diff --git a/auth_approle_certmanager.tf b/auth_approle_certmanager.tf
index cfd8191..bcc6e14 100644
--- a/auth_approle_certmanager.tf
+++ b/auth_approle_certmanager.tf
@@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "certmanager" {
 role_name = "certmanager"
 bind_secret_id = false
- token_policies = ["certmanager"]
+ token_policies = ["pki_int/certmanager"]
 token_ttl = 30
 token_max_ttl = 30
 token_bound_cidrs = [
diff --git a/auth_approle_incus_cluster.tf b/auth_approle_incus_cluster.tf
index da3c2a0..548ff88 100644
--- a/auth_approle_incus_cluster.tf
+++ b/auth_approle_incus_cluster.tf
@@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "incus_cluster" {
 bind_secret_id = false
 token_policies = [
 "default_access",
- "incus-cluster-join-tokens"
+ "kv/service/incus/incus-cluster-join-tokens"
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/auth_approle_packer_builder.tf b/auth_approle_packer_builder.tf
index 3ef441c..7095183 100644
--- a/auth_approle_packer_builder.tf
+++ b/auth_approle_packer_builder.tf
@@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "packer_builder" {
 bind_secret_id = false
 token_policies = [
 "default_access",
- "packer_builder",
+ "kv/service/packer/packer_builder",
 ]
 token_ttl = 300 # builds can take a few minutes
 token_max_ttl = 600
diff --git a/auth_approle_puppetapi.tf b/auth_approle_puppetapi.tf
index 60d204d..1b67c85 100644
--- a/auth_approle_puppetapi.tf
+++ b/auth_approle_puppetapi.tf
@@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "puppetapi" {
 role_name = "puppetapi"
 bind_secret_id = false
- token_policies = ["puppetapi_read_tokens"]
+ token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
 token_ttl = 30
 token_max_ttl = 30
 token_bound_cidrs = [
diff --git a/auth_approle_rundeck-role.tf b/auth_approle_rundeck-role.tf
index daa972f..35d3c0e 100644
--- a/auth_approle_rundeck-role.tf
+++ b/auth_approle_rundeck-role.tf
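Review bot: The renamed policy is still a bare string, so nothing checks that `policies/pki_int/certmanager.hcl` actually exists — as far as I know Vault does not validate names in `token_policies` when the role is written, so a typo produces tokens carrying a policy that grants nothing, which surfaces as a cert-manager outage rather than a plan-time error. Referencing the managed policy instead, `token_policies = [vault_policy.policies["pki_int/certmanager"].name]`, fails `terraform plan` on a missing file and also orders the role update after the renamed policy is created. The same applies to every role hunk in this commit. The resource body continues past the hunk (the `token_bound_cidrs` list is cut off).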
@@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "rundeck-role" {
 role_name = "rundeck-role"
 bind_secret_id = true
- token_policies = ["rundeck"]
+ token_policies = ["rundeck/rundeck"]
 token_ttl = 1 * 3600
 token_max_ttl = 4 * 3600
 token_bound_cidrs = ["198.18.13.59/32"]
diff --git a/auth_approle_sshsign-host-role.tf b/auth_approle_sshsign-host-role.tf
index 8d7aacc..090b961 100644
--- a/auth_approle_sshsign-host-role.tf
+++ b/auth_approle_sshsign-host-role.tf
@@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "sshsign-host-role" {
 role_name = "sshsign-host-role"
 bind_secret_id = false
- token_policies = ["sshsign-host-policy"]
+ token_policies = ["ssh-host-signer/sshsign-host-policy"]
 token_ttl = 30
 token_max_ttl = 30
 token_bound_cidrs = [
diff --git a/auth_approle_sshsigner.tf b/auth_approle_sshsigner.tf
index ba6509c..af32e62 100644
--- a/auth_approle_sshsigner.tf
+++ b/auth_approle_sshsigner.tf
@@ -2,7 +2,7 @@ resource "vault_approle_auth_backend_role" "sshsigner" {
 role_name = "sshsigner"
 bind_secret_id = false
 token_policies = [
- "sshsigner",
+ "ssh-host-signer/sshsigner",
 "sshca_signhost"
 ]
 token_ttl = 30
diff --git a/auth_approle_terraform_incus.tf b/auth_approle_terraform_incus.tf
index 80d5f7c..fae226d 100644
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@@ -3,8 +3,8 @@ resource "vault_approle_auth_backend_role" "terraform_incus" {
 bind_secret_id = false
 token_policies = [
 "default_access",
- "incus",
- "terraform_puppet_cert",
+ "kv/service/terraform/incus",
+ "kv/service/puppet/certificates/terraform_puppet_cert",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/auth_approle_terraform_nomad.tf b/auth_approle_terraform_nomad.tf
index 050e0b9..8d8aa9d 100644
--- a/auth_approle_terraform_nomad.tf
+++ b/auth_approle_terraform_nomad.tf
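Review bot: After the sshsigner hunk the list mixes the new directory-prefixed form (`ssh-host-signer/sshsigner`) with a bare name (`sshca_signhost`) and nothing says why; under the naming now computed in policies.tf a bare name can only resolve to a file directly under `policies/`, so presumably `policies/sshca_signhost.hcl` exists — worth confirming against the tree. A one-line comment above the list, `# bare names are policies/*.hcl; prefixed names mirror their subdirectory under policies/`, would stop the next maintainer from "fixing" it into a policy that does not exist. The resource's `token_max_ttl`, CIDR binding and closing brace are outside the hunk.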
@@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "terraform_nomad" {
 bind_secret_id = false
 token_policies = [
 "default_access",
- "nomad",
+ "kv/service/terraform/nomad",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
index a5faf47..f554e74 100644
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@@ -3,22 +3,23 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
 bind_secret_id = false
 token_policies = [
 "default_access",
- "auth_token_create",
- "auth_token_self",
- "auth_token_roles_admin",
- "approle_role_admin",
- "approle_role_login",
+ "auth/token/auth_token_create",
+ "auth/token/auth_token_self",
+ "auth/token/auth_token_roles_admin",
+ "auth/approle/approle_role_admin",
+ "auth/approle/approle_role_login",
 "approle_token_create",
- "k8s_pki_roles_admin",
- "ldap_admin",
- "pki_int_roles_admin",
- "pki_root_roles_admin",
- "ssh-host-signer_roles_admin",
+ "auth/kubernetes/k8s_auth_admin",
+ "k8s/k8s_pki_roles_admin",
+ "auth/ldap/ldap_admin",
+ "pki_int/pki_int_roles_admin",
+ "pki_root/pki_root_roles_admin",
+ "ssh-host-signer/ssh-host-signer_roles_admin",
 "sshca_roles_admin",
- "svc_vault_read",
- "sys_auth_admin",
- "sys_mounts_admin",
- "sys_policy_admin",
+ "kv/service/glauth/services/svc_vault_read",
+ "sys/sys_auth_admin",
+ "sys/sys_mounts_admin",
+ "sys/sys_policy_admin",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/policies.tf b/policies.tf
index 8479aad..2c20a35 100644
--- a/policies.tf
+++ b/policies.tf
@@ -4,6 +4,7 @@ locals {
 "policies",
 "policies/sys",
 "policies/auth/approle",
+ "policies/auth/kubernetes",
 "policies/auth/ldap",
 "policies/auth/token",
 "policies/k8s",
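Review bot: `auth/kubernetes/k8s_auth_admin` in the tf_vault hunk is a net-new grant, not a rename — fourteen lines are removed and fifteen added, and every other added name has a one-to-one removed counterpart, so a commit that reads as a naming refactor also widens a role that, with `sys/sys_policy_admin` and `sys/sys_auth_admin` in the same list, is already effectively root-equivalent. It belongs in its own commit with the contents of `policies/auth/kubernetes/k8s_auth_admin.hcl` in the review, or at minimum a line in the commit message, because a reviewer diffing old against new names will miss it here. The list also still mixes bare names (`approle_token_create`, `sshca_roles_admin`) with prefixed ones, which reads as unfinished; a comment such as `# bare names resolve to policies/*.hcl` would make the intent explicit.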
@@ -25,9 +26,9 @@ locals {
 locals {
 policy_files = flatten([
 for path in local.policy_directories : [
- for policy in fileset(path, "*.hcl") : {
- name = trim(replace(policy, ".hcl", ""), "/")
- path = "${path}/${policy}"
+ for f in fileset(path, "*.hcl") : {
+ name = trimsuffix(trimprefix("${path}/${f}", "policies/"), ".hcl")
+ path = "${path}/${f}"
 }
 ]
 ])
@@ -35,8 +36,8 @@ locals {
 # Define Vault policies for all listed directories
 resource "vault_policy" "policies" {
- for_each = { for policy in local.policy_files : policy.name => policy }
+ for_each = { for p in local.policy_files : p.name => p }
- name = each.value.name
+ name = each.key
 policy = file(each.value.path)
 }
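Review bot: Because `name` changes for every file that is not directly under `policies/`, and the `for_each` key changes with it, this applies as a destroy of each old `vault_policy` instance and a create of a new one rather than an in-place rename (I believe the provider forces replacement on `name` — confirm with `terraform plan` before applying); any already-issued token that still carries an old name loses that grant the moment the old policy is destroyed and only recovers on re-login, so the role changes in this commit and the policy replacement must land in one apply, with the long-TTL roles such as rundeck in mind. It is also worth confirming end to end that Vault accepts a `/` inside an ACL policy name (`vault policy read auth/token/auth_token_self` after apply), since this is the first time the names carry a path separator. A comment above the local, e.g. `# policy name = path relative to policies/ without .hcl (policies/auth/token/foo.hcl -> auth/token/foo)`, would document the convention the role files now depend on.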