From f78416361b7a22b9840fe01778c913dc53b13c27 Mon Sep 17 00:00:00 2001 
From: Ben Vincent
Date: Thu, 26 Sep 2024 22:59:40 +1000
Subject: [PATCH] feat: manage terraform access to vault
- add approle for terraform, tf_vault
- add policices to manage terraform access to vault
- add policices for default access to vault from ldap users
---
 auth_approle_tf_vault.tf | 27 +++++++++++++++++++
 auth_backend_ldap.tf | 12 +++++----
 policies.tf | 27 +++++++++++--------
 policies/auth/approle/approle_role_admin.hcl | 3 +++
 policies/auth/approle/approle_role_login.hcl | 3 +++
 policies/auth/ldap/ldap_admin.hcl | 3 +++
 policies/auth/token/auth_token_create.hcl | 7 +++++
 policies/auth/token/auth_token_lookup.hcl | 4 +++
 policies/auth/token/auth_token_renew.hcl | 4 +++
 .../auth/token/auth_token_roles_admin.hcl | 3 +++
 policies/auth/token/auth_token_self.hcl | 14 ++++++++++
 policies/default_access.hcl | 15 +++++++++++
 .../glauth/services/svc_vault_read.hcl | 3 +++
 policies/pki_int/pki_int_roles_admin.hcl | 3 +++
 policies/pki_root/pki_root_roles_admin.hcl | 3 +++
 .../ssh-host-signer_roles_admin.hcl | 3 +++
 policies/sshca/sshca_roles_admin.hcl | 3 +++
 policies/sys/sys_audit_read.hcl | 4 +++
 policies/sys/sys_auth_admin.hcl | 4 +++
 policies/sys/sys_mounts_admin.hcl | 14 ++++++++++
 policies/sys/sys_policy_admin.hcl | 9 +++++++
 21 files changed, 152 insertions(+), 16 deletions(-)
 create mode 100644 auth_approle_tf_vault.tf
 create mode 100644 policies/auth/approle/approle_role_admin.hcl
 create mode 100644 policies/auth/approle/approle_role_login.hcl
 create mode 100644 policies/auth/ldap/ldap_admin.hcl
 create mode 100644 policies/auth/token/auth_token_create.hcl
 create mode 100644 policies/auth/token/auth_token_lookup.hcl
 create mode 100644 policies/auth/token/auth_token_renew.hcl
 create mode 100644 policies/auth/token/auth_token_roles_admin.hcl
 create mode 100644 policies/auth/token/auth_token_self.hcl
 create mode 100644 policies/default_access.hcl
 create mode 100644 policies/kv/service/glauth/services/svc_vault_read.hcl
 create mode 100644 policies/pki_int/pki_int_roles_admin.hcl
 create mode 100644 policies/pki_root/pki_root_roles_admin.hcl
 create mode 100644 policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
 create mode 100644 policies/sshca/sshca_roles_admin.hcl
 create mode 100644 policies/sys/sys_audit_read.hcl
 create mode 100644 policies/sys/sys_auth_admin.hcl
 create mode 100644 policies/sys/sys_mounts_admin.hcl
 create mode 100644 policies/sys/sys_policy_admin.hcl
diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
new file mode 100644
index 0000000..c78201a
--- /dev/null
+++ b/auth_approle_tf_vault.tf
@@ -0,0 +1,27 @@
+resource "vault_approle_auth_backend_role" "tf_vault" {
+ role_name = "tf_vault"
+ bind_secret_id = false
+ token_policies = [
+ "default_access",
+ "auth_token_create",
+ "auth_token_self",
+ "auth_token_roles_admin",
+ "approle_role_admin",
+ "approle_role_login",
+ "approle_token_create",
+ "ldap_admin",
+ "pki_int_roles_admin",
+ "pki_root_roles_admin",
+ "ssh-host-signer_roles_admin",
+ "sshca_roles_admin",
+ "svc_vault_read",
+ "sys_auth_admin",
+ "sys_mounts_admin",
+ "sys_policy_admin",
+ ]
+ token_ttl = 60
+ token_max_ttl = 120
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ ]
+}
diff --git a/auth_backend_ldap.tf b/auth_backend_ldap.tf
index c2b3c2b..fb34a87 100644
--- a/auth_backend_ldap.tf
+++ b/auth_backend_ldap.tf
@@ -3,7 +3,7 @@
 #--------------------------------
 # retrieve the bindpass from Vault
-data "vault_generic_secret" "ldap_bindpass" {
+data "vault_generic_secret" "svc_vault" {
 path = "kv/service/glauth/services/svc_vault"
 }
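Review bot: `"approle_token_create"` in token_policies has no matching policy file anywhere in this commit (policies/auth/approle adds only approle_role_admin and approle_role_login), and Vault attaches an unknown policy name to a role without error, so the resulting token silently lacks whatever that entry was meant to grant; add the file or remove the entry. The role also combines sys_policy_admin, approle_role_admin and sys_auth_admin, which together let a holder rewrite its own policies, so it should be reviewed as root-equivalent; with `bind_secret_id = false` the role_id is the only login credential and the single /32 in token_bound_cidrs is the sole compensating control. Consider `bind_secret_id = true` with the secret_id delivered to the Terraform host out of band, and record the decision on the resource, e.g. `# Root-equivalent automation role: login is pinned to the Terraform host; treat role_id as a secret`. token_ttl and token_max_ttl are in seconds in this provider, so a 60 s token is presumably intended to cover only a single run; a comment saying so would save the next reader from assuming minutes.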
@@ -18,12 +18,14 @@ resource "vault_ldap_auth_backend" "ldap" {
 groupdn = "ou=users,dc=main,dc=unkin,dc=net"
 groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
 groupattr = "uid"
- binddn = data.vault_generic_secret.ldap_bindpass.data["distinguishedName"]
- bindpass = data.vault_generic_secret.ldap_bindpass.data["pass"]
+ binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
+ bindpass = data.vault_generic_secret.svc_vault.data["pass"]
 }
 resource "vault_ldap_auth_backend_group" "vault_access" {
 groupname = "vault_access"
- policies = ["sshca_signuser"]
- backend = vault_ldap_auth_backend.ldap.path
+ policies = [
+ "default_access",
+ ]
+ backend = vault_ldap_auth_backend.ldap.path
 }
diff --git a/policies.tf b/policies.tf
index 29700e4..4eef688 100644
--- a/policies.tf
+++ b/policies.tf
@@ -1,18 +1,24 @@
-# Define directories for different policy sets
+# Define a list of directories that contain policy files
 locals {
- policy_directories = {
- pki_int = "policies/pki_int"
- pki_root = "policies/pki_root"
- rundeck = "policies/rundeck"
- ssh_host_signer = "policies/ssh-host-signer"
- sshca = "policies/sshca"
- }
+ policy_directories = [
+ "policies",
+ "policies/sys",
+ "policies/auth/approle",
+ "policies/auth/ldap",
+ "policies/auth/token",
+ "policies/pki_int",
+ "policies/pki_root",
+ "policies/rundeck",
+ "policies/ssh-host-signer",
+ "policies/sshca",
+ "policies/kv/service/glauth/services"
+ ]
 }
 # Load policy files from each directory
 locals {
 policy_files = flatten([
- for dir, path in local.policy_directories : [
+ for path in local.policy_directories : [
 for policy in fileset(path, "*.hcl") : {
 name = trim(replace(policy, ".hcl", ""), "/")
 path = "${path}/${policy}"
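Review bot: The vault_access group's policy list replaces `sshca_signuser` with `default_access` instead of adding alongside it, and default_access (added in this commit) grants only list/read on the pki_int, pki_root, ssh-host-signer and sshca mounts, so LDAP users in that group presumably lose whatever signing capability sshca_signuser carried. If that is not intended the fix is `policies = ["default_access", "sshca_signuser"]`; if it is intended, the commit message should say so, since it only describes adding default access. The enclosing vault_ldap_auth_backend resource starts before this hunk.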
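Review bot: `fileset(path, "*.hcl")` is not recursive, so every new policy directory has to be appended to policy_directories by hand, and a policy file placed in an unlisted directory is never created in Vault while any role that names it gets an entry that grants nothing — neither plan nor Vault reports this. A single recursive glob removes that failure mode: `policy_files = [for f in fileset("policies", "**/*.hcl") : { name = trimsuffix(basename(f), ".hcl"), path = "policies/${f}" }]`, which also replaces `replace(policy, ".hcl", "")` — that strips the substring wherever it occurs, not only as a suffix — with trimsuffix (the `**/` prefix should also match zero directories, so the top-level default_access.hcl is included; confirm with terraform console). Duplicate basenames across directories would still collide in the for_each key, exactly as they do today. The locals block holding policy_files continues past the end of this hunk.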
@@ -21,11 +27,10 @@ locals {
 ])
 }
-# Define vault policies for all sets
+# Define Vault policies for all listed directories
 resource "vault_policy" "policies" {
 for_each = { for policy in local.policy_files : policy.name => policy }
 name = each.value.name
 policy = file(each.value.path)
 }
-
diff --git a/policies/auth/approle/approle_role_admin.hcl b/policies/auth/approle/approle_role_admin.hcl
new file mode 100644
index 0000000..7ebf64f
--- /dev/null
+++ b/policies/auth/approle/approle_role_admin.hcl
@@ -0,0 +1,3 @@
+path "auth/approle/role/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/auth/approle/approle_role_login.hcl b/policies/auth/approle/approle_role_login.hcl
new file mode 100644
index 0000000..f548494
--- /dev/null
+++ b/policies/auth/approle/approle_role_login.hcl
@@ -0,0 +1,3 @@
+path "auth/approle/login" {
+ capabilities = ["create"]
+}
diff --git a/policies/auth/ldap/ldap_admin.hcl b/policies/auth/ldap/ldap_admin.hcl
new file mode 100644
index 0000000..5a790b8
--- /dev/null
+++ b/policies/auth/ldap/ldap_admin.hcl
@@ -0,0 +1,3 @@
+path "auth/ldap/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/auth/token/auth_token_create.hcl b/policies/auth/token/auth_token_create.hcl
new file mode 100644
index 0000000..ff3d7f8
--- /dev/null
+++ b/policies/auth/token/auth_token_create.hcl
@@ -0,0 +1,7 @@
+path "auth/token/create" {
+ capabilities = ["create", "read", "update", "list"]
+}
+
+path "auth/token/*" {
+ capabilities = ["create", "update"]
+}
diff --git a/policies/auth/token/auth_token_lookup.hcl b/policies/auth/token/auth_token_lookup.hcl
new file mode 100644
index 0000000..d33244c
--- /dev/null
+++ b/policies/auth/token/auth_token_lookup.hcl
@@ -0,0 +1,4 @@
+# Allow listing and reading tokens
+path "auth/token/lookup" {
+ capabilities = ["read", "list"]
+}
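Review bot: The second block of auth_token_create.hcl, `path "auth/token/*"` with create/update, is far broader than the file name suggests: it also covers create-orphan, revoke, revoke-accessor, revoke-orphan, tidy and updates under roles/*, so any token carrying this policy — and tf_vault is given it — can mint or revoke tokens well beyond its own role. If the requirement is to create tokens against named token roles, `path "auth/token/create/*" { capabilities = ["create", "update"] }` is the narrower form, with any further endpoint listed explicitly. The `read` and `list` capabilities on the first block's `auth/token/create` correspond to no read endpoint and can be dropped, and unlike its sibling files this one has no header comment; `# Allow creating tokens against the named token roles` would match them.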
diff --git a/policies/auth/token/auth_token_renew.hcl b/policies/auth/token/auth_token_renew.hcl
new file mode 100644
index 0000000..92e5ca3
--- /dev/null
+++ b/policies/auth/token/auth_token_renew.hcl
@@ -0,0 +1,4 @@
+# Allow renewing tokens
+path "auth/token/renew" {
+ capabilities = ["update"]
+}
diff --git a/policies/auth/token/auth_token_roles_admin.hcl b/policies/auth/token/auth_token_roles_admin.hcl
new file mode 100644
index 0000000..7bc329f
--- /dev/null
+++ b/policies/auth/token/auth_token_roles_admin.hcl
@@ -0,0 +1,3 @@
+path "auth/token/roles/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
diff --git a/policies/auth/token/auth_token_self.hcl b/policies/auth/token/auth_token_self.hcl
new file mode 100644
index 0000000..55a1157
--- /dev/null
+++ b/policies/auth/token/auth_token_self.hcl
@@ -0,0 +1,14 @@
+# Allow tokens to query themselves
+path "auth/token/lookup-self" {
+ capabilities = ["read"]
+}
+
+# Allow tokens to renew themselves
+path "auth/token/renew-self" {
+ capabilities = ["update"]
+}
+
+# Allow tokens to revoke themselves
+path "auth/token/revoke-self" {
+ capabilities = ["update"]
+}
diff --git a/policies/default_access.hcl b/policies/default_access.hcl
new file mode 100644
index 0000000..f981711
--- /dev/null
+++ b/policies/default_access.hcl
@@ -0,0 +1,15 @@
+path "pki_int/*" {
+ capabilities = ["list", "read"]
+}
+
+path "pki_root/*" {
+ capabilities = ["list", "read"]
+}
+
+path "ssh-host-signer/*" {
+ capabilities = ["list", "read"]
+}
+
+path "sshca/*" {
+ capabilities = ["list", "read"]
+}
diff --git a/policies/kv/service/glauth/services/svc_vault_read.hcl b/policies/kv/service/glauth/services/svc_vault_read.hcl
new file mode 100644
index 0000000..93300b6
--- /dev/null
+++ b/policies/kv/service/glauth/services/svc_vault_read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/glauth/services/svc_vault" {
+ capabilities = ["list", "read"]
+}
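Review bot: In default_access.hcl, `pki_int/*`, `pki_root/*`, `ssh-host-signer/*` and `sshca/*` with read/list cover every endpoint under those mounts — roles/*, config/* and the issuer and key listings included — which is presumably more than an ordinary LDAP user needs, and since this is the policy every vault_access member receives it sets the blast radius of a compromised LDAP account. Scoping it to the endpoints users actually consume (for example `pki_int/cert/*`, `pki_int/ca*` and `sshca/config/ca`) keeps that radius small; if the wide glob is deliberate, say why in a comment. The file also lacks the header comment its token and sys siblings have; `# Baseline read-only access granted to every LDAP user in vault_access` would match them.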
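Review bot: svc_vault_read.hcl grants `kv/data/service/glauth/services/svc_vault`, the KV v2 data path, while the `vault_generic_secret.svc_vault` data source in auth_backend_ldap.tf reads `kv/service/glauth/services/svc_vault` with no `data/` segment; only one of the two can be right for the kv mount, so either the data source path needs `kv/data/...` (KV v2) or this policy should read `kv/service/glauth/services/svc_vault` (KV v1). On a KV v2 mount `list` is served from the `kv/metadata/...` path rather than `kv/data/...`, so the `list` capability here is presumably inert and the block could be reduced to `capabilities = ["read"]`. A header comment naming what the secret is for (the LDAP bind account consumed by auth_backend_ldap.tf) would match the token policy files.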
diff --git a/policies/pki_int/pki_int_roles_admin.hcl b/policies/pki_int/pki_int_roles_admin.hcl
new file mode 100644
index 0000000..ffbab59
--- /dev/null
+++ b/policies/pki_int/pki_int_roles_admin.hcl
@@ -0,0 +1,3 @@
+path "pki_int/roles/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/pki_root/pki_root_roles_admin.hcl b/policies/pki_root/pki_root_roles_admin.hcl
new file mode 100644
index 0000000..11ec94b
--- /dev/null
+++ b/policies/pki_root/pki_root_roles_admin.hcl
@@ -0,0 +1,3 @@
+path "pki_root/roles/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl b/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
new file mode 100644
index 0000000..a6e723f
--- /dev/null
+++ b/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
@@ -0,0 +1,3 @@
+path "ssh-host-signer/roles/*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
diff --git a/policies/sshca/sshca_roles_admin.hcl b/policies/sshca/sshca_roles_admin.hcl
new file mode 100644
index 0000000..ac09136
--- /dev/null
+++ b/policies/sshca/sshca_roles_admin.hcl
@@ -0,0 +1,3 @@
+path "sshca/roles/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/policies/sys/sys_audit_read.hcl b/policies/sys/sys_audit_read.hcl
new file mode 100644
index 0000000..b294013
--- /dev/null
+++ b/policies/sys/sys_audit_read.hcl
@@ -0,0 +1,4 @@
+# Allow reading audit logs related to secret engines
+path "sys/audit" {
+ capabilities = ["read", "list"]
+}
diff --git a/policies/sys/sys_auth_admin.hcl b/policies/sys/sys_auth_admin.hcl
new file mode 100644
index 0000000..b07492e
--- /dev/null
+++ b/policies/sys/sys_auth_admin.hcl
@@ -0,0 +1,4 @@
+# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
+path "sys/auth/*" {
+ capabilities = ["create", "update", "delete", "read", "list"]
+}
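Review bot: The header comment in sys_audit_read.hcl, `# Allow reading audit logs related to secret engines`, misdescribes the grant: `sys/audit` only lists the enabled audit devices and their options, and audit log contents are never exposed through the Vault API. Replace it with `# Allow listing the enabled audit devices (sys/audit does not expose log contents)`. Note that sys_audit_read, like auth_token_lookup and auth_token_renew, is not attached to the tf_vault role in this commit, so these files are presumably staged for later use; a line in the commit message or a comment would make that intent clear.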
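Review bot: The header comment in sys_auth_admin.hcl reads awkwardly (`creating and management`) and does not mention that `sys/auth/*` also matches the per-mount tune endpoint; `# Allow enabling, tuning and disabling authentication methods (AppRole, LDAP, etc.)` states the grant precisely. Together with sys_policy_admin this policy is part of what makes the tf_vault role root-equivalent, which is worth naming in the comment so the policy is not handed out casually.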
diff --git a/policies/sys/sys_mounts_admin.hcl b/policies/sys/sys_mounts_admin.hcl
new file mode 100644
index 0000000..4383e1e
--- /dev/null
+++ b/policies/sys/sys_mounts_admin.hcl
@@ -0,0 +1,14 @@
+# Allow access to manage secret engines (mount, unmount, update)
+path "sys/mounts/*" {
+ capabilities = ["create", "update", "delete", "read", "list"]
+}
+
+# Allow tuning existing secret engines
+path "sys/mounts-tune/*" {
+ capabilities = ["update", "read"]
+}
+
+# Allow reaing and listing of enabled secret engines
+path "sys/mounts" {
+ capabilities = ["read", "list"]
+}
diff --git a/policies/sys/sys_policy_admin.hcl b/policies/sys/sys_policy_admin.hcl
new file mode 100644
index 0000000..43d2310
--- /dev/null
+++ b/policies/sys/sys_policy_admin.hcl
@@ -0,0 +1,9 @@
+# Allow management of policies (create, update, delete, list, and read)
+path "sys/policies/acl/*" {
+ capabilities = ["create", "update", "delete", "read", "list"]
+}
+
+# Allow listing of available policies
+path "sys/policies/acl" {
+ capabilities = ["read", "list"]
+}
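Review bot: The second block's path `sys/mounts-tune/*` does not correspond to a Vault endpoint as far as I know — tuning is done through `sys/mounts/<mount>/tune`, which the first block's `sys/mounts/*` already matches — so the block appears to be a no-op; confirm against the sys/mounts API reference and drop it if so, since dead grants make later policy audits harder. The third block's comment has a typo: `# Allow reaing and listing of enabled secret engines` should read `# Allow reading and listing of enabled secret engines`. That third block is still needed, because the `sys/mounts/*` glob does not match the bare `sys/mounts` path.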