Compare commits
69 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 6f27546207 | |||
| 933de177fa | |||
| ce1185deba | |||
| 3d59758324 | |||
| 8bb071ae46 | |||
| 0dba5e00a6 | |||
| a400e5dc7e | |||
| 95e7a81b2e | |||
| bbde79d2a6 | |||
| f2c54888de | |||
| 36d7afbb65 | |||
| c33dcdc447 | |||
| be9bd96cf3 | |||
| bb5f6922fa | |||
| 346cf9fa43 | |||
| 1288057b81 | |||
| 3876fa818d | |||
| a548bf1cb1 | |||
| 93ba86baf3 | |||
| 098830c10b | |||
| 9cbac6d3ef | |||
| 73aaaaeb99 | |||
| 7c60a5fd53 | |||
| 27f12f183e | |||
| c61434b692 | |||
| 172ceac2fc | |||
| 48a4fd0dd1 | |||
| 4dc09547ef | |||
| 546a9efe44 | |||
| 679cec4bc1 | |||
| 71789f9f32 | |||
| 4cbcec58d3 | |||
| 9c93e185f8 | |||
| d6c8474bd3 | |||
| 42351000ee | |||
| f7d1330c37 | |||
| d9e07e432e | |||
| 14a258de7d | |||
| be8bcc3743 | |||
| dc257b1bcd | |||
| 66119e5207 | |||
| 9e6de4dc32 | |||
| 7cafafd483 | |||
| c94b2af196 | |||
| dd44146d88 | |||
| 18a62332f6 | |||
| 8fa68e2670 | |||
| 4cad39989f | |||
| c825962490 | |||
| 51bc3fffc0 | |||
| dca26029c0 | |||
| d398911108 | |||
| c093d5830d | |||
| 4b176846f2 | |||
| 90b765d713 | |||
| 3fb5a64a17 | |||
| 33a746e545 | |||
| 4fe0e0de73 | |||
| a47f841028 | |||
| 9192879c03 | |||
| 5cdf6b410d | |||
| b51617c009 | |||
| 66ee6430fa | |||
| fd03727ec2 | |||
| 5536869a38 | |||
| f8f1185b42 | |||
| 75e9db1aa6 | |||
| f47804ffdf | |||
| 24c124d6eb |
@@ -9,8 +9,8 @@ repos:
|
||||
- repo: https://github.com/gruntwork-io/pre-commit
|
||||
rev: v0.1.30
|
||||
hooks:
|
||||
- id: terraform-fmt
|
||||
- id: terraform-validate
|
||||
- id: tofu-fmt
|
||||
- id: tofu-validate
|
||||
- id: tflint
|
||||
- id: terragrunt-hcl-fmt
|
||||
- repo: https://github.com/adrienverge/yamllint.git
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
when:
|
||||
- event: push
|
||||
branch: master
|
||||
|
||||
steps:
|
||||
- name: apply
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
environment:
|
||||
VAULT_AUTH_METHOD: kubernetes
|
||||
commands:
|
||||
- dnf install vault -y
|
||||
- make plan
|
||||
- make apply
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: terraform-vault
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,21 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: plan
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
environment:
|
||||
VAULT_AUTH_METHOD: kubernetes
|
||||
commands:
|
||||
- dnf install vault -y
|
||||
- make plan
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: terraform-vault
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,18 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: pre-commit
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
commands:
|
||||
- uvx pre-commit run --all-files
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: default
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -1,29 +1,35 @@
|
||||
.PHONY: init plan apply format
|
||||
|
||||
#init:
|
||||
# @echo "Sourcing environment and initializing Terraform..."
|
||||
# @source ./env && terraform init
|
||||
#
|
||||
#plan:
|
||||
# @echo "Sourcing environment and planning Terraform changes..."
|
||||
# @source ./env && terraform plan
|
||||
#
|
||||
#apply:
|
||||
# @echo "Sourcing environment and applying Terraform changes..."
|
||||
# @source ./env && terraform apply -auto-approve
|
||||
VAULT_AUTH_METHOD ?= approle
|
||||
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
|
||||
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
|
||||
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
|
||||
# Define vault_env function to set up vault environment
|
||||
define vault_env
|
||||
@export VAULT_ADDR="https://vault.service.consul:8200" && \
|
||||
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
|
||||
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
|
||||
else \
|
||||
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
|
||||
fi && \
|
||||
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
|
||||
endef
|
||||
|
||||
init:
|
||||
@terragrunt run --all --non-interactive init -- -upgrade
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --non-interactive init -- -upgrade
|
||||
|
||||
plan: init
|
||||
@terragrunt run --all --parallelism 4 --non-interactive plan
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --parallelism 4 --non-interactive plan
|
||||
|
||||
apply: init
|
||||
@terragrunt run --all --parallelism 2 --non-interactive apply
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --parallelism 2 --non-interactive apply
|
||||
|
||||
format:
|
||||
@echo "Formatting Terraform files..."
