feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management with proper provider aliasing, along with the supporting configuration files and policy definitions for various terraform services. - add consul_acl_management module to manage consul acl policies and roles - add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault) - add consul provider configuration to root.hcl - add policies to generate credentials for each role - simplify consul_secret_backend_role module to reference acl-managed roles - switch to opentofu for provider foreach support - update terragrunt configuration to support consul backend aliases - update pre-commit hooks to use opentofu instead of terraform - configure tflint exceptions for consul acl management module
@@ -13,6 +13,11 @@ include "policies" {
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "resources" {
|
||||
path = "${get_repo_root()}/resources/resources.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
locals {
|
||||
# Extract country and region from path
|
||||
path_parts = split("/", dirname(get_terragrunt_dir()))
|
||||
@@ -24,6 +29,16 @@ locals {
|
||||
|
||||
# Include policies from policies.hcl
|
||||
policies = include.policies.locals
|
||||
|
||||
# Include resources from resources.hcl
|
||||
resources = include.resources.locals
|
||||
|
||||
# Create sanitized backend name mapping for Consul providers
|
||||
# Provider aliases can't contain slashes, so replace them with underscores
|
||||
consul_backend_aliases = {
|
||||
for backend_name, _ in local.config.consul_secret_backend :
|
||||
backend_name => replace(backend_name, "/", "_")
|
||||
}
|
||||
}
|
||||
|
||||
terraform {
|
||||
@@ -57,4 +72,7 @@ inputs = {
|
||||
# Pass policy maps to vault_cluster module
|
||||
policy_auth_map = local.policies.policy_auth_map
|
||||
policy_rules_map = local.policies.policy_rules_map
|
||||
|
||||
# Pass sanitized consul backend aliases for provider configuration
|
||||
consul_backend_aliases = local.consul_backend_aliases
|
||||
}
|
||||
|
||||
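Review bot: The alias derivation in the second hunk, `backend_name => replace(backend_name, "/", "_")`, is not injective: two backend names that differ only by `/` versus `_` (constructed example: `kv/foo` and `kv_foo`) map to the same provider alias, and any other character that is not valid in a provider alias (a `.`, for instance) passes through unchanged. Nothing in the hunk checks for this, so a duplicate alias would presumably only surface later, when the module that consumes `consul_backend_aliases` generates its provider blocks (not in view). Consider normalising every disallowed character rather than only `/`, and validating uniqueness where the map is consumed, e.g. a variable validation in vault_cluster: `condition = length(distinct(values(var.consul_backend_aliases))) == length(var.consul_backend_aliases)`. The `local.config.consul_secret_backend` map the comprehension iterates over is defined outside the visible hunks.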
+4
-13
@@ -3,27 +3,14 @@ generate "backend" {
|
||||
path = "backend.tf"
|
||||
if_exists = "overwrite"
|
||||
contents = <<EOF
|
||||
#-------------------------------------------
|
||||
# locals
|
||||
#-------------------------------------------
|
||||
locals {
|
||||
vault_addr = "https://vault.service.consul:8200"
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------
|
||||
# Configure this provider through the environment variables:
|
||||
# - VAULT_ADDR
|
||||
# - VAULT_TOKEN
|
||||
#-----------------------------------------------------------------------------
|
||||
provider "vault" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Use remote state file and encrypt it since your state files may contains
|
||||
# sensitive data.
|
||||
# export CONSUL_HTTP_TOKEN=<your-token>
|
||||
#------------------------------------------------------------------------------
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
@@ -38,6 +25,10 @@ terraform {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
consul = {
|
||||
source = "hashicorp/consul"
|
||||
version = "2.23.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
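Review bot: Adding `hashicorp/consul` to `required_providers` in the second hunk means the Consul provider, like the `backend "consul"` block earlier in this generated file, reads `CONSUL_HTTP_TOKEN` by default, so unless each aliased `provider "consul"` block (generated elsewhere, not in view) sets `token` explicitly, the state-backend token and the ACL-management token end up being the same credential. A token that can both write state to Consul KV and manage ACL policies and roles is wider than either job needs. Whether the `# export CONSUL_HTTP_TOKEN=<your-token>` comment survives on the new side is not recoverable from this rendering, but wherever the generated header documents that variable I would add `# The consul provider also falls back to CONSUL_HTTP_TOKEN; set token per aliased provider so state access and ACL management use separate, least-privilege credentials.` The `generate "backend"` block and its heredoc start outside the first hunk.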