unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: major restructuring in migration to terragrunt

Browse Source 
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
This commit is contained in:
Ben Vincent 2026-01-04 23:31:42 +11:00
parent bd112181f5
commit 8070b6f66b
245 changed files with 3943 additions and 985 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
.terraform .terraform
.terraform.lock.hcl .terraform.lock.hcl
env env
.terragrunt-cache

7
.pre-commit-config.yaml
View File

@ -1,4 +1,11 @@
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
types: [yaml]
- id: trailing-whitespace
types: [yaml]
- repo: https://github.com/gruntwork-io/pre-commit - repo: https://github.com/gruntwork-io/pre-commit
rev: v0.1.30 rev: v0.1.30
hooks: hooks:

39
Makefile
View File

@ -1,20 +1,29 @@
.PHONY: init plan apply help .PHONY: init plan apply format
#init:
# @echo "Sourcing environment and initializing Terraform..."
# @source ./env && terraform init
#
#plan:
# @echo "Sourcing environment and planning Terraform changes..."
# @source ./env && terraform plan
#
#apply:
# @echo "Sourcing environment and applying Terraform changes..."
# @source ./env && terraform apply -auto-approve
# Default target
help:
@echo "Available targets:"
@echo " init - Initialize Terraform"
@echo " plan - Plan Terraform changes"
@echo " apply - Apply Terraform changes"
init: init:
@echo "Sourcing environment and initializing Terraform..." @terragrunt run --all --non-interactive init -- -upgrade
@source ./env && terraform init
plan: plan: init
@echo "Sourcing environment and planning Terraform changes..." @terragrunt run --all --parallelism 4 --non-interactive plan
@source ./env && terraform plan
apply: apply: init
@echo "Sourcing environment and applying Terraform changes..." @terragrunt run --all --parallelism 2 --non-interactive apply
@source ./env && terraform apply -auto-approve
format:
@echo "Formatting Terraform files..."
@terraform fmt -recursive .
@echo "Formatting Terragrunt files..."
@terragrunt hcl fmt

15
auth_approle_certmanager.tf
View File

@ -1,15 +0,0 @@
resource "vault_approle_auth_backend_role" "certmanager" {
role_name = "certmanager"
bind_secret_id = false
token_policies = ["pki_int/certmanager"]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}

16
auth_approle_incus_cluster.tf
View File

@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "incus_cluster" {
role_name = "incus_cluster"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/incus/incus-cluster-join-tokens"
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.13.77/32",
"198.18.13.78/32",
"198.18.13.79/32"
]
}

16
auth_approle_packer_builder.tf
View File

@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "packer_builder" {
role_name = "packer_builder"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/packer/packer_builder",
]
token_ttl = 300 # builds can take a few minutes
token_max_ttl = 600
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}

15
auth_approle_puppetapi.tf
View File

@ -1,15 +0,0 @@
resource "vault_approle_auth_backend_role" "puppetapi" {
role_name = "puppetapi"
bind_secret_id = false
token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}

16
auth_approle_rpmbuilder.tf
View File

@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "rpmbuilder" {
role_name = "rpmbuilder"
bind_secret_id = false
token_policies = [
"kv/service/github/neoloc/tokens/read-only-token/read",
"kv/service/gitea/unkinben/tokens/read-only-packages/read",
]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}

9
auth_approle_rundeck-role.tf
View File

@ -1,9 +0,0 @@
resource "vault_approle_auth_backend_role" "rundeck-role" {
role_name = "rundeck-role"
bind_secret_id = true
token_policies = ["rundeck/rundeck"]
token_ttl = 1 * 3600
token_max_ttl = 4 * 3600
token_bound_cidrs = ["198.18.13.59/32"]
secret_id_bound_cidrs = ["198.18.13.59/32"]
}

15
auth_approle_sshsign-host-role.tf
View File

@ -1,15 +0,0 @@
resource "vault_approle_auth_backend_role" "sshsign-host-role" {
role_name = "sshsign-host-role"
bind_secret_id = false
token_policies = ["ssh-host-signer/sshsign-host-policy"]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}

18
auth_approle_sshsigner.tf
View File

@ -1,18 +0,0 @@
resource "vault_approle_auth_backend_role" "sshsigner" {
role_name = "sshsigner"
bind_secret_id = false
token_policies = [
"ssh-host-signer/sshsigner",
"sshca_signhost"
]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}

17
auth_approle_terraform_incus.tf
View File

@ -1,17 +0,0 @@
resource "vault_approle_auth_backend_role" "terraform_incus" {
role_name = "terraform_incus"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/terraform/incus",
"kv/service/puppet/certificates/terraform_puppet_cert",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}

16
auth_approle_terraform_nomad.tf
View File

@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "terraform_nomad" {
role_name = "terraform_nomad"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/terraform/nomad",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}

17
auth_approle_terraform_repoflow.tf
View File

@ -1,17 +0,0 @@
resource "vault_approle_auth_backend_role" "terraform_repoflow" {
role_name = "terraform_repoflow"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/repoflow/unkinadmin/tokens/terraform/read",
"kv/service/terraform/repoflow",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}

33
auth_approle_tf_vault.tf
View File

@ -1,33 +0,0 @@
resource "vault_approle_auth_backend_role" "tf_vault" {
role_name = "tf_vault"
bind_secret_id = false
token_policies = [
"default_access",
"approle_token_create",
"auth/approle/approle_role_admin",
"auth/approle/approle_role_login",
"auth/kubernetes/k8s_auth_admin",
"auth/ldap/ldap_admin",
"auth/token/auth_token_create",
"auth/token/auth_token_self",
"auth/token/auth_token_roles_admin",
"kubernetes/au/config_admin",
"kubernetes/au/roles_admin",
"kv/service/glauth/services/svc_vault_read",
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
"kv/service/kubernetes/au/syd1/service_account_jwt/read",
"pki_int/pki_int_roles_admin",
"pki_root/pki_root_roles_admin",
"ssh-host-signer/ssh-host-signer_roles_admin",
"sshca/sshca_roles_admin",
"sys/sys_auth_admin",
"sys/sys_mounts_admin",
"sys/sys_policy_admin",
"transit/keys/admin",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
]
}

7
auth_backend_approle.tf
View File

@ -1,7 +0,0 @@
#----------------------------
# Enable approle auth method
#----------------------------
resource "vault_auth_backend" "approle" {
type = "approle"
path = "approle"
}

23
auth_backend_kubernetes.tf
View File

@ -1,23 +0,0 @@
#-----------------------------------
# Enable kubernetes auth method
#-----------------------------------
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = "kubernetes"
}
# Data source to read the token_reviewer_jwt from Vault KV
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
}
# Configure Kubernetes auth backend
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
disable_iss_validation = true
use_annotations_as_alias_metadata = true
}

40
auth_backend_ldap.tf
View File

@ -1,40 +0,0 @@
#--------------------------------
# Enable ldap auth method
#--------------------------------
# retrieve the bindpass from Vault
data "vault_generic_secret" "svc_vault" {
path = "kv/service/glauth/services/svc_vault"
}
# create the ldap backend
resource "vault_ldap_auth_backend" "ldap" {
path = "ldap"
url = "ldap://ldap.service.consul"
userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
userattr = "uid"
upndomain = "users.main.unkin.net"
discoverdn = false
groupdn = "ou=users,dc=main,dc=unkin,dc=net"
groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
groupattr = "uid"
binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
bindpass = data.vault_generic_secret.svc_vault.data["pass"]
}
resource "vault_ldap_auth_backend_group" "vault_access" {
groupname = "vault_access"
policies = [
"default_access",
]
backend = vault_ldap_auth_backend.ldap.path
}
resource "vault_ldap_auth_backend_group" "vault_admin" {
groupname = "vault_admin"
policies = [
"default_access",
"global-admin",
]
backend = vault_ldap_auth_backend.ldap.path
}

