feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure - add vault_cluster module with config discovery system - replace individual .tf files with centralized config.hcl - restructure auth and secret backends as configurable modules - move auth roles and secret backends to yaml-based configuration - convert policies from .hcl to .yaml format, add rules/auth definition - add pre-commit hooks for yaml formatting and file cleanup - add terragrunt cache to gitignore - update makefile with terragrunt commands and format target
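--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,290 @@
+variable "country" {
+description = "Country identifier"
+type = string
+}
+
+variable "region" {
+description = "Region identifier"
+type = string
+}
+
+variable "auth_approle_backend" {
+description = "Map of AppRole auth backends to create"
+type = map(object({
+listing_visibility = optional(string)
+default_lease_ttl = optional(string)
+max_lease_ttl = optional(string)
+}))
+default = {}
+}
+
+variable "auth_approle_role" {
+description = "Map of AppRole roles to create"
+type = map(object({
+approle_name = string
+mount_path = string
+token_ttl = optional(number)
+token_max_ttl = optional(number)
+bind_secret_id = optional(bool, false)
+secret_id_ttl = optional(number)
+token_bound_cidrs = optional(list(string), [])
+alias_metadata = optional(map(string))
+use_deterministic_role_id = optional(bool, true)
+}))
+default = {}
+}
+
+variable "auth_ldap_backend" {
+description = "Map of LDAP auth backends to create"
+type = map(object({
+userdn = string
+userattr = optional(string, "uid")
+upndomain = optional(string)
+discoverdn = optional(bool, false)
+groupdn = optional(string)
+groupfilter = optional(string)
+groupattr = optional(string, "cn")
+alias_metadata = optional(map(string))
+username_as_alias = optional(bool, true)
+listing_visibility = optional(string)
+default_lease_ttl = optional(string)
+max_lease_ttl = optional(string)
+}))
+default = {}
+}
+
+variable "auth_ldap_group" {
+description = "Map of LDAP groups to create"
+type = map(object({
+groupname = string
+backend = string
+policies = list(string)
+}))
+default = {}
+}
+
+variable "auth_kubernetes_backend" {
+description = "Map of Kubernetes auth backends to create"
+type = map(object({
+kubernetes_host = string
+disable_iss_validation = optional(bool, true)
+use_annotations_as_alias_metadata = optional(bool, true)
+listing_visibility = optional(string)
+default_lease_ttl = optional(string)
+max_lease_ttl = optional(string)
+}))
+default = {}
+}
+
+variable "auth_kubernetes_role" {
+description = "Map of Kubernetes auth roles to create"
+type = map(object({
+role_name = string
+backend = string
+bound_service_account_names = list(string)
+bound_service_account_namespaces = list(string)
+token_ttl = optional(number, 3600)
+audience = optional(string, "vault")
+}))
+default = {}
+}
+
+variable "kv_secret_backend" {
+description = "Map of KV secret engines to create"
+type = map(object({
+type = optional(string, "kv-v2")
+description = optional(string)
+version = optional(string, "2")
+max_versions = optional(number)
+}))
+default = {}
+}
+
+variable "transit_secret_backend" {
+description = "Map of Transit secret engines to create"
+type = map(object({
+description = optional(string)
+default_lease_ttl_seconds = optional(number, 3600)
+max_lease_ttl_seconds = optional(number, 86400)
+}))
+default = {}
+}
+
+variable "transit_secret_backend_key" {
+description = "Map of Transit keys to create"
+type = map(object({
+name = string
+backend = string
+type = optional(string, "aes256-gcm96")
+deletion_allowed = optional(bool, false)
+derived = optional(bool, false)
+exportable = optional(bool, false)
+allow_plaintext_backup = optional(bool, false)
+auto_rotate_period = optional(string)
+}))
+default = {}
+}
+
+variable "ssh_secret_backend" {
+description = "Map of SSH secret engines to create"
+type = map(object({
+description = optional(string)
+max_lease_ttl_seconds = optional(number, 315360000)
+generate_signing_key = optional(bool)
+key_type = optional(string, "ssh-rsa")
+}))
+default = {}
+}
+
+variable "ssh_secret_backend_role" {
+description = "Map of SSH roles to create"
+type = map(object({
+name = string
+backend = string
+key_type = optional(string, "ca")
+algorithm_signer = optional(string, "rsa-sha2-256")
+ttl = optional(number, 315360000)
+allow_host_certificates = optional(bool, false)
+allow_user_certificates = optional(bool, false)
+allowed_domains = optional(string)
+allow_subdomains = optional(bool, false)
+allow_bare_domains = optional(bool, false)
+}))
+default = {}
+}
+
+variable "pki_secret_backend" {
+description = "Map of PKI secret engines to create"
+type = map(object({
+description = optional(string)
+max_lease_ttl_seconds = optional(number, 315360000)
+common_name = string
+issuer_name = string
+ttl = optional(number, 315360000)
+format = optional(string, "pem")
+issuing_certificates = optional(list(string), [])
+crl_distribution_points = optional(list(string), [])
+ocsp_servers = optional(list(string), [])
+enable_templating = optional(bool, false)
+default_issuer_ref = optional(string)
+default_follows_latest_issuer = optional(bool, false)
+crl_expiry = optional(string, "72h")
+crl_disable = optional(bool, false)
+ocsp_disable = optional(bool, false)
+auto_rebuild = optional(bool, false)
+enable_delta = optional(bool, false)
+delta_rebuild_interval = optional(string)
+}))
+default = {}
+}
+
+variable "pki_secret_backend_role" {
+description = "Map of PKI roles to create"
+type = map(object({
+name = string
+backend = string
+allow_ip_sans = optional(bool, false)
+allowed_domains = optional(list(string), [])
+allow_subdomains = optional(bool, false)
+allow_glob_domains = optional(bool, false)
+allow_bare_domains = optional(bool, false)
+enforce_hostnames = optional(bool, false)
+allow_any_name = optional(bool, false)
+max_ttl = optional(number)
+key_bits = optional(number, 4096)
+country = optional(list(string), [])
+use_csr_common_name = optional(bool, false)
+use_csr_sans = optional(bool, false)
+}))
+default = {}
+}
+
+variable "pki_mount_only" {
+description = "Map of PKI mounts to create (without certificate generation)"
+type = map(object({
+description = optional(string)
+max_lease_ttl_seconds = optional(number, 315360000)
+issuer_ref = optional(string, "default")
+issuing_certificates = optional(list(string), [])
+crl_distribution_points = optional(list(string), [])
+ocsp_servers = optional(list(string), [])
+enable_templating = optional(bool, false)
+default_issuer_ref = optional(string)
+default_follows_latest_issuer = optional(bool, false)
+crl_expiry = optional(string, "72h")
+crl_disable = optional(bool, false)
+ocsp_disable = optional(bool, false)
+auto_rebuild = optional(bool, false)
+enable_delta = optional(bool, false)
+delta_rebuild_interval = optional(string)
+}))
+default = {}
+}
+
+variable "consul_secret_backend" {
+description = "Map of Consul secret engines to create"
+type = map(object({
+description = optional(string)
+address = string
+bootstrap = optional(bool, false)
+scheme = optional(string, "https")
+ca_cert = optional(string)
+client_cert = optional(string)
+client_key = optional(string)
+default_lease_ttl_seconds = optional(number)
+max_lease_ttl_seconds = optional(number)
+}))
+default = {}
+}
+
+variable "consul_secret_backend_role" {
+description = "Map of Consul roles to create"
+type = map(object({
+name = string
+backend = string
+consul_roles = optional(list(string), [])
+ttl = optional(number)
+max_ttl = optional(number)
+local = optional(bool, false)
+}))
+default = {}
+}
+
+variable "kubernetes_secret_backend" {
+description = "Map of Kubernetes secret engines to create"
+type = map(object({
+description = optional(string)
+default_lease_ttl_seconds = optional(number, 600)
+max_lease_ttl_seconds = optional(number, 86400)
+kubernetes_host = string
+disable_local_ca_jwt = optional(bool, false)
+}))
+default = {}
+}
+
+variable "kubernetes_secret_backend_role" {
+description = "Map of Kubernetes secret backend roles to create"
+type = map(object({
+name = string
+backend = string
+allowed_kubernetes_namespaces = optional(list(string), ["*"])
+kubernetes_role_type = optional(string, "Role")
+extra_labels = optional(map(string), {})
+}))
+default = {}
+}
+
+variable "policy_auth_map" {
+description = "Map of auth mounts -> auth roles -> policy names"
+type = map(map(list(string)))
+default = {}
+}
+
+variable "policy_rules_map" {
+description = "Map of policy names to their rules"
+type = map(list(object({
+path = string
+capabilities = list(string)
+})))
+default = {}
+}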
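Review bot: `bind_secret_id = optional(bool, false)` in the `auth_approle_role` object type makes every AppRole declared through this module log in with only its role_id unless the caller opts back in, and the neighbouring `token_bound_cidrs = optional(list(string), [])` default adds no network restriction either, so a role given nothing but `approle_name` and `mount_path` becomes a single-factor login; Vault and the Terraform provider both default `bind_secret_id` to true, so the module default should be `bind_secret_id = optional(bool, true)` with an explicit per-role override where a role genuinely needs otherwise. The same relaxation of a Vault default appears in `pki_secret_backend_role`, where `enforce_hostnames = optional(bool, false)` turns off hostname enforcement, and in `kubernetes_secret_backend_role`, whose `allowed_kubernetes_namespaces` defaults to `["*"]`. Separately, the `consul_secret_backend` object carries `client_key` (alongside `client_cert` and `ca_cert`) but the variable block has no `sensitive = true`, so a TLS private key supplied through it will be echoed in plan output; adding `sensitive = true` to that variable fixes this. I cannot see from this page whether a module README or `validation` block documents these choices, so at minimum each default that is looser than Vault's own deserves an inline comment such as `# NOTE: looser than the Vault default; set explicitly per role`.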