feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure - add vault_cluster module with config discovery system - replace individual .tf files with centralized config.hcl - restructure auth and secret backends as configurable modules - move auth roles and secret backends to yaml-based configuration - convert policies from .hcl to .yaml format, add rules/auth definition - add pre-commit hooks for yaml formatting and file cleanup - add terragrunt cache to gitignore - update makefile with terragrunt commands and format target
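--- /dev/null
+++ b/unknown.tf
@@ -0,0 +1,316 @@
+module "auth_approle_backend" {
+source = "./modules/auth_approle_backend"
+
+for_each = var.auth_approle_backend
+
+country = var.country
+region = var.region
+path = each.key
+listing_visibility = each.value.listing_visibility
+default_lease_ttl = each.value.default_lease_ttl
+max_lease_ttl = each.value.max_lease_ttl
+}
+
+module "auth_approle_role" {
+source = "./modules/auth_approle_role"
+
+for_each = var.auth_approle_role
+
+country = var.country
+region = var.region
+approle_name = each.value.approle_name
+mount_path = each.value.mount_path
+token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
+token_ttl = each.value.token_ttl
+token_max_ttl = each.value.token_max_ttl
+bind_secret_id = each.value.bind_secret_id
+secret_id_ttl = each.value.secret_id_ttl
+token_bound_cidrs = each.value.token_bound_cidrs
+alias_metadata = each.value.alias_metadata
+use_deterministic_role_id = each.value.use_deterministic_role_id
+
+depends_on = [module.auth_approle_backend]
+}
+
+module "auth_ldap_backend" {
+source = "./modules/auth_ldap_backend"
+
+for_each = var.auth_ldap_backend
+
+country = var.country
+region = var.region
+path = each.key
+userdn = each.value.userdn
+userattr = each.value.userattr
+upndomain = each.value.upndomain
+discoverdn = each.value.discoverdn
+groupdn = each.value.groupdn
+groupfilter = each.value.groupfilter
+groupattr = each.value.groupattr
+alias_metadata = each.value.alias_metadata
+username_as_alias = each.value.username_as_alias
+listing_visibility = each.value.listing_visibility
+default_lease_ttl = each.value.default_lease_ttl
+max_lease_ttl = each.value.max_lease_ttl
+}
+
+module "auth_ldap_group" {
+source = "./modules/auth_ldap_group"
+
+for_each = var.auth_ldap_group
+
+groupname = each.value.groupname
+backend = each.value.backend
+policies = each.value.policies
+
+depends_on = [module.auth_ldap_backend]
+}
+
+module "auth_kubernetes_backend" {
+source = "./modules/auth_kubernetes_backend"
+
+for_each = var.auth_kubernetes_backend
+
+country = var.country
+region = var.region
+path = each.key
+kubernetes_host = each.value.kubernetes_host
+disable_iss_validation = each.value.disable_iss_validation
+use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
+listing_visibility = each.value.listing_visibility
+default_lease_ttl = each.value.default_lease_ttl
+max_lease_ttl = each.value.max_lease_ttl
+}
+
+module "auth_kubernetes_role" {
+source = "./modules/auth_kubernetes_role"
+
+for_each = var.auth_kubernetes_role
+
+role_name = each.value.role_name
+backend = each.value.backend
+bound_service_account_names = each.value.bound_service_account_names
+bound_service_account_namespaces = each.value.bound_service_account_namespaces
+token_ttl = each.value.token_ttl
+token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
+audience = each.value.audience
+
+depends_on = [module.auth_kubernetes_backend]
+}
+
+module "kv_secret_backend" {
+source = "./modules/kv_secret_backend"
+
+for_each = var.kv_secret_backend
+
+path = each.key
+type = each.value.type
+description = each.value.description
+kv_version = each.value.version
+max_versions = each.value.max_versions
+}
+
+module "transit_secret_backend" {
+source = "./modules/transit_secret_backend"
+
+for_each = var.transit_secret_backend
+
+path = each.key
+description = each.value.description
+default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
+max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
+}
+
+module "transit_secret_backend_key" {
+source = "./modules/transit_secret_backend_key"
+
+for_each = var.transit_secret_backend_key
+
+name = each.value.name
+backend = each.value.backend
+type = each.value.type
+deletion_allowed = each.value.deletion_allowed
+derived = each.value.derived
+exportable = each.value.exportable
+allow_plaintext_backup = each.value.allow_plaintext_backup
+auto_rotate_period = each.value.auto_rotate_period
+
+depends_on = [module.transit_secret_backend]
+}
+
+module "ssh_secret_backend" {
+source = "./modules/ssh_secret_backend"
+
+for_each = var.ssh_secret_backend
+
+path = each.key
+description = each.value.description
+max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
+generate_signing_key = each.value.generate_signing_key
+key_type = each.value.key_type
+}
+
+module "ssh_secret_backend_role" {
+source = "./modules/ssh_secret_backend_role"
+
+for_each = var.ssh_secret_backend_role
+
+name = each.value.name
+backend = each.value.backend
+key_type = each.value.key_type
+algorithm_signer = each.value.algorithm_signer
+ttl = each.value.ttl
+allow_host_certificates = each.value.allow_host_certificates
+allow_user_certificates = each.value.allow_user_certificates
+allowed_domains = each.value.allowed_domains
+allow_subdomains = each.value.allow_subdomains
+allow_bare_domains = each.value.allow_bare_domains
+
+depends_on = [module.ssh_secret_backend]
+}
+
+module "pki_secret_backend" {
+source = "./modules/pki_secret_backend"
+
+for_each = var.pki_secret_backend
+
+path = each.key
+description = each.value.description
+max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
+common_name = each.value.common_name
+issuer_name = each.value.issuer_name
+ttl = each.value.ttl
+format = each.value.format
+issuing_certificates = each.value.issuing_certificates
+crl_distribution_points = each.value.crl_distribution_points
+ocsp_servers = each.value.ocsp_servers
+enable_templating = each.value.enable_templating
+default_issuer_ref = each.value.default_issuer_ref
+default_follows_latest_issuer = each.value.default_follows_latest_issuer
+crl_expiry = each.value.crl_expiry
+crl_disable = each.value.crl_disable
+ocsp_disable = each.value.ocsp_disable
+auto_rebuild = each.value.auto_rebuild
+enable_delta = each.value.enable_delta
+delta_rebuild_interval = each.value.delta_rebuild_interval
+}
+
+module "pki_secret_backend_role" {
+source = "./modules/pki_secret_backend_role"
+
+for_each = var.pki_secret_backend_role
+
+name = each.value.name
+backend = each.value.backend
+allow_ip_sans = each.value.allow_ip_sans
+allowed_domains = each.value.allowed_domains
+allow_subdomains = each.value.allow_subdomains
+allow_glob_domains = each.value.allow_glob_domains
+allow_bare_domains = each.value.allow_bare_domains
+enforce_hostnames = each.value.enforce_hostnames
+allow_any_name = each.value.allow_any_name
+max_ttl = each.value.max_ttl
+key_bits = each.value.key_bits
+country = each.value.country
+use_csr_common_name = each.value.use_csr_common_name
+use_csr_sans = each.value.use_csr_sans
+
+depends_on = [module.pki_secret_backend]
+}
+
+module "consul_secret_backend" {
+source = "./modules/consul_secret_backend"
+
+for_each = var.consul_secret_backend
+
+country = var.country
+region = var.region
+path = each.key
+description = each.value.description
+address = each.value.address
+bootstrap = each.value.bootstrap
+scheme = each.value.scheme
+ca_cert = each.value.ca_cert
+client_cert = each.value.client_cert
+client_key = each.value.client_key
+default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
+max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
+}
+
+module "consul_secret_backend_role" {
+source = "./modules/consul_secret_backend_role"
+
+for_each = var.consul_secret_backend_role
+
+name = each.value.name
+backend = each.value.backend
+consul_roles = each.value.consul_roles
+ttl = each.value.ttl
+max_ttl = each.value.max_ttl
+local = each.value.local
+
+depends_on = [module.consul_secret_backend]
+}
+
+module "kubernetes_secret_backend" {
+source = "./modules/kubernetes_secret_backend"
+
+for_each = var.kubernetes_secret_backend
+
+country = var.country
+region = var.region
+path = each.key
+description = each.value.description
+default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
+max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
+kubernetes_host = each.value.kubernetes_host
+disable_local_ca_jwt = each.value.disable_local_ca_jwt
+}
+
+module "kubernetes_secret_backend_role" {
+source = "./modules/kubernetes_secret_backend_role"
+
+for_each = var.kubernetes_secret_backend_role
+
+country = var.country
+region = var.region
+name = each.value.name
+backend = each.value.backend
+allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
+kubernetes_role_type = each.value.kubernetes_role_type
+extra_labels = each.value.extra_labels
+
+depends_on = [module.kubernetes_secret_backend]
+}
+
+module "vault_policy" {
+source = "./modules/vault_policy"
+
+for_each = var.policy_rules_map
+
+policy_name = each.key
+policy_rules = each.value
+}
+
+module "pki_mount_only" {
+source = "./modules/pki_mount_only"
+
+for_each = var.pki_mount_only
+
+path = each.key
+description = each.value.description
+max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
+issuer_ref = each.value.issuer_ref
+issuing_certificates = each.value.issuing_certificates
+crl_distribution_points = each.value.crl_distribution_points
+ocsp_servers = each.value.ocsp_servers
+enable_templating = each.value.enable_templating
+default_issuer_ref = each.value.default_issuer_ref
+default_follows_latest_issuer = each.value.default_follows_latest_issuer
+crl_expiry = each.value.crl_expiry
+crl_disable = each.value.crl_disable
+ocsp_disable = each.value.ocsp_disable
+auto_rebuild = each.value.auto_rebuild
+enable_delta = each.value.enable_delta
+delta_rebuild_interval = each.value.delta_rebuild_interval
+}
+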
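Review bot: In `module "consul_secret_backend"` the line `client_key = each.value.client_key` pulls a Consul TLS private key out of the same config map (`var.consul_secret_backend`) as non-secret settings like `address` and `scheme`; the commit describes that map as yaml-driven configuration, so if the key is literally in that yaml it is committed to the repo, and unless the variable is declared `sensitive = true` (its declaration is outside this hunk) the key is also printed in every plan and apply log, on top of landing in state. I would source `client_key` (and `bootstrap`, which is a Consul management token when set) from a secret input rather than the config file and mark the variable sensitive, e.g. `client_key = each.value.client_key  # sensitive: must not come from committed yaml`. A related consistency point: `auth_ldap_group` takes `policies = each.value.policies` directly, whereas the AppRole and Kubernetes roles resolve theirs through `var.policy_auth_map[backend][role]`, so LDAP group policy grants bypass the central mapping this commit introduces; `policies = var.policy_auth_map[each.value.backend][each.value.groupname]` would give one place to audit who gets which policy. The file header naming this path is not visible in the rendered section.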