117
auth_kubernetes_roles.tf
View File

@ -1,117 +0,0 @@
resource "vault_kubernetes_auth_backend_role" "default" {
backend = vault_auth_backend.kubernetes.path
role_name = "default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["*"]
token_ttl = 3600
token_policies = [
"default"
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "demo_default" {
backend = vault_auth_backend.kubernetes.path
role_name = "demo_default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["demo"]
token_ttl = 60
token_policies = [
"kv/service/terraform/nomad"
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
backend = vault_auth_backend.kubernetes.path
role_name = "huntarr-default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["huntarr"]
token_ttl = 60
token_policies = [
"pki_int/sign/servers_default",
"pki_int/issue/servers_default",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "externaldns" {
backend = vault_auth_backend.kubernetes.path
role_name = "externaldns"
bound_service_account_names = ["externaldns"]
bound_service_account_namespaces = ["externaldns"]
token_ttl = 60
token_policies = [
"kv/service/kubernetes/au/syd1/externaldns/tsig/read",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
backend = vault_auth_backend.kubernetes.path
role_name = "cert-manager-issuer"
bound_service_account_names = ["cert-manager-vault-issuer"]
bound_service_account_namespaces = ["cert-manager"]
token_ttl = 60
token_policies = [
"pki_int/sign/servers_default",
"pki_int/issue/servers_default",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
backend = vault_auth_backend.kubernetes.path
role_name = "ceph-csi"
bound_service_account_names = [
"ceph-csi-rbd-csi-rbd-provisioner",
"ceph-csi-cephfs-csi-cephfs-provisioner",
]
bound_service_account_namespaces = [
"csi-cephrbd",
"csi-cephfs",
]
token_ttl = 60
token_policies = [
"kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
"kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "media-apps" {
backend = vault_auth_backend.kubernetes.path
role_name = "media-apps"
bound_service_account_names = [
"media-apps-vault-reader",
]
bound_service_account_namespaces = [
"media-apps",
]
token_ttl = 60
token_policies = [
"kv/service/media-apps/radarr/read",
"kv/service/media-apps/sonarr/read",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "repoflow" {
backend = vault_auth_backend.kubernetes.path
role_name = "repoflow"
bound_service_account_names = [
"default",
]
bound_service_account_namespaces = [
"repoflow",
]
token_ttl = 60
token_policies = [
"kv/service/repoflow/au/syd1/ceph-s3/read",
"kv/service/repoflow/au/syd1/elasticsearch/read",
"kv/service/repoflow/au/syd1/hasura/read",
"kv/service/repoflow/au/syd1/postgres/read",
"kv/service/repoflow/au/syd1/repoflow-server/read",
]
audience = "vault"
}

2
config/auth_approle_backend/approle.yaml Normal file
View File

@ -0,0 +1,2 @@
default_lease_ttl: 60s
max_lease_ttl: 24h

13
config/auth_approle_role/approle/certmanager.yaml Normal file
View File

@ -0,0 +1,13 @@
token_policies:
- "pki_int/certmanager"
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "198.18.25.5/32"
- "198.18.26.3/32"
- "198.18.27.89/32"
- "198.18.28.8/32"
- "198.18.29.33/32"
- "198.18.29.239/32"
use_deterministic_role_id: false

12
config/auth_approle_role/approle/incus_cluster.yaml Normal file
View File

@ -0,0 +1,12 @@
token_policies:
- "default_access"
- "kv/service/incus/incus-cluster-join-tokens"
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.13.77/32"
- "198.18.13.78/32"
- "198.18.13.79/32"
use_deterministic_role_id: false

12
config/auth_approle_role/approle/packer_builder.yaml Normal file
View File

@ -0,0 +1,12 @@
token_policies:
- "default_access"
- "kv/service/packer/packer_builder"
token_ttl: 300
token_max_ttl: 600
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false

13
config/auth_approle_role/approle/puppetapi.yaml Normal file
View File

@ -0,0 +1,13 @@
token_policies:
- "kv/service/puppetapi/puppetapi_read_tokens"
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "198.18.25.5/32"
- "198.18.26.3/32"
- "198.18.27.89/32"
- "198.18.28.8/32"
- "198.18.29.33/32"
- "198.18.29.239/32"
use_deterministic_role_id: false

12
config/auth_approle_role/approle/rpmbuilder.yaml Normal file
View File

@ -0,0 +1,12 @@
token_policies:
- "kv/service/github/neoloc/tokens/read-only-token/read"
- "kv/service/gitea/unkinben/tokens/read-only-packages/read"
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false

8
config/auth_approle_role/approle/rundeck-role.yaml Normal file
View File

@ -0,0 +1,8 @@
token_policies:
- "rundeck/rundeck"
token_ttl: 3600
token_max_ttl: 14400
bind_secret_id: true
token_bound_cidrs:
- "198.18.13.59/32"
use_deterministic_role_id: false

14
config/auth_approle_role/approle/sshsigner.yaml Normal file
View File

@ -0,0 +1,14 @@
token_policies:
- "ssh-host-signer/sshsigner"
- "sshca_signhost"
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "198.18.25.5/32"
- "198.18.26.3/32"
- "198.18.27.89/32"
- "198.18.28.8/32"
- "198.18.29.33/32"
- "198.18.29.239/32"
use_deterministic_role_id: false

13
config/auth_approle_role/approle/terraform_incus.yaml Normal file
View File

@ -0,0 +1,13 @@
token_policies:
- "default_access"
- "kv/service/terraform/incus"
- "kv/service/puppet/certificates/terraform_puppet_cert"
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false

12
config/auth_approle_role/approle/terraform_nomad.yaml Normal file
View File

@ -0,0 +1,12 @@
token_policies:
- "default_access"
- "kv/service/terraform/nomad"
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false

13
config/auth_approle_role/approle/terraform_repoflow.yaml Normal file
View File

@ -0,0 +1,13 @@
token_policies:
- "default_access"
- "kv/service/repoflow/unkinadmin/tokens/terraform/read"
- "kv/service/terraform/repoflow"
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false

30
config/auth_approle_role/approle/tf_vault.yaml Normal file
View File

@ -0,0 +1,30 @@
token_policies:
- "default_access"
- "approle_token_create"
- "auth/approle/approle_role_admin"
- "auth/approle/approle_role_login"
- "auth/kubernetes/k8s_auth_admin"
- "auth/ldap/ldap_admin"
- "auth/token/auth_token_create"
- "auth/token/auth_token_self"
- "auth/token/auth_token_roles_admin"
- "kubernetes/au/config_admin"
- "kubernetes/au/roles_admin"
- "kv/service/glauth/services/svc_vault_read"
- "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"
- "kv/service/kubernetes/au/syd1/service_account_jwt/read"
- "kv/service/vault/auth_backends_read"
- "pki_int/pki_int_roles_admin"
- "pki_root/pki_root_roles_admin"
- "ssh-host-signer/ssh-host-signer_roles_admin"
- "sshca/sshca_roles_admin"
- "sys/sys_auth_admin"
- "sys/sys_mounts_admin"
- "sys/sys_policy_admin"
- "transit/keys/admin"
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
use_deterministic_role_id: false

5
config/auth_kubernetes_backend/k8s/au/syd1.yaml Normal file
View File

@ -0,0 +1,5 @@
kubernetes_host: https://api-k8s.service.consul:6443
disable_iss_validation: true
use_annotations_as_alias_metadata: true
default_lease_ttl: 1h
max_lease_ttl: 24h

11
config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml Normal file
View File

@ -0,0 +1,11 @@
bound_service_account_names:
- ceph-csi-rbd-csi-rbd-provisioner
- ceph-csi-cephfs-csi-cephfs-provisioner
bound_service_account_namespaces:
- csi-cephrbd
- csi-cephfs
token_ttl: 60
token_policies:
- kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read
- kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read
audience: vault

9
config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml Normal file
View File

@ -0,0 +1,9 @@
bound_service_account_names:
- cert-manager-vault-issuer
bound_service_account_namespaces:
- cert-manager
token_ttl: 60
token_policies:
- pki_int/sign/servers_default
- pki_int/issue/servers_default
audience: vault

8
config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml Normal file
View File

@ -0,0 +1,8 @@
bound_service_account_names:
- externaldns
bound_service_account_namespaces:
- externaldns
token_ttl: 60
token_policies:
- kv/service/kubernetes/au/syd1/externaldns/tsig/read
audience: vault

9
config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml Normal file
View File

@ -0,0 +1,9 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- huntarr
token_ttl: 60
token_policies:
- pki_int/sign/servers_default
- pki_int/issue/servers_default
audience: vault

9
config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml Normal file
View File

@ -0,0 +1,9 @@
bound_service_account_names:
- media-apps-vault-reader
bound_service_account_namespaces:
- media-apps
token_ttl: 60
token_policies:
- kv/service/media-apps/radarr/read
- kv/service/media-apps/sonarr/read
audience: vault

12
config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml Normal file
View File

@ -0,0 +1,12 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- repoflow
token_ttl: 60
token_policies:
- kv/service/repoflow/au/syd1/ceph-s3/read
- kv/service/repoflow/au/syd1/elasticsearch/read
- kv/service/repoflow/au/syd1/hasura/read
- kv/service/repoflow/au/syd1/postgres/read
- kv/service/repoflow/au/syd1/repoflow-server/read
audience: vault

10
config/auth_ldap_backend/ldap.yaml Normal file
View File

@ -0,0 +1,10 @@
userdn: "ou=people,ou=users,dc=main,dc=unkin,dc=net"
userattr: "uid"
upndomain: "users.main.unkin.net"
discoverdn: false
groupdn: "ou=users,dc=main,dc=unkin,dc=net"
groupfilter: "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
groupattr: "uid"
username_as_alias: true
default_lease_ttl: 24h
max_lease_ttl: 168h

2
config/auth_ldap_group/ldap/vault_access.yaml Normal file
View File

@ -0,0 +1,2 @@
policies:
- "default_access"

3
config/auth_ldap_group/ldap/vault_admin.yaml Normal file
View File

@ -0,0 +1,3 @@
policies:
- "default_access"
- "global-admin"