|
||||
@terraform fmt -recursive .
|
||||
@echo "Formatting OpenTofu files..."
|
||||
@tofu fmt -recursive .
|
||||
@echo "Formatting Terragrunt files..."
|
||||
@terragrunt hcl fmt
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -1,5 +1,5 @@
|
||||
kubernetes_host: https://api-k8s.service.consul:6443
|
||||
disable_iss_validation: true
|
||||
use_annotations_as_alias_metadata: true
|
||||
use_annotations_as_alias_metadata: false # doesnt work with openbao yet
|
||||
default_lease_ttl: 1h
|
||||
max_lease_ttl: 24h
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- artifactapi
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -4,5 +4,6 @@ bound_service_account_names:
|
||||
bound_service_account_namespaces:
|
||||
- csi-cephrbd
|
||||
- csi-cephfs
|
||||
token_ttl: 60
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -2,5 +2,6 @@ bound_service_account_names:
|
||||
- cert-manager-vault-issuer
|
||||
bound_service_account_namespaces:
|
||||
- cert-manager
|
||||
token_ttl: 60
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces: ['*']
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -2,5 +2,6 @@ bound_service_account_names:
|
||||
- externaldns
|
||||
bound_service_account_namespaces:
|
||||
- externaldns
|
||||
token_ttl: 60
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -2,5 +2,5 @@ bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- huntarr
|
||||
token_ttl: 60
|
||||
token_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- identity
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -2,5 +2,6 @@ bound_service_account_names:
|
||||
- media-apps-vault-reader
|
||||
bound_service_account_namespaces:
|
||||
- media-apps
|
||||
token_ttl: 60
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- puppet
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -1,6 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- rancher
|
||||
bound_service_account_namespaces:
|
||||
- default
|
||||
token_ttl: 60
|
||||
- cattle-system
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -2,5 +2,6 @@ bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- repoflow
|
||||
token_ttl: 60
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
|
||||
@@ -0,0 +1,8 @@
|
||||
# rpmbuilder is deployed in woodpeckerci
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-artifactapi
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-authentik
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-git
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-prowlarr
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-radarr
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-rancher
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-sonarr
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-vault
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
+35
-2
@@ -169,7 +169,7 @@ locals {
|
||||
}
|
||||
consul_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
trimsuffix(replace(file_path, "consul_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "consul_secret_backend/")
|
||||
}
|
||||
consul_secret_backend_role = {
|
||||
@@ -185,5 +185,38 @@ locals {
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "pki_mount_only/")
|
||||
}
|
||||
litellm_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "litellm_secret_backend/")
|
||||
}
|
||||
litellm_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "litellm_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "litellm_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "litellm_secret_backend_role/")
|
||||
}
|
||||
plugins = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
})
|
||||
if startswith(file_path, "plugins/")
|
||||
}
|
||||
gpg_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "gpg_secret_backend/")
|
||||
}
|
||||
gpg_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "gpg_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "gpg_key/")
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,7 @@
|
||||
description: "consul secret engine for au-syd1 cluster"
|
||||
default_lease_ttl_seconds: 600
|
||||
max_lease_ttl_seconds: 86400
|
||||
address: "consul.service.au-syd1.consul"
|
||||
scheme: https
|
||||
bootstrap: false
|
||||
datacenter: au-syd1
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-artifactapi
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-authentik
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-git
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-incus
|
||||
ttl: 300
|
||||
max_ttl: 600
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-k8s
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-ldap
|
||||
ttl: 60
|
||||
max_ttl: 60
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-nomad
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-prowlarr
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-radarr
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-rancher
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-repoflow
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-sonarr
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-vault
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,7 @@
|
||||
# config/gpg_key/gpg/pass.yaml
|
||||
# An OpenPGP key in the gpg engine for password-store (passv). The private key
|
||||
# stays in Vault; clients import the exported public key to encrypt and delegate
|
||||
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
|
||||
algorithm: rsa-4096
|
||||
identity: "pass <pass@unkin.net>"
