Add a gpg_key module and a 'pass' key for password-store
Manage OpenPGP keys in the gpg engine from Terraform using the new
gpgvaultsecret provider, and create the first key ('pass') for passv.
- Add a gpg_key module wrapping the gpg_key resource; wire it through
vault_cluster (variable + module, depends_on the mount) and config discovery
(config.hcl group keyed <backend>/<name>, syd1 terragrunt input), mirroring
the *_secret_backend_role modules.
- Register the gpg provider in root.hcl (provider block + required_providers,
v0.1.0 from the terraform-unkin registry), alongside litellm.
- Add config/gpg_key/gpg/pass.yaml: an rsa-4096 key 'pass' in the gpg mount for
password-store. Private key stays in Vault; clients import the public key and
delegate decryption to gpg/decrypt/pass.
This commit is contained in:
@@ -326,6 +326,20 @@ variable "gpg_secret_backend" {
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "gpg_key" {
|
||||
description = "Map of OpenPGP keys to manage in a gpg engine mount"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
algorithm = optional(string, "rsa-3072")
|
||||
identity = optional(string)
|
||||
exportable = optional(bool, false)
|
||||
deletion_allowed = optional(bool, false)
|
||||
min_decryption_version = optional(number)
|
||||
}))
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "policy_auth_map" {
|
||||
description = "Map of auth mounts -> auth roles -> policy names"
|
||||
type = map(map(list(string)))
|
||||
|
||||
Reference in New Issue
Block a user