189
config/config.hcl Normal file
View File

@ -0,0 +1,189 @@
# =============================================================================
# VAULT MODULE CONFIGURATION SYSTEM
# =============================================================================
#
# This file automatically discovers and organizes YAML configuration files
# for Vault modules, creating structured configuration maps for Terraform.
#
# HOW IT WORKS:
# 1. Scans all subdirectories for *.yaml files
# 2. Groups files by module type based on directory structure
# 3. Creates unique resource keys to prevent naming conflicts
# 4. Adds computed fields like name, backend, etc. from file paths
#
# DIRECTORY STRUCTURE:
# config/
# auth_approle_role/
# approle/
# certmanager.yaml # Creates key: "approle/certmanager"
# myapp.yaml # Creates key: "approle/myapp"
# auth_kubernetes_role/
# k8s/au/syd1/
# default.yaml # Creates key: "k8s/au/syd1/default"
# myapp.yaml # Creates key: "k8s/au/syd1/myapp"
# kv_secret_backend/
# kv.yaml # Creates key: "kv"
# secrets.yaml # Creates key: "secrets"
#
# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
# ```yaml
# token_ttl: 3600
# token_max_ttl: 7200
# bind_secret_id: true
# token_bound_cidrs:
# - "10.0.0.0/8"
# ```
#
# This becomes:
# ```hcl
# auth_approle_role = {
# "approle/myapp" = {
# approle_name = "myapp" # Auto-computed from filename
# mount_path = "approle" # Auto-computed from directory
# token_ttl = 3600 # From YAML content
# token_max_ttl = 7200 # From YAML content
# bind_secret_id = true # From YAML content
# token_bound_cidrs = ["10.0.0.0/8"]
# }
# }
# ```
#
# KEY NAMING PATTERNS:
# - Simple backends: filename only (e.g., "kv", "transit")
# - Role-based resources: full path without extension (e.g., "approle/myapp")
# - This ensures uniqueness when multiple backends have similar role names
#
# GENERATED OUTPUTS:
# - config.auth_approle_backend, config.auth_approle_role, etc.
# - Each module gets its own map with properly structured configuration
#
# =============================================================================
locals {
# Find all YAML files in subdirectories
config_files = fileset(".", "**/*.yaml")
# Create a flat map of all files with their content
all_configs = {
for file_path in local.config_files :
file_path => yamldecode(file(file_path))
}
# Group by module directory (first part of path)
config = {
auth_approle_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "auth_approle_backend/")
}
auth_approle_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, {
approle_name = trimsuffix(basename(file_path), ".yaml")
mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0]
})
if startswith(file_path, "auth_approle_role/")
}
auth_ldap_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "auth_ldap_backend/")
}
auth_ldap_group = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, {
groupname = trimsuffix(basename(file_path), ".yaml")
backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0]
})
if startswith(file_path, "auth_ldap_group/")
}
auth_kubernetes_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content
if startswith(file_path, "auth_kubernetes_backend/")
}
auth_kubernetes_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, {
role_name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "auth_kubernetes_role/", ""))
})
if startswith(file_path, "auth_kubernetes_role/")
}
kv_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "kv_secret_backend/")
}
transit_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "transit_secret_backend/")
}
transit_secret_backend_key = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "transit_secret_backend_key/", ""))
})
if startswith(file_path, "transit_secret_backend_key/")
}
ssh_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "ssh_secret_backend/")
}
ssh_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "ssh_secret_backend_role/", ""))
})
if startswith(file_path, "ssh_secret_backend_role/")
}
pki_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content
if startswith(file_path, "pki_secret_backend/")
}
pki_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "pki_secret_backend_role/", ""))
})
if startswith(file_path, "pki_secret_backend_role/")
}
kubernetes_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content
if startswith(file_path, "kubernetes_secret_backend/")
}
kubernetes_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", ""))
})
if startswith(file_path, "kubernetes_secret_backend_role/")
}
consul_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "consul_secret_backend/")
}
consul_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "consul_secret_backend_role/", ""))
})
if startswith(file_path, "consul_secret_backend_role/")
}
pki_mount_only = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "pki_mount_only/")
}
}
}

5
config/kubernetes_secret_backend/kubernetes/au/syd1.yaml Normal file
View File

@ -0,0 +1,5 @@
description: "kubernetes secret engine for au-syd1 cluster"
default_lease_ttl_seconds: 600
max_lease_ttl_seconds: 86400
kubernetes_host: "https://api-k8s.service.consul:6443"
disable_local_ca_jwt: false

5
config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml Normal file
View File

@ -0,0 +1,5 @@
backend: "kubernetes/au/syd1"
allowed_kubernetes_namespaces:
- "*"
kubernetes_role_type: "ClusterRole"
extra_labels: {}

5
config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml Normal file
View File

@ -0,0 +1,5 @@
backend: "kubernetes/au/syd1"
allowed_kubernetes_namespaces:
- "*"
kubernetes_role_type: "ClusterRole"
extra_labels: {}

5
config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml Normal file
View File

@ -0,0 +1,5 @@
backend: "kubernetes/au/syd1"
allowed_kubernetes_namespaces:
- "*"
kubernetes_role_type: "ClusterRole"
extra_labels: {}

5
config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml Normal file
View File

@ -0,0 +1,5 @@
backend: "kubernetes/au/syd1"
allowed_kubernetes_namespaces:
- "media-apps"
kubernetes_role_type: "Role"
extra_labels: {}

4
config/kv_secret_backend/kv.yaml Normal file
View File

@ -0,0 +1,4 @@
type: kv-v2
description: "Key-Value secrets engine"
version: "2"
max_versions: 10

4
config/kv_secret_backend/rundeck.yaml Normal file
View File

@ -0,0 +1,4 @@
type: kv-v2
description: "Rundeck secrets engine"
version: "2"
max_versions: 5

17
config/pki_mount_only/pki_int.yaml Normal file
View File

@ -0,0 +1,17 @@
description: "PKI Intermediate CA"
max_lease_ttl_seconds: 157680000 # 43800 hours * 3600
issuer_ref: "default"
issuing_certificates:
- "https://vault.service.consul:8200/v1/pki_int/ca"
crl_distribution_points:
- "https://vault.service.consul:8200/v1/pki_int/crl"
ocsp_servers: []
enable_templating: false
default_issuer_ref: null
default_follows_latest_issuer: false
crl_expiry: "72h"
crl_disable: false
ocsp_disable: false
auto_rebuild: false
enable_delta: false
delta_rebuild_interval: null

17
config/pki_mount_only/pki_root.yaml Normal file
View File

@ -0,0 +1,17 @@
description: "PKI Root CA"
max_lease_ttl_seconds: 315360000 # 10 years
issuer_ref: "default"
issuing_certificates:
- "https://vault.service.consul:8200/v1/pki_root/ca"
crl_distribution_points:
- "https://vault.service.consul:8200/v1/pki_root/crl"
ocsp_servers: []
enable_templating: false
default_issuer_ref: null
default_follows_latest_issuer: false
crl_expiry: "72h"
crl_disable: false
ocsp_disable: false
auto_rebuild: false
enable_delta: false
delta_rebuild_interval: null

18
config/pki_secret_backend/pki/au/syd1.yaml Normal file
View File

@ -0,0 +1,18 @@
description: "PKI Root CA AU SYD1"
max_lease_ttl_seconds: 315360000 # 87600 * 3600
common_name: "unkin.net AU SYD1 Root CA"
issuer_name: "UNKIN_AU_SYD1_ROOTCA_2024"
ttl: 315360000 # 87600 * 3600
format: "pem"
issuing_certificates:
- "https://vault.service.consul:8200/v1/pki/au/syd1/ca"
crl_distribution_points:
- "https://vault.service.consul:8200/v1/pki/au/syd1/crl"
ocsp_servers: []
enable_templating: false
default_follows_latest_issuer: false
crl_expiry: "72h"
crl_disable: false
ocsp_disable: false
auto_rebuild: false
enable_delta: false

17
config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml Normal file
View File

@ -0,0 +1,17 @@
backend: "pki/au/syd1"
allow_ip_sans: true
allowed_domains:
- "unkin.net"
- "*.unkin.net"
- "localhost"
allow_subdomains: true
allow_glob_domains: true
allow_bare_domains: true
enforce_hostnames: true
allow_any_name: true
max_ttl: 7776000 # 2160 * 3600
key_bits: 4096
country:
- "Australia"
use_csr_common_name: true
use_csr_sans: true

17
config/pki_secret_backend_role/pki_int/servers_default.yaml Normal file
View File

@ -0,0 +1,17 @@
backend: "pki_int"
allow_ip_sans: true
allowed_domains:
- "unkin.net"
- "*.unkin.net"
- "localhost"
allow_subdomains: true
allow_glob_domains: true
allow_bare_domains: true
enforce_hostnames: true
allow_any_name: true
max_ttl: 7776000 # 2160 * 3600
key_bits: 4096
country:
- "Australia"
use_csr_common_name: true
use_csr_sans: true

15
config/pki_secret_backend_role/pki_root/2024-servers.yaml Normal file
View File

