feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure - add vault_cluster module with config discovery system - replace individual .tf files with centralized config.hcl - restructure auth and secret backends as configurable modules - move auth roles and secret backends to yaml-based configuration - convert policies from .hcl to .yaml format, add rules/auth definition - add pre-commit hooks for yaml formatting and file cleanup - add terragrunt cache to gitignore - update makefile with terragrunt commands and format target
This commit is contained in:
@@ -0,0 +1,9 @@
|
||||
# Allow reading audit logs related to secret engines
|
||||
---
|
||||
rules:
|
||||
- path: "sys/audit"
|
||||
capabilities:
|
||||
- read
|
||||
- list
|
||||
|
||||
auth: {}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
|
||||
---
|
||||
rules:
|
||||
- path: "sys/auth/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- read
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,22 @@
|
||||
# Allow access to manage secret engines (mount, unmount, update)
|
||||
---
|
||||
rules:
|
||||
- path: "sys/mounts/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- read
|
||||
- list
|
||||
- path: "sys/mounts-tune/*"
|
||||
capabilities:
|
||||
- update
|
||||
- read
|
||||
- path: "sys/mounts"
|
||||
capabilities:
|
||||
- read
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -0,0 +1,18 @@
|
||||
# Allow management of policies (create, update, delete, list, and read)
|
||||
---
|
||||
rules:
|
||||
- path: "sys/policies/acl/*"
|
||||
capabilities:
|
||||
- create
|
||||
- update
|
||||
- delete
|
||||
- read
|
||||
- list
|
||||
- path: "sys/policies/acl"
|
||||
capabilities:
|
||||
- read
|
||||
- list
|
||||
|
||||
auth:
|
||||
approle:
|
||||
- tf_vault
|
||||
@@ -1,4 +0,0 @@
|
||||
# Allow reading audit logs related to secret engines
|
||||
path "sys/audit" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
@@ -1,4 +0,0 @@
|
||||
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
|
||||
path "sys/auth/*" {
|
||||
capabilities = ["create", "update", "delete", "read", "list"]
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
# Allow access to manage secret engines (mount, unmount, update)
|
||||
path "sys/mounts/*" {
|
||||
capabilities = ["create", "update", "delete", "read", "list"]
|
||||
}
|
||||
|
||||
# Allow tuning existing secret engines
|
||||
path "sys/mounts-tune/*" {
|
||||
capabilities = ["update", "read"]
|
||||
}
|
||||
|
||||
# Allow reaing and listing of enabled secret engines
|
||||
path "sys/mounts" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
# Allow management of policies (create, update, delete, list, and read)
|
||||
path "sys/policies/acl/*" {
|
||||
capabilities = ["create", "update", "delete", "read", "list"]
|
||||
}
|
||||
|
||||
# Allow listing of available policies
|
||||
path "sys/policies/acl" {
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
Reference in New Issue
Block a user