feat: major restructuring in migration to terragrunt

- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
This commit is contained in:
2026-01-04 23:31:42 +11:00
parent bd112181f5
commit 8070b6f66b
245 changed files with 3943 additions and 985 deletions
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Ceph CephFS CSI secrets
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- ceph-csi
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Ceph RBD CSI secrets
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret"
capabilities:
- read
auth:
k8s/au/syd1:
- ceph-csi
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading ExternalDNS TSIG keys
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/externaldns/tsig"
capabilities:
- read
auth:
k8s/au/syd1:
- externaldns
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/service_account_jwt" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Kubernetes service account JWT
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/service_account_jwt"
capabilities:
- read
auth:
approle:
- tf_vault
@@ -1,3 +0,0 @@
path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" {
capabilities = ["read"]
}
@@ -0,0 +1,10 @@
# Allow reading Kubernetes token reviewer JWT
---
rules:
- path: "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt"
capabilities:
- read
auth:
approle:
- tf_vault