@ -0,0 +1,15 @@
backend: "pki_root"
allow_ip_sans: true
allowed_domains:
- "unkin.net"
- "unkin.local"
allow_subdomains: true
allow_glob_domains: false
allow_bare_domains: true
enforce_hostnames: false
allow_any_name: false
max_ttl: 31536000 # 8760h in seconds
key_bits: 2048
country: []
use_csr_common_name: true
use_csr_sans: true

4
config/ssh_secret_backend/sshca.yaml Normal file
View File

@ -0,0 +1,4 @@
description: "SSH CA Engine"
max_lease_ttl_seconds: 315360000 # 87600 * 3600
generate_signing_key: true
key_type: ssh-rsa

8
config/ssh_secret_backend_role/sshca/signhost.yaml Normal file
View File

@ -0,0 +1,8 @@
key_type: ca
algorithm_signer: rsa-sha2-256
ttl: 315360000 # 87600 * 3600
allow_host_certificates: true
allow_user_certificates: false
allowed_domains: "main.unkin.net,consul"
allow_subdomains: true
allow_bare_domains: false

3
config/transit_secret_backend/transit.yaml Normal file
View File

@ -0,0 +1,3 @@
description: "Transit Engine"
default_lease_ttl_seconds: 3600
max_lease_ttl_seconds: 86400

5
config/transit_secret_backend_key/transit/au-syd1-k8s-vso.yaml Normal file
View File

@ -0,0 +1,5 @@
type: aes256-gcm96
deletion_allowed: false
derived: false
exportable: false
allow_plaintext_backup: false

72
engine_k8s_au_syd1.tf
View File

@ -1,72 +0,0 @@
# Data source to read the service_token_jwt from Vault KV
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/service_account_jwt"
}
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
path = "kubernetes/au/syd1"
description = "kubernetes secret engine for au-syd1 cluster"
default_lease_ttl_seconds = 600
max_lease_ttl_seconds = 86400
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
disable_local_ca_jwt = false
}
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-media-apps-operator"
allowed_kubernetes_namespaces = ["media-apps"]
kubernetes_role_type = "Role"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-media-apps-operator"
}
}
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-cluster-operator"
allowed_kubernetes_namespaces = ["*"]
kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-operator"
}
}
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-cluster-admin"
allowed_kubernetes_namespaces = ["*"]
kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-admin"
}
}
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-cluster-root"
allowed_kubernetes_namespaces = ["*"]
kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-root"
}
}

15
engine_kv.tf
View File

@ -1,15 +0,0 @@
#--------------------------------------------------------------
# kv
# create engine
#--------------------------------------------------------------
resource "vault_mount" "kv" {
path = "kv"
type = "kv"
listing_visibility = "hidden"
max_lease_ttl_seconds = 0
external_entropy_access = false
seal_wrap = false
options = {
version = "2"
}
}

49
engine_pki_int.tf
View File

@ -1,49 +0,0 @@
#--------------------------------------------------------------
# pki_int
# create engine
# generate intermediate csa
# sign the intermediate against rootca
# set the signed intermediate cert in the pki_int engine
#--------------------------------------------------------------
resource "vault_mount" "pki_int" {
path = "pki_int"
type = "pki"
description = "PKI Intermediate CA"
max_lease_ttl_seconds = 43800 * 3600 # 43800 hours
}
## Generate the intermediate CSR
#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" {
# backend = vault_mount.pki_int.path
# common_name = "unkin.net Intermediate Authority"
# format = "pem"
# type = "internal"
#}
#
## Sign the intermediate CSR using the root CA
#resource "vault_generic_endpoint" "pki_root_sign_intermediate" {
# path = "${vault_mount.pki_root.path}/root/sign-intermediate"
#
# data_json = jsonencode({
# csr = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr,
# format = "pem_bundle",
# ttl = "43800h",
# issuer_ref = "UNKIN_ROOTCA_2024"
# })
#}
#
## Decode the certificate from the response
#locals {
# intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"]
#}
#
## Set the signed intermediate certificate
#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" {
# backend = vault_mount.pki_int.path
# certificate = local.intermediate_signed_cert
#}
#data "vault_pki_secret_backend_issuer" "pki_int_issuer" {
# backend = vault_mount.pki_int.path
# issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id
#}

39
engine_pki_root.tf
View File

@ -1,39 +0,0 @@
#-------------------------------------------
# pki_root:
# create engine
# generate rootca certificate
# read the issuer
# configure the pki urls
#-------------------------------------------
resource "vault_mount" "pki_root" {
path = "pki_root"
type = "pki"
description = "PKI Root CA"
max_lease_ttl_seconds = 87600 * 3600 # 87600h
}
#resource "vault_pki_secret_backend_root_cert" "pki_root_root_cert" {
# backend = vault_mount.pki_root.path
# common_name = "unkin.net"
# issuer_name = "UNKIN_ROOTCA_2024"
# ttl = 87600 * 3600
# format = "pem"
# type = "internal"
#}
#
#output "root_certificate" {
# value = vault_pki_secret_backend_root_cert.pki_root_root_cert.certificate
# sensitive = true
#}
data "vault_pki_secret_backend_issuer" "pki_root_issuer" {
backend = vault_mount.pki_root.path
issuer_ref = "default"
}
resource "vault_pki_secret_backend_config_urls" "pki_root_urls" {
backend = vault_mount.pki_root.path
issuing_certificates = ["${local.vault_addr}/v1/pki_root/ca"]
crl_distribution_points = ["${local.vault_addr}/v1/pki_root/crl"]
}

14
engine_rundeck.tf
View File

@ -1,14 +0,0 @@
#--------------------------------------------------------------
# rundeck
# create engine
#--------------------------------------------------------------
resource "vault_mount" "rundeck" {
path = "rundeck"
type = "kv"
max_lease_ttl_seconds = 0
external_entropy_access = false
seal_wrap = false
options = {
version = "2"
}
}

18
engine_ssh-host-signer.tf
View File

@ -1,18 +0,0 @@
#--------------------------------------------------------------
# ssh-host-signer
# create engine
# generate ca cert
# tune the ssh engine
#--------------------------------------------------------------
#resource "vault_mount" "ssh_host_signer" {
# path = "ssh-host-signer"
# type = "ssh"
# description = "SSH Host Signing Engine"
# max_lease_ttl_seconds = 87600 * 3600
#}
#
#resource "vault_ssh_secret_backend_ca" "ssh_host_signer_ca" {
# backend = vault_mount.ssh_host_signer.path
# generate_signing_key = false # change to true for new configuration
# key_type = "ssh-rsa"
#}

18
engine_sshca.tf
View File

@ -1,18 +0,0 @@
#--------------------------------------------------------------
# ssh
# create engine
# generate ca cert
# tune the ssh engine
#--------------------------------------------------------------
resource "vault_mount" "sshca" {
path = "sshca"
type = "ssh"
description = "SSH CA Engine"
max_lease_ttl_seconds = 87600 * 3600
}
resource "vault_ssh_secret_backend_ca" "ssh_ca" {
backend = vault_mount.sshca.path
generate_signing_key = true
key_type = "ssh-rsa"
}

13
engine_transit.tf
View File

@ -1,13 +0,0 @@
resource "vault_mount" "transit" {
path = "transit"
type = "transit"
description = "Transit Engine"
default_lease_ttl_seconds = 3600
max_lease_ttl_seconds = 86400
}
resource "vault_transit_secret_backend_key" "key" {
backend = vault_mount.transit.path
name = "au-syd1-k8s-vso"
type = "aes256-gcm96"
}

60
environments/au/syd1/terragrunt.hcl Normal file
View File

@ -0,0 +1,60 @@
include "root" {
path = find_in_parent_folders("root.hcl")
expose = true
}
include "config" {
path = "${get_repo_root()}/config/config.hcl"
expose = true
}
include "policies" {
path = "${get_repo_root()}/policies/policies.hcl"
expose = true
}
locals {
# Extract country and region from path
path_parts = split("/", dirname(get_terragrunt_dir()))
country = basename(dirname(get_terragrunt_dir())) # "au"
region = basename(get_terragrunt_dir()) # "syd1"
# Include configuration from config.hcl
config = include.config.locals.config
# Include policies from policies.hcl
policies = include.policies.locals
}
terraform {
source = "../../../modules/vault_cluster"
}
inputs = {
country = local.country
region = local.region
# Pass configuration maps to vault_cluster module
auth_approle_backend = local.config.auth_approle_backend
auth_approle_role = local.config.auth_approle_role
auth_ldap_backend = local.config.auth_ldap_backend
auth_ldap_group = local.config.auth_ldap_group
auth_kubernetes_backend = local.config.auth_kubernetes_backend
auth_kubernetes_role = local.config.auth_kubernetes_role
kv_secret_backend = local.config.kv_secret_backend
transit_secret_backend = local.config.transit_secret_backend
transit_secret_backend_key = local.config.transit_secret_backend_key
ssh_secret_backend = local.config.ssh_secret_backend
ssh_secret_backend_role = local.config.ssh_secret_backend_role
pki_secret_backend = local.config.pki_secret_backend
pki_secret_backend_role = local.config.pki_secret_backend_role
consul_secret_backend = local.config.consul_secret_backend
consul_secret_backend_role = local.config.consul_secret_backend_role
kubernetes_secret_backend = local.config.kubernetes_secret_backend
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
pki_mount_only = local.config.pki_mount_only
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map
}

