feat: major restructuring in migration to terragrunt

- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
This commit is contained in:
2026-01-04 23:31:42 +11:00
parent bd112181f5
commit 8070b6f66b
245 changed files with 3943 additions and 985 deletions
@@ -1,3 +0,0 @@
path "kv/data/service/gitea/unkinben/tokens/read-only-packages" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Gitea read-only package tokens
---
rules:
- path: "kv/data/service/gitea/unkinben/tokens/read-only-packages"
capabilities:
- read
auth:
approle:
- rpmbuilder
@@ -1,3 +0,0 @@
path "kv/data/service/github/neoloc/tokens/read-only-token" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading GitHub read-only tokens
---
rules:
- path: "kv/data/service/github/neoloc/tokens/read-only-token"
capabilities:
- read
auth:
approle:
- rpmbuilder
@@ -0,0 +1,11 @@
# Allow reading GLAuth service vault configuration
---
rules:
- path: "kv/data/service/glauth/services/svc_vault"
capabilities:
- list
- read
auth:
approle:
- tf_vault
@@ -1,3 +0,0 @@
path "kv/data/service/glauth/services/svc_vault" {
capabilities = ["list", "read"]
}
@@ -0,0 +1,13 @@
# Allow access to Incus cluster join tokens
---
rules:
- path: "kv/data/service/incus/cluster-join-tokens"
capabilities:
- create
- read
- update
- delete
auth:
approle:
- incus_cluster
@@ -1,3 +0,0 @@
path "kv/data/service/incus/cluster-join-tokens" {
capabilities = ["create", "read", "update", "delete"]
}
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Ceph CephFS CSI secrets
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- ceph-csi
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Ceph RBD CSI secrets
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- ceph-csi
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading ExternalDNS TSIG keys
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/externaldns/tsig"
capabilities:
- read
auth:
k8s/au/syd1:
- externaldns
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Kubernetes service account JWT
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/service_account_jwt"
capabilities:
- read
auth:
approle:
- tf_vault
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Kubernetes token reviewer JWT
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt"
capabilities:
- read
auth:
approle:
- tf_vault
@@ -0,0 +1,10 @@
# Allow reading Prowlarr configuration
---
rules:
- path: "kv/data/service/media-apps/nzbget"
capabilities:
- read
auth:
k8s/au/syd1:
- media-apps
@@ -0,0 +1,10 @@
# Allow reading Prowlarr configuration
---
rules:
- path: "kv/data/service/media-apps/prowlarr"
capabilities:
- read
auth:
k8s/au/syd1:
- media-apps
@@ -1,3 +0,0 @@
path "kv/data/service/media-apps/radarr" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Radarr configuration
---
rules:
- path: "kv/data/service/media-apps/radarr"
capabilities:
- read
auth:
k8s/au/syd1:
- media-apps
@@ -1,3 +0,0 @@
path "kv/data/service/media-apps/sonarr" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Sonarr configuration
---
rules:
- path: "kv/data/service/media-apps/sonarr"
capabilities:
- read
auth:
k8s/au/syd1:
- media-apps
@@ -0,0 +1,13 @@
# Allow Packer builder to read configuration
---
rules:
- path: "kv/data/service/packer/builder/env"
capabilities:
- read
- path: "kv/data/service/packer/builder/docker-incus-client"
capabilities:
- read
auth:
approle:
- packer_builder
@@ -1,6 +0,0 @@
path "kv/data/service/packer/builder/env" {
capabilities = ["read"]
}
path "kv/data/service/packer/builder/docker-incus-client" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Puppet CA Certificate
---
rules:
- path: "kv/data/service/puppet/certificates/ca"
