feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure - add vault_cluster module with config discovery system - replace individual .tf files with centralized config.hcl - restructure auth and secret backends as configurable modules - move auth roles and secret backends to yaml-based configuration - convert policies from .hcl to .yaml format, add rules/auth definition - add pre-commit hooks for yaml formatting and file cleanup - add terragrunt cache to gitignore - update makefile with terragrunt commands and format target
This commit is contained in:
@@ -0,0 +1,14 @@
|
||||
# Allow full administration of AppRole roles
|
||||
---
|
||||
rules:
|
||||
- path: "auth/approle/role/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "auth/approle/role/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
path "auth/approle/login" {
|
||||
capabilities = ["create"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow AppRole login
|
||||
---
|
||||
rules:
|
||||
- path: "auth/approle/login"
|
||||
capabilities:
|
||||
- create
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,23 @@
|
||||
# Allow administration of Kubernetes authentication backend
|
||||
---
|
||||
rules:
|
||||
- path: "auth/k8s/au/syd1/config"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- path: "auth/k8s/au/syd1/role/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
- path: "auth/k8s/au/syd1/role"
|
||||
capabilities:
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,14 +0,0 @@
|
||||
# Allow configuration of Kubernetes authentication backend
|
||||
path "auth/kubernetes/config" {
|
||||
capabilities = ["create", "update", "read", "delete"]
|
||||
}
|
||||
|
||||
# Allow management of Kubernetes auth roles
|
||||
path "auth/kubernetes/role/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
|
||||
# Allow listing auth/kubernetes/role
|
||||
path "auth/kubernetes/role" {
|
||||
capabilities = ["list"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow full administration of LDAP auth backend
|
||||
---
|
||||
rules:
|
||||
- path: "auth/ldap/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "auth/ldap/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
path "auth/token/create" {
|
||||
capabilities = ["create", "read", "update", "list"]
|
||||
}
|
||||
|
||||
path "auth/token/*" {
|
||||
capabilities = ["create", "update"]
|
||||
}
|
||||
@@ -1,4 +0,0 @@
|
||||
# Allow listing and reading tokens
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
@@ -1,4 +0,0 @@
|
||||
# Allow renewing tokens
|
||||
path "auth/token/renew" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
path "auth/token/roles/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
# Allow tokens to query themselves
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow tokens to renew themselves
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow tokens to revoke themselves
|
||||
path "auth/token/revoke-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# Allow token creation and management
|
||||
---
|
||||
rules:
|
||||
- path: "auth/token/create"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- list
|
||||
- path: "auth/token/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow listing and reading tokens
|
||||
---
|
||||
rules:
|
||||
- path: "auth/token/lookup"
|
||||
capabilities:
|
||||
- read
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow renewing tokens
|
||||
---
|
||||
rules:
|
||||
- path: "auth/token/renew"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow administration of token roles
|
||||
---
|
||||
rules:
|
||||
- path: "auth/token/roles/*"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,16 @@
|
||||
# Allow tokens to query themselves
|
||||
---
|
||||
rules:
|
||||
- path: "auth/token/lookup-self"
|
||||
capabilities:
|
||||
- read
|
||||
- path: "auth/token/renew-self"
|
||||
capabilities:
|
||||
- update
|
||||
- path: "auth/token/revoke-self"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,15 +0,0 @@
|
||||
path "pki_int/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
|
||||
path "pki_root/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
|
||||
path "ssh-host-signer/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
|
||||
path "sshca/*" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
@@ -0,0 +1,15 @@
|
||||
# Global root policy with full access to all paths
|
||||
---
|
||||
rules:
|
||||
- path: "*"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- delete
|
||||
- list
|
||||
- sudo
|
||||
|
||||
auth:
|
||||
ldap:
|
||||
- vault_admin
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kubernetes/au/+/config" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow administration of Kubernetes secret backend config
|
||||
---
|
||||
rules:
|
||||
- path: "kubernetes/au/+/config"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,6 +0,0 @@
|
||||
path "kubernetes/au/+/roles" {
|
||||
capabilities = ["list"]
|
||||
}
|
||||
path "kubernetes/au/+/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# Allow administration of Kubernetes secret backend roles
|
||||
---
|
||||
rules:
|
||||
- path: "kubernetes/au/+/roles"
|
||||
capabilities:
|
||||
- list
|
||||
- path: "kubernetes/au/+/roles/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kubernetes/au/syd1/creds/cluster-admin" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow access to cluster-admin Kubernetes credentials
|
||||
---
|
||||
rules:
|
||||
- path: "kubernetes/au/syd1/creds/cluster-admin"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kubernetes/au/syd1/creds/cluster-operator" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow access to cluster-operator Kubernetes credentials
|
||||
---
|
||||
rules:
|
||||