11
main.tf → environments/root.hcl
View File

@ -1,3 +1,8 @@
# Generate root backend.tf
generate "backend" {
path = "backend.tf"
if_exists = "overwrite"
contents = <<EOF
#------------------------------------------- #-------------------------------------------
# locals # locals
#------------------------------------------- #-------------------------------------------
@ -22,7 +27,7 @@ provider "vault" {
terraform { terraform {
backend "consul" { backend "consul" {
address = "https://consul.service.consul" address = "https://consul.service.consul"
path = "infra/terraform/vault/state" path = "infra/terraform/vault/${path_relative_to_include()}/state"
scheme = "https" scheme = "https"
lock = true lock = true
ca_file = "/etc/pki/tls/certs/ca-bundle.crt" ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
@ -31,7 +36,9 @@ terraform {
required_providers { required_providers {
vault = { vault = {
source = "hashicorp/vault" source = "hashicorp/vault"
version = "5.4.0" version = "5.6.0"
} }
} }
} }
EOF
}

316
modules/vault_cluster/main.tf Normal file
View File

@ -0,0 +1,316 @@
module "auth_approle_backend" {
source = "./modules/auth_approle_backend"
for_each = var.auth_approle_backend
country = var.country
region = var.region
path = each.key
listing_visibility = each.value.listing_visibility
default_lease_ttl = each.value.default_lease_ttl
max_lease_ttl = each.value.max_lease_ttl
}
module "auth_approle_role" {
source = "./modules/auth_approle_role"
for_each = var.auth_approle_role
country = var.country
region = var.region
approle_name = each.value.approle_name
mount_path = each.value.mount_path
token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
token_ttl = each.value.token_ttl
token_max_ttl = each.value.token_max_ttl
bind_secret_id = each.value.bind_secret_id
secret_id_ttl = each.value.secret_id_ttl
token_bound_cidrs = each.value.token_bound_cidrs
alias_metadata = each.value.alias_metadata
use_deterministic_role_id = each.value.use_deterministic_role_id
depends_on = [module.auth_approle_backend]
}
module "auth_ldap_backend" {
source = "./modules/auth_ldap_backend"
for_each = var.auth_ldap_backend
country = var.country
region = var.region
path = each.key
userdn = each.value.userdn
userattr = each.value.userattr
upndomain = each.value.upndomain
discoverdn = each.value.discoverdn
groupdn = each.value.groupdn
groupfilter = each.value.groupfilter
groupattr = each.value.groupattr
alias_metadata = each.value.alias_metadata
username_as_alias = each.value.username_as_alias
listing_visibility = each.value.listing_visibility
default_lease_ttl = each.value.default_lease_ttl
max_lease_ttl = each.value.max_lease_ttl
}
module "auth_ldap_group" {
source = "./modules/auth_ldap_group"
for_each = var.auth_ldap_group
groupname = each.value.groupname
backend = each.value.backend
policies = each.value.policies
depends_on = [module.auth_ldap_backend]
}
module "auth_kubernetes_backend" {
source = "./modules/auth_kubernetes_backend"
for_each = var.auth_kubernetes_backend
country = var.country
region = var.region
path = each.key
kubernetes_host = each.value.kubernetes_host
disable_iss_validation = each.value.disable_iss_validation
use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
listing_visibility = each.value.listing_visibility
default_lease_ttl = each.value.default_lease_ttl
max_lease_ttl = each.value.max_lease_ttl
}
module "auth_kubernetes_role" {
source = "./modules/auth_kubernetes_role"
for_each = var.auth_kubernetes_role
role_name = each.value.role_name
backend = each.value.backend
bound_service_account_names = each.value.bound_service_account_names
bound_service_account_namespaces = each.value.bound_service_account_namespaces
token_ttl = each.value.token_ttl
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
audience = each.value.audience
depends_on = [module.auth_kubernetes_backend]
}
module "kv_secret_backend" {
source = "./modules/kv_secret_backend"
for_each = var.kv_secret_backend
path = each.key
type = each.value.type
description = each.value.description
kv_version = each.value.version
max_versions = each.value.max_versions
}
module "transit_secret_backend" {
source = "./modules/transit_secret_backend"
for_each = var.transit_secret_backend
path = each.key
description = each.value.description
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
}
module "transit_secret_backend_key" {
source = "./modules/transit_secret_backend_key"
for_each = var.transit_secret_backend_key
name = each.value.name
backend = each.value.backend
type = each.value.type
deletion_allowed = each.value.deletion_allowed
derived = each.value.derived
exportable = each.value.exportable
allow_plaintext_backup = each.value.allow_plaintext_backup
auto_rotate_period = each.value.auto_rotate_period
depends_on = [module.transit_secret_backend]
}
module "ssh_secret_backend" {
source = "./modules/ssh_secret_backend"
for_each = var.ssh_secret_backend
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
generate_signing_key = each.value.generate_signing_key
key_type = each.value.key_type
}
module "ssh_secret_backend_role" {
source = "./modules/ssh_secret_backend_role"
for_each = var.ssh_secret_backend_role
name = each.value.name
backend = each.value.backend
key_type = each.value.key_type
algorithm_signer = each.value.algorithm_signer
ttl = each.value.ttl
allow_host_certificates = each.value.allow_host_certificates
allow_user_certificates = each.value.allow_user_certificates
allowed_domains = each.value.allowed_domains
allow_subdomains = each.value.allow_subdomains
allow_bare_domains = each.value.allow_bare_domains
depends_on = [module.ssh_secret_backend]
}
module "pki_secret_backend" {
source = "./modules/pki_secret_backend"
for_each = var.pki_secret_backend
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
common_name = each.value.common_name
issuer_name = each.value.issuer_name
ttl = each.value.ttl
format = each.value.format
issuing_certificates = each.value.issuing_certificates
crl_distribution_points = each.value.crl_distribution_points
ocsp_servers = each.value.ocsp_servers
enable_templating = each.value.enable_templating
default_issuer_ref = each.value.default_issuer_ref
default_follows_latest_issuer = each.value.default_follows_latest_issuer
crl_expiry = each.value.crl_expiry
crl_disable = each.value.crl_disable
ocsp_disable = each.value.ocsp_disable
auto_rebuild = each.value.auto_rebuild
enable_delta = each.value.enable_delta
delta_rebuild_interval = each.value.delta_rebuild_interval
}
module "pki_secret_backend_role" {
source = "./modules/pki_secret_backend_role"
for_each = var.pki_secret_backend_role
name = each.value.name
backend = each.value.backend
allow_ip_sans = each.value.allow_ip_sans
allowed_domains = each.value.allowed_domains
allow_subdomains = each.value.allow_subdomains
allow_glob_domains = each.value.allow_glob_domains
allow_bare_domains = each.value.allow_bare_domains
enforce_hostnames = each.value.enforce_hostnames
allow_any_name = each.value.allow_any_name
max_ttl = each.value.max_ttl
key_bits = each.value.key_bits
country = each.value.country
use_csr_common_name = each.value.use_csr_common_name
use_csr_sans = each.value.use_csr_sans
depends_on = [module.pki_secret_backend]
}
module "consul_secret_backend" {
source = "./modules/consul_secret_backend"
for_each = var.consul_secret_backend
country = var.country
region = var.region
path = each.key
description = each.value.description
address = each.value.address
bootstrap = each.value.bootstrap
scheme = each.value.scheme
ca_cert = each.value.ca_cert
client_cert = each.value.client_cert
client_key = each.value.client_key
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
}
module "consul_secret_backend_role" {
source = "./modules/consul_secret_backend_role"
for_each = var.consul_secret_backend_role
name = each.value.name
backend = each.value.backend
consul_roles = each.value.consul_roles
ttl = each.value.ttl
max_ttl = each.value.max_ttl
local = each.value.local
depends_on = [module.consul_secret_backend]
}
module "kubernetes_secret_backend" {
source = "./modules/kubernetes_secret_backend"
for_each = var.kubernetes_secret_backend
country = var.country
region = var.region
path = each.key
description = each.value.description
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
kubernetes_host = each.value.kubernetes_host
disable_local_ca_jwt = each.value.disable_local_ca_jwt
}
module "kubernetes_secret_backend_role" {
source = "./modules/kubernetes_secret_backend_role"
for_each = var.kubernetes_secret_backend_role
country = var.country
region = var.region
name = each.value.name
backend = each.value.backend
allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
kubernetes_role_type = each.value.kubernetes_role_type
extra_labels = each.value.extra_labels
depends_on = [module.kubernetes_secret_backend]
}
module "vault_policy" {
source = "./modules/vault_policy"
for_each = var.policy_rules_map
policy_name = each.key
policy_rules = each.value
}
module "pki_mount_only" {
source = "./modules/pki_mount_only"
for_each = var.pki_mount_only
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
issuer_ref = each.value.issuer_ref
issuing_certificates = each.value.issuing_certificates
crl_distribution_points = each.value.crl_distribution_points
ocsp_servers = each.value.ocsp_servers
enable_templating = each.value.enable_templating
default_issuer_ref = each.value.default_issuer_ref
default_follows_latest_issuer = each.value.default_follows_latest_issuer
crl_expiry = each.value.crl_expiry
crl_disable = each.value.crl_disable
ocsp_disable = each.value.ocsp_disable
auto_rebuild = each.value.auto_rebuild
enable_delta = each.value.enable_delta
delta_rebuild_interval = each.value.delta_rebuild_interval
}

