Mount the gpg engine and manage a 'pass' key
Mount the gpg secrets engine (the plugin is registered separately via the plugin module + config/plugins, #89) and manage OpenPGP keys with the gpgvaultsecret provider. - gpg_secret_backend module: mounts the registered plugin type; depends_on the plugin module so the mount waits for catalog registration. - gpg_key module (via the gpgvaultsecret provider, registered in root.hcl): create/configure keys; wired through vault_cluster + config discovery (config/gpg_key/<backend>/<name>.yaml). - config/gpg_secret_backend/gpg.yaml mounts at gpg/; config/gpg_key/gpg/pass.yaml is an rsa-4096 'pass' key for password-store (private key stays in Vault; clients decrypt via gpg/decrypt/pass). Rebased onto master after the access (#88) and plugin-import (#89) PRs merged.
This commit is contained in:
@@ -346,6 +346,34 @@ module "plugin" {
|
||||
plugin_version = each.value.version
|
||||
}
|
||||
|
||||
module "gpg_secret_backend" {
|
||||
source = "./modules/gpg_secret_backend"
|
||||
|
||||
for_each = var.gpg_secret_backend
|
||||
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
description = each.value.description
|
||||
|
||||
depends_on = [module.plugin]
|
||||
}
|
||||
|
||||
module "gpg_key" {
|
||||
source = "./modules/gpg_key"
|
||||
|
||||
for_each = var.gpg_key
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
algorithm = each.value.algorithm
|
||||
identity = each.value.identity
|
||||
exportable = each.value.exportable
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
min_decryption_version = each.value.min_decryption_version
|
||||
|
||||
depends_on = [module.gpg_secret_backend]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
|
||||
Reference in New Issue
Block a user