|
||||
exportable: false
|
||||
@@ -0,0 +1,4 @@
|
||||
# config/gpg_secret_backend/gpg.yaml
|
||||
# Mounts the gpg secrets engine at "gpg". The plugin itself is registered in the
|
||||
# catalog separately (see config/plugins/vault-plugin-secrets-gpg.yaml).
|
||||
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
|
||||
@@ -0,0 +1,6 @@
|
||||
# Mounts the LiteLLM dynamic secrets engine at "litellm" and writes its config.
|
||||
# The master key is sensitive and read from KV, not stored here:
|
||||
# kv/service/vault/au/syd1/secret_backend/litellm -> key "master_key"
|
||||
description: "LiteLLM dynamic virtual keys"
|
||||
base_url: "https://litellm.k8s.syd1.au.unkin.net"
|
||||
request_timeout_seconds: 30
|
||||
@@ -0,0 +1,9 @@
|
||||
---
|
||||
models:
|
||||
- claude-opus-4-7
|
||||
max_budget: 5
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 86400 # seconds (24h)
|
||||
metadata:
|
||||
team: testuser
|
||||
env: prod
|
||||
@@ -0,0 +1,10 @@
|
||||
---
|
||||
models:
|
||||
- claude-haiku-4-5
|
||||
- claude-sonnet-4-6
|
||||
max_budget: 50
|
||||
ttl: 3600 # seconds (1h)
|
||||
max_ttl: 86400 # seconds (24h)
|
||||
metadata:
|
||||
team: mailfiltering
|
||||
env: prod
|
||||
@@ -0,0 +1,10 @@
|
||||
# config/plugins/vault-plugin-secrets-gpg.yaml
|
||||
# Imports (registers) the gpg secrets plugin in the catalog. Filename = catalog
|
||||
# name = mount type. The binary is installed on the OpenBao nodes by Puppet
|
||||
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
|
||||
#
|
||||
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
|
||||
# upgrade or OpenBao will refuse to launch the plugin.
|
||||
type: secret
|
||||
command: vault-plugin-secrets-gpg
|
||||
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
|
||||
@@ -13,6 +13,11 @@ include "policies" {
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "resources" {
|
||||
path = "${get_repo_root()}/resources/resources.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
locals {
|
||||
# Extract country and region from path
|
||||
path_parts = split("/", dirname(get_terragrunt_dir()))
|
||||
@@ -24,6 +29,16 @@ locals {
|
||||
|
||||
# Include policies from policies.hcl
|
||||
policies = include.policies.locals
|
||||
|
||||
# Include resources from resources.hcl
|
||||
resources = include.resources.locals
|
||||
|
||||
# Create sanitized backend name mapping for Consul providers
|
||||
# Provider aliases can't contain slashes, so replace them with underscores
|
||||
consul_backend_aliases = {
|
||||
for backend_name, _ in local.config.consul_secret_backend :
|
||||
backend_name => replace(backend_name, "/", "_")
|
||||
}
|
||||
}
|
||||
|
||||
terraform {
|
||||
@@ -53,8 +68,16 @@ inputs = {
|
||||
kubernetes_secret_backend = local.config.kubernetes_secret_backend
|
||||
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
|
||||
pki_mount_only = local.config.pki_mount_only
|
||||
litellm_secret_backend = local.config.litellm_secret_backend
|
||||
litellm_secret_backend_role = local.config.litellm_secret_backend_role
|
||||
plugins = local.config.plugins
|
||||
gpg_secret_backend = local.config.gpg_secret_backend
|
||||
gpg_key = local.config.gpg_key
|
||||
|
||||
# Pass policy maps to vault_cluster module
|
||||
policy_auth_map = local.policies.policy_auth_map
|
||||
policy_rules_map = local.policies.policy_rules_map
|
||||
|
||||
# Pass sanitized consul backend aliases for provider configuration
|
||||
consul_backend_aliases = local.consul_backend_aliases
|
||||
}
|
||||
|
||||
+24
-13
@@ -3,27 +3,26 @@ generate "backend" {
|
||||
path = "backend.tf"
|
||||
if_exists = "overwrite"
|
||||
contents = <<EOF
|
||||
#-------------------------------------------
|
||||
# locals
|
||||
#-------------------------------------------
|
||||
locals {
|
||||
vault_addr = "https://vault.service.consul:8200"
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------
|
||||
# Configure this provider through the environment variables:
|
||||
# - VAULT_ADDR
|
||||
# - VAULT_TOKEN
|
||||
#-----------------------------------------------------------------------------
|
||||
provider "vault" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Use remote state file and encrypt it since your state files may contains
