feat: major restructuring in migration to terragrunt

- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-04 23:31:42 +11:00
parent bd112181f5
commit 8070b6f66b
245 changed files with 3943 additions and 985 deletions
+60
@@ -0,0 +1,60 @@
include "root" {
path = find_in_parent_folders("root.hcl")
expose = true
}
include "config" {
path = "${get_repo_root()}/config/config.hcl"
expose = true
}
include "policies" {
path = "${get_repo_root()}/policies/policies.hcl"
expose = true
}
locals {
# Extract country and region from path
path_parts = split("/", dirname(get_terragrunt_dir()))
country = basename(dirname(get_terragrunt_dir())) # "au"
region = basename(get_terragrunt_dir()) # "syd1"
# Include configuration from config.hcl
config = include.config.locals.config
# Include policies from policies.hcl
policies = include.policies.locals
}
terraform {
source = "../../../modules/vault_cluster"
}
inputs = {
country = local.country
region = local.region
# Pass configuration maps to vault_cluster module
auth_approle_backend = local.config.auth_approle_backend
auth_approle_role = local.config.auth_approle_role
auth_ldap_backend = local.config.auth_ldap_backend
auth_ldap_group = local.config.auth_ldap_group
auth_kubernetes_backend = local.config.auth_kubernetes_backend
auth_kubernetes_role = local.config.auth_kubernetes_role
kv_secret_backend = local.config.kv_secret_backend
transit_secret_backend = local.config.transit_secret_backend
transit_secret_backend_key = local.config.transit_secret_backend_key
ssh_secret_backend = local.config.ssh_secret_backend
ssh_secret_backend_role = local.config.ssh_secret_backend_role
pki_secret_backend = local.config.pki_secret_backend
pki_secret_backend_role = local.config.pki_secret_backend_role
consul_secret_backend = local.config.consul_secret_backend
consul_secret_backend_role = local.config.consul_secret_backend_role
kubernetes_secret_backend = local.config.kubernetes_secret_backend
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
pki_mount_only = local.config.pki_mount_only
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map
}
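Review bot: `path_parts` at the top of the `locals` block is computed but never referenced — `country` and `region` are taken directly from `basename(...)` on the two lines below it — so either drop `path_parts = split("/", dirname(get_terragrunt_dir()))` or derive both values from it so the directory-layout assumption lives in one place. Because cluster selection depends entirely on where this unit sits on disk, a copy of this file placed in the wrong directory silently targets a different Vault cluster with the same `config.hcl` inputs; a one-line comment on `locals` stating that the unit must live at `<country>/<region>/` under the repo root would make that dependency explicit. `terraform.source` also uses a relative `../../../modules/vault_cluster` while every include resolves through `${get_repo_root()}`; `source = "${get_repo_root()}/modules/vault_cluster"` is consistent with the includes and does not break if a unit is nested at a different depth.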
+44
@@ -0,0 +1,44 @@
# Generate root backend.tf
generate "backend" {
path = "backend.tf"
if_exists = "overwrite"
contents = <<EOF
#-------------------------------------------
# locals
#-------------------------------------------
locals {
vault_addr = "https://vault.service.consul:8200"
}
#-----------------------------------------------------------------------------
# Configure this provider through the environment variables:
# - VAULT_ADDR
# - VAULT_TOKEN
#-----------------------------------------------------------------------------
provider "vault" {
address = local.vault_addr
}
#------------------------------------------------------------------------------
# Use remote state file and encrypt it since your state files may contains
# sensitive data.
# export CONSUL_HTTP_TOKEN=<your-token>
#------------------------------------------------------------------------------
terraform {
backend "consul" {
address = "https://consul.service.consul"
path = "infra/terraform/vault/${path_relative_to_include()}/state"
scheme = "https"
lock = true
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
}
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
}
}
EOF
}
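Review bot: The header comment above `provider "vault"` says the provider is configured through `VAULT_ADDR`, but the block sets `address = local.vault_addr`, and an explicit `address` argument takes precedence over the environment variable, so only `VAULT_TOKEN` is actually read from the environment. Either drop the `address` line together with the `vault_addr` local, or change the comment to `# VAULT_TOKEN is read from the environment; the address is pinned below via local.vault_addr`. The backend comment likewise promises the state is encrypted, yet `scheme = "https"` and `ca_file` only protect the state in transit — nothing in this block encrypts it at rest in Consul — so it should read `# State is sent to Consul over TLS; at-rest protection depends on the Consul cluster itself`. Worth a comment on `generate "backend"` as well: with `if_exists = "overwrite"` any hand-edited `backend.tf` in a child unit is silently replaced on every run, which is the intent here but surprises anyone debugging a unit locally.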