feat: manage terraform access to vault

- add approle for terraform, tf_vault - add policices to manage terraform access to vault - add policices for default access to vault from ldap users
2024-09-26 22:59:40 +10:00 · 2024-09-26 22:59:40 +10:00 · f78416361b
commit f78416361b
parent 582f38c68f
21 changed files with 152 additions and 16 deletions
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@ -0,0 +1,27 @@
+resource "vault_approle_auth_backend_role" "tf_vault" {
+  role_name      = "tf_vault"
+  bind_secret_id = false
+  token_policies = [
+    "default_access",
+    "auth_token_create",
+    "auth_token_self",
+    "auth_token_roles_admin",
+    "approle_role_admin",
+    "approle_role_login",
+    "approle_token_create",
+    "ldap_admin",
+    "pki_int_roles_admin",
+    "pki_root_roles_admin",
+    "ssh-host-signer_roles_admin",
+    "sshca_roles_admin",
+    "svc_vault_read",
+    "sys_auth_admin",
+    "sys_mounts_admin",
+    "sys_policy_admin",
+  ]
+  token_ttl     = 60
+  token_max_ttl = 120
+  token_bound_cidrs = [
+    "10.10.12.200/32",
+  ]
+}
--- a/auth_backend_ldap.tf
+++ b/auth_backend_ldap.tf
@ -3,7 +3,7 @@
 #--------------------------------

 # retrieve the bindpass from Vault
-data "vault_generic_secret" "ldap_bindpass" {
+data "vault_generic_secret" "svc_vault" {
  path = "kv/service/glauth/services/svc_vault"
 }

@ -18,12 +18,14 @@ resource "vault_ldap_auth_backend" "ldap" {
  groupdn     = "ou=users,dc=main,dc=unkin,dc=net"
  groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
  groupattr   = "uid"
-  binddn      = data.vault_generic_secret.ldap_bindpass.data["distinguishedName"]
-  bindpass    = data.vault_generic_secret.ldap_bindpass.data["pass"]
+  binddn      = data.vault_generic_secret.svc_vault.data["distinguishedName"]
+  bindpass    = data.vault_generic_secret.svc_vault.data["pass"]
 }

 resource "vault_ldap_auth_backend_group" "vault_access" {
  groupname = "vault_access"
-  policies  = ["sshca_signuser"]
+  policies = [
+    "default_access",
+  ]
  backend = vault_ldap_auth_backend.ldap.path
 }
--- a/policies.tf
+++ b/policies.tf
@ -1,18 +1,24 @@
-# Define directories for different policy sets
+# Define a list of directories that contain policy files
 locals {
-  policy_directories = {
-    pki_int         = "policies/pki_int"
-    pki_root        = "policies/pki_root"
-    rundeck         = "policies/rundeck"
-    ssh_host_signer = "policies/ssh-host-signer"
-    sshca           = "policies/sshca"
-  }
+  policy_directories = [
+    "policies",
+    "policies/sys",
+    "policies/auth/approle",
+    "policies/auth/ldap",
+    "policies/auth/token",
+    "policies/pki_int",
+    "policies/pki_root",
+    "policies/rundeck",
+    "policies/ssh-host-signer",
+    "policies/sshca",
+    "policies/kv/service/glauth/services"
+  ]
 }

 # Load policy files from each directory
 locals {
  policy_files = flatten([
-    for dir, path in local.policy_directories : [
+    for path in local.policy_directories : [
      for policy in fileset(path, "*.hcl") : {
        name = trim(replace(policy, ".hcl", ""), "/")
        path = "${path}/${policy}"
@ -21,11 +27,10 @@ locals {
  ])
 }

-# Define vault policies for all sets
+# Define Vault policies for all listed directories
 resource "vault_policy" "policies" {
  for_each = { for policy in local.policy_files : policy.name => policy }