|
||||
# sensitive data.
|
||||
# export CONSUL_HTTP_TOKEN=<your-token>
|
||||
#------------------------------------------------------------------------------
|
||||
# The LiteLLM secrets engine is managed through its own provider, which talks to
|
||||
# the same Vault server. Token falls back to the VAULT_TOKEN environment variable.
|
||||
provider "litellm" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
# The gpg secrets engine's keys are managed through its own provider (same Vault
|
||||
# server; token falls back to VAULT_TOKEN).
|
||||
provider "gpg" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
@@ -38,6 +37,18 @@ terraform {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
consul = {
|
||||
source = "hashicorp/consul"
|
||||
version = "2.23.0"
|
||||
}
|
||||
litellm = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
rule "terraform_required_providers" {
|
||||
enabled = false
|
||||
}
|
||||
|
||||
rule "terraform_required_version" {
|
||||
enabled = false
|
||||
}
|
||||
|
||||
rule "terraform_unused_declarations" {
|
||||
enabled = false
|
||||
}
|
||||
+102
-11
@@ -3,8 +3,6 @@ module "auth_approle_backend" {
|
||||
|
||||
for_each = var.auth_approle_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
@@ -92,6 +90,7 @@ module "auth_kubernetes_role" {
|
||||
bound_service_account_names = each.value.bound_service_account_names
|
||||
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||
token_ttl = each.value.token_ttl
|
||||
token_max_ttl = each.value.token_max_ttl
|
||||
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||
audience = each.value.audience
|
||||
|
||||
@@ -185,7 +184,6 @@ module "pki_secret_backend" {
|
||||
crl_distribution_points = each.value.crl_distribution_points
|
||||
ocsp_servers = each.value.ocsp_servers
|
||||
enable_templating = each.value.enable_templating
|
||||
default_issuer_ref = each.value.default_issuer_ref
|
||||
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||
crl_expiry = each.value.crl_expiry
|
||||
crl_disable = each.value.crl_disable
|
||||
@@ -237,19 +235,41 @@ module "consul_secret_backend" {
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
# Create data sources for consul backend tokens
|
||||
data "vault_kv_secret_v2" "consul_backend_configs" {
|
||||
for_each = {
|
||||
for k, v in var.consul_secret_backend : k => v
|
||||
if !v.bootstrap
|
||||
}
|
||||
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
|
||||
}
|
||||
|
||||
# Create Consul ACL management module
|
||||
module "consul_acl_management" {
|
||||
source = "./modules/consul_acl_management"
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
consul_backends = var.consul_secret_backend
|
||||
consul_roles = var.consul_secret_backend_role
|
||||
consul_backend_aliases = var.consul_backend_aliases
|
||||
}
|
||||
|
||||
# Create consul secret backend roles (Vault resources only)
|
||||
module "consul_secret_backend_role" {
|
||||
source = "./modules/consul_secret_backend_role"
|
||||
|
||||
for_each = var.consul_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
consul_roles = each.value.consul_roles
|
||||
ttl = each.value.ttl
|
||||
max_ttl = each.value.max_ttl
|
||||
local = each.value.local
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
ttl = each.value.ttl
|
||||
max_ttl = each.value.max_ttl
|
||||
local = each.value.local
|
||||
|
||||
depends_on = [module.consul_secret_backend]
|
||||
depends_on = [module.consul_secret_backend, module.consul_acl_management]
|
||||
}
|
||||
|
||||
module "kubernetes_secret_backend" {
|
||||
@@ -283,6 +303,77 @@ module "kubernetes_secret_backend_role" {
|
||||
depends_on = [module.kubernetes_secret_backend]
|
||||
}
|
||||
|
||||
module "litellm_secret_backend" {
|
||||
source = "./modules/litellm_secret_backend"
|
||||
|
||||
for_each = var.litellm_secret_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
description = each.value.description
|
||||
base_url = each.value.base_url
|
||||
request_timeout_seconds = each.value.request_timeout_seconds
|
||||
}
|
||||
|
||||
module "litellm_secret_backend_role" {
|
||||
source = "./modules/litellm_secret_backend_role"
|
||||
|
||||