- path: "kubernetes/au/syd1/creds/cluster-operator"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kubernetes/au/syd1/creds/cluster-root" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow access to cluster-root Kubernetes credentials
|
||||
---
|
||||
rules:
|
||||
- path: "kubernetes/au/syd1/creds/cluster-root"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kubernetes/au/syd1/creds/media-apps-operator" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow access to media-apps-operator Kubernetes credentials
|
||||
---
|
||||
rules:
|
||||
- path: "kubernetes/au/syd1/creds/media-apps-operator"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/gitea/unkinben/tokens/read-only-packages" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Gitea read-only package tokens
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/gitea/unkinben/tokens/read-only-packages"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- rpmbuilder
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/github/neoloc/tokens/read-only-token" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading GitHub read-only tokens
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/github/neoloc/tokens/read-only-token"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- rpmbuilder
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow reading GLAuth service vault configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/glauth/services/svc_vault"
|
||||
capabilities:
|
||||
- list
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/glauth/services/svc_vault" {
|
||||
capabilities = ["list", "read"]
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
# Allow access to Incus cluster join tokens
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/incus/cluster-join-tokens"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- delete
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- incus_cluster
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/incus/cluster-join-tokens" {
|
||||
capabilities = ["create", "read", "update", "delete"]
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Ceph CephFS CSI secrets
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- ceph-csi
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Ceph RBD CSI secrets
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- ceph-csi
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading ExternalDNS TSIG keys
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/kubernetes/au/syd1/externaldns/tsig"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- externaldns
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Kubernetes service account JWT
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/kubernetes/au/syd1/service_account_jwt"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Kubernetes token reviewer JWT
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Prowlarr configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/media-apps/nzbget"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- media-apps
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Prowlarr configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/media-apps/prowlarr"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- media-apps
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/media-apps/radarr" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Radarr configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/media-apps/radarr"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- media-apps
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/media-apps/sonarr" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Sonarr configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/media-apps/sonarr"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- media-apps
|
||||
@@ -0,0 +1,13 @@
|
||||
# Allow Packer builder to read configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/packer/builder/env"
|
||||
capabilities:
|
||||
- read
|
||||
- path: "kv/data/service/packer/builder/docker-incus-client"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- packer_builder
|
||||
@@ -1,6 +0,0 @@
|
||||
path "kv/data/service/packer/builder/env" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
path "kv/data/service/packer/builder/docker-incus-client" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Puppet CA Certificate
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/puppet/certificates/ca"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_incus
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Puppet certificates for Terraform
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/puppet/certificates/terraform"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_incus
|
||||
@@ -1,6 +0,0 @@
|
||||
path "kv/data/service/puppet/certificates/terraform" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
path "kv/data/service/puppet/certificates/ca" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/puppetapi/tokens" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Puppet API tokens
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/puppetapi/tokens"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- puppetapi
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/repoflow/au/syd1/ceph-s3" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Repoflow Ceph S3 configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/repoflow/au/syd1/ceph-s3"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- repoflow
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/repoflow/au/syd1/elasticsearch" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Repoflow Elasticsearch configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/repoflow/au/syd1/elasticsearch"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- repoflow