  name   = each.value.name
  policy = file(each.value.path)
 }
-
--- a/policies/auth/approle/approle_role_admin.hcl
+++ b/policies/auth/approle/approle_role_admin.hcl
@ -0,0 +1,3 @@
+path "auth/approle/role/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}
--- a/policies/auth/approle/approle_role_login.hcl
+++ b/policies/auth/approle/approle_role_login.hcl
@ -0,0 +1,3 @@
+path "auth/approle/login" {
+  capabilities = ["create"]
+}
--- a/policies/auth/ldap/ldap_admin.hcl
+++ b/policies/auth/ldap/ldap_admin.hcl
@ -0,0 +1,3 @@
+path "auth/ldap/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}
--- a/policies/auth/token/auth_token_create.hcl
+++ b/policies/auth/token/auth_token_create.hcl
@ -0,0 +1,7 @@
+path "auth/token/create" {
+  capabilities = ["create", "read", "update", "list"]
+}
+
+path "auth/token/*" {
+  capabilities = ["create", "update"]
+}
--- a/policies/auth/token/auth_token_lookup.hcl
+++ b/policies/auth/token/auth_token_lookup.hcl
@ -0,0 +1,4 @@
+# Allow listing and reading tokens
+path "auth/token/lookup" {
+  capabilities = ["read", "list"]
+}
--- a/policies/auth/token/auth_token_renew.hcl
+++ b/policies/auth/token/auth_token_renew.hcl
@ -0,0 +1,4 @@
+# Allow renewing tokens
+path "auth/token/renew" {
+  capabilities = ["update"]
+}
--- a/policies/auth/token/auth_token_roles_admin.hcl
+++ b/policies/auth/token/auth_token_roles_admin.hcl
@ -0,0 +1,3 @@
+path "auth/token/roles/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
--- a/policies/auth/token/auth_token_self.hcl
+++ b/policies/auth/token/auth_token_self.hcl
@ -0,0 +1,14 @@
+# Allow tokens to query themselves
+path "auth/token/lookup-self" {
+  capabilities = ["read"]
+}
+
+# Allow tokens to renew themselves
+path "auth/token/renew-self" {
+    capabilities = ["update"]
+}
+
+# Allow tokens to revoke themselves
+path "auth/token/revoke-self" {
+    capabilities = ["update"]
+}
--- a/policies/default_access.hcl
+++ b/policies/default_access.hcl
@ -0,0 +1,15 @@
+path "pki_int/*" {
+  capabilities = ["list", "read"]
+}
+
+path "pki_root/*" {
+  capabilities = ["list", "read"]
+}
+
+path "ssh-host-signer/*" {
+  capabilities = ["list", "read"]
+}
+
+path "sshca/*" {
+  capabilities = ["list", "read"]
+}
--- a/policies/kv/service/glauth/services/svc_vault_read.hcl
+++ b/policies/kv/service/glauth/services/svc_vault_read.hcl
@ -0,0 +1,3 @@
+path "kv/data/service/glauth/services/svc_vault" {
+    capabilities = ["list", "read"]
+}
--- a/policies/pki_int/pki_int_roles_admin.hcl
+++ b/policies/pki_int/pki_int_roles_admin.hcl
@ -0,0 +1,3 @@
+path "pki_int/roles/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}
--- a/policies/pki_root/pki_root_roles_admin.hcl
+++ b/policies/pki_root/pki_root_roles_admin.hcl
@ -0,0 +1,3 @@
+path "pki_root/roles/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}
--- a/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
+++ b/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
@ -0,0 +1,3 @@
+path "ssh-host-signer/roles/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
--- a/policies/sshca/sshca_roles_admin.hcl
+++ b/policies/sshca/sshca_roles_admin.hcl
@ -0,0 +1,3 @@
+path "sshca/roles/*" {
+  capabilities = ["create", "update", "read", "delete", "list"]
+}
--- a/policies/sys/sys_audit_read.hcl
+++ b/policies/sys/sys_audit_read.hcl
@ -0,0 +1,4 @@
+# Allow reading audit logs related to secret engines
+path "sys/audit" {
+  capabilities = ["read", "list"]
+}
--- a/policies/sys/sys_auth_admin.hcl
+++ b/policies/sys/sys_auth_admin.hcl
@ -0,0 +1,4 @@
+# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
+path "sys/auth/*" {
+  capabilities = ["create", "update", "delete", "read", "list"]
+}
--- a/policies/sys/sys_mounts_admin.hcl
+++ b/policies/sys/sys_mounts_admin.hcl
@ -0,0 +1,14 @@
+# Allow access to manage secret engines (mount, unmount, update)
+path "sys/mounts/*" {
+  capabilities = ["create", "update", "delete", "read", "list"]
+}
+
+# Allow tuning existing secret engines
+path "sys/mounts-tune/*" {
+  capabilities = ["update", "read"]
+}
+
+# Allow reaing and listing of enabled secret engines
+path "sys/mounts" {
+  capabilities = ["read", "list"]
+}
--- a/policies/sys/sys_policy_admin.hcl
+++ b/policies/sys/sys_policy_admin.hcl
@ -0,0 +1,9 @@
+# Allow management of policies (create, update, delete, list, and read)
+path "sys/policies/acl/*" {
+  capabilities = ["create", "update", "delete", "read", "list"]
+}
+
+# Allow listing of available policies
+path "sys/policies/acl" {
+  capabilities = ["read", "list"]
+}