feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure - add vault_cluster module with config discovery system - replace individual .tf files with centralized config.hcl - restructure auth and secret backends as configurable modules - move auth roles and secret backends to yaml-based configuration - convert policies from .hcl to .yaml format, add rules/auth definition - add pre-commit hooks for yaml formatting and file cleanup - add terragrunt cache to gitignore - update makefile with terragrunt commands and format target
@@ -0,0 +1,316 @@
|
||||
module "auth_approle_backend" {
|
||||
source = "./modules/auth_approle_backend"
|
||||
|
||||
for_each = var.auth_approle_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
max_lease_ttl = each.value.max_lease_ttl
|
||||
}
|
||||
|
||||
module "auth_approle_role" {
|
||||
source = "./modules/auth_approle_role"
|
||||
|
||||
for_each = var.auth_approle_role
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
approle_name = each.value.approle_name
|
||||
mount_path = each.value.mount_path
|
||||
token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
|
||||
token_ttl = each.value.token_ttl
|
||||
token_max_ttl = each.value.token_max_ttl
|
||||
bind_secret_id = each.value.bind_secret_id
|
||||
secret_id_ttl = each.value.secret_id_ttl
|
||||
token_bound_cidrs = each.value.token_bound_cidrs
|
||||
alias_metadata = each.value.alias_metadata
|
||||
use_deterministic_role_id = each.value.use_deterministic_role_id
|
||||
|
||||
depends_on = [module.auth_approle_backend]
|
||||
}
|
||||
|
||||
module "auth_ldap_backend" {
|
||||
source = "./modules/auth_ldap_backend"
|
||||
|
||||
for_each = var.auth_ldap_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
userdn = each.value.userdn
|
||||
userattr = each.value.userattr
|
||||
upndomain = each.value.upndomain
|
||||
discoverdn = each.value.discoverdn
|
||||
groupdn = each.value.groupdn
|
||||
groupfilter = each.value.groupfilter
|
||||
groupattr = each.value.groupattr
|
||||
alias_metadata = each.value.alias_metadata
|
||||
username_as_alias = each.value.username_as_alias
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
max_lease_ttl = each.value.max_lease_ttl
|
||||
}
|
||||
|
||||
module "auth_ldap_group" {
|
||||
source = "./modules/auth_ldap_group"
|
||||
|
||||
for_each = var.auth_ldap_group
|
||||
|
||||
groupname = each.value.groupname
|
||||
backend = each.value.backend
|
||||
policies = each.value.policies
|
||||
|
||||
depends_on = [module.auth_ldap_backend]
|
||||
}
|
||||
|
||||
module "auth_kubernetes_backend" {
|
||||
source = "./modules/auth_kubernetes_backend"
|
||||
|
||||
for_each = var.auth_kubernetes_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
kubernetes_host = each.value.kubernetes_host
|
||||
disable_iss_validation = each.value.disable_iss_validation
|
||||
use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
max_lease_ttl = each.value.max_lease_ttl
|
||||
}
|
||||
|
||||
module "auth_kubernetes_role" {
|
||||
source = "./modules/auth_kubernetes_role"
|
||||
|
||||
for_each = var.auth_kubernetes_role
|
||||
|
||||
role_name = each.value.role_name
|
||||
backend = each.value.backend
|
||||
bound_service_account_names = each.value.bound_service_account_names
|
||||
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||
token_ttl = each.value.token_ttl
|
||||
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||
audience = each.value.audience
|
||||
|
||||
depends_on = [module.auth_kubernetes_backend]
|
||||
}
|
||||
|
||||
module "kv_secret_backend" {
|
||||
source = "./modules/kv_secret_backend"
|
||||
|
||||
for_each = var.kv_secret_backend
|
||||
|
||||
path = each.key
|
||||
type = each.value.type
|
||||
description = each.value.description
|
||||
kv_version = each.value.version
|
||||
max_versions = each.value.max_versions
|
||||
}
|
||||
|
||||
module "transit_secret_backend" {
|
||||
source = "./modules/transit_secret_backend"
|
||||
|
||||
for_each = var.transit_secret_backend
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
module "transit_secret_backend_key" {
|
||||
source = "./modules/transit_secret_backend_key"
|
||||
|
||||
for_each = var.transit_secret_backend_key
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
type = each.value.type
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
derived = each.value.derived
|
||||
exportable = each.value.exportable
|
||||
allow_plaintext_backup = each.value.allow_plaintext_backup
|
||||
auto_rotate_period = each.value.auto_rotate_period
|
||||
|
||||
depends_on = [module.transit_secret_backend]
|
||||
}
|
||||
|
||||
module "ssh_secret_backend" {
|
||||
source = "./modules/ssh_secret_backend"
|
||||
|
||||
for_each = var.ssh_secret_backend
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
generate_signing_key = each.value.generate_signing_key
|
||||
key_type = each.value.key_type
|
||||
}
|
||||
|
||||
module "ssh_secret_backend_role" {
|
||||
source = "./modules/ssh_secret_backend_role"
|
||||
|
||||
for_each = var.ssh_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
key_type = each.value.key_type
|
||||
algorithm_signer = each.value.algorithm_signer
|
||||
ttl = each.value.ttl
|
||||
allow_host_certificates = each.value.allow_host_certificates
|
||||
allow_user_certificates = each.value.allow_user_certificates
|
||||
allowed_domains = each.value.allowed_domains
|
||||
allow_subdomains = each.value.allow_subdomains
|
||||
allow_bare_domains = each.value.allow_bare_domains
|
||||
|
||||
depends_on = [module.ssh_secret_backend]
|
||||
}
|
||||
|
||||
module "pki_secret_backend" {
|
||||
source = "./modules/pki_secret_backend"
|
||||
|
||||
for_each = var.pki_secret_backend
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
common_name = each.value.common_name
|
||||
issuer_name = each.value.issuer_name
|
||||
ttl = each.value.ttl
|
||||
format = each.value.format
|
||||
issuing_certificates = each.value.issuing_certificates
|
||||
crl_distribution_points = each.value.crl_distribution_points
|
||||
ocsp_servers = each.value.ocsp_servers
|
||||
enable_templating = each.value.enable_templating
|
||||
default_issuer_ref = each.value.default_issuer_ref
|
||||
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||
crl_expiry = each.value.crl_expiry
|
||||
crl_disable = each.value.crl_disable
|
||||
ocsp_disable = each.value.ocsp_disable
|
||||
auto_rebuild = each.value.auto_rebuild
|
||||
enable_delta = each.value.enable_delta
|
||||
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||
}
|
||||
|
||||
module "pki_secret_backend_role" {
|
||||
source = "./modules/pki_secret_backend_role"
|
||||
|
||||
for_each = var.pki_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
allow_ip_sans = each.value.allow_ip_sans
|
||||
allowed_domains = each.value.allowed_domains
|
||||
allow_subdomains = each.value.allow_subdomains
|
||||
allow_glob_domains = each.value.allow_glob_domains
|
||||
allow_bare_domains = each.value.allow_bare_domains
|
||||
enforce_hostnames = each.value.enforce_hostnames
|
||||
allow_any_name = each.value.allow_any_name
|
||||
max_ttl = each.value.max_ttl
|
||||
key_bits = each.value.key_bits
|
||||
country = each.value.country
|
||||
use_csr_common_name = each.value.use_csr_common_name
|
||||
use_csr_sans = each.value.use_csr_sans
|
||||
|
||||
depends_on = [module.pki_secret_backend]
|
||||
}
|
||||
|
||||
module "consul_secret_backend" {
|
||||
source = "./modules/consul_secret_backend"
|
||||
|
||||
for_each = var.consul_secret_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
address = each.value.address
|
||||
bootstrap = each.value.bootstrap
|
||||
scheme = each.value.scheme
|
||||
ca_cert = each.value.ca_cert
|
||||
client_cert = each.value.client_cert
|
||||
client_key = each.value.client_key
|
||||
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
module "consul_secret_backend_role" {
|
||||
source = "./modules/consul_secret_backend_role"
|
||||
|
||||
for_each = var.consul_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
consul_roles = each.value.consul_roles
|
||||
ttl = each.value.ttl
|
||||
max_ttl = each.value.max_ttl
|
||||
local = each.value.local
|
||||
|
||||
depends_on = [module.consul_secret_backend]
|
||||
}
|
||||
|
||||
module "kubernetes_secret_backend" {
|
||||
source = "./modules/kubernetes_secret_backend"
|
||||
|
||||
for_each = var.kubernetes_secret_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
kubernetes_host = each.value.kubernetes_host
|
||||
disable_local_ca_jwt = each.value.disable_local_ca_jwt
|
||||
}
|
||||
|
||||
module "kubernetes_secret_backend_role" {
|
||||
source = "./modules/kubernetes_secret_backend_role"
|
||||
|
||||
for_each = var.kubernetes_secret_backend_role
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
|
||||
kubernetes_role_type = each.value.kubernetes_role_type
|
||||
extra_labels = each.value.extra_labels
|
||||
|
||||
depends_on = [module.kubernetes_secret_backend]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
for_each = var.policy_rules_map
|
||||
|
||||
policy_name = each.key
|
||||
policy_rules = each.value
|
||||
}
|
||||
|
||||
module "pki_mount_only" {
|
||||
source = "./modules/pki_mount_only"
|
||||
|
||||
for_each = var.pki_mount_only
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
issuer_ref = each.value.issuer_ref
|
||||
issuing_certificates = each.value.issuing_certificates
|
||||
crl_distribution_points = each.value.crl_distribution_points
|
||||
ocsp_servers = each.value.ocsp_servers
|
||||
enable_templating = each.value.enable_templating
|
||||
default_issuer_ref = each.value.default_issuer_ref
|
||||
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||
crl_expiry = each.value.crl_expiry
|
||||
crl_disable = each.value.crl_disable
|
||||
ocsp_disable = each.value.ocsp_disable
|
||||
auto_rebuild = each.value.auto_rebuild
|
||||
enable_delta = each.value.enable_delta
|
||||
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||
}
|
||||
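Review bot: `module "auth_ldap_group"` takes `policies = each.value.policies` straight from the YAML entry, while the AppRole and Kubernetes roles resolve their policies through `var.policy_auth_map[mount][role]`, so LDAP groups sit outside the central policy-to-auth mapping this commit introduces. Any policy name written into a group's YAML is granted with no cross-check against the rules/auth definition. Suggest `policies = var.policy_auth_map[each.value.backend][each.value.groupname]` so all three auth paths are governed by the same map, and keep the direct index (no `try`/`lookup` default) so a missing entry fails the plan rather than silently attaching an empty or wrong policy set.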
@@ -0,0 +1,11 @@
|
||||
|
||||
resource "vault_auth_backend" "approle" {
|
||||
type = "approle"
|
||||
path = var.path
|
||||
|
||||
tune {
|
||||
default_lease_ttl = var.default_lease_ttl
|
||||
max_lease_ttl = var.max_lease_ttl
|
||||
listing_visibility = var.listing_visibility
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
output "backend" {
|
||||
description = "The created auth backend"
|
||||
value = vault_auth_backend.approle
|
||||
}
|
||||
@@ -0,0 +1,37 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the AppRole auth backend"
|
||||
type = string
|
||||
default = "approle"
|
||||
}
|
||||
|
||||
variable "listing_visibility" {
|
||||
description = "Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are 'unauth' or 'hidden'"
|
||||
type = string
|
||||
default = null
|
||||
validation {
|
||||
condition = var.listing_visibility == null || contains(["unauth", "hidden"], var.listing_visibility)
|
||||
error_message = "listing_visibility must be either 'unauth' or 'hidden'."
|
||||
}
|
||||
}
|
||||
|
||||
variable "default_lease_ttl" {
|
||||
description = "Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_lease_ttl" {
|
||||
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
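Review bot: `country` and `region` are declared as required inputs here, but the module's only resource (`vault_auth_backend.approle` in this commit) never references them, so every caller must pass two values that have no effect. If they are reserved for a future KV lookup like the LDAP and Kubernetes backends, say so rather than leaving them as silent dead inputs: `# country/region are currently unused by this module; kept for interface parity with the KV-backed auth modules`. Otherwise drop both variables and the corresponding arguments in the root module call.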
@@ -0,0 +1,36 @@
|
||||
|
||||
# Expected keys in KV secret for salt: salt
|
||||
data "vault_kv_secret_v2" "salt_config" {
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/auth_backend/${var.mount_path}"
|
||||
}
|
||||
|
||||
# Expected keys in KV secret for role_id: role_id (when use_deterministic_role_id = false)
|
||||
data "vault_kv_secret_v2" "role_config" {
|
||||
count = var.use_deterministic_role_id ? 0 : 1
|
||||
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/auth_approle_role/${var.mount_path}/${var.approle_name}"
|
||||
}
|
||||
|
||||
locals {
|
||||
salt = data.vault_kv_secret_v2.salt_config.data["salt"]
|
||||
role_id_input = "${local.salt}-${var.approle_name}-${var.mount_path}"
|
||||
deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
|
||||
|
||||
# Use deterministic role-id by default, or read from KV if specified
|
||||
role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]
|
||||
}
|
||||
|
||||
resource "vault_approle_auth_backend_role" "role" {
|
||||
backend = var.mount_path
|
||||
role_name = var.approle_name
|
||||
role_id = local.role_id
|
||||
token_policies = var.token_policies
|
||||
token_ttl = var.token_ttl
|
||||
token_max_ttl = var.token_max_ttl
|
||||
bind_secret_id = var.bind_secret_id
|
||||
secret_id_ttl = var.secret_id_ttl
|
||||
token_bound_cidrs = var.token_bound_cidrs
|
||||
alias_metadata = var.alias_metadata
|
||||
}
|
||||
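Review bot: `local.role_id` is a static credential and nothing in the resource requires it to be paired with a SecretID or a CIDR restriction — `bind_secret_id` and `token_bound_cidrs` are passed straight through, and the role variables default them to `false` and `[]`. In that configuration the `uuidv5` value is the only thing needed to log in, it is derived from a single per-mount `salt` so one KV read yields the role_id of every role on the mount, and the salt, the derived id and any KV-sourced `role_id` are all persisted in plaintext Terraform state. Worth guarding at the resource so the unsafe combination cannot be reached from YAML; also note the `"${local.role_id_input}"` wrapper is a redundant interpolation and can be `local.role_id_input`.
```hcl
resource "vault_approle_auth_backend_role" "role" {
  # … unchanged: backend, role_name, role_id, token_*, bind_secret_id, secret_id_ttl, token_bound_cidrs, alias_metadata …

  lifecycle {
    precondition {
      condition     = var.bind_secret_id || length(var.token_bound_cidrs) > 0
      error_message = "A role without bind_secret_id must set token_bound_cidrs; role_id alone is a static, state-resident credential."
    }
  }
}
```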
@@ -0,0 +1,68 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
|
||||
variable "approle_name" {
|
||||
description = "Name of the AppRole role"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "mount_path" {
|
||||
description = "Mount path of the AppRole auth backend"
|
||||
type = string
|
||||
default = "approle"
|
||||
}
|
||||
|
||||
variable "token_policies" {
|
||||
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "token_ttl" {
|
||||
description = "The TTL period of tokens issued using this role"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "token_max_ttl" {
|
||||
description = "The maximum TTL period of tokens issued using this role"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "bind_secret_id" {
|
||||
description = "Whether or not to require secret_id to be presented when logging in using this AppRole"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "secret_id_ttl" {
|
||||
description = "The TTL period of SecretIDs generated against this AppRole"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "token_bound_cidrs" {
|
||||
description = "List of CIDR blocks that can authenticate using this role"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "alias_metadata" {
|
||||
description = "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs"
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "use_deterministic_role_id" {
|
||||
description = "Whether to use deterministic role-id generation (true) or read pre-generated role-id from KV (false)"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
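Review bot: `variable "bind_secret_id"` defaults to `false`, which inverts Vault's own AppRole default of `true` and makes every role that does not explicitly opt in loggable with the role_id alone. Since the role_id is deterministic and stored in state in the companion `main.tf`, a YAML entry that omits this field silently produces a single-factor role. Suggest `default = true` and, if a secret-id-less role is genuinely needed, making the caller state it explicitly; the description could add `Vault's default is true; set false only with token_bound_cidrs`.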
@@ -0,0 +1,25 @@
|
||||
# Expected keys in KV secret: kubernetes_ca_cert, token_reviewer_jwt
|
||||
data "vault_kv_secret_v2" "auth_backend_config" {
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/auth_backend/${var.path}"
|
||||
}
|
||||
|
||||
resource "vault_auth_backend" "kubernetes" {
|
||||
type = "kubernetes"
|
||||
path = var.path
|
||||
|
||||
tune {
|
||||
default_lease_ttl = var.default_lease_ttl
|
||||
max_lease_ttl = var.max_lease_ttl
|
||||
listing_visibility = var.listing_visibility
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_config" "config" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
kubernetes_host = var.kubernetes_host
|
||||
kubernetes_ca_cert = data.vault_kv_secret_v2.auth_backend_config.data["kubernetes_ca_cert"]
|
||||
token_reviewer_jwt = data.vault_kv_secret_v2.auth_backend_config.data["token_reviewer_jwt"]
|
||||
disable_iss_validation = var.disable_iss_validation
|
||||
use_annotations_as_alias_metadata = var.use_annotations_as_alias_metadata
|
||||
}
|
||||
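Review bot: `token_reviewer_jwt` and `kubernetes_ca_cert` are pulled from KV and written into `vault_kubernetes_auth_backend_config`, so the reviewer token — a long-lived service account JWT with TokenReview rights — is copied into Terraform state in plaintext even though the data source marks `data` as sensitive. The header comment should state that explicitly so operators protect the state backend accordingly, e.g. `# NOTE: token_reviewer_jwt and kubernetes_ca_cert are read from KV and persisted in Terraform state; the state backend must be encrypted and access-restricted`. If Vault runs inside the target cluster, `token_reviewer_jwt` can presumably be omitted so Vault uses its own service account token, which would keep the reviewer credential out of KV and state entirely — worth confirming against the deployment topology.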
@@ -0,0 +1,54 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the Kubernetes auth backend"
|
||||
type = string
|
||||
default = "kubernetes"
|
||||
}
|
||||
|
||||
variable "disable_iss_validation" {
|
||||
description = "Disable JWT issuer validation"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "use_annotations_as_alias_metadata" {
|
||||
description = "Use annotations as alias metadata"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
|
||||
variable "listing_visibility" {
|
||||
description = "Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are 'unauth' or 'hidden'"
|
||||
type = string
|
||||
default = null
|
||||
validation {
|
||||
condition = var.listing_visibility == null || contains(["unauth", "hidden"], var.listing_visibility)
|
||||
error_message = "listing_visibility must be either 'unauth' or 'hidden'."
|
||||
}
|
||||
}
|
||||
|
||||
variable "default_lease_ttl" {
|
||||
description = "Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_lease_ttl" {
|
||||
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "kubernetes_host" {
|
||||
description = "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server"
|
||||
type = string
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
resource "vault_kubernetes_auth_backend_role" "role" {
|
||||
backend = var.backend
|
||||
role_name = var.role_name
|
||||
bound_service_account_names = var.bound_service_account_names
|
||||
bound_service_account_namespaces = var.bound_service_account_namespaces
|
||||
token_ttl = var.token_ttl
|
||||
token_policies = var.token_policies
|
||||
audience = var.audience
|
||||
}
|
||||
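Review bot: `bound_service_account_names` and `bound_service_account_namespaces` are passed through unfiltered, and Vault accepts `"*"` in both, so a YAML entry that wildcards both lets any service account in the cluster obtain this role's `token_policies`. A `validation` block on either variable alone cannot express the cross-field rule (and pre-1.9 Terraform forbids cross-variable references there), so the check belongs on the resource.
```hcl
resource "vault_kubernetes_auth_backend_role" "role" {
  # … unchanged: backend, role_name, bound_service_account_*, token_ttl, token_policies, audience …

  lifecycle {
    precondition {
      condition     = !(contains(var.bound_service_account_names, "*") && contains(var.bound_service_account_namespaces, "*"))
      error_message = "bound_service_account_names and bound_service_account_namespaces must not both be \"*\"; that binds the role to every service account in the cluster."
    }
  }
}
```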
@@ -0,0 +1,36 @@
|
||||
variable "backend" {
|
||||
description = "The unique path of the Kubernetes auth backend to configure"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "role_name" {
|
||||
description = "The name of the role"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "bound_service_account_names" {
|
||||
description = "List of service account names able to access this role"
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "bound_service_account_namespaces" {
|
||||
description = "List of namespaces allowed to access this role"
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "token_ttl" {
|
||||
description = "The TTL period of tokens issued using this role, in seconds"
|
||||
type = number
|
||||
default = 3600
|
||||
}
|
||||
|
||||
variable "token_policies" {
|
||||
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "audience" {
|
||||
description = "Audience claim to verify in the JWT"
|
||||
type = string
|
||||
default = "vault"
|
||||
}
|
||||
@@ -0,0 +1,27 @@
|
||||
# Expected keys in KV secret: url, binddn, bindpass
|
||||
data "vault_kv_secret_v2" "auth_backend_config" {
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/auth_backend/${var.path}"
|
||||
}
|
||||
|
||||
resource "vault_ldap_auth_backend" "ldap" {
|
||||
path = var.path
|
||||
url = data.vault_kv_secret_v2.auth_backend_config.data["url"]
|
||||
userdn = var.userdn
|
||||
userattr = var.userattr
|
||||
upndomain = var.upndomain
|
||||
discoverdn = var.discoverdn
|
||||
groupdn = var.groupdn
|
||||
groupfilter = var.groupfilter
|
||||
groupattr = var.groupattr
|
||||
binddn = data.vault_kv_secret_v2.auth_backend_config.data["binddn"]
|
||||
bindpass = data.vault_kv_secret_v2.auth_backend_config.data["bindpass"]
|
||||
alias_metadata = var.alias_metadata
|
||||
username_as_alias = var.username_as_alias
|
||||
|
||||
tune {
|
||||
default_lease_ttl = var.default_lease_ttl
|
||||
max_lease_ttl = var.max_lease_ttl
|
||||
listing_visibility = var.listing_visibility
|
||||
}
|
||||
}
|
||||
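Review bot: `url` is taken from KV and used without any check on its scheme, and the module exposes neither `starttls` nor `certificate`, so an `ldap://` value in the secret makes Vault send `bindpass` and every user password over cleartext LDAP. The provider's `insecure_tls` default (false) helps only once TLS is actually in use. A precondition on the resource makes the requirement explicit and fails the plan instead of silently downgrading.
```hcl
resource "vault_ldap_auth_backend" "ldap" {
  # … unchanged: path, url, userdn, …, bindpass, alias_metadata, username_as_alias, tune …

  lifecycle {
    precondition {
      condition     = can(regex("^ldaps://", data.vault_kv_secret_v2.auth_backend_config.data["url"]))
      error_message = "LDAP url must use ldaps://; bind credentials and user passwords would otherwise cross the network in cleartext."
    }
  }
}
```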
@@ -0,0 +1,91 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the LDAP auth backend"
|
||||
type = string
|
||||
default = "ldap"
|
||||
}
|
||||
|
||||
variable "userdn" {
|
||||
description = "Base DN under which to perform user search"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "userattr" {
|
||||
description = "Attribute on user objects matching the username"
|
||||
type = string
|
||||
default = "uid"
|
||||
}
|
||||
|
||||
variable "upndomain" {
|
||||
description = "UPN domain for users"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "discoverdn" {
|
||||
description = "Use anonymous bind to discover the bind DN of a user"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "groupdn" {
|
||||
description = "Base DN under which to perform group search"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "groupfilter" {
|
||||
description = "Go template for querying group membership"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "groupattr" {
|
||||
description = "LDAP attribute to follow on objects returned by groupfilter"
|
||||
type = string
|
||||
default = "cn"
|
||||
}
|
||||
|
||||
|
||||
variable "listing_visibility" {
|
||||
description = "Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are 'unauth' or 'hidden'"
|
||||
type = string
|
||||
default = null
|
||||
validation {
|
||||
condition = var.listing_visibility == null || contains(["unauth", "hidden"], var.listing_visibility)
|
||||
error_message = "listing_visibility must be either 'unauth' or 'hidden'."
|
||||
}
|
||||
}
|
||||
|
||||
variable "default_lease_ttl" {
|
||||
description = "Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_lease_ttl" {
|
||||
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "alias_metadata" {
|
||||
description = "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs"
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "username_as_alias" {
|
||||
description = "Force the auth method to use the username passed by the user as the alias name"
|
||||
type = bool
|
||||
default = true
|
||||
}
|
||||
@@ -0,0 +1,5 @@
|
||||
resource "vault_ldap_auth_backend_group" "group" {
|
||||
groupname = var.groupname
|
||||
policies = var.policies
|
||||
backend = var.backend
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
variable "groupname" {
|
||||
description = "Name of the LDAP group"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "policies" {
|
||||
description = "List of policies to assign to the LDAP group"
|
||||
type = list(string)
|
||||
}
|
||||
|
||||
variable "backend" {
|
||||
description = "Path of the LDAP auth backend"
|
||||
type = string
|
||||
}
|
||||
@@ -0,0 +1,21 @@
|
||||
# Expected keys in KV secret: token (if not bootstrapping)
|
||||
data "vault_kv_secret_v2" "secret_backend_config" {
|
||||
count = var.bootstrap ? 0 : 1
|
||||
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
|
||||
}
|
||||
|
||||
resource "vault_consul_secret_backend" "consul" {
|
||||
path = var.path
|
||||
description = var.description
|
||||
address = var.address
|
||||
token = var.bootstrap ? null : data.vault_kv_secret_v2.secret_backend_config[0].data["token"]
|
||||
bootstrap = var.bootstrap
|
||||
scheme = var.scheme
|
||||
ca_cert = var.ca_cert
|
||||
client_cert = var.client_cert
|
||||
client_key = var.client_key
|
||||
default_lease_ttl_seconds = var.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
}
|
||||
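Review bot: `client_key = var.client_key` takes a private key from the plain YAML-driven configuration, while the Consul `token` in the same resource is fetched from KV — so this module has two secret-delivery paths and the weaker one carries the TLS client key. Suggest reading `client_key` (and optionally `client_cert`/`ca_cert`) from the same `secret_backend_config` KV entry, e.g. `client_key = var.bootstrap ? var.client_key : try(data.vault_kv_secret_v2.secret_backend_config[0].data["client_key"], var.client_key)`, and updating the header comment to `# Expected keys in KV secret: token, client_key (if not bootstrapping)`. Either way the key also lands in Terraform state, which the comment should say.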
@@ -0,0 +1,67 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the Consul secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "address" {
|
||||
description = "The address of the Consul instance"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "bootstrap" {
|
||||
description = "Whether to bootstrap the Consul backend"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "scheme" {
|
||||
description = "The scheme to use when connecting to Consul"
|
||||
type = string
|
||||
default = "https"
|
||||
}
|
||||
|
||||
variable "ca_cert" {
|
||||
description = "CA certificate for TLS verification"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "client_cert" {
|
||||
description = "Client certificate for TLS authentication"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "client_key" {
|
||||
description = "Client key for TLS authentication"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "default_lease_ttl_seconds" {
|
||||
description = "Default lease TTL in seconds"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_lease_ttl_seconds" {
|
||||
description = "Maximum lease TTL in seconds"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
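Review bot: `variable "client_key"` holds a TLS private key but is not marked sensitive, so its value is printed in `terraform plan` output and in any diff of the module call. Add `sensitive = true` to the `client_key` variable; the same is harmless and arguably appropriate for `client_cert`. This does not remove it from state, but it stops the key from appearing in CI logs.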
@@ -0,0 +1,8 @@
|
||||
resource "vault_consul_secret_backend_role" "role" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
consul_roles = var.consul_roles
|
||||
ttl = var.ttl
|
||||
max_ttl = var.max_ttl
|
||||
local = var.local
|
||||
}
|
||||
@@ -0,0 +1,35 @@
|
||||
variable "backend" {
|
||||
description = "The unique path where the Consul backend is mounted"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "The name of the role"
|
||||
type = string
|
||||
}
|
||||
|
||||
|
||||
variable "consul_roles" {
|
||||
description = "List of Consul roles to attach to tokens"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
|
||||
variable "ttl" {
|
||||
description = "TTL for generated tokens"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_ttl" {
|
||||
description = "Maximum TTL for generated tokens"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "local" {
|
||||
description = "Whether tokens should be local to the datacenter"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
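Review bot: `variable "consul_roles"` defaults to `[]`, and the role resource in this commit passes nothing else (no `consul_policies`, `service_identities` or `node_identities`), so a YAML entry that omits `consul_roles` describes a role that grants no Consul permissions at all — which, as far as I recall, Vault's Consul secrets engine rejects at role creation because at least one of those fields must be set. Rather than rely on that server-side error, make the requirement explicit with a `validation` whose condition is `length(var.consul_roles) > 0` and an error message such as `consul_roles must list at least one Consul ACL role`. If empty roles are intentionally allowed, document why in the description.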
@@ -0,0 +1,16 @@
|
||||
# Expected keys in KV secret: service_account_jwt, kubernetes_ca_cert
|
||||
data "vault_kv_secret_v2" "secret_backend_config" {
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend" "kubernetes" {
|
||||
path = var.path
|
||||
description = var.description
|
||||
default_lease_ttl_seconds = var.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
kubernetes_host = var.kubernetes_host
|
||||
kubernetes_ca_cert = data.vault_kv_secret_v2.secret_backend_config.data["kubernetes_ca_cert"]
|
||||
service_account_jwt = data.vault_kv_secret_v2.secret_backend_config.data["service_account_jwt"]
|
||||
disable_local_ca_jwt = var.disable_local_ca_jwt
|
||||
}
|
||||
@@ -0,0 +1,43 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the Kubernetes secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "default_lease_ttl_seconds" {
|
||||
description = "Default lease TTL in seconds"
|
||||
type = number
|
||||
default = 600
|
||||
}
|
||||
|
||||
variable "max_lease_ttl_seconds" {
|
||||
description = "Maximum lease TTL in seconds"
|
||||
type = number
|
||||
default = 86400
|
||||
}
|
||||
|
||||
variable "kubernetes_host" {
|
||||
description = "The Kubernetes API server URL"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "disable_local_ca_jwt" {
|
||||
description = "Whether to disable local CA JWT validation"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
locals {
|
||||
# Auto-generate role rules path: resources/secret_backend/{backend_path}/roles/{role_name}.yaml
|
||||
role_rules_file = "resources/secret_backend/${var.backend}/roles/${var.name}.yaml"
|
||||
|
||||
# Auto-generate extra labels based on country/region and role name
|
||||
auto_labels = merge(var.extra_labels, {
|
||||
vault-region = "${var.country}-${var.region}"
|
||||
vault-role = var.name
|
||||
})
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend_role" "role" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
allowed_kubernetes_namespaces = var.allowed_kubernetes_namespaces
|
||||
kubernetes_role_type = var.kubernetes_role_type
|
||||
generated_role_rules = file("${path.module}/../../../../../../../../${local.role_rules_file}")
|
||||
extra_labels = local.auto_labels
|
||||
}
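Review bot: The `file()` call hardcodes eight `..` segments from `path.module` to reach `resources/secret_backend/...`, which ties the module to one exact directory depth; under terragrunt the module is copied into a `.terragrunt-cache` tree (the commit adds that cache to `.gitignore`), so the depth that works there may not match a direct `terraform` run, and a wrong depth only fails at plan with a "no file exists" error. Passing the repository root in explicitly (a `rules_root` variable fed from terragrunt's `get_repo_root()`) and using `file("${var.rules_root}/${local.role_rules_file}")` removes the guesswork. The `merge` order in `auto_labels` also lets the generated `vault-region`/`vault-role` keys silently override same-named keys in `extra_labels`; if that is intended, a comment such as `# generated labels win over extra_labels so objects are always traceable to their region/role` would say so.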
|
||||
@@ -0,0 +1,37 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "backend" {
|
||||
description = "The unique path where the Kubernetes backend is mounted"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "The name of the role"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "allowed_kubernetes_namespaces" {
|
||||
description = "List of allowed Kubernetes namespaces"
|
||||
type = list(string)
|
||||
default = ["*"]
|
||||
}
|
||||
|
||||
variable "kubernetes_role_type" {
|
||||
description = "Type of Kubernetes role (Role or ClusterRole)"
|
||||
type = string
|
||||
default = "Role"
|
||||
}
|
||||
|
||||
variable "extra_labels" {
|
||||
description = "Additional labels to apply to generated Kubernetes objects"
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
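Review bot: `allowed_kubernetes_namespaces` defaults to `["*"]`, so any role YAML that omits the key gets a Vault role able to create service accounts, bindings and tokens in every namespace including `kube-system`; a wildcard should be an explicit choice, not the default. `kubernetes_role_type` is also unvalidated, and a typo such as `"ClusterROle"` only fails at apply against Vault. Dropping the default and adding a validation block covers both; the caveat is that if existing role YAMLs rely on the implicit wildcard they must now spell out `["*"]`, which is a breaking but desirable change.
```hcl
variable "allowed_kubernetes_namespaces" {
  description = "Namespaces this role may act in; [\"*\"] grants every namespace and must be chosen deliberately"
  type        = list(string)
  # intentionally no default — a wildcard should never be implicit
}

variable "kubernetes_role_type" {
  description = "Type of Kubernetes role (Role or ClusterRole)"
  type        = string
  default     = "Role"

  validation {
    condition     = contains(["Role", "ClusterRole"], var.kubernetes_role_type)
    error_message = "kubernetes_role_type must be \"Role\" or \"ClusterRole\"."
  }
}
```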
|
||||
@@ -0,0 +1,17 @@
|
||||
resource "vault_mount" "kv" {
|
||||
path = var.path
|
||||
type = "kv"
|
||||
description = var.description
|
||||
|
||||
options = {
|
||||
version = var.kv_version
|
||||
type = var.type
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_kv_secret_backend_v2" "config" {
|
||||
count = var.type == "kv-v2" && var.max_versions != null ? 1 : 0
|
||||
|
||||
mount = vault_mount.kv.path
|
||||
max_versions = var.max_versions
|
||||
}
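Review bot: `vault_kv_secret_backend_v2.config` is only created when `max_versions` is set, so there is no way from this module to turn on `cas_required` (check-and-set, which prevents blind overwrites of secrets) or `delete_version_after`; exposing both and gating the resource on `var.type == "kv-v2" && (var.max_versions != null || var.cas_required != null || var.delete_version_after != null)` keeps current behaviour for existing callers. The `type = var.type` entry inside `options` does not correspond to a documented KV mount option (the engine version is selected by `options.version`); it looks like a leftover and is worth confirming, since as far as I can tell it would just be stored as an opaque option on the mount.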
|
||||
@@ -0,0 +1,28 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the KV secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "type" {
|
||||
description = "Type of the secrets engine"
|
||||
type = string
|
||||
default = "kv-v2"
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "kv_version" {
|
||||
description = "KV secrets engine version"
|
||||
type = string
|
||||
default = "2"
|
||||
}
|
||||
|
||||
variable "max_versions" {
|
||||
description = "Maximum number of versions to keep per key"
|
||||
type = number
|
||||
default = null
|
||||
}
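Review bot: `type` (default `"kv-v2"`) and `kv_version` (default `"2"`) describe the same thing independently and nothing ties them together, so a caller setting `type = "kv"` while leaving `kv_version = "2"` gets a v2 mount whose `max_versions` config is silently skipped, because the main file gates that resource on `var.type`. A validation block on `kv_version` with `condition = (var.type == "kv-v2") == (var.kv_version == "2")` and a message saying the two must agree turns that into a plan-time error; longer term, deriving `kv_version` from `type` in a local would remove the duplicate input altogether.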
|
||||
@@ -0,0 +1,38 @@
|
||||
resource "vault_mount" "pki" {
|
||||
path = var.path
|
||||
type = "pki"
|
||||
description = var.description
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
data "vault_pki_secret_backend_issuer" "issuer" {
|
||||
backend = vault_mount.pki.path
|
||||
issuer_ref = var.issuer_ref
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_config_urls" "config_urls" {
|
||||
backend = vault_mount.pki.path
|
||||
|
||||
issuing_certificates = var.issuing_certificates
|
||||
crl_distribution_points = var.crl_distribution_points
|
||||
ocsp_servers = var.ocsp_servers
|
||||
enable_templating = var.enable_templating
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_config_issuers" "issuers" {
|
||||
count = var.default_issuer_ref != null ? 1 : 0
|
||||
|
||||
backend = vault_mount.pki.path
|
||||
default = var.default_issuer_ref
|
||||
default_follows_latest_issuer = var.default_follows_latest_issuer
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_crl_config" "crl" {
|
||||
backend = vault_mount.pki.path
|
||||
expiry = var.crl_expiry
|
||||
disable = var.crl_disable
|
||||
ocsp_disable = var.ocsp_disable
|
||||
auto_rebuild = var.auto_rebuild
|
||||
enable_delta = var.enable_delta
|
||||
delta_rebuild_interval = var.delta_rebuild_interval
|
||||
}
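Review bot: `data.vault_pki_secret_backend_issuer.issuer` resolves `var.issuer_ref` against the mount created in the same module, so on a fresh mount that has no issuer yet (an intermediate whose CSR has not been signed and imported) the read fails at apply and the URL and CRL configuration cannot be applied either; I'd expect this only works for mounts whose issuer was imported out-of-band, and a comment saying so would save the next person a confusing first apply. The data source result is also not referenced anywhere in the hunk; if it exists only to assert the issuer is present, `# sanity check: fails the apply if issuer_ref does not resolve on this mount` makes that intent explicit. Separately, with `crl_disable = false` by default but `crl_distribution_points` and `issuing_certificates` defaulting to empty, certificates issued from this mount carry no CDP/AIA, so relying parties cannot find the CRL that is being maintained.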
|
||||
@@ -0,0 +1,92 @@
|
||||
variable "path" {
|
||||
description = "Path where the PKI backend will be mounted"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Description of the PKI mount"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "max_lease_ttl_seconds" {
|
||||
description = "Maximum possible lease duration for tokens and secrets in seconds"
|
||||
type = number
|
||||
}
|
||||
|
||||
variable "issuer_ref" {
|
||||
description = "Reference to the PKI issuer (default, or issuer ID/name)"
|
||||
type = string
|
||||
default = "default"
|
||||
}
|
||||
|
||||
variable "issuing_certificates" {
|
||||
description = "List of URLs for issuing certificates"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "crl_distribution_points" {
|
||||
description = "List of URLs for CRL distribution points"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "ocsp_servers" {
|
||||
description = "List of OCSP server URLs"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "enable_templating" {
|
||||
description = "Whether to enable URL templating"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "default_issuer_ref" {
|
||||
description = "Default issuer reference"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "default_follows_latest_issuer" {
|
||||
description = "Whether the default issuer follows the latest issuer"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "crl_expiry" {
|
||||
description = "CRL expiry time"
|
||||
type = string
|
||||
default = "72h"
|
||||
}
|
||||
|
||||
variable "crl_disable" {
|
||||
description = "Whether to disable CRL"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "ocsp_disable" {
|
||||
description = "Whether to disable OCSP"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "auto_rebuild" {
|
||||
description = "Whether to enable auto rebuild of CRL"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "enable_delta" {
|
||||
description = "Whether to enable delta CRL"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "delta_rebuild_interval" {
|
||||
description = "Delta CRL rebuild interval"
|
||||
type = string
|
||||
default = null
|
||||
}
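Review bot: `auto_rebuild` defaults to `false` while `crl_expiry` defaults to `"72h"`, which means the published CRL is only regenerated when something is revoked; if no revocation happens within 72 hours the CRL goes stale and clients that enforce freshness reject otherwise valid certificates until someone rotates it. Defaulting `auto_rebuild = true` avoids that trap (it needs a Vault release that supports CRL auto-rebuild, so verify against the deployed version), or at least the variable description should warn about it: `description = "Whether to enable auto rebuild of CRL; leave false only if an external job rotates the CRL before crl_expiry"`.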
|
||||
@@ -0,0 +1,54 @@
|
||||
resource "vault_mount" "pki" {
|
||||
path = var.path
|
||||
type = "pki"
|
||||
description = var.description
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_root_cert" "root_cert" {
|
||||
backend = vault_mount.pki.path
|
||||
common_name = var.common_name
|
||||
issuer_name = var.issuer_name
|
||||
ttl = var.ttl
|
||||
format = var.format
|
||||
type = "internal"
|
||||
}
|
||||
|
||||
data "vault_pki_secret_backend_issuer" "issuer" {
|
||||
backend = vault_mount.pki.path
|
||||
issuer_ref = vault_pki_secret_backend_root_cert.root_cert.issuer_id
|
||||
|
||||
depends_on = [vault_pki_secret_backend_root_cert.root_cert]
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_config_urls" "urls" {
|
||||
backend = vault_mount.pki.path
|
||||
|
||||
issuing_certificates = var.issuing_certificates
|
||||
crl_distribution_points = var.crl_distribution_points
|
||||
ocsp_servers = var.ocsp_servers
|
||||
enable_templating = var.enable_templating
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_config_issuers" "issuers" {
|
||||
backend = vault_mount.pki.path
|
||||
default = data.vault_pki_secret_backend_issuer.issuer.issuer_id
|
||||
default_follows_latest_issuer = var.default_follows_latest_issuer
|
||||
|
||||
depends_on = [
|
||||
vault_pki_secret_backend_root_cert.root_cert,
|
||||
data.vault_pki_secret_backend_issuer.issuer
|
||||
]
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_crl_config" "crl" {
|
||||
backend = vault_mount.pki.path
|
||||
expiry = var.crl_expiry
|
||||
disable = var.crl_disable
|
||||
ocsp_disable = var.ocsp_disable
|
||||
auto_rebuild = var.auto_rebuild
|
||||
enable_delta = var.enable_delta
|
||||
delta_rebuild_interval = var.delta_rebuild_interval
|
||||
|
||||
depends_on = [vault_pki_secret_backend_root_cert.root_cert]
|
||||
}
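Review bot: `vault_pki_secret_backend_root_cert.root_cert` does not set `key_type`/`key_bits`, so the root key falls back to the provider/Vault defaults (RSA 2048 as far as I know), which is weak for a CA with a ten-year `ttl`; pinning `key_type = var.key_type` and `key_bits = var.key_bits` (e.g. `ec`/384 or `rsa`/4096) makes the choice explicit. The `data "vault_pki_secret_backend_issuer"` round trip is redundant: `config_issuers.default` can use `vault_pki_secret_backend_root_cert.root_cert.issuer_id` directly, which also removes the three `depends_on` blocks and lets Terraform order the resources from references alone. `var.default_issuer_ref` is declared for this module but not used in this file, so either wire it in or drop the variable.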
|
||||
@@ -0,0 +1,110 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the PKI secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_lease_ttl_seconds" {
|
||||
description = "Maximum lease TTL in seconds"
|
||||
type = number
|
||||
default = 315360000 # 87600 * 3600
|
||||
}
|
||||
|
||||
variable "common_name" {
|
||||
description = "Common name for the root certificate"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "issuer_name" {
|
||||
description = "Name for the root CA issuer"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "ttl" {
|
||||
description = "TTL for the root certificate in seconds"
|
||||
type = number
|
||||
default = 315360000 # 87600 * 3600
|
||||
}
|
||||
|
||||
variable "format" {
|
||||
description = "Format for the certificate"
|
||||
type = string
|
||||
default = "pem"
|
||||
}
|
||||
|
||||
variable "issuing_certificates" {
|
||||
description = "List of issuing certificate URLs"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "crl_distribution_points" {
|
||||
description = "List of CRL distribution point URLs"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "ocsp_servers" {
|
||||
description = "List of OCSP server URLs"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "enable_templating" {
|
||||
description = "Whether to enable templating for URL configuration"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "default_issuer_ref" {
|
||||
description = "Reference to the default issuer"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "default_follows_latest_issuer" {
|
||||
description = "Whether the default issuer should follow the latest issuer"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "crl_expiry" {
|
||||
description = "CRL expiration time"
|
||||
type = string
|
||||
default = "72h"
|
||||
}
|
||||
|
||||
variable "crl_disable" {
|
||||
description = "Whether to disable CRL"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "ocsp_disable" {
|
||||
description = "Whether to disable OCSP"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "auto_rebuild" {
|
||||
description = "Whether to auto-rebuild CRL"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "enable_delta" {
|
||||
description = "Whether to enable delta CRL"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "delta_rebuild_interval" {
|
||||
description = "Delta CRL rebuild interval"
|
||||
type = string
|
||||
default = null
|
||||
}
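Review bot: The root CA key algorithm and size are not configurable here, so the root certificate is generated with whatever the provider defaults to; for a ten-year root that decision should be explicit and validated at plan time. I'd add `key_type`/`key_bits` variables as below and wire them into `vault_pki_secret_backend_root_cert` in the module's main file. `default_issuer_ref` is declared but, as far as the visible main file goes, never referenced — if it does not feed an output it should be removed rather than left as a silent no-op input.
```hcl
variable "key_type" {
  description = "Key algorithm for the root CA key (rsa, ec or ed25519)"
  type        = string
  default     = "ec"

  validation {
    condition     = contains(["rsa", "ec", "ed25519"], var.key_type)
    error_message = "key_type must be one of rsa, ec, ed25519."
  }
}

variable "key_bits" {
  description = "Key size: modulus bits for rsa (>= 3072 recommended), curve size for ec (256/384/521), ignored for ed25519"
  type        = number
  default     = 384
}
```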
|
||||
@@ -0,0 +1,16 @@
|
||||
resource "vault_pki_secret_backend_role" "role" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
allow_ip_sans = var.allow_ip_sans
|
||||
allowed_domains = var.allowed_domains
|
||||
allow_subdomains = var.allow_subdomains
|
||||
allow_glob_domains = var.allow_glob_domains
|
||||
allow_bare_domains = var.allow_bare_domains
|
||||
enforce_hostnames = var.enforce_hostnames
|
||||
allow_any_name = var.allow_any_name
|
||||
max_ttl = var.max_ttl
|
||||
key_bits = var.key_bits
|
||||
country = var.country
|
||||
use_csr_common_name = var.use_csr_common_name
|
||||
use_csr_sans = var.use_csr_sans
|
||||
}
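Review bot: The role leaves `allow_localhost` and `allow_wildcard_certificates` unset, and both default to `true` in the provider, so every role from this module can issue certificates for `localhost`/`127.0.0.1` and for `*.` names even when `allowed_domains` looks tight; combined with `enforce_hostnames` being driven by a variable that defaults to `false`, the module's defaults are looser than Vault's own. I'd set `allow_localhost = false` and `allow_wildcard_certificates = var.allow_wildcard_certificates` (new variable defaulting to `false`) so wildcard issuance is an explicit per-role opt-in. `key_type` is also not set while `key_bits = 4096` is, which only makes sense for RSA; if EC roles are ever wanted the pair should be exposed together.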
|
||||
@@ -0,0 +1,81 @@
|
||||
variable "backend" {
|
||||
description = "The unique path where the PKI backend is mounted"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "The name of the role"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "allow_ip_sans" {
|
||||
description = "Whether IP Subject Alternative Names are allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allowed_domains" {
|
||||
description = "List of allowed domains for certificates"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "allow_subdomains" {
|
||||
description = "Whether subdomains are allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allow_glob_domains" {
|
||||
description = "Whether glob domains are allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allow_bare_domains" {
|
||||
description = "Whether bare domains are allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "enforce_hostnames" {
|
||||
description = "Whether to enforce hostnames"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allow_any_name" {
|
||||
description = "Whether any name is allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "max_ttl" {
|
||||
description = "Maximum TTL for certificates in seconds"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "key_bits" {
|
||||
description = "Number of bits for the key"
|
||||
type = number
|
||||
default = 4096
|
||||
}
|
||||
|
||||
variable "country" {
|
||||
description = "List of countries for certificate subject"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
variable "use_csr_common_name" {
|
||||
description = "Whether to use CSR common name"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "use_csr_sans" {
|
||||
description = "Whether to use CSR Subject Alternative Names"
|
||||
type = bool
|
||||
default = false
|
||||
}
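Review bot: `enforce_hostnames` defaults to `false` here, inverting Vault's default of `true`, so unless every role YAML sets it, certificates with non-hostname common names and SANs are accepted; the safer default is `default = true` with roles that genuinely need it opting out. The variable named `country` is a list of certificate subject countries, while the `country` variable of the Kubernetes modules in this same commit is a single "Country identifier" string, which invites passing the deployment country here by mistake; a description such as `"ISO 3166 country codes for the certificate subject (not the deployment country)"` plus a validation that each entry matches `^[A-Z]{2}$` would catch the mix-up at plan time.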
|
||||
@@ -0,0 +1,14 @@
|
||||
resource "vault_mount" "ssh" {
|
||||
path = var.path
|
||||
type = "ssh"
|
||||
description = var.description
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
resource "vault_ssh_secret_backend_ca" "ssh_ca" {
|
||||
count = var.generate_signing_key != null ? 1 : 0
|
||||
|
||||
backend = vault_mount.ssh.path
|
||||
generate_signing_key = var.generate_signing_key
|
||||
key_type = var.key_type
|
||||
}
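Review bot: `count = var.generate_signing_key != null ? 1 : 0` creates `vault_ssh_secret_backend_ca` when `generate_signing_key = false` too, but in that mode the provider expects `public_key` and `private_key` to be supplied and the module has no inputs for them, so a `false` value fails at apply rather than meaning "manage the CA key elsewhere". Either gate on `count = var.generate_signing_key == true ? 1 : 0` or add the two key inputs and pass them through. `key_bits` is also not exposed; for an RSA CA the size should be pinned explicitly rather than left to whatever Vault defaults to.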
|
||||
@@ -0,0 +1,28 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the SSH secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_lease_ttl_seconds" {
|
||||
description = "Maximum lease TTL in seconds"
|
||||
type = number
|
||||
default = 315360000 # 87600 * 3600
|
||||
}
|
||||
|
||||
variable "generate_signing_key" {
|
||||
description = "Whether to generate a signing key for the CA"
|
||||
type = bool
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "key_type" {
|
||||
description = "Type of key to generate for the CA"
|
||||
type = string
|
||||
default = "ssh-rsa"
|
||||
}
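Review bot: `key_type` defaults to `"ssh-rsa"` for a CA whose `max_lease_ttl_seconds` defaults to ten years; `ssh-ed25519` is the better default for a new SSH CA (supported by Vault's SSH engine on recent releases — verify the deployed version accepts it), and a validation block limiting the value to the key types the engine knows about would surface typos at plan time. `generate_signing_key` is typed `bool` but defaults to `null`, which the main file uses as a tri-state; the description should say what `null` means, e.g. `description = "Whether to generate a signing key for the CA; null leaves the CA unconfigured"`.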
|
||||
@@ -0,0 +1,12 @@
|
||||
resource "vault_ssh_secret_backend_role" "role" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
key_type = var.key_type
|
||||
algorithm_signer = var.algorithm_signer
|
||||
ttl = var.ttl
|
||||
allow_host_certificates = var.allow_host_certificates
|
||||
allow_user_certificates = var.allow_user_certificates
|
||||
allowed_domains = var.allowed_domains
|
||||
allow_subdomains = var.allow_subdomains
|
||||
allow_bare_domains = var.allow_bare_domains
|
||||
}
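Review bot: The role wires neither `allowed_users`/`default_user` nor `allowed_extensions`/`default_extensions` nor `max_ttl`, so a role with `allow_user_certificates = true` has no way to restrict which principals or extensions (agent/port forwarding, pty) a caller may request; in the Vault versions I have used, a role with no allowed principals refuses to sign at all ("role is not configured to allow any principals"), so the first user-cert role would fail opaquely. I'd add `allowed_users = var.allowed_users`, `allowed_extensions = var.allowed_extensions` and `max_ttl = var.max_ttl` with matching variables. The `signhost` role moved into this module presumably works because host certs validate against `allowed_domains`, but that is an inference from the moved block, not from this hunk.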
|
||||
@@ -0,0 +1,57 @@
|
||||
variable "backend" {
|
||||
description = "The unique path where the SSH backend is mounted"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "The name of the role"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "key_type" {
|
||||
description = "The type of key used by this role"
|
||||
type = string
|
||||
default = "ca"
|
||||
}
|
||||
|
||||
variable "algorithm_signer" {
|
||||
description = "Algorithm used to sign certificates"
|
||||
type = string
|
||||
default = "rsa-sha2-256"
|
||||
}
|
||||
|
||||
variable "ttl" {
|
||||
description = "TTL for certificates issued by this role"
|
||||
type = number
|
||||
default = 315360000 # 87600 * 3600
|
||||
}
|
||||
|
||||
variable "allow_host_certificates" {
|
||||
description = "Whether this role can issue host certificates"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allow_user_certificates" {
|
||||
description = "Whether this role can issue user certificates"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allowed_domains" {
|
||||
description = "List of allowed domains for certificates"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "allow_subdomains" {
|
||||
description = "Whether subdomains are allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allow_bare_domains" {
|
||||
description = "Whether bare domains are allowed"
|
||||
type = bool
|
||||
default = false
|
||||
}
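Review bot: `ttl` defaults to `315360000` (ten years) for SSH certificates, so any role YAML that omits it issues user or host certificates that are effectively permanent and cannot be revoked (SSH CAs have no CRL mechanism comparable to PKI); short-lived certificates are the whole point of a CA-backed SSH setup. The default should be minutes-to-hours, with a `max_ttl` cap exposed alongside it, as below. Existing role YAMLs that relied on the long default will then need to set it explicitly, which is a desirable side effect.
```hcl
variable "ttl" {
  description = "Default validity of certificates issued by this role, in seconds; keep short — SSH certs cannot be revoked"
  type        = number
  default     = 1800
}

variable "max_ttl" {
  description = "Upper bound a caller may request for certificate validity, in seconds"
  type        = number
  default     = 86400
}
```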
|
||||
@@ -0,0 +1,7 @@
|
||||
resource "vault_mount" "transit" {
|
||||
path = var.path
|
||||
type = "transit"
|
||||
description = var.description
|
||||
default_lease_ttl_seconds = var.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
}
|
||||
@@ -0,0 +1,22 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the transit secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "default_lease_ttl_seconds" {
|
||||
description = "Default lease TTL in seconds"
|
||||
type = number
|
||||
default = 3600
|
||||
}
|
||||
|
||||
variable "max_lease_ttl_seconds" {
|
||||
description = "Maximum lease TTL in seconds"
|
||||
type = number
|
||||
default = 86400
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
resource "vault_transit_secret_backend_key" "key" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
type = var.type
|
||||
deletion_allowed = var.deletion_allowed
|
||||
derived = var.derived
|
||||
exportable = var.exportable
|
||||
allow_plaintext_backup = var.allow_plaintext_backup
|
||||
auto_rotate_period = var.auto_rotate_period
|
||||
}
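Review bot: `auto_rotate_period` is exposed but `min_decryption_version` and `min_encryption_version` are not, so every rotated-out key version stays usable for decryption indefinitely and, with `deletion_allowed = false`, cannot be trimmed either; rotation without retiring old versions gives very little. I'd add `min_decryption_version = var.min_decryption_version` and `min_encryption_version = var.min_encryption_version` (defaults `null` so current keys are unaffected) so keys can be moved forward after rewrapping.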
|
||||
@@ -0,0 +1,45 @@
|
||||
variable "backend" {
|
||||
description = "The unique path where the transit backend is mounted"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "The name of the encryption key"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "type" {
|
||||
description = "The type of key to create"
|
||||
type = string
|
||||
default = "aes256-gcm96"
|
||||
}
|
||||
|
||||
variable "deletion_allowed" {
|
||||
description = "Whether the key is allowed to be deleted"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "derived" {
|
||||
description = "Whether the key supports key derivation"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "exportable" {
|
||||
description = "Whether the key is exportable"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "allow_plaintext_backup" {
|
||||
description = "Whether the key supports plaintext backup"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "auto_rotate_period" {
|
||||
description = "Period for automatic key rotation"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
locals {
|
||||
policy_hcl = join("\n", [
|
||||
for rule in var.policy_rules :
|
||||
"path \"${rule.path}\" {\n capabilities = ${jsonencode(rule.capabilities)}\n}"
|
||||
])
|
||||
}
|
||||
|
||||
resource "vault_policy" "this" {
|
||||
name = var.policy_name
|
||||
policy = local.policy_hcl
|
||||
}
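Review bot: `rule.path` is spliced into the generated HCL as `path \"${rule.path}\"` without escaping, so a path containing a double quote or backslash yields malformed policy text, or a different path than the YAML author wrote, and the error only appears when Vault parses it at apply; `jsonencode(rule.path)` produces a correctly quoted HCL string literal, i.e. `"path ${jsonencode(rule.path)} {\n  capabilities = ${jsonencode(rule.capabilities)}\n}"`. The rules come from repo-controlled YAML, so this is robustness rather than an injection risk, but it is a one-token change. A comment above `policy_hcl` should also note that the schema deliberately supports only `path` + `capabilities`, so `allowed_parameters`/`denied_parameters`/`min_wrapping_ttl` cannot be expressed and anyone needing them must extend `policy_rules`.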
|
||||
@@ -0,0 +1,12 @@
|
||||
variable "policy_name" {
|
||||
description = "Name of the Vault policy"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "policy_rules" {
|
||||
description = "List of policy rules for this policy"
|
||||
type = list(object({
|
||||
path = string
|
||||
capabilities = list(string)
|
||||
}))
|
||||
}
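Review bot: `policy_rules` accepts any string as a capability and any string as a path, so a misspelt capability such as `"updtae"` or an empty path only fails when Vault parses the policy at apply, after the plan has been approved; a validation block on the variable turns that into a plan-time error with a clear message. The capabilities Vault accepts are `create`, `read`, `update`, `patch`, `delete`, `list`, `sudo` and `deny`, plus `subscribe` on newer releases — include that one only if the deployed Vault knows it.
```hcl
variable "policy_rules" {
  description = "List of policy rules for this policy"
  type = list(object({
    path         = string
    capabilities = list(string)
  }))

  validation {
    condition = alltrue([
      for r in var.policy_rules :
      length(r.path) > 0 && alltrue([
        for c in r.capabilities :
        contains(["create", "read", "update", "patch", "delete", "list", "sudo", "deny"], c)
      ])
    ])
    error_message = "Each rule needs a non-empty path and only Vault capabilities (create, read, update, patch, delete, list, sudo, deny)."
  }
}
```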
|
||||
@@ -0,0 +1,427 @@
|
||||
# AppRole Backend
|
||||
moved {
|
||||
from = vault_auth_backend.approle
|
||||
to = module.auth_approle_backend["approle"].vault_auth_backend.approle
|
||||
}
|
||||
|
||||
# AppRole Roles (12 roles)
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.certmanager
|
||||
to = module.auth_approle_role["approle/certmanager"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.incus_cluster
|
||||
to = module.auth_approle_role["approle/incus_cluster"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.packer_builder
|
||||
to = module.auth_approle_role["approle/packer_builder"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.puppetapi
|
||||
to = module.auth_approle_role["approle/puppetapi"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.rpmbuilder
|
||||
to = module.auth_approle_role["approle/rpmbuilder"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.rundeck-role
|
||||
to = module.auth_approle_role["approle/rundeck-role"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.sshsign-host-role
|
||||
to = module.auth_approle_role["approle/sshsign-host-role"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.sshsigner
|
||||
to = module.auth_approle_role["approle/sshsigner"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.terraform_incus
|
||||
to = module.auth_approle_role["approle/terraform_incus"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.terraform_nomad
|
||||
to = module.auth_approle_role["approle/terraform_nomad"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.terraform_repoflow
|
||||
to = module.auth_approle_role["approle/terraform_repoflow"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_approle_auth_backend_role.tf_vault
|
||||
to = module.auth_approle_role["approle/tf_vault"].vault_approle_auth_backend_role.role
|
||||
}
|
||||
|
||||
# LDAP Backend
|
||||
moved {
|
||||
from = vault_ldap_auth_backend.ldap
|
||||
to = module.auth_ldap_backend["ldap"].vault_ldap_auth_backend.ldap
|
||||
}
|
||||
|
||||
# LDAP Groups
|
||||
moved {
|
||||
from = vault_ldap_auth_backend_group.vault_access
|
||||
to = module.auth_ldap_group["ldap/vault_access"].vault_ldap_auth_backend_group.group
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_ldap_auth_backend_group.vault_admin
|
||||
to = module.auth_ldap_group["ldap/vault_admin"].vault_ldap_auth_backend_group.group
|
||||
}
|
||||
|
||||
|
||||
# Kubernetes Secrets
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_secret_backend.kubernetes_au_syd1
|
||||
to = module.kubernetes_secret_backend["kubernetes/au/syd1"].vault_kubernetes_secret_backend.kubernetes
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_secret_backend_role.cluster_admin
|
||||
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_admin"].vault_kubernetes_secret_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_secret_backend_role.cluster_operator
|
||||
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_operator"].vault_kubernetes_secret_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_secret_backend_role.cluster_root
|
||||
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_root"].vault_kubernetes_secret_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_secret_backend_role.media_apps_operator
|
||||
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/media_apps_operator"].vault_kubernetes_secret_backend_role.role
|
||||
}
|
||||
|
||||
# Kubernetes Backend
|
||||
|
||||
moved {
|
||||
from = vault_auth_backend.kubernetes
|
||||
to = module.auth_kubernetes_backend["k8s/au/syd1"].vault_auth_backend.kubernetes
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_config.config
|
||||
to = module.auth_kubernetes_backend["k8s/au/syd1"].vault_kubernetes_auth_backend_config.config
|
||||
}
|
||||
|
||||
# Kubernetes Roles (7 roles)
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.ceph-csi
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/ceph-csi"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.cert_manager_issuer
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/cert_manager_issuer"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.default
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/default"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.externaldns
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/externaldns"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.huntarr-default
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/huntarr-default"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.media-apps
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/media-apps"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_kubernetes_auth_backend_role.repoflow
|
||||
to = module.auth_kubernetes_role["k8s/au/syd1/repoflow"].vault_kubernetes_auth_backend_role.role
|
||||
}
|
||||
|
||||
# KV Backends:
|
||||
moved {
|
||||
from = vault_mount.kv
|
||||
to = module.kv_secret_backend["kv"].vault_mount.kv
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_mount.rundeck
|
||||
to = module.kv_secret_backend["rundeck"].vault_mount.kv
|
||||
}
|
||||
|
||||
# SSH CA:
|
||||
moved {
|
||||
from = vault_mount.sshca
|
||||
to = module.ssh_secret_backend["sshca"].vault_mount.ssh
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_ssh_secret_backend_ca.ssh_ca
|
||||
to = module.ssh_secret_backend["sshca"].vault_ssh_secret_backend_ca.ssh_ca[0]
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_ssh_secret_backend_role.signhost
|
||||
to = module.ssh_secret_backend_role["sshca/signhost"].vault_ssh_secret_backend_role.role
|
||||
}
|
||||
|
||||
# Transit:
|
||||
moved {
|
||||
from = vault_mount.transit
|
||||
to = module.transit_secret_backend["transit"].vault_mount.transit
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_transit_secret_backend_key.key
|
||||
to = module.transit_secret_backend_key["transit/au-syd1-k8s-vso"].vault_transit_secret_backend_key.key
|
||||
}
|
||||
|
||||
# Policy Migrations
|
||||
moved {
|
||||
from = vault_policy.policies["auth/approle/approle_role_admin"]
|
||||
to = module.vault_policy["auth/approle/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/approle/approle_role_login"]
|
||||
to = module.vault_policy["auth/approle/login"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/kubernetes/k8s_auth_admin"]
|
||||
to = module.vault_policy["auth/k8s/au/syd1/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/ldap/ldap_admin"]
|
||||
to = module.vault_policy["auth/ldap/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/token/auth_token_create"]
|
||||
to = module.vault_policy["auth/token/create"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/token/auth_token_lookup"]
|
||||
to = module.vault_policy["auth/token/lookup"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/token/auth_token_renew"]
|
||||
to = module.vault_policy["auth/token/renew"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/token/auth_token_roles_admin"]
|
||||
to = module.vault_policy["auth/token/roles/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["auth/token/auth_token_self"]
|
||||
to = module.vault_policy["auth/token/self"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["default_access"]
|
||||
to = module.vault_policy["global-root"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kubernetes/au/config_admin"]
|
||||
to = module.vault_policy["kubernetes/au/config_admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/glauth/services/svc_vault_read"]
|
||||
to = module.vault_policy["kv/service/glauth/services/svc_vault/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/incus/incus-cluster-join-tokens"]
|
||||
to = module.vault_policy["kv/service/incus/cluster-join-tokens/crud"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"]
|
||||
to = module.vault_policy["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"]
|
||||
to = module.vault_policy["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/kubernetes/au/syd1/externaldns/tsig/read"]
|
||||
to = module.vault_policy["kv/service/kubernetes/au/syd1/externaldns/tsig/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/kubernetes/au/syd1/service_account_jwt/read"]
|
||||
to = module.vault_policy["kv/service/kubernetes/au/syd1/service_account_jwt/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"]
|
||||
to = module.vault_policy["kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/media-apps/radarr/read"]
|
||||
to = module.vault_policy["kv/service/media-apps/radarr/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/media-apps/sonarr/read"]
|
||||
to = module.vault_policy["kv/service/media-apps/sonarr/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/packer/packer_builder"]
|
||||
to = module.vault_policy["kv/service/packer/builder/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/puppet/certificates/terraform_puppet_cert"]
|
||||
to = module.vault_policy["kv/service/puppet/certificates/ca/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/puppetapi/puppetapi_read_tokens"]
|
||||
to = module.vault_policy["kv/service/puppetapi/tokens/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/terraform/incus"]
|
||||
to = module.vault_policy["kv/service/terraform/incus"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["kv/service/terraform/nomad"]
|
||||
to = module.vault_policy["kv/service/terraform/nomad"].vault_policy.this
|
||||
}
|
||||
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["rundeck/rundeck"]
|
||||
to = module.vault_policy["rundeck/rundeck"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["sshca/sshca_roles_admin"]
|
||||
to = module.vault_policy["sshca/roles/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["sshca/sshca_signhost"]
|
||||
to = module.vault_policy["sshca/sign/host"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["sys/sys_audit_read"]
|
||||
to = module.vault_policy["sys/audit/read"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["sys/sys_auth_admin"]
|
||||
to = module.vault_policy["sys/auth/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["sys/sys_mounts_admin"]
|
||||
to = module.vault_policy["sys/mounts/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["sys/sys_policy_admin"]
|
||||
to = module.vault_policy["sys/policy/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["transit/decrypt/au-syd1-k8s-vso"]
|
||||
to = module.vault_policy["transit/decrypt/au-syd1-k8s-vso"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["transit/encrypt/au-syd1-k8s-vso"]
|
||||
to = module.vault_policy["transit/encrypt/au-syd1-k8s-vso"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["transit/keys/admin"]
|
||||
to = module.vault_policy["transit/keys/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
# PKI Mount Only Migrations
|
||||
moved {
|
||||
from = vault_mount.pki_root
|
||||
to = module.pki_mount_only["pki_root"].vault_mount.pki
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_mount.pki_int
|
||||
to = module.pki_mount_only["pki_int"].vault_mount.pki
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_pki_secret_backend_config_urls.pki_root_urls
|
||||
to = module.pki_mount_only["pki_root"].vault_pki_secret_backend_config_urls.config_urls
|
||||
}
|
||||
|
||||
# PKI Role Migrations
|
||||
moved {
|
||||
from = vault_pki_secret_backend_role.pki_root_2024_servers
|
||||
to = module.pki_secret_backend_role["pki_root/2024-servers"].vault_pki_secret_backend_role.role
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_pki_secret_backend_role.servers_default
|
||||
to = module.pki_secret_backend_role["pki_int/servers_default"].vault_pki_secret_backend_role.role
|
||||
}
|
||||
|
||||
# PKI Policy Migrations (keep original names where policies exist)
|
||||
moved {
|
||||
from = vault_policy.policies["pki_int/certmanager"]
|
||||
to = module.vault_policy["pki_int/certmanager"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["pki_int/issue/servers_default"]
|
||||
to = module.vault_policy["pki_int/issue/servers_default"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["pki_int/pki_int_roles_admin"]
|
||||
to = module.vault_policy["pki_int/roles/admin"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["pki_int/sign/servers_default"]
|
||||
to = module.vault_policy["pki_int/sign/servers_default"].vault_policy.this
|
||||
}
|
||||
|
||||
moved {
|
||||
from = vault_policy.policies["pki_root/pki_root_roles_admin"]
|
||||
to = module.vault_policy["pki_root/roles/admin"].vault_policy.this
|
||||
}
|
||||
@@ -0,0 +1,290 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "auth_approle_backend" {
|
||||
description = "Map of AppRole auth backends to create"
|
||||
type = map(object({
|
||||
listing_visibility = optional(string)
|
||||
default_lease_ttl = optional(string)
|
||||
max_lease_ttl = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "auth_approle_role" {
|
||||
description = "Map of AppRole roles to create"
|
||||
type = map(object({
|
||||
approle_name = string
|
||||
mount_path = string
|
||||
token_ttl = optional(number)
|
||||
token_max_ttl = optional(number)
|
||||
bind_secret_id = optional(bool, false)
|
||||
secret_id_ttl = optional(number)
|
||||
token_bound_cidrs = optional(list(string), [])
|
||||
alias_metadata = optional(map(string))
|
||||
use_deterministic_role_id = optional(bool, true)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "auth_ldap_backend" {
|
||||
description = "Map of LDAP auth backends to create"
|
||||
type = map(object({
|
||||
userdn = string
|
||||
userattr = optional(string, "uid")
|
||||
upndomain = optional(string)
|
||||
discoverdn = optional(bool, false)
|
||||
groupdn = optional(string)
|
||||
groupfilter = optional(string)
|
||||
groupattr = optional(string, "cn")
|
||||
alias_metadata = optional(map(string))
|
||||
username_as_alias = optional(bool, true)
|
||||
listing_visibility = optional(string)
|
||||
default_lease_ttl = optional(string)
|
||||
max_lease_ttl = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "auth_ldap_group" {
|
||||
description = "Map of LDAP groups to create"
|
||||
type = map(object({
|
||||
groupname = string
|
||||
backend = string
|
||||
policies = list(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "auth_kubernetes_backend" {
|
||||
description = "Map of Kubernetes auth backends to create"
|
||||
type = map(object({
|
||||
kubernetes_host = string
|
||||
disable_iss_validation = optional(bool, true)
|
||||
use_annotations_as_alias_metadata = optional(bool, true)
|
||||
listing_visibility = optional(string)
|
||||
default_lease_ttl = optional(string)
|
||||
max_lease_ttl = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "auth_kubernetes_role" {
|
||||
description = "Map of Kubernetes auth roles to create"
|
||||
type = map(object({
|
||||
role_name = string
|
||||
backend = string
|
||||
bound_service_account_names = list(string)
|
||||
bound_service_account_namespaces = list(string)
|
||||
token_ttl = optional(number, 3600)
|
||||
audience = optional(string, "vault")
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "kv_secret_backend" {
|
||||
description = "Map of KV secret engines to create"
|
||||
type = map(object({
|
||||
type = optional(string, "kv-v2")
|
||||
description = optional(string)
|
||||
version = optional(string, "2")
|
||||
max_versions = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "transit_secret_backend" {
|
||||
description = "Map of Transit secret engines to create"
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
default_lease_ttl_seconds = optional(number, 3600)
|
||||
max_lease_ttl_seconds = optional(number, 86400)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "transit_secret_backend_key" {
|
||||
description = "Map of Transit keys to create"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
type = optional(string, "aes256-gcm96")
|
||||
deletion_allowed = optional(bool, false)
|
||||
derived = optional(bool, false)
|
||||
exportable = optional(bool, false)
|
||||
allow_plaintext_backup = optional(bool, false)
|
||||
auto_rotate_period = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "ssh_secret_backend" {
|
||||
description = "Map of SSH secret engines to create"
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
max_lease_ttl_seconds = optional(number, 315360000)
|
||||
generate_signing_key = optional(bool)
|
||||
key_type = optional(string, "ssh-rsa")
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "ssh_secret_backend_role" {
|
||||
description = "Map of SSH roles to create"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
key_type = optional(string, "ca")
|
||||
algorithm_signer = optional(string, "rsa-sha2-256")
|
||||
ttl = optional(number, 315360000)
|
||||
allow_host_certificates = optional(bool, false)
|
||||
allow_user_certificates = optional(bool, false)
|
||||
allowed_domains = optional(string)
|
||||
allow_subdomains = optional(bool, false)
|
||||
allow_bare_domains = optional(bool, false)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "pki_secret_backend" {
|
||||
description = "Map of PKI secret engines to create"
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
max_lease_ttl_seconds = optional(number, 315360000)
|
||||
common_name = string
|
||||
issuer_name = string
|
||||
ttl = optional(number, 315360000)
|
||||
format = optional(string, "pem")
|
||||
issuing_certificates = optional(list(string), [])
|
||||
crl_distribution_points = optional(list(string), [])
|
||||
ocsp_servers = optional(list(string), [])
|
||||
enable_templating = optional(bool, false)
|
||||
default_issuer_ref = optional(string)
|
||||
default_follows_latest_issuer = optional(bool, false)
|
||||
crl_expiry = optional(string, "72h")
|
||||
crl_disable = optional(bool, false)
|
||||
ocsp_disable = optional(bool, false)
|
||||
auto_rebuild = optional(bool, false)
|
||||
enable_delta = optional(bool, false)
|
||||
delta_rebuild_interval = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "pki_secret_backend_role" {
|
||||
description = "Map of PKI roles to create"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
allow_ip_sans = optional(bool, false)
|
||||
allowed_domains = optional(list(string), [])
|
||||
allow_subdomains = optional(bool, false)
|
||||
allow_glob_domains = optional(bool, false)
|
||||
allow_bare_domains = optional(bool, false)
|
||||
enforce_hostnames = optional(bool, false)
|
||||
allow_any_name = optional(bool, false)
|
||||
max_ttl = optional(number)
|
||||
key_bits = optional(number, 4096)
|
||||
country = optional(list(string), [])
|
||||
use_csr_common_name = optional(bool, false)
|
||||
use_csr_sans = optional(bool, false)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "pki_mount_only" {
|
||||
description = "Map of PKI mounts to create (without certificate generation)"
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
max_lease_ttl_seconds = optional(number, 315360000)
|
||||
issuer_ref = optional(string, "default")
|
||||
issuing_certificates = optional(list(string), [])
|
||||
crl_distribution_points = optional(list(string), [])
|
||||
ocsp_servers = optional(list(string), [])
|
||||
enable_templating = optional(bool, false)
|
||||
default_issuer_ref = optional(string)
|
||||
default_follows_latest_issuer = optional(bool, false)
|
||||
crl_expiry = optional(string, "72h")
|
||||
crl_disable = optional(bool, false)
|
||||
ocsp_disable = optional(bool, false)
|
||||
auto_rebuild = optional(bool, false)
|
||||
enable_delta = optional(bool, false)
|
||||
delta_rebuild_interval = optional(string)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "consul_secret_backend" {
|
||||
description = "Map of Consul secret engines to create"
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
address = string
|
||||
bootstrap = optional(bool, false)
|
||||
scheme = optional(string, "https")
|
||||
ca_cert = optional(string)
|
||||
client_cert = optional(string)
|
||||
client_key = optional(string)
|
||||
default_lease_ttl_seconds = optional(number)
|
||||
max_lease_ttl_seconds = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "consul_secret_backend_role" {
|
||||
description = "Map of Consul roles to create"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
consul_roles = optional(list(string), [])
|
||||
ttl = optional(number)
|
||||
max_ttl = optional(number)
|
||||
local = optional(bool, false)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "kubernetes_secret_backend" {
|
||||
description = "Map of Kubernetes secret engines to create"
|
||||
type = map(object({
|
||||
description = optional(string)
|
||||
default_lease_ttl_seconds = optional(number, 600)
|
||||
max_lease_ttl_seconds = optional(number, 86400)
|
||||
kubernetes_host = string
|
||||
disable_local_ca_jwt = optional(bool, false)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "kubernetes_secret_backend_role" {
|
||||
description = "Map of Kubernetes secret backend roles to create"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
allowed_kubernetes_namespaces = optional(list(string), ["*"])
|
||||
kubernetes_role_type = optional(string, "Role")
|
||||
extra_labels = optional(map(string), {})
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_auth_map" {
|
||||
description = "Map of auth mounts -> auth roles -> policy names"
|
||||
type = map(map(list(string)))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_rules_map" {
|
||||
description = "Map of policy names to their rules"
|
||||
type = map(list(object({
|
||||
path = string
|
||||
capabilities = list(string)
|
||||
})))
|
||||
default = {}
|
||||
}
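Review bot: `enforce_hostnames = optional(bool, false)` in `pki_secret_backend_role` inverts Vault's own default of `true` for that PKI role setting, so any caller that omits the field from its yaml gets a role that issues certificates for non-hostname common names without having asked for it; prefer `enforce_hostnames = optional(bool, true)` so that relaxing hostname validation is an explicit per-role choice. The same defaults review applies to `allowed_kubernetes_namespaces = optional(list(string), ["*"])` in `kubernetes_secret_backend_role`, which scopes a role to every namespace unless the config says otherwise. Separately, `consul_secret_backend` carries `client_key` as an ordinary string attribute, and since the variable is not marked `sensitive = true` the key material will be echoed in `terraform plan` output (state stores it either way); mark the variable sensitive or move the key into a separate sensitive variable. If the schema is left as is, a comment such as `# NOTE: enforce_hostnames defaults to false here, unlike Vault's default of true` on that line would at least make the divergence visible to whoever edits the yaml.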
|
||||