11
modules/vault_cluster/modules/auth_approle_backend/main.tf Normal file
View File

@ -0,0 +1,11 @@
resource "vault_auth_backend" "approle" {
type = "approle"
path = var.path
tune {
default_lease_ttl = var.default_lease_ttl
max_lease_ttl = var.max_lease_ttl
listing_visibility = var.listing_visibility
}
}

4
modules/vault_cluster/modules/auth_approle_backend/outputs.tf Normal file
View File

@ -0,0 +1,4 @@
output "backend" {
description = "The created auth backend"
value = vault_auth_backend.approle
}

37
modules/vault_cluster/modules/auth_approle_backend/variables.tf Normal file
View File

@ -0,0 +1,37 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "path" {
description = "Mount path of the AppRole auth backend"
type = string
default = "approle"
}
variable "listing_visibility" {
description = "Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are 'unauth' or 'hidden'"
type = string
default = null
validation {
condition = var.listing_visibility == null || contains(["unauth", "hidden"], var.listing_visibility)
error_message = "listing_visibility must be either 'unauth' or 'hidden'."
}
}
variable "default_lease_ttl" {
description = "Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string"
type = string
default = null
}
variable "max_lease_ttl" {
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
type = string
default = null
}

36
modules/vault_cluster/modules/auth_approle_role/main.tf Normal file
View File

@ -0,0 +1,36 @@
# Expected keys in KV secret for salt: salt
data "vault_kv_secret_v2" "salt_config" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/auth_backend/${var.mount_path}"
}
# Expected keys in KV secret for role_id: role_id (when use_deterministic_role_id = false)
data "vault_kv_secret_v2" "role_config" {
count = var.use_deterministic_role_id ? 0 : 1
mount = "kv"
name = "service/vault/${var.country}/${var.region}/auth_approle_role/${var.mount_path}/${var.approle_name}"
}
locals {
salt = data.vault_kv_secret_v2.salt_config.data["salt"]
role_id_input = "${local.salt}-${var.approle_name}-${var.mount_path}"
deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
# Use deterministic role-id by default, or read from KV if specified
role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]
}
resource "vault_approle_auth_backend_role" "role" {
backend = var.mount_path
role_name = var.approle_name
role_id = local.role_id
token_policies = var.token_policies
token_ttl = var.token_ttl
token_max_ttl = var.token_max_ttl
bind_secret_id = var.bind_secret_id
secret_id_ttl = var.secret_id_ttl
token_bound_cidrs = var.token_bound_cidrs
alias_metadata = var.alias_metadata
}

68
modules/vault_cluster/modules/auth_approle_role/variables.tf Normal file
View File

@ -0,0 +1,68 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "approle_name" {
description = "Name of the AppRole role"
type = string
}
variable "mount_path" {
description = "Mount path of the AppRole auth backend"
type = string
default = "approle"
}
variable "token_policies" {
description = "List of policies to assign to the role (passed from policy_auth_map)"
type = list(string)
}
variable "token_ttl" {
description = "The TTL period of tokens issued using this role"
type = number
default = null
}
variable "token_max_ttl" {
description = "The maximum TTL period of tokens issued using this role"
type = number
default = null
}
variable "bind_secret_id" {
description = "Whether or not to require secret_id to be presented when logging in using this AppRole"
type = bool
default = false
}
variable "secret_id_ttl" {
description = "The TTL period of SecretIDs generated against this AppRole"
type = number
default = null
}
variable "token_bound_cidrs" {
description = "List of CIDR blocks that can authenticate using this role"
type = list(string)
default = []
}
variable "alias_metadata" {
description = "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs"
type = map(string)
default = null
}
variable "use_deterministic_role_id" {
description = "Whether to use deterministic role-id generation (true) or read pre-generated role-id from KV (false)"
type = bool
default = true
}

25
modules/vault_cluster/modules/auth_kubernetes_backend/main.tf Normal file
View File

@ -0,0 +1,25 @@
# Expected keys in KV secret: kubernetes_ca_cert, token_reviewer_jwt
data "vault_kv_secret_v2" "auth_backend_config" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/auth_backend/${var.path}"
}
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = var.path
tune {
default_lease_ttl = var.default_lease_ttl
max_lease_ttl = var.max_lease_ttl
listing_visibility = var.listing_visibility
}
}
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = var.kubernetes_host
kubernetes_ca_cert = data.vault_kv_secret_v2.auth_backend_config.data["kubernetes_ca_cert"]
token_reviewer_jwt = data.vault_kv_secret_v2.auth_backend_config.data["token_reviewer_jwt"]
disable_iss_validation = var.disable_iss_validation
use_annotations_as_alias_metadata = var.use_annotations_as_alias_metadata
}

54
modules/vault_cluster/modules/auth_kubernetes_backend/variables.tf Normal file
View File

@ -0,0 +1,54 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "path" {
description = "Mount path of the Kubernetes auth backend"
type = string
default = "kubernetes"
}
variable "disable_iss_validation" {
description = "Disable JWT issuer validation"
type = bool
default = true
}
variable "use_annotations_as_alias_metadata" {
description = "Use annotations as alias metadata"
type = bool
default = true
}
variable "listing_visibility" {
description = "Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are 'unauth' or 'hidden'"
type = string
default = null
validation {
condition = var.listing_visibility == null || contains(["unauth", "hidden"], var.listing_visibility)
error_message = "listing_visibility must be either 'unauth' or 'hidden'."
}
}
variable "default_lease_ttl" {
description = "Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string"
type = string
default = null
}
variable "max_lease_ttl" {
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
type = string
default = null
}
variable "kubernetes_host" {
description = "Host must be a host string, a host:port pair, or a URL to the base of the Kubernetes API server"
type = string
}

9
modules/vault_cluster/modules/auth_kubernetes_role/main.tf Normal file
View File

@ -0,0 +1,9 @@
resource "vault_kubernetes_auth_backend_role" "role" {
backend = var.backend
role_name = var.role_name
bound_service_account_names = var.bound_service_account_names
bound_service_account_namespaces = var.bound_service_account_namespaces
token_ttl = var.token_ttl
token_policies = var.token_policies
audience = var.audience
}

36
modules/vault_cluster/modules/auth_kubernetes_role/variables.tf Normal file
View File

@ -0,0 +1,36 @@
variable "backend" {
description = "The unique path of the Kubernetes auth backend to configure"
type = string
}
variable "role_name" {
description = "The name of the role"
type = string
}
variable "bound_service_account_names" {
description = "List of service account names able to access this role"
type = list(string)
}
variable "bound_service_account_namespaces" {
description = "List of namespaces allowed to access this role"
type = list(string)
}
variable "token_ttl" {
description = "The TTL period of tokens issued using this role, in seconds"
type = number
default = 3600
}
variable "token_policies" {
description = "List of policies to assign to the role (passed from policy_auth_map)"
type = list(string)
}
variable "audience" {
description = "Audience claim to verify in the JWT"
type = string
default = "vault"
}

27
modules/vault_cluster/modules/auth_ldap_backend/main.tf Normal file
View File

@ -0,0 +1,27 @@
# Expected keys in KV secret: url, binddn, bindpass
data "vault_kv_secret_v2" "auth_backend_config" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/auth_backend/${var.path}"
}
resource "vault_ldap_auth_backend" "ldap" {
path = var.path
url = data.vault_kv_secret_v2.auth_backend_config.data["url"]
userdn = var.userdn
userattr = var.userattr
upndomain = var.upndomain
discoverdn = var.discoverdn
groupdn = var.groupdn
groupfilter = var.groupfilter
groupattr = var.groupattr
binddn = data.vault_kv_secret_v2.auth_backend_config.data["binddn"]
bindpass = data.vault_kv_secret_v2.auth_backend_config.data["bindpass"]
alias_metadata = var.alias_metadata
username_as_alias = var.username_as_alias
tune {
default_lease_ttl = var.default_lease_ttl
max_lease_ttl = var.max_lease_ttl
listing_visibility = var.listing_visibility
}
}

91
modules/vault_cluster/modules/auth_ldap_backend/variables.tf Normal file
View File