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/repoflow/au/syd1/hasura" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Repoflow Hasura configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/repoflow/au/syd1/hasura"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- repoflow
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/repoflow/au/syd1/postgres" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Repoflow PostgreSQL configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/repoflow/au/syd1/postgres"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- repoflow
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/repoflow/au/syd1/repoflow-server" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Repoflow server configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/repoflow/au/syd1/repoflow-server"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- repoflow
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/repoflow/unkinadmin/tokens/terraform" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Repoflow admin Terraform tokens
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/repoflow/unkinadmin/tokens/terraform"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_repoflow
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/terraform/incus" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Terraform Incus configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/terraform/incus"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_incus
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/terraform/nomad" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Terraform Nomad configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/terraform/nomad"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_nomad
|
||||
@@ -1,3 +0,0 @@
|
||||
path "kv/data/service/terraform/repoflow" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
# Allow reading Terraform Repoflow configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/terraform/repoflow"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- terraform_repoflow
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow reading Vault auth AppRole role configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/vault/+/+/auth_approle_role/*"
|
||||
capabilities:
|
||||
- list
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow reading Vault auth backend configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/vault/+/+/auth_backend/*"
|
||||
capabilities:
|
||||
- list
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow reading Vault secret backend configuration
|
||||
---
|
||||
rules:
|
||||
- path: "kv/data/service/vault/+/+/secret_backend/*"
|
||||
capabilities:
|
||||
- list
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,19 @@
|
||||
# Allow cert-manager to issue and manage certificates
|
||||
# used by the puppet autossl role
|
||||
---
|
||||
rules:
|
||||
- path: "pki/au/syd1/issue/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- path: "pki/au/syd1/renew/*"
|
||||
capabilities:
|
||||
- update
|
||||
- path: "pki/au/syd1/cert/*"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- certmanager
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow issuing server certificates from servers_default role
|
||||
---
|
||||
rules:
|
||||
- path: "pki/au/syd1/issue/servers_default"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- huntarr-default
|
||||
- cert_manager_issuer
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow administration of PKI roles
|
||||
---
|
||||
rules:
|
||||
- path: "pki/au/syd1/roles/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow signing server certificates with servers_default role
|
||||
---
|
||||
rules:
|
||||
- path: "pki/au/syd1/sign/servers_default"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- huntarr-default
|
||||
- cert_manager_issuer
|
||||
@@ -1,9 +0,0 @@
|
||||
path "pki_int/issue/*" {
|
||||
capabilities = ["create", "update", "read"]
|
||||
}
|
||||
path "pki_int/renew/*" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
path "pki_int/cert/*" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
@@ -0,0 +1,19 @@
|
||||
# Allow cert-manager to issue and manage certificates
|
||||
# used by the puppet autossl role
|
||||
---
|
||||
rules:
|
||||
- path: "pki_int/issue/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- path: "pki_int/renew/*"
|
||||
capabilities:
|
||||
- update
|
||||
- path: "pki_int/cert/*"
|
||||
capabilities:
|
||||
- read
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- certmanager
|
||||
@@ -1,3 +0,0 @@
|
||||
path "pki_int/issue/servers_default" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow issuing server certificates from servers_default role
|
||||
---
|
||||
rules:
|
||||
- path: "pki_int/issue/servers_default"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- huntarr-default
|
||||
- cert_manager_issuer
|
||||
@@ -1,3 +0,0 @@
|
||||
path "pki_int/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow administration of PKI roles
|
||||
---
|
||||
rules:
|
||||
- path: "pki_int/roles/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- read
|
||||
- delete
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,3 +0,0 @@
|
||||
path "pki_int/sign/servers_default" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
# Allow signing server certificates with servers_default role
|
||||
---
|
||||
rules:
|
||||
- path: "pki_int/sign/servers_default"
|
||||
capabilities:
|
||||
- update
|
||||
|
||||
auth:
|
||||
k8s/au/syd1:
|
||||
- huntarr-default
|
||||
- cert_manager_issuer
|
||||
@@ -1,3 +0,0 @@
|
||||
path "pki_root/roles/*" {
|
||||
capabilities = ["create", "update", "read", "delete", "list"]
