unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: manage terraform access to vault

Browse Source 
- add approle for terraform, tf_vault
- add policices to manage terraform access to vault
- add policices for default access to vault from ldap users
This commit is contained in:
Ben Vincent 2024-09-26 22:59:40 +10:00
parent 582f38c68f
commit f78416361b
21 changed files with 152 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
auth_approle_tf_vault.tf Normal file
View File

@ -0,0 +1,27 @@
resource "vault_approle_auth_backend_role" "tf_vault" {
role_name = "tf_vault"
bind_secret_id = false
token_policies = [
"default_access",
"auth_token_create",
"auth_token_self",
"auth_token_roles_admin",
"approle_role_admin",
"approle_role_login",
"approle_token_create",
"ldap_admin",
"pki_int_roles_admin",
"pki_root_roles_admin",
"ssh-host-signer_roles_admin",
"sshca_roles_admin",
"svc_vault_read",
"sys_auth_admin",
"sys_mounts_admin",
"sys_policy_admin",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
]
}

12
auth_backend_ldap.tf
View File

@ -3,7 +3,7 @@
#-------------------------------- #--------------------------------
# retrieve the bindpass from Vault # retrieve the bindpass from Vault
data "vault_generic_secret" "ldap_bindpass" { data "vault_generic_secret" "svc_vault" {
path = "kv/service/glauth/services/svc_vault" path = "kv/service/glauth/services/svc_vault"
} }
@ -18,12 +18,14 @@ resource "vault_ldap_auth_backend" "ldap" {
groupdn = "ou=users,dc=main,dc=unkin,dc=net" groupdn = "ou=users,dc=main,dc=unkin,dc=net"
groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))" groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
groupattr = "uid" groupattr = "uid"
binddn = data.vault_generic_secret.ldap_bindpass.data["distinguishedName"] binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
bindpass = data.vault_generic_secret.ldap_bindpass.data["pass"] bindpass = data.vault_generic_secret.svc_vault.data["pass"]
} }
resource "vault_ldap_auth_backend_group" "vault_access" { resource "vault_ldap_auth_backend_group" "vault_access" {
groupname = "vault_access" groupname = "vault_access"
policies = ["sshca_signuser"] policies = [
backend = vault_ldap_auth_backend.ldap.path "default_access",
]
backend = vault_ldap_auth_backend.ldap.path
} }

27
policies.tf
View File

@ -1,18 +1,24 @@
# Define directories for different policy sets # Define a list of directories that contain policy files
locals { locals {
policy_directories = { policy_directories = [
pki_int = "policies/pki_int" "policies",
pki_root = "policies/pki_root" "policies/sys",
rundeck = "policies/rundeck" "policies/auth/approle",
ssh_host_signer = "policies/ssh-host-signer" "policies/auth/ldap",
sshca = "policies/sshca" "policies/auth/token",
} "policies/pki_int",
"policies/pki_root",
"policies/rundeck",
"policies/ssh-host-signer",
"policies/sshca",
"policies/kv/service/glauth/services"
]
} }
# Load policy files from each directory # Load policy files from each directory
locals { locals {
policy_files = flatten([ policy_files = flatten([
for dir, path in local.policy_directories : [ for path in local.policy_directories : [
for policy in fileset(path, "*.hcl") : { for policy in fileset(path, "*.hcl") : {
name = trim(replace(policy, ".hcl", ""), "/") name = trim(replace(policy, ".hcl", ""), "/")
path = "${path}/${policy}" path = "${path}/${policy}"
@ -21,11 +27,10 @@ locals {
]) ])
} }
# Define vault policies for all sets # Define Vault policies for all listed directories
resource "vault_policy" "policies" { resource "vault_policy" "policies" {
for_each = { for policy in local.policy_files : policy.name => policy } for_each = { for policy in local.policy_files : policy.name => policy }
name = each.value.name name = each.value.name
policy = file(each.value.path) policy = file(each.value.path)
} }

3
policies/auth/approle/approle_role_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "auth/approle/role/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}

3
policies/auth/approle/approle_role_login.hcl Normal file
View File

@ -0,0 +1,3 @@
path "auth/approle/login" {
capabilities = ["create"]
}

3
policies/auth/ldap/ldap_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "auth/ldap/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}

7
policies/auth/token/auth_token_create.hcl Normal file
View File

@ -0,0 +1,7 @@
path "auth/token/create" {
capabilities = ["create", "read", "update", "list"]
}
path "auth/token/*" {
capabilities = ["create", "update"]
}

4
policies/auth/token/auth_token_lookup.hcl Normal file
View File

@ -0,0 +1,4 @@
# Allow listing and reading tokens
path "auth/token/lookup" {
capabilities = ["read", "list"]
}

4
policies/auth/token/auth_token_renew.hcl Normal file
View File

@ -0,0 +1,4 @@
# Allow renewing tokens
path "auth/token/renew" {
capabilities = ["update"]
}

3
policies/auth/token/auth_token_roles_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "auth/token/roles/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}

14
policies/auth/token/auth_token_self.hcl Normal file
View File

@ -0,0 +1,14 @@
# Allow tokens to query themselves
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow tokens to renew themselves
path "auth/token/renew-self" {
capabilities = ["update"]
}
# Allow tokens to revoke themselves
path "auth/token/revoke-self" {
capabilities = ["update"]
}

15
policies/default_access.hcl Normal file
View File

@ -0,0 +1,15 @@
path "pki_int/*" {
capabilities = ["list", "read"]
}
path "pki_root/*" {
capabilities = ["list", "read"]
}
path "ssh-host-signer/*" {
capabilities = ["list", "read"]
}
path "sshca/*" {
capabilities = ["list", "read"]
}

3
policies/kv/service/glauth/services/svc_vault_read.hcl Normal file
View File

@ -0,0 +1,3 @@
path "kv/data/service/glauth/services/svc_vault" {
capabilities = ["list", "read"]
}

3
policies/pki_int/pki_int_roles_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "pki_int/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}

3
policies/pki_root/pki_root_roles_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "pki_root/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}

3
policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "ssh-host-signer/roles/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}

3
policies/sshca/sshca_roles_admin.hcl Normal file
View File

@ -0,0 +1,3 @@
path "sshca/roles/*" {
capabilities = ["create", "update", "read", "delete", "list"]
}

4
policies/sys/sys_audit_read.hcl Normal file
View File

@ -0,0 +1,4 @@
# Allow reading audit logs related to secret engines
path "sys/audit" {
capabilities = ["read", "list"]
}

4
policies/sys/sys_auth_admin.hcl Normal file
View File

@ -0,0 +1,4 @@
# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
path "sys/auth/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}

14
policies/sys/sys_mounts_admin.hcl Normal file
View File

@ -0,0 +1,14 @@
# Allow access to manage secret engines (mount, unmount, update)
path "sys/mounts/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
# Allow tuning existing secret engines
path "sys/mounts-tune/*" {
capabilities = ["update", "read"]
}
# Allow reaing and listing of enabled secret engines
path "sys/mounts" {
capabilities = ["read", "list"]
}

9
policies/sys/sys_policy_admin.hcl Normal file
View File

@ -0,0 +1,9 @@
# Allow management of policies (create, update, delete, list, and read)
path "sys/policies/acl/*" {
capabilities = ["create", "update", "delete", "read", "list"]
}
# Allow listing of available policies
path "sys/policies/acl" {
capabilities = ["read", "list"]
}