feat: major restructuring in migration to terragrunt

- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
This commit is contained in:
2026-01-04 23:31:42 +11:00
parent bd112181f5
commit 8070b6f66b
245 changed files with 3943 additions and 985 deletions
+9
View File
@@ -0,0 +1,9 @@
# Allow reading audit logs related to secret engines
---
rules:
- path: "sys/audit"
capabilities:
- read
- list
auth: {}
+14
View File
@@ -0,0 +1,14 @@
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
---
rules:
- path: "sys/auth/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault
+22
View File
@@ -0,0 +1,22 @@
# Allow access to manage secret engines (mount, unmount, update)
---
rules:
- path: "sys/mounts/*"
capabilities:
- create
- update
- delete
- read
- list
- path: "sys/mounts-tune/*"
capabilities:
- update
- read
- path: "sys/mounts"
capabilities:
- read
- list
auth:
approle:
- tf_vault
+18
View File
@@ -0,0 +1,18 @@
# Allow management of policies (create, update, delete, list, and read)
---
rules:
- path: "sys/policies/acl/*"
capabilities:
- create
- update
- delete
- read
- list
- path: "sys/policies/acl"
capabilities:
- read
- list
auth:
approle:
- tf_vault
-4
View File
@@ -1,4 +0,0 @@
# Allow reading audit logs related to secret engines
path "sys/audit" {
capabilities = ["read", "list"]
}
-4
View File
@@ -1,4 +0,0 @@
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
path "sys/auth/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
-14
View File
@@ -1,14 +0,0 @@
# Allow access to manage secret engines (mount, unmount, update)
path "sys/mounts/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
# Allow tuning existing secret engines
path "sys/mounts-tune/*" {
capabilities = ["update", "read"]
}
# Allow reaing and listing of enabled secret engines
path "sys/mounts" {
capabilities = ["read", "list"]
}
-9
View File
@@ -1,9 +0,0 @@
# Allow management of policies (create, update, delete, list, and read)
path "sys/policies/acl/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
# Allow listing of available policies
path "sys/policies/acl" {
capabilities = ["read", "list"]
}