Add a gpg_key module and a 'pass' key for password-store
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful

Manage OpenPGP keys in the gpg engine from Terraform using the new
gpgvaultsecret provider, and create the first key ('pass') for passv.

- Add a gpg_key module wrapping the gpg_key resource; wire it through
  vault_cluster (variable + module, depends_on the mount) and config discovery
  (config.hcl group keyed <backend>/<name>, syd1 terragrunt input), mirroring
  the *_secret_backend_role modules.
- Register the gpg provider in root.hcl (provider block + required_providers,
  v0.1.0 from the terraform-unkin registry), alongside litellm.
- Add config/gpg_key/gpg/pass.yaml: an rsa-4096 key 'pass' in the gpg mount for
  password-store. Private key stays in Vault; clients import the public key and
  delegate decryption to gpg/decrypt/pass.
This commit is contained in:
2026-07-16 23:45:01 +10:00
parent 0c188118a5
commit e90070b9a0
9 changed files with 116 additions and 0 deletions
+10
View File
@@ -17,6 +17,12 @@ provider "litellm" {
address = local.vault_addr
}
# The gpg secrets engine's keys are managed through its own provider (same Vault
# server; token falls back to VAULT_TOKEN).
provider "gpg" {
address = local.vault_addr
}
terraform {
backend "consul" {
address = "https://consul.service.consul"
@@ -39,6 +45,10 @@ terraform {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
gpg = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0"
}
}
}
EOF