for_each = var.litellm_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
models = each.value.models
|
||||
max_budget = each.value.max_budget
|
||||
key_alias_prefix = each.value.key_alias_prefix
|
||||
ttl = each.value.ttl
|
||||
max_ttl = each.value.max_ttl
|
||||
metadata = each.value.metadata
|
||||
|
||||
depends_on = [module.litellm_secret_backend]
|
||||
}
|
||||
|
||||
module "plugin" {
|
||||
source = "./modules/plugin"
|
||||
|
||||
for_each = var.plugins
|
||||
|
||||
name = each.value.name
|
||||
type = each.value.type
|
||||
command = each.value.command
|
||||
sha256 = each.value.sha256
|
||||
plugin_version = each.value.version
|
||||
}
|
||||
|
||||
module "gpg_secret_backend" {
|
||||
source = "./modules/gpg_secret_backend"
|
||||
|
||||
for_each = var.gpg_secret_backend
|
||||
|
||||
path = each.key
|
||||
plugin = each.value.plugin
|
||||
description = each.value.description
|
||||
|
||||
depends_on = [module.plugin]
|
||||
}
|
||||
|
||||
module "gpg_key" {
|
||||
source = "./modules/gpg_key"
|
||||
|
||||
for_each = var.gpg_key
|
||||
|
||||
backend = each.value.backend
|
||||
name = each.value.name
|
||||
algorithm = each.value.algorithm
|
||||
identity = each.value.identity
|
||||
exportable = each.value.exportable
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
min_decryption_version = each.value.min_decryption_version
|
||||
|
||||
depends_on = [module.gpg_secret_backend]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
@@ -300,7 +391,6 @@ module "pki_mount_only" {
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
issuer_ref = each.value.issuer_ref
|
||||
issuing_certificates = each.value.issuing_certificates
|
||||
crl_distribution_points = each.value.crl_distribution_points
|
||||
ocsp_servers = each.value.ocsp_servers
|
||||
@@ -314,3 +404,4 @@ module "pki_mount_only" {
|
||||
enable_delta = each.value.enable_delta
|
||||
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||
}
|
||||
|
||||
|
||||
@@ -8,4 +8,4 @@ resource "vault_auth_backend" "approle" {
|
||||
max_lease_ttl = var.max_lease_ttl
|
||||
listing_visibility = var.listing_visibility
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,13 +1,3 @@
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the AppRole auth backend"
|
||||
type = string
|
||||
@@ -34,4 +24,4 @@ variable "max_lease_ttl" {
|
||||
description = "Specifies the maximum time-to-live. If set, this overrides the global default. Must be a valid duration string"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
}
|
||||
|
||||
@@ -16,7 +16,7 @@ data "vault_kv_secret_v2" "role_config" {
|
||||
locals {
|
||||
salt = data.vault_kv_secret_v2.salt_config.data["salt"]
|
||||
role_id_input = "${local.salt}-${var.approle_name}-${var.mount_path}"
|
||||
deterministic_role_id = uuidv5("dns", "${local.role_id_input}")
|
||||
deterministic_role_id = uuidv5("dns", local.role_id_input)
|
||||
|
||||
# Use deterministic role-id by default, or read from KV if specified
|
||||
role_id = var.use_deterministic_role_id ? local.deterministic_role_id : data.vault_kv_secret_v2.role_config[0].data["role_id"]
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -4,6 +4,7 @@ resource "vault_kubernetes_auth_backend_role" "role" {
|
||||
bound_service_account_names = var.bound_service_account_names
|
||||
bound_service_account_namespaces = var.bound_service_account_namespaces
|
||||
token_ttl = var.token_ttl
|
||||
token_max_ttl = var.token_max_ttl
|
||||
token_policies = var.token_policies
|
||||
audience = var.audience
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -24,6 +24,12 @@ variable "token_ttl" {
|
||||
default = 3600
|
||||
}
|
||||
|
||||
variable "token_max_ttl" {
|
||||
description = "The maximum lifetime for generated tokens in number of seconds. Its current value will be referenced at renewal time."
|
||||
type = number
|
||||
default = 86400
|
||||
}
|
||||
|
||||
variable "token_policies" {
|
||||
description = "List of policies to assign to the role (passed from policy_auth_map)"
|
||||
type = list(string)
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
rule "terraform_required_providers" {
|
||||
enabled = false
|
||