capabilities:
- read
auth:
approle:
- terraform_incus
@@ -0,0 +1,10 @@
# Allow reading Puppet certificates for Terraform
---
rules:
- path: "kv/data/service/puppet/certificates/terraform"
capabilities:
- read
auth:
approle:
- terraform_incus
@@ -1,6 +0,0 @@
path "kv/data/service/puppet/certificates/terraform" {
capabilities = ["read"]
}
path "kv/data/service/puppet/certificates/ca" {
capabilities = ["read"]
}
@@ -1,3 +0,0 @@
path "kv/data/service/puppetapi/tokens" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Puppet API tokens
---
rules:
- path: "kv/data/service/puppetapi/tokens"
capabilities:
- read
auth:
approle:
- puppetapi
@@ -1,3 +0,0 @@
path "kv/data/service/repoflow/au/syd1/ceph-s3" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Repoflow Ceph S3 configuration
---
rules:
- path: "kv/data/service/repoflow/au/syd1/ceph-s3"
capabilities:
- read
auth:
k8s/au/syd1:
- repoflow
@@ -1,3 +0,0 @@
path "kv/data/service/repoflow/au/syd1/elasticsearch" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Repoflow Elasticsearch configuration
---
rules:
- path: "kv/data/service/repoflow/au/syd1/elasticsearch"
capabilities:
- read
auth:
k8s/au/syd1:
- repoflow
@@ -1,3 +0,0 @@
path "kv/data/service/repoflow/au/syd1/hasura" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Repoflow Hasura configuration
---
rules:
- path: "kv/data/service/repoflow/au/syd1/hasura"
capabilities:
- read
auth:
k8s/au/syd1:
- repoflow
@@ -1,3 +0,0 @@
path "kv/data/service/repoflow/au/syd1/postgres" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Repoflow PostgreSQL configuration
---
rules:
- path: "kv/data/service/repoflow/au/syd1/postgres"
capabilities:
- read
auth:
k8s/au/syd1:
- repoflow
@@ -1,3 +0,0 @@
path "kv/data/service/repoflow/au/syd1/repoflow-server" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Repoflow server configuration
---
rules:
- path: "kv/data/service/repoflow/au/syd1/repoflow-server"
capabilities:
- read
auth:
k8s/au/syd1:
- repoflow
@@ -1,3 +0,0 @@
path "kv/data/service/repoflow/unkinadmin/tokens/terraform" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Repoflow admin Terraform tokens
---
rules:
- path: "kv/data/service/repoflow/unkinadmin/tokens/terraform"
capabilities:
- read
auth:
approle:
- terraform_repoflow
-3
View File
@@ -1,3 +0,0 @@
path "kv/data/service/terraform/incus" {
capabilities = ["read"]
}
+10
View File
@@ -0,0 +1,10 @@
# Allow reading Terraform Incus configuration
---
rules:
- path: "kv/data/service/terraform/incus"
capabilities:
- read
auth:
approle:
- terraform_incus
-3
View File
@@ -1,3 +0,0 @@
path "kv/data/service/terraform/nomad" {
capabilities = ["read"]
}
+10
View File
@@ -0,0 +1,10 @@
# Allow reading Terraform Nomad configuration
---
rules:
- path: "kv/data/service/terraform/nomad"
capabilities:
- read
auth:
approle:
- terraform_nomad
@@ -1,3 +0,0 @@
path "kv/data/service/terraform/repoflow" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Terraform Repoflow configuration
---
rules:
- path: "kv/data/service/terraform/repoflow"
capabilities:
- read
auth:
approle:
- terraform_repoflow
@@ -0,0 +1,11 @@
# Allow reading Vault auth AppRole role configuration
---
rules:
- path: "kv/data/service/vault/+/+/auth_approle_role/*"
capabilities:
- list
- read
auth:
approle:
- tf_vault
@@ -0,0 +1,11 @@
# Allow reading Vault auth backend configuration
---
rules:
- path: "kv/data/service/vault/+/+/auth_backend/*"
capabilities:
- list
- read
auth:
approle:
- tf_vault
@@ -0,0 +1,11 @@
# Allow reading Vault secret backend configuration
---
rules:
- path: "kv/data/service/vault/+/+/secret_backend/*"
capabilities:
- list
- read
auth:
approle:
- tf_vault