diff --git a/.woodpecker/pre-commit.yaml b/.woodpecker/pre-commit.yaml
new file mode 100644
index 0000000..4bde44d
--- /dev/null
+++ b/.woodpecker/pre-commit.yaml
@@ -0,0 +1,9 @@
+when:
+ - event: pull_request
+
+steps:
+ - name: pre-commit
+ image: git.unkin.net/unkin/almalinux9-base:latest
+ commands:
+ - dnf install uv opentofu terragrunt tflint -y
+ - uvx pre-commit run --all-files
diff --git a/modules/vault_cluster/.tflint.hcl b/modules/vault_cluster/.tflint.hcl
new file mode 100644
index 0000000..98d5731
--- /dev/null
+++ b/modules/vault_cluster/.tflint.hcl
@@ -0,0 +1,11 @@
+rule "terraform_required_providers" {
+ enabled = false
+}
+
+rule "terraform_required_version" {
+ enabled = false
+}
+
+rule "terraform_unused_declarations" {
+ enabled = false
+}
diff --git a/modules/vault_cluster/main.tf b/modules/vault_cluster/main.tf
index 6f00018..230d977 100644
--- a/modules/vault_cluster/main.tf
+++ b/modules/vault_cluster/main.tf
@@ -3,8 +3,6 @@ module "auth_approle_backend" {
 for_each = var.auth_approle_backend
- country = var.country
- region = var.region
 path = each.key
 listing_visibility = each.value.listing_visibility
 default_lease_ttl = each.value.default_lease_ttl
@@ -186,7 +184,6 @@ module "pki_secret_backend" {
 crl_distribution_points = each.value.crl_distribution_points
 ocsp_servers = each.value.ocsp_servers
 enable_templating = each.value.enable_templating
- default_issuer_ref = each.value.default_issuer_ref
 default_follows_latest_issuer = each.value.default_follows_latest_issuer
 crl_expiry = each.value.crl_expiry
 crl_disable = each.value.crl_disable
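Review bot: Nothing in the `image`, `dnf install` or `uvx pre-commit` lines is pinned, so the tool set that gates every pull request changes whenever the `:latest` tag, the dnf repositories or PyPI move, and a lint verdict cannot be reproduced from the commit that produced it. Pinning the image by digest (`image: git.unkin.net/unkin/almalinux9-base@sha256:<digest>`), giving the dnf packages explicit versions, and running `uvx pre-commit@<version> run --all-files` would make the gate deterministic. Note also that the hooks this step executes come from the pull request's own `.pre-commit-config.yaml`, so if the repository accepts pull requests from outside contributors the step runs contributor-chosen commands; that is acceptable only while the job carries no secrets, which is worth stating in a comment on the `steps` block.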
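Review bot: Disabling `terraform_required_providers` and `terraform_required_version` for `modules/vault_cluster` silences the same checks this commit satisfies in the child modules by adding a `terraform.tf` to each of them; the parent module gets no such file in this diff, so the rule is switched off where it would have fired rather than fixed. Disabling `terraform_unused_declarations` here likewise hides the class of leftover (unused `country`, `region`, `consul_roles`, `issuer_ref` and `default_issuer_ref` declarations) that the same commit cleans out of the children, and I cannot tell from the diff whether the parent is free of them. If all three are deliberate, a `#` comment on each rule saying why would help the next reader, e.g. `# provider/version constraints for this module are owned by the root configuration`.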
@@ -266,12 +263,11 @@ module "consul_secret_backend_role" {
 for_each = var.consul_secret_backend_role
- name = each.value.name
- backend = each.value.backend
- consul_roles = each.value.consul_roles
- ttl = each.value.ttl
- max_ttl = each.value.max_ttl
- local = each.value.local
+ name = each.value.name
+ backend = each.value.backend
+ ttl = each.value.ttl
+ max_ttl = each.value.max_ttl
+ local = each.value.local
 depends_on = [module.consul_secret_backend, module.consul_acl_management]
 }
@@ -324,7 +320,6 @@ module "pki_mount_only" {
 path = each.key
 description = each.value.description
 max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
- issuer_ref = each.value.issuer_ref
 issuing_certificates = each.value.issuing_certificates
 crl_distribution_points = each.value.crl_distribution_points
 ocsp_servers = each.value.ocsp_servers
diff --git a/modules/vault_cluster/modules/auth_approle_backend/main.tf b/modules/vault_cluster/modules/auth_approle_backend/main.tf
index 09a072d..79fa6f0 100644
--- a/modules/vault_cluster/modules/auth_approle_backend/main.tf
+++ b/modules/vault_cluster/modules/auth_approle_backend/main.tf
@@ -8,4 +8,4 @@ resource "vault_auth_backend" "approle" {
 max_lease_ttl = var.max_lease_ttl
 listing_visibility = var.listing_visibility
 }
-}
\ No newline at end of file
+}
diff --git a/modules/vault_cluster/modules/auth_approle_backend/terraform.tf b/modules/vault_cluster/modules/auth_approle_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_approle_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_approle_backend/variables.tf b/modules/vault_cluster/modules/auth_approle_backend/variables.tf
index a575230..f113844 100644
--- a/modules/vault_cluster/modules/auth_approle_backend/variables.tf
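Review bot: The rewritten argument list no longer forwards `consul_roles`, but the parent's `consul_secret_backend_role` variable type is not touched by this diff (only the `pki_*` object types in `modules/vault_cluster/variables.tf` change), so if it still declares `consul_roles`, callers can keep setting a field that no longer influences how the generated Consul tokens are scoped. Removing it from that object type as well, or stating in the variable description that Consul role assignment is not driven by this module, avoids the silent no-op. The `consul_secret_backend_role` submodule's `main.tf` is also absent from the diff, so I am assuming it never referenced `var.consul_roles`; if it did, the variable removal in its `variables.tf` will fail validation.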
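Review bot: `version = "5.6.0"` is an exact pin, and this file is added byte-identically to every other child module in the diff (`auth_approle_role`, `auth_kubernetes_backend`, `auth_kubernetes_role`, `auth_ldap_backend`, `auth_ldap_group`, `consul_secret_backend`, `consul_secret_backend_role`, `kubernetes_secret_backend`, `kubernetes_secret_backend_role`, `kv_secret_backend`, `pki_mount_only`, `pki_secret_backend`, `pki_secret_backend_role`, `ssh_secret_backend`, `ssh_secret_backend_role`, `transit_secret_backend`, `transit_secret_backend_key`, `vault_policy`, plus `consul_acl_management` with an additional exact `consul` pin of `2.23.0`). For reusable child modules the usual practice is a lower bound or pessimistic constraint such as `version = "~> 5.6"`, leaving the exact selection to the root configuration's dependency lock file; with exact pins a provider upgrade means editing twenty files in lockstep, and any root or sibling module whose own constraint does not include `5.6.0` exactly cannot be composed with these. If the exact pin is deliberate, a one-line `#` comment above `version` saying so would spare the next maintainer the question.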
+++ b/modules/vault_cluster/modules/auth_approle_backend/variables.tf
@@ -1,13 +1,3 @@
-variable "country" {
- description = "Country identifier"
- type = string
-}
-
-variable "region" {
- description = "Region identifier"
- type = string
-}
-
 variable "path" {
 description = "Mount path of the AppRole auth backend"
 type = string
@@ -34,4 +24,4 @@ variable "max_lease_ttl" {
 description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
 type = string
 default = null
-}
\ No newline at end of file
+}
diff --git a/modules/vault_cluster/modules/auth_approle_role/main.tf b/modules/vault_cluster/modules/auth_approle_role/main.tf
index f4617bd..f3365a4 100644
--- a/modules/vault_cluster/modules/auth_approle_role/main.tf
+++ b/modules/vault_cluster/modules/auth_approle_role/main.tf
@@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" {
 locals {
 salt = data.vault_kv_secret_v2.salt_config.data["salt"]
 role_id_input = "${local.salt}-${var.approle_name}-${var.mount_path}"
- deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
+ deterministic_role_id = uuidv5("dns", local.role_id_input)
 # Use deterministic role-id by default, or read from KV if specified
 role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]
diff --git a/modules/vault_cluster/modules/auth_approle_role/terraform.tf b/modules/vault_cluster/modules/auth_approle_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_approle_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf b/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
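Review bot: The `deterministic_role_id` change is value-preserving (an interpolation-only string equals the bare expression), so the hunk is lint-only; what the line still lacks is a statement of what the derived value's secrecy rests on. The role_id is a UUIDv5 over `salt`, `approle_name` and `mount_path`, so it is exactly as guessable as the KV `salt`; Vault treats a role_id as a non-secret identifier, which is fine while every role built from this value keeps `bind_secret_id` enabled, but the salt becomes the sole credential for any role that does not. A comment such as `# derived from the KV salt: treat the salt as sensitive and keep secret-id binding on for roles using this id` above the line would record that constraint where the next reader needs it. The `locals` block closes outside the hunk.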
+++ b/modules/vault_cluster/modules/auth_kubernetes_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf b/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_kubernetes_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf b/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_ldap_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/auth_ldap_group/terraform.tf b/modules/vault_cluster/modules/auth_ldap_group/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/auth_ldap_group/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl b/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl
index 8f9177e..3657e1d 100644
--- a/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl
+++ b/modules/vault_cluster/modules/consul_acl_management/.tflint.hcl
@@ -4,4 +4,4 @@ rule "terraform_required_providers" {
 rule "terraform_required_version" {
 enabled = false
-}
\ No newline at end of file
+}
diff --git a/modules/vault_cluster/modules/consul_acl_management/terraform.tf b/modules/vault_cluster/modules/consul_acl_management/terraform.tf
new file mode 100644
index 0000000..3aa5b98
--- /dev/null
+++ b/modules/vault_cluster/modules/consul_acl_management/terraform.tf
@@ -0,0 +1,13 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ consul = {
+ source = "hashicorp/consul"
+ version = "2.23.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/consul_secret_backend/terraform.tf b/modules/vault_cluster/modules/consul_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/consul_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/consul_secret_backend_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/consul_secret_backend_role/variables.tf b/modules/vault_cluster/modules/consul_secret_backend_role/variables.tf
index 519ab74..7ba04cb 100644
--- a/modules/vault_cluster/modules/consul_secret_backend_role/variables.tf
+++ b/modules/vault_cluster/modules/consul_secret_backend_role/variables.tf
@@ -9,12 +9,6 @@ variable "name" {
 }
-variable "consul_roles" {
- description = "List of Consul roles to attach to tokens"
- type = list(string)
- default = []
-}
-
 variable "ttl" {
 description = "TTL for generated tokens"
diff --git a/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf b/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/kubernetes_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/kubernetes_secret_backend_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/kv_secret_backend/terraform.tf b/modules/vault_cluster/modules/kv_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/kv_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/pki_mount_only/main.tf b/modules/vault_cluster/modules/pki_mount_only/main.tf
index 4f3e409..ce383cc 100644
--- a/modules/vault_cluster/modules/pki_mount_only/main.tf
+++ b/modules/vault_cluster/modules/pki_mount_only/main.tf
@@ -5,11 +5,6 @@ resource "vault_mount" "pki" {
 max_lease_ttl_seconds = var.max_lease_ttl_seconds
 }
-data "vault_pki_secret_backend_issuer" "issuer" {
- backend = vault_mount.pki.path
- issuer_ref = var.issuer_ref
-}
-
 resource "vault_pki_secret_backend_config_urls" "config_urls" {
 backend = vault_mount.pki.path
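Review bot: Dropping `data "vault_pki_secret_backend_issuer" "issuer"` also drops a plan-time read that asserted the mount at `vault_mount.pki.path` actually holds the issuer named by `var.issuer_ref`; nothing in the hunk consumed the data source's attributes, which is presumably why the linter flagged it, but after the change `config_urls` (and the CRL config in the following hunk of this file) are applied to a mount whose issuer state is no longer checked at all. If the intent of `pki_mount_only` is a mount whose issuers are provisioned elsewhere, a one-line header comment on `resource "vault_mount" "pki"` saying so — `# issuers for this mount are managed outside this module; nothing here verifies one exists` — would make that contract explicit for callers. The `vault_mount` resource itself starts before the hunk.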
@@ -35,4 +30,4 @@ resource "vault_pki_secret_backend_crl_config" "crl" {
 auto_rebuild = var.auto_rebuild
 enable_delta = var.enable_delta
 delta_rebuild_interval = var.delta_rebuild_interval
-}
\ No newline at end of file
+}
diff --git a/modules/vault_cluster/modules/pki_mount_only/terraform.tf b/modules/vault_cluster/modules/pki_mount_only/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/pki_mount_only/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/pki_mount_only/variables.tf b/modules/vault_cluster/modules/pki_mount_only/variables.tf
index 823132e..8006969 100644
--- a/modules/vault_cluster/modules/pki_mount_only/variables.tf
+++ b/modules/vault_cluster/modules/pki_mount_only/variables.tf
@@ -13,11 +13,6 @@ variable "max_lease_ttl_seconds" {
 type = number
 }
-variable "issuer_ref" {
- description = "Reference to the PKI issuer (default, or issuer ID/name)"
- type = string
- default = "default"
-}
 variable "issuing_certificates" {
 description = "List of URLs for issuing certificates"
@@ -89,4 +84,4 @@ variable "delta_rebuild_interval" {
 description = "Delta CRL rebuild interval"
 type = string
 default = null
-}
\ No newline at end of file
+}
diff --git a/modules/vault_cluster/modules/pki_secret_backend/terraform.tf b/modules/vault_cluster/modules/pki_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/pki_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/pki_secret_backend/variables.tf b/modules/vault_cluster/modules/pki_secret_backend/variables.tf
index 1844d01..d2d7ef1 100644
--- a/modules/vault_cluster/modules/pki_secret_backend/variables.tf
+++ b/modules/vault_cluster/modules/pki_secret_backend/variables.tf
@@ -61,12 +61,6 @@ variable "enable_templating" {
 default = false
 }
-variable "default_issuer_ref" {
- description = "Reference to the default issuer"
- type = string
- default = null
-}
-
 variable "default_follows_latest_issuer" {
 description = "Whether the default issuer should follow the latest issuer"
 type = bool
@@ -107,4 +101,4 @@ variable "delta_rebuild_interval" {
 description = "Delta CRL rebuild interval"
 type = string
 default = null
-}
\ No newline at end of file
+}
diff --git a/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/pki_secret_backend_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf b/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/ssh_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf b/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/ssh_secret_backend_role/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/transit_secret_backend/terraform.tf b/modules/vault_cluster/modules/transit_secret_backend/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/transit_secret_backend/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf b/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/transit_secret_backend_key/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/modules/vault_policy/terraform.tf b/modules/vault_cluster/modules/vault_policy/terraform.tf
new file mode 100644
index 0000000..ce22437
--- /dev/null
+++ b/modules/vault_cluster/modules/vault_policy/terraform.tf
@@ -0,0 +1,9 @@
+terraform {
+ required_version = ">= 1.10"
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.6.0"
+ }
+ }
+}
diff --git a/modules/vault_cluster/variables.tf b/modules/vault_cluster/variables.tf
index d9b03fc..7e06cbe 100644
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@@ -166,7 +166,6 @@ variable "pki_secret_backend" {
 crl_distribution_points = optional(list(string), [])
 ocsp_servers = optional(list(string), [])
 enable_templating = optional(bool, false)
- default_issuer_ref = optional(string)
 default_follows_latest_issuer = optional(bool, false)
 crl_expiry = optional(string, "72h")
 crl_disable = optional(bool, false)
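Review bot: Removing `default_issuer_ref` from the `pki_secret_backend` object type (and `issuer_ref` from `pki_mount_only` in the next hunk) is an interface change for every caller of `vault_cluster`, and nothing in the diff records it. A caller whose map still sets either field should now fail at plan time with an unexpected-attribute error rather than have the value silently dropped, which is the safer outcome, but it deserves a README or changelog line and a short comment above each object type so the next reader does not reintroduce the field, e.g. `# default_issuer_ref was removed: issuer selection is not configurable through this module`. The `variable "pki_secret_backend"` block starts before the hunk and its type definition continues past it.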
@@ -204,7 +203,6 @@ variable "pki_mount_only" {
 type = map(object({
 description = optional(string)
 max_lease_ttl_seconds = optional(number, 315360000)
- issuer_ref = optional(string, "default")
 issuing_certificates = optional(list(string), [])
 crl_distribution_points = optional(list(string), [])
 ocsp_servers = optional(list(string), [])