@ -0,0 +1,91 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "path" {
description = "Mount path of the LDAP auth backend"
type = string
default = "ldap"
}
variable "userdn" {
description = "Base DN under which to perform user search"
type = string
}
variable "userattr" {
description = "Attribute on user objects matching the username"
type = string
default = "uid"
}
variable "upndomain" {
description = "UPN domain for users"
type = string
default = null
}
variable "discoverdn" {
description = "Use anonymous bind to discover the bind DN of a user"
type = bool
default = false
}
variable "groupdn" {
description = "Base DN under which to perform group search"
type = string
default = null
}
variable "groupfilter" {
description = "Go template for querying group membership"
type = string
default = null
}
variable "groupattr" {
description = "LDAP attribute to follow on objects returned by groupfilter"
type = string
default = "cn"
}
variable "listing_visibility" {
description = "Specifies whether to show this mount in the UI-specific listing endpoint. Valid values are 'unauth' or 'hidden'"
type = string
default = null
validation {
condition = var.listing_visibility == null || contains(["unauth", "hidden"], var.listing_visibility)
error_message = "listing_visibility must be either 'unauth' or 'hidden'."
}
}
variable "default_lease_ttl" {
description = "Specifies the default time-to-live. If set, this overrides the global default. Must be a valid duration string"
type = string
default = null
}
variable "max_lease_ttl" {
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
type = string
default = null
}
variable "alias_metadata" {
description = "The metadata to be tied to generated entity alias. This should be a list or map containing the metadata in key value pairs"
type = map(string)
default = null
}
variable "username_as_alias" {
description = "Force the auth method to use the username passed by the user as the alias name"
type = bool
default = true
}

5
modules/vault_cluster/modules/auth_ldap_group/main.tf Normal file
View File

@ -0,0 +1,5 @@
resource "vault_ldap_auth_backend_group" "group" {
groupname = var.groupname
policies = var.policies
backend = var.backend
}

14
modules/vault_cluster/modules/auth_ldap_group/variables.tf Normal file
View File

@ -0,0 +1,14 @@
variable "groupname" {
description = "Name of the LDAP group"
type = string
}
variable "policies" {
description = "List of policies to assign to the LDAP group"
type = list(string)
}
variable "backend" {
description = "Path of the LDAP auth backend"
type = string
}

21
modules/vault_cluster/modules/consul_secret_backend/main.tf Normal file
View File

@ -0,0 +1,21 @@
# Expected keys in KV secret: token (if not bootstrapping)
data "vault_kv_secret_v2" "secret_backend_config" {
count = var.bootstrap ? 0 : 1
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
}
resource "vault_consul_secret_backend" "consul" {
path = var.path
description = var.description
address = var.address
token = var.bootstrap ? null : data.vault_kv_secret_v2.secret_backend_config[0].data["token"]
bootstrap = var.bootstrap
scheme = var.scheme
ca_cert = var.ca_cert
client_cert = var.client_cert
client_key = var.client_key
default_lease_ttl_seconds = var.default_lease_ttl_seconds
max_lease_ttl_seconds = var.max_lease_ttl_seconds
}

67
modules/vault_cluster/modules/consul_secret_backend/variables.tf Normal file
View File

@ -0,0 +1,67 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "path" {
description = "Mount path of the Consul secrets engine"
type = string
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "address" {
description = "The address of the Consul instance"
type = string
}
variable "bootstrap" {
description = "Whether to bootstrap the Consul backend"
type = bool
default = false
}
variable "scheme" {
description = "The scheme to use when connecting to Consul"
type = string
default = "https"
}
variable "ca_cert" {
description = "CA certificate for TLS verification"
type = string
default = null
}
variable "client_cert" {
description = "Client certificate for TLS authentication"
type = string
default = null
}
variable "client_key" {
description = "Client key for TLS authentication"
type = string
default = null
}
variable "default_lease_ttl_seconds" {
description = "Default lease TTL in seconds"
type = number
default = null
}
variable "max_lease_ttl_seconds" {
description = "Maximum lease TTL in seconds"
type = number
default = null
}

8
modules/vault_cluster/modules/consul_secret_backend_role/main.tf Normal file
View File

@ -0,0 +1,8 @@
resource "vault_consul_secret_backend_role" "role" {
backend = var.backend
name = var.name
consul_roles = var.consul_roles
ttl = var.ttl
max_ttl = var.max_ttl
local = var.local
}

35
modules/vault_cluster/modules/consul_secret_backend_role/variables.tf Normal file
View File

@ -0,0 +1,35 @@
variable "backend" {
description = "The unique path where the Consul backend is mounted"
type = string
}
variable "name" {
description = "The name of the role"
type = string
}
variable "consul_roles" {
description = "List of Consul roles to attach to tokens"
type = list(string)
default = []
}
variable "ttl" {
description = "TTL for generated tokens"
type = number
default = null
}
variable "max_ttl" {
description = "Maximum TTL for generated tokens"
type = number
default = null
}
variable "local" {
description = "Whether tokens should be local to the datacenter"
type = bool
default = false
}

16
modules/vault_cluster/modules/kubernetes_secret_backend/main.tf Normal file
View File

@ -0,0 +1,16 @@
# Expected keys in KV secret: service_account_jwt, kubernetes_ca_cert
data "vault_kv_secret_v2" "secret_backend_config" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
}
resource "vault_kubernetes_secret_backend" "kubernetes" {
path = var.path
description = var.description
default_lease_ttl_seconds = var.default_lease_ttl_seconds
max_lease_ttl_seconds = var.max_lease_ttl_seconds
kubernetes_host = var.kubernetes_host
kubernetes_ca_cert = data.vault_kv_secret_v2.secret_backend_config.data["kubernetes_ca_cert"]
service_account_jwt = data.vault_kv_secret_v2.secret_backend_config.data["service_account_jwt"]
disable_local_ca_jwt = var.disable_local_ca_jwt
}

43
modules/vault_cluster/modules/kubernetes_secret_backend/variables.tf Normal file
View File

@ -0,0 +1,43 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "path" {
description = "Mount path of the Kubernetes secrets engine"
type = string
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "default_lease_ttl_seconds" {
description = "Default lease TTL in seconds"
type = number
default = 600
}
variable "max_lease_ttl_seconds" {
description = "Maximum lease TTL in seconds"
type = number
default = 86400
}
variable "kubernetes_host" {
description = "The Kubernetes API server URL"
type = string
}
variable "disable_local_ca_jwt" {
description = "Whether to disable local CA JWT validation"
type = bool
default = false
}

19
modules/vault_cluster/modules/kubernetes_secret_backend_role/main.tf Normal file
View File

@ -0,0 +1,19 @@
locals {
# Auto-generate role rules path: resources/secret_backend/{backend_path}/roles/{role_name}.yaml
role_rules_file = "resources/secret_backend/${var.backend}/roles/${var.name}.yaml"
# Auto-generate extra labels based on country/region and role name
auto_labels = merge(var.extra_labels, {
vault-region = "${var.country}-${var.region}"
vault-role = var.name
})
}
resource "vault_kubernetes_secret_backend_role" "role" {
backend = var.backend
name = var.name
allowed_kubernetes_namespaces = var.allowed_kubernetes_namespaces
kubernetes_role_type = var.kubernetes_role_type
generated_role_rules = file("${path.module}/../../../../../../../../${local.role_rules_file}")
extra_labels = local.auto_labels
}

37
modules/vault_cluster/modules/kubernetes_secret_backend_role/variables.tf Normal file
View File

@ -0,0 +1,37 @@
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "backend" {
description = "The unique path where the Kubernetes backend is mounted"
type = string
}
variable "name" {
description = "The name of the role"
type = string
}
variable "allowed_kubernetes_namespaces" {
description = "List of allowed Kubernetes namespaces"
type = list(string)
default = ["*"]
}
variable "kubernetes_role_type" {
description = "Type of Kubernetes role (Role or ClusterRole)"
type = string
default = "Role"
}
variable "extra_labels" {
description = "Additional labels to apply to generated Kubernetes objects"
type = map(string)
default = {}
}

17
modules/vault_cluster/modules/kv_secret_backend/main.tf Normal file
View File

@ -0,0 +1,17 @@
resource "vault_mount" "kv" {
path = var.path
type = "kv"
description = var.description
options = {
version = var.kv_version
type = var.type
}
}
resource "vault_kv_secret_backend_v2" "config" {
count = var.type == "kv-v2" && var.max_versions != null ? 1 : 0
mount = vault_mount.kv.path
max_versions = var.max_versions
}

28
modules/vault_cluster/modules/kv_secret_backend/variables.tf Normal file
View File

@ -0,0 +1,28 @@
variable "path" {
description = "Mount path of the KV secrets engine"
type = string
}
variable "type" {
description = "Type of the secrets engine"
type = string
default = "kv-v2"
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "kv_version" {
description = "KV secrets engine version"
type = string
default = "2"
}
variable "max_versions" {
description = "Maximum number of versions to keep per key"
type = number
default = null
}

