feat: add transit engine

- add transit engine - add policies to manage keys, encryption and decryption - add ability to create keys to tf_vault approle
2025-11-15 15:55:51 +11:00 · 2025-11-15 15:55:51 +11:00 · 85d81fef72
commit 85d81fef72
parent 59b7b01c23
6 changed files with 34 additions and 1 deletions
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@ -15,11 +15,12 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
    "pki_int/pki_int_roles_admin",
    "pki_root/pki_root_roles_admin",
    "ssh-host-signer/ssh-host-signer_roles_admin",
-    "sshca_roles_admin",
+    "sshca/sshca_roles_admin",
    "kv/service/glauth/services/svc_vault_read",
    "sys/sys_auth_admin",
    "sys/sys_mounts_admin",
    "sys/sys_policy_admin",
+    "transit/keys/admin",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/engine_transit.tf
+++ b/engine_transit.tf
@ -0,0 +1,13 @@
+resource "vault_mount" "transit" {
+  path                      = "transit"
+  type                      = "transit"
+  description               = "Transit Engine"
+  default_lease_ttl_seconds = 3600
+  max_lease_ttl_seconds     = 86400
+}
+
+resource "vault_transit_secret_backend_key" "key" {
+  backend = vault_mount.transit.path
+  name    = "au-syd1-k8s-vso"
+  type    = "aes256-gcm96"
+}
--- a/policies.tf
+++ b/policies.tf
@ -13,6 +13,9 @@ locals {
    "policies/rundeck",
    "policies/ssh-host-signer",
    "policies/sshca",
+    "policies/transit/decrypt",
+    "policies/transit/encrypt",
+    "policies/transit/keys",
    "policies/kv/service/glauth/services",
    "policies/kv/service/incus",
    "policies/kv/service/packer",
--- a/policies/transit/decrypt/au-syd1-k8s-vso.hcl
+++ b/policies/transit/decrypt/au-syd1-k8s-vso.hcl
@ -0,0 +1,4 @@
+# Allow decryption with the au-syd1-k8s-vso key
+path "transit/decrypt/au-syd1-k8s-vso" {
+  capabilities = ["create", "update"]
+}
--- a/policies/transit/encrypt/au-syd1-k8s-vso.hcl
+++ b/policies/transit/encrypt/au-syd1-k8s-vso.hcl
@ -0,0 +1,4 @@
+# Allow encryption with the au-syd1-k8s-vso key
+path "transit/encrypt/au-syd1-k8s-vso" {
+  capabilities = ["create", "update"]
+}
--- a/policies/transit/keys/admin.hcl
+++ b/policies/transit/keys/admin.hcl
@ -0,0 +1,8 @@
+# Allow management of keys (create, update, delete, list, and read)
+path "transit/keys/*" {
+  capabilities = ["create", "update", "delete", "read", "list"]
+}
+# Allow listing of available keys
+path "transit/keys" {
+  capabilities = ["read", "list"]
+}