|
||||
}
|
||||
@@ -0,0 +1,76 @@
|
||||
# =============================================================================
|
||||
# VAULT POLICY CONFIGURATION SYSTEM
|
||||
# =============================================================================
|
||||
#
|
||||
# This file automatically discovers and processes all YAML policy files from
|
||||
# subdirectories, creating a unified policy configuration for Vault.
|
||||
#
|
||||
# HOW IT WORKS:
|
||||
# 1. Scans all subdirectories for *.yaml files
|
||||
# 2. Parses each YAML file to extract policy rules and auth assignments
|
||||
# 3. Creates mappings for auth methods -> roles -> assigned policies
|
||||
#
|
||||
# YAML STRUCTURE:
|
||||
# Each policy YAML file should contain:
|
||||
# - rules: List of Vault policy rules (path + capabilities)
|
||||
# - auth: Map of auth methods to roles that should have this policy
|
||||
#
|
||||
# EXAMPLE YAML FILE (policies/kv/service/myapp/read.yaml):
|
||||
# ```yaml
|
||||
# rules:
|
||||
# - path: "kv/data/service/myapp/*"
|
||||
# capabilities:
|
||||
# - read
|
||||
#
|
||||
# auth:
|
||||
# approle:
|
||||
# - myapp-service
|
||||
# k8s/au/syd1:
|
||||
# - myapp-pod
|
||||
# ```
|
||||
#
|
||||
# This creates a policy that allows reading secrets under kv/service/myapp/
|
||||
# and assigns it to:
|
||||
# - AppRole role "myapp-service" in the "approle" mount
|
||||
# - Kubernetes role "myapp-pod" in the "k8s/au/syd1" mount
|
||||
#
|
||||
# GENERATED OUTPUTS:
|
||||
# - policy_rules_map: policy_name -> [rules]
|
||||
# - policy_auth_map: auth_mount -> role_name -> [policy_names]
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
locals {
|
||||
# Find all YAML files in subdirectories
|
||||
policy_files = fileset(".", "**/*.yaml")
|
||||
|
||||
# Create a flat map of all files with their content
|
||||
all_policies = {
|
||||
for file_path in local.policy_files :
|
||||
trimsuffix(file_path, ".yaml") => yamldecode(file(file_path))
|
||||
}
|
||||
|
||||
# Create a map of just the rules for each policy
|
||||
policy_rules_map = {
|
||||
for file_path in local.policy_files :
|
||||
trimsuffix(file_path, ".yaml") => yamldecode(file(file_path)).rules
|
||||
}
|
||||
|
||||
# Create a map of auth mounts -> auth roles -> policy names
|
||||
policy_auth_map = {
|
||||
for auth_mount in distinct(flatten([
|
||||
for file_path in local.policy_files : [
|
||||
for auth_type, roles in yamldecode(file(file_path)).auth : auth_type
|
||||
]
|
||||
])) : auth_mount => {
|
||||
for auth_role in distinct(flatten([
|
||||
for file_path in local.policy_files : [
|
||||
for role in try(yamldecode(file(file_path)).auth[auth_mount], []) : role
|
||||
]
|
||||
])) : auth_role => [
|
||||
for file_path in local.policy_files : trimsuffix(file_path, ".yaml")
|
||||
if contains(try(yamldecode(file(file_path)).auth[auth_mount], []), auth_role)
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
path "rundeck/data/*" {
|
||||
capabilities = ["create", "read", "update", "delete", "list"]
|
||||
}
|
||||
|
||||
path "rundeck/metadata/*" {
|
||||
capabilities = ["list"]
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
# Allow Rundeck access to its KV secrets
|
||||
---
|
||||
rules:
|
||||
- path: "rundeck/data/*"
|
||||
capabilities:
|
||||
- create
|
||||
- read
|
||||
- update
|
||||
- delete
|
||||
- list
|
||||
- path: "rundeck/metadata/*"
|
||||
capabilities:
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- rundeck-role
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user