38
modules/vault_cluster/modules/pki_mount_only/main.tf Normal file
View File

@ -0,0 +1,38 @@
resource "vault_mount" "pki" {
path = var.path
type = "pki"
description = var.description
max_lease_ttl_seconds = var.max_lease_ttl_seconds
}
data "vault_pki_secret_backend_issuer" "issuer" {
backend = vault_mount.pki.path
issuer_ref = var.issuer_ref
}
resource "vault_pki_secret_backend_config_urls" "config_urls" {
backend = vault_mount.pki.path
issuing_certificates = var.issuing_certificates
crl_distribution_points = var.crl_distribution_points
ocsp_servers = var.ocsp_servers
enable_templating = var.enable_templating
}
resource "vault_pki_secret_backend_config_issuers" "issuers" {
count = var.default_issuer_ref != null ? 1 : 0
backend = vault_mount.pki.path
default = var.default_issuer_ref
default_follows_latest_issuer = var.default_follows_latest_issuer
}
resource "vault_pki_secret_backend_crl_config" "crl" {
backend = vault_mount.pki.path
expiry = var.crl_expiry
disable = var.crl_disable
ocsp_disable = var.ocsp_disable
auto_rebuild = var.auto_rebuild
enable_delta = var.enable_delta
delta_rebuild_interval = var.delta_rebuild_interval
}

92
modules/vault_cluster/modules/pki_mount_only/variables.tf Normal file
View File

@ -0,0 +1,92 @@
variable "path" {
description = "Path where the PKI backend will be mounted"
type = string
}
variable "description" {
description = "Description of the PKI mount"
type = string
}
variable "max_lease_ttl_seconds" {
description = "Maximum possible lease duration for tokens and secrets in seconds"
type = number
}
variable "issuer_ref" {
description = "Reference to the PKI issuer (default, or issuer ID/name)"
type = string
default = "default"
}
variable "issuing_certificates" {
description = "List of URLs for issuing certificates"
type = list(string)
default = []
}
variable "crl_distribution_points" {
description = "List of URLs for CRL distribution points"
type = list(string)
default = []
}
variable "ocsp_servers" {
description = "List of OCSP server URLs"
type = list(string)
default = []
}
variable "enable_templating" {
description = "Whether to enable URL templating"
type = bool
default = false
}
variable "default_issuer_ref" {
description = "Default issuer reference"
type = string
default = null
}
variable "default_follows_latest_issuer" {
description = "Whether the default issuer follows the latest issuer"
type = bool
default = false
}
variable "crl_expiry" {
description = "CRL expiry time"
type = string
default = "72h"
}
variable "crl_disable" {
description = "Whether to disable CRL"
type = bool
default = false
}
variable "ocsp_disable" {
description = "Whether to disable OCSP"
type = bool
default = false
}
variable "auto_rebuild" {
description = "Whether to enable auto rebuild of CRL"
type = bool
default = false
}
variable "enable_delta" {
description = "Whether to enable delta CRL"
type = bool
default = false
}
variable "delta_rebuild_interval" {
description = "Delta CRL rebuild interval"
type = string
default = null
}

54
modules/vault_cluster/modules/pki_secret_backend/main.tf Normal file
View File

@ -0,0 +1,54 @@
resource "vault_mount" "pki" {
path = var.path
type = "pki"
description = var.description
max_lease_ttl_seconds = var.max_lease_ttl_seconds
}
resource "vault_pki_secret_backend_root_cert" "root_cert" {
backend = vault_mount.pki.path
common_name = var.common_name
issuer_name = var.issuer_name
ttl = var.ttl
format = var.format
type = "internal"
}
data "vault_pki_secret_backend_issuer" "issuer" {
backend = vault_mount.pki.path
issuer_ref = vault_pki_secret_backend_root_cert.root_cert.issuer_id
depends_on = [vault_pki_secret_backend_root_cert.root_cert]
}
resource "vault_pki_secret_backend_config_urls" "urls" {
backend = vault_mount.pki.path
issuing_certificates = var.issuing_certificates
crl_distribution_points = var.crl_distribution_points
ocsp_servers = var.ocsp_servers
enable_templating = var.enable_templating
}
resource "vault_pki_secret_backend_config_issuers" "issuers" {
backend = vault_mount.pki.path
default = data.vault_pki_secret_backend_issuer.issuer.issuer_id
default_follows_latest_issuer = var.default_follows_latest_issuer
depends_on = [
vault_pki_secret_backend_root_cert.root_cert,
data.vault_pki_secret_backend_issuer.issuer
]
}
resource "vault_pki_secret_backend_crl_config" "crl" {
backend = vault_mount.pki.path
expiry = var.crl_expiry
disable = var.crl_disable
ocsp_disable = var.ocsp_disable
auto_rebuild = var.auto_rebuild
enable_delta = var.enable_delta
delta_rebuild_interval = var.delta_rebuild_interval
depends_on = [vault_pki_secret_backend_root_cert.root_cert]
}

110
modules/vault_cluster/modules/pki_secret_backend/variables.tf Normal file
View File

@ -0,0 +1,110 @@
variable "path" {
description = "Mount path of the PKI secrets engine"
type = string
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "max_lease_ttl_seconds" {
description = "Maximum lease TTL in seconds"
type = number
default = 315360000 # 87600 * 3600
}
variable "common_name" {
description = "Common name for the root certificate"
type = string
}
variable "issuer_name" {
description = "Name for the root CA issuer"
type = string
}
variable "ttl" {
description = "TTL for the root certificate in seconds"
type = number
default = 315360000 # 87600 * 3600
}
variable "format" {
description = "Format for the certificate"
type = string
default = "pem"
}
variable "issuing_certificates" {
description = "List of issuing certificate URLs"
type = list(string)
default = []
}
variable "crl_distribution_points" {
description = "List of CRL distribution point URLs"
type = list(string)
default = []
}
variable "ocsp_servers" {
description = "List of OCSP server URLs"
type = list(string)
default = []
}
variable "enable_templating" {
description = "Whether to enable templating for URL configuration"
type = bool
default = false
}
variable "default_issuer_ref" {
description = "Reference to the default issuer"
type = string
default = null
}
variable "default_follows_latest_issuer" {
description = "Whether the default issuer should follow the latest issuer"
type = bool
default = false
}
variable "crl_expiry" {
description = "CRL expiration time"
type = string
default = "72h"
}
variable "crl_disable" {
description = "Whether to disable CRL"
type = bool
default = false
}
variable "ocsp_disable" {
description = "Whether to disable OCSP"
type = bool
default = false
}
variable "auto_rebuild" {
description = "Whether to auto-rebuild CRL"
type = bool
default = false
}
variable "enable_delta" {
description = "Whether to enable delta CRL"
type = bool
default = false
}
variable "delta_rebuild_interval" {
description = "Delta CRL rebuild interval"
type = string
default = null
}

16
modules/vault_cluster/modules/pki_secret_backend_role/main.tf Normal file
View File

@ -0,0 +1,16 @@
resource "vault_pki_secret_backend_role" "role" {
backend = var.backend
name = var.name
allow_ip_sans = var.allow_ip_sans
allowed_domains = var.allowed_domains
allow_subdomains = var.allow_subdomains
allow_glob_domains = var.allow_glob_domains
allow_bare_domains = var.allow_bare_domains
enforce_hostnames = var.enforce_hostnames
allow_any_name = var.allow_any_name
max_ttl = var.max_ttl
key_bits = var.key_bits
country = var.country
use_csr_common_name = var.use_csr_common_name
use_csr_sans = var.use_csr_sans
}

81
modules/vault_cluster/modules/pki_secret_backend_role/variables.tf Normal file
View File

@ -0,0 +1,81 @@
variable "backend" {
description = "The unique path where the PKI backend is mounted"
type = string
}
variable "name" {
description = "The name of the role"
type = string
}
variable "allow_ip_sans" {
description = "Whether IP Subject Alternative Names are allowed"
type = bool
default = false
}
variable "allowed_domains" {
description = "List of allowed domains for certificates"
type = list(string)
default = []
}
variable "allow_subdomains" {
description = "Whether subdomains are allowed"
type = bool
default = false
}
variable "allow_glob_domains" {
description = "Whether glob domains are allowed"
type = bool
default = false
}
variable "allow_bare_domains" {
description = "Whether bare domains are allowed"
type = bool
default = false
}
variable "enforce_hostnames" {
description = "Whether to enforce hostnames"
type = bool
default = false
}
variable "allow_any_name" {
description = "Whether any name is allowed"
type = bool
default = false
}
variable "max_ttl" {
description = "Maximum TTL for certificates in seconds"
type = number
default = null
}
variable "key_bits" {
description = "Number of bits for the key"
type = number
default = 4096
}
variable "country" {
description = "List of countries for certificate subject"
type = list(string)
default = []
}
variable "use_csr_common_name" {
description = "Whether to use CSR common name"
type = bool
default = false
}
variable "use_csr_sans" {
description = "Whether to use CSR Subject Alternative Names"
type = bool
default = false
}

14
modules/vault_cluster/modules/ssh_secret_backend/main.tf Normal file
View File

@ -0,0 +1,14 @@
resource "vault_mount" "ssh" {
path = var.path
type = "ssh"
description = var.description
max_lease_ttl_seconds = var.max_lease_ttl_seconds
}
resource "vault_ssh_secret_backend_ca" "ssh_ca" {
count = var.generate_signing_key != null ? 1 : 0
backend = vault_mount.ssh.path
generate_signing_key = var.generate_signing_key
key_type = var.key_type
}

Some files were not shown because too many files have changed in this diff Show More