feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
@@ -0,0 +1,76 @@
# =============================================================================
# VAULT POLICY CONFIGURATION SYSTEM
# =============================================================================
#
# This file automatically discovers and processes all YAML policy files from
# subdirectories, creating a unified policy configuration for Vault.
#
# HOW IT WORKS:
# 1. Scans all subdirectories for *.yaml files
# 2. Parses each YAML file to extract policy rules and auth assignments
# 3. Creates mappings for auth methods -> roles -> assigned policies
#
# YAML STRUCTURE:
# Each policy YAML file should contain:
# - rules: List of Vault policy rules (path + capabilities)
# - auth: Map of auth methods to roles that should have this policy
#
# EXAMPLE YAML FILE (policies/kv/service/myapp/read.yaml):
# ```yaml
# rules:
# - path: "kv/data/service/myapp/*"
# capabilities:
# - read
#
# auth:
# approle:
# - myapp-service
# k8s/au/syd1:
# - myapp-pod
# ```
#
# This creates a policy that allows reading secrets under kv/service/myapp/
# and assigns it to:
# - AppRole role "myapp-service" in the "approle" mount
# - Kubernetes role "myapp-pod" in the "k8s/au/syd1" mount
#
# GENERATED OUTPUTS:
# - policy_rules_map: policy_name -> [rules]
# - policy_auth_map: auth_mount -> role_name -> [policy_names]
#
# =============================================================================

locals {
# Find all YAML files in subdirectories
policy_files = fileset(".", "**/*.yaml")

# Create a flat map of all files with their content
all_policies = {
for file_path in local.policy_files :
trimsuffix(file_path, ".yaml") => yamldecode(file(file_path))
}

# Create a map of just the rules for each policy
policy_rules_map = {
for file_path in local.policy_files :
trimsuffix(file_path, ".yaml") => yamldecode(file(file_path)).rules
}

# Create a map of auth mounts -> auth roles -> policy names
policy_auth_map = {
for auth_mount in distinct(flatten([
for file_path in local.policy_files : [
for auth_type, roles in yamldecode(file(file_path)).auth : auth_type
]
])) : auth_mount => {
for auth_role in distinct(flatten([
for file_path in local.policy_files : [
for role in try(yamldecode(file(file_path)).auth[auth_mount], []) : role
]
])) : auth_role => [
for file_path in local.policy_files : trimsuffix(file_path, ".yaml")
if contains(try(yamldecode(file(file_path)).auth[auth_mount], []), auth_role)
]
}
}
}
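Review bot: the `auth` key is accessed unguarded in the outer loop of `policy_auth_map` (`for auth_type, roles in yamldecode(file(file_path)).auth : auth_type`) while the two inner loops wrap the same lookup in `try(yamldecode(file(file_path)).auth[auth_mount], [])`, so a policy file with no `auth` key (a rules-only policy that is attached elsewhere, or one where `auth` is null) fails in the outer loop before either `try` can help; either guard the outer loop the same way (`try(yamldecode(file(file_path)).auth, {})`) or treat `auth` and `rules` as required and drop the `try` calls, but pick one behaviour and say so in the header, which currently only says each file "should contain" both. The same file is read and decoded once per loop, up to four times per policy, and `local.all_policies` is built but never referenced; deriving `policy_rules_map` and `policy_auth_map` from `local.all_policies` removes the repeated `yamldecode(file(...))` and makes adding validation (for example that every `capabilities` entry is a known Vault capability, or that a policy name contains no unexpected characters) a single-site change. `fileset(".", "**/*.yaml")` is relative to the working directory rather than `path.module`, and `**` matches every `.yaml` under it, so any stray YAML file in the tree (including anything under the terragrunt cache directory this commit adds to `.gitignore`, if that directory ends up below this path) silently becomes a Vault policy and, via its `auth` block, a role assignment; consider `fileset(path.module, "**/*.yaml")` with a dedicated policy root or an explicit name filter. Finally, the loop variable is named `auth_type` in one place and `auth_mount` in the others, and the header calls the `auth` keys "auth methods" while the example (`k8s/au/syd1`) and the output description (`auth_mount`) show they are mount paths; using `auth_mount` throughout would make the contract clearer.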