feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
@@ -0,0 +1,60 @@
|
||||
include "root" {
|
||||
path = find_in_parent_folders("root.hcl")
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "config" {
|
||||
path = "${get_repo_root()}/config/config.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "policies" {
|
||||
path = "${get_repo_root()}/policies/policies.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
locals {
|
||||
# Extract country and region from path
|
||||
path_parts = split("/", dirname(get_terragrunt_dir()))
|
||||
country = basename(dirname(get_terragrunt_dir())) # "au"
|
||||
region = basename(get_terragrunt_dir()) # "syd1"
|
||||
|
||||
# Include configuration from config.hcl
|
||||
config = include.config.locals.config
|
||||
|
||||
# Include policies from policies.hcl
|
||||
policies = include.policies.locals
|
||||
}
|
||||
|
||||
terraform {
|
||||
source = "../../../modules/vault_cluster"
|
||||
}
|
||||
|
||||
inputs = {
|
||||
country = local.country
|
||||
region = local.region
|
||||
|
||||
# Pass configuration maps to vault_cluster module
|
||||
auth_approle_backend = local.config.auth_approle_backend
|
||||
auth_approle_role = local.config.auth_approle_role
|
||||
auth_ldap_backend = local.config.auth_ldap_backend
|
||||
auth_ldap_group = local.config.auth_ldap_group
|
||||
auth_kubernetes_backend = local.config.auth_kubernetes_backend
|
||||
auth_kubernetes_role = local.config.auth_kubernetes_role
|
||||
kv_secret_backend = local.config.kv_secret_backend
|
||||
transit_secret_backend = local.config.transit_secret_backend
|
||||
transit_secret_backend_key = local.config.transit_secret_backend_key
|
||||
ssh_secret_backend = local.config.ssh_secret_backend
|
||||
ssh_secret_backend_role = local.config.ssh_secret_backend_role
|
||||
pki_secret_backend = local.config.pki_secret_backend
|
||||
pki_secret_backend_role = local.config.pki_secret_backend_role
|
||||
consul_secret_backend = local.config.consul_secret_backend
|
||||
consul_secret_backend_role = local.config.consul_secret_backend_role
|
||||
kubernetes_secret_backend = local.config.kubernetes_secret_backend
|
||||
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
|
||||
pki_mount_only = local.config.pki_mount_only
|
||||
|
||||
# Pass policy maps to vault_cluster module
|
||||
policy_auth_map = local.policies.policy_auth_map
|
||||
policy_rules_map = local.policies.policy_rules_map
|
||||
}
|
||||
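Review bot: `path_parts` in the `locals` block is computed from `dirname(get_terragrunt_dir())` but never referenced; `country` and `region` are derived separately with their own `basename(...)` calls, so the three lines disagree on how the path is decomposed and one of them is dead. Either drop `path_parts` or make it the single source, e.g. `country = local.path_parts[length(local.path_parts) - 1]`, so a future change to the directory layout only has one place to update. Note also that `country`/`region` are taken purely from the directory a unit sits in, with no check against the keys in `include.config.locals.config`; a unit created in the wrong folder would presumably select a different cluster's settings and state path silently, so a `validation`-style assertion (or at least a comment stating the expected `<country>/<region>/terragrunt.hcl` layout) would be worth adding at the top of `locals`. The inline examples `# "au"` and `# "syd1"` read as documentation of a fixed layout rather than examples, so marking them as `# e.g. "au"` would avoid that misreading.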
@@ -0,0 +1,44 @@
|
||||
# Generate root backend.tf
|
||||
generate "backend" {
|
||||
path = "backend.tf"
|
||||
if_exists = "overwrite"
|
||||
contents = <<EOF
|
||||
#-------------------------------------------
|
||||
# locals
|
||||
#-------------------------------------------
|
||||
locals {
|
||||
vault_addr = "https://vault.service.consul:8200"
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------
|
||||
# Configure this provider through the environment variables:
|
||||
# - VAULT_ADDR
|
||||
# - VAULT_TOKEN
|
||||
#-----------------------------------------------------------------------------
|
||||
provider "vault" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Use remote state file and encrypt it since your state files may contains
|
||||
# sensitive data.
|
||||
# export CONSUL_HTTP_TOKEN=<your-token>
|
||||
#------------------------------------------------------------------------------
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
path = "infra/terraform/vault/${path_relative_to_include()}/state"
|
||||
scheme = "https"
|
||||
lock = true
|
||||
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
}
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
}
|
||||
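Review bot: The header comment above `provider "vault"` says the provider is configured through `VAULT_ADDR`, but the generated block sets `address = local.vault_addr` to a hard-coded `https://vault.service.consul:8200`, and an explicit `address` argument takes precedence over the environment variable, so `VAULT_ADDR` is effectively ignored and only `VAULT_TOKEN` is still read from the environment. Either drop the `locals` block and the `address` line so the environment variable is honoured as documented, or change the comment to `# Address is pinned in locals below; only VAULT_TOKEN is read from the environment.` so operators do not expect an override that does not work. In the `backend "consul"` comment, "encrypt it since your state files may contains sensitive data" overstates what the configuration does: `scheme = "https"` plus `ca_file` protects the state in transit, but the Consul KV backend does not encrypt state at rest, and Vault provider state can hold configuration that is sensitive, so the note should instead say that the `infra/terraform/vault/` KV prefix must be protected by a Consul ACL policy and that the `CONSUL_HTTP_TOKEN` used here should be scoped to that prefix. The hard-coded `ca_file = "/etc/pki/tls/certs/ca-bundle.crt"` is a RHEL-family path and will fail on other runners, which is presumably intended for a fixed CI image but deserves a one-line comment stating that assumption.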