Add a gpg_key module and a 'pass' key for password-store
Manage OpenPGP keys in the gpg engine from Terraform using the new
gpgvaultsecret provider, and create the first key ('pass') for passv.
- Add a gpg_key module wrapping the gpg_key resource; wire it through
vault_cluster (variable + module, depends_on the mount) and config discovery
(config.hcl group keyed <backend>/<name>, syd1 terragrunt input), mirroring
the *_secret_backend_role modules.
- Register the gpg provider in root.hcl (provider block + required_providers,
v0.1.0 from the terraform-unkin registry), alongside litellm.
- Add config/gpg_key/gpg/pass.yaml: an rsa-4096 key 'pass' in the gpg mount for
password-store. Private key stays in Vault; clients import the public key and
delegate decryption to gpg/decrypt/pass.
This commit is contained in:
@@ -203,5 +203,13 @@ locals {
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "gpg_secret_backend/")
|
||||
}
|
||||
gpg_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "gpg_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "gpg_key/")
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
# config/gpg_key/gpg/pass.yaml
|
||||
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
||||
# stays in Vault; clients import the exported public key to encrypt and delegate
|
||||
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
||||
algorithm: rsa-4096
|
||||
identity: "pass <pass@unkin.net>"
|
||||
exportable: false
|
||||
Reference in New Issue
Block a user