feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure - add vault_cluster module with config discovery system - replace individual .tf files with centralized config.hcl - restructure auth and secret backends as configurable modules - move auth roles and secret backends to yaml-based configuration - convert policies from .hcl to .yaml format, add rules/auth definition - add pre-commit hooks for yaml formatting and file cleanup - add terragrunt cache to gitignore - update makefile with terragrunt commands and format target
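--- /dev/null
+++ b/config.hcl
@@ -0,0 +1,189 @@
+# =============================================================================
+# VAULT MODULE CONFIGURATION SYSTEM
+# =============================================================================
+#
+# This file automatically discovers and organizes YAML configuration files
+# for Vault modules, creating structured configuration maps for Terraform.
+#
+# HOW IT WORKS:
+# 1. Scans all subdirectories for *.yaml files
+# 2. Groups files by module type based on directory structure
+# 3. Creates unique resource keys to prevent naming conflicts
+# 4. Adds computed fields like name, backend, etc. from file paths
+#
+# DIRECTORY STRUCTURE:
+# config/
+# ├── auth_approle_role/
+# │ └── approle/
+# │ ├── certmanager.yaml # Creates key: "approle/certmanager"
+# │ └── myapp.yaml # Creates key: "approle/myapp"
+# ├── auth_kubernetes_role/
+# │ └── k8s/au/syd1/
+# │ ├── default.yaml # Creates key: "k8s/au/syd1/default"
+# │ └── myapp.yaml # Creates key: "k8s/au/syd1/myapp"
+# └── kv_secret_backend/
+# ├── kv.yaml # Creates key: "kv"
+# └── secrets.yaml # Creates key: "secrets"
+#
+# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
+# ```yaml
+# token_ttl: 3600
+# token_max_ttl: 7200
+# bind_secret_id: true
+# token_bound_cidrs:
+# - "10.0.0.0/8"
+# ```
+#
+# This becomes:
+# ```hcl
+# auth_approle_role = {
+# "approle/myapp" = {
+# approle_name = "myapp" # Auto-computed from filename
+# mount_path = "approle" # Auto-computed from directory
+# token_ttl = 3600 # From YAML content
+# token_max_ttl = 7200 # From YAML content
+# bind_secret_id = true # From YAML content
+# token_bound_cidrs = ["10.0.0.0/8"]
+# }
+# }
+# ```
+#
+# KEY NAMING PATTERNS:
+# - Simple backends: filename only (e.g., "kv", "transit")
+# - Role-based resources: full path without extension (e.g., "approle/myapp")
+# - This ensures uniqueness when multiple backends have similar role names
+#
+# GENERATED OUTPUTS:
+# - config.auth_approle_backend, config.auth_approle_role, etc.
+# - Each module gets its own map with properly structured configuration
+#
+# =============================================================================
+
+locals {
+# Find all YAML files in subdirectories
+config_files = fileset(".", "**/*.yaml")
+
+# Create a flat map of all files with their content
+all_configs = {
+for file_path in local.config_files :
+file_path => yamldecode(file(file_path))
+}
+
+# Group by module directory (first part of path)
+config = {
+auth_approle_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "auth_approle_backend/")
+}
+auth_approle_role = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, {
+approle_name = trimsuffix(basename(file_path), ".yaml")
+mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0]
+})
+if startswith(file_path, "auth_approle_role/")
+}
+auth_ldap_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "auth_ldap_backend/")
+}
+auth_ldap_group = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, {
+groupname = trimsuffix(basename(file_path), ".yaml")
+backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0]
+})
+if startswith(file_path, "auth_ldap_group/")
+}
+auth_kubernetes_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content
+if startswith(file_path, "auth_kubernetes_backend/")
+}
+auth_kubernetes_role = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, {
+role_name = trimsuffix(basename(file_path), ".yaml")
+backend = dirname(replace(file_path, "auth_kubernetes_role/", ""))
+})
+if startswith(file_path, "auth_kubernetes_role/")
+}
+kv_secret_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "kv_secret_backend/")
+}
+transit_secret_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "transit_secret_backend/")
+}
+transit_secret_backend_key = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, {
+name = trimsuffix(basename(file_path), ".yaml")
+backend = dirname(replace(file_path, "transit_secret_backend_key/", ""))
+})
+if startswith(file_path, "transit_secret_backend_key/")
+}
+ssh_secret_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "ssh_secret_backend/")
+}
+ssh_secret_backend_role = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, {
+name = trimsuffix(basename(file_path), ".yaml")
+backend = dirname(replace(file_path, "ssh_secret_backend_role/", ""))
+})
+if startswith(file_path, "ssh_secret_backend_role/")
+}
+pki_secret_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content
+if startswith(file_path, "pki_secret_backend/")
+}
+pki_secret_backend_role = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, {
+name = trimsuffix(basename(file_path), ".yaml")
+backend = dirname(replace(file_path, "pki_secret_backend_role/", ""))
+})
+if startswith(file_path, "pki_secret_backend_role/")
+}
+kubernetes_secret_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content
+if startswith(file_path, "kubernetes_secret_backend/")
+}
+kubernetes_secret_backend_role = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, {
+name = trimsuffix(basename(file_path), ".yaml")
+backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", ""))
+})
+if startswith(file_path, "kubernetes_secret_backend_role/")
+}
+consul_secret_backend = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "consul_secret_backend/")
+}
+consul_secret_backend_role = {
+for file_path, content in local.all_configs :
+trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, {
+name = trimsuffix(basename(file_path), ".yaml")
+backend = dirname(replace(file_path, "consul_secret_backend_role/", ""))
+})
+if startswith(file_path, "consul_secret_backend_role/")
+}
+pki_mount_only = {
+for file_path, content in local.all_configs :
+trimsuffix(basename(file_path), ".yaml") => content
+if startswith(file_path, "pki_mount_only/")
+}
+}
+}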
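Review bot: In the auth_approle_role and auth_ldap_group maps the computed `mount_path` / `backend` is taken from `split("/", …)[0]`, so a role file under a nested mount such as `auth_approle_role/a/b/x.yaml` gets key `a/b/x` but mount_path `a`, whereas every other role map derives the same field with `dirname(...)` and would give `a/b`; the role would then be written to a different mount than its key names, so `mount_path = dirname(replace(file_path, "auth_approle_role/", ""))` and `backend = dirname(replace(file_path, "auth_ldap_group/", ""))` would make the two maps consistent with the rest. The glob `fileset(".", "**/*.yaml")` decodes every YAML file below the module root, not only those under the listed directories, so a stray or malformed YAML file (for example a formatter config, if one lives beside this file) fails the whole plan before the `startswith` filters discard it; either restrict the pattern to the known module directories or say so in the comment `# Find all YAML files in subdirectories`. The backend maps (auth_ldap_backend, auth_kubernetes_backend, consul_secret_backend and the others) pass the decoded YAML through untouched, so any credential placed in those files — a bind password, a reviewer token — lands in the repository and in Terraform state; a sentence in the header's EXAMPLE section stating that such values must come from variables or a secret source rather than the YAML would prevent that by convention.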