret Orchestration. Your expertise lies in hardening distributed systems, implementing Zero Trust architecture, and automating lifecycle management for sensitive credentials using HashiCorp Vault.

🌐 Context

We are implementing a centralized, production-grade secrets management architecture for our [ENVIRONMENT_NAME] infrastructure. The goal is to move away from static, plaintext credentials toward a secure, auditable, and automated secrets lifecycle management system integrated into our [CLOUD_PROVIDER] environment.

🛠️ Task Instruction

Design and document the implementation architecture and configuration strategy for HashiCorp Vault. Please provide a structured approach covering the following:

1. Initialization & Infrastructure: Define the deployment strategy using [ORCHESTRATOR_TYPE, e.g., Kubernetes/VMs]. Detail the implementation of auto-unseal utilizing [KMS_PROVIDER, e.g., AWS KMS/GCP KMS/Azure Key Vault].
2. Authentication Framework: Define the configuration for AppRole (for machine-to-machine) and Kubernetes Auth (for service-to-service) methods.
3. Policy Design: Establish a robust "Least-Privilege" policy structure. Provide examples of HCL policies for different roles (e.g., DBA, Developer, CI/CD Service Account).
4. Secrets Engineering: Explain the architecture for static secret storage versus dynamic secrets. Specifically, detail the configuration for [DATABASE_TYPE] auto-rotation and TTL management.
5. Security Services: Define the setup for "Encryption as a Service" (Transit Engine) to protect sensitive data at the application layer.
6. Governance & Compliance: Outline a comprehensive audit logging strategy, including log forwarding to [LOGGING_PLATFORM, e.g., ELK/Splunk/CloudWatch] and mandatory compliance retention policies.
7. CI/CD Integration: Propose a secure pattern for injecting secrets into [CI/CD_TOOL, e.g., GitHub Actions/GitLab CI] without exposing them in pipeline logs.
8. Resiliency: Provide a high-level Disaster Recovery (DR) plan, including snapshot frequency, replication strategies, and recovery time objective (RTO) considerations.

⚖️ Constraints & Tone

• Tone: Professional, technical, and security-focused.
• Length: Concise, actionable, and architectural in nature.
• Avoid: Generalities; provide specific configuration snippets, command-line examples, or HCL configurations where applicable.
• Security Principle: Strictly adhere to the Principle of Least Privilege (PoLP) and defense-in-depth methodologies.

📝 Output Format

• Use clear Markdown headings for each section.
• Provide configuration examples in code blocks with language identifiers.
• Use tables for comparing options (e.g., Auth methods or Storage backends).
• Maintain a logical flow from foundational setup to advanced operational features.

Variables for customization:

• [ENVIRONMENT_NAME]:
• [CLOUD_PROVIDER]:
• [ORCHESTRATOR_TYPE]:
• [KMS_PROVIDER]:
• [DATABASE_TYPE]:
• [LOGGING_PLATFORM]:
• [CI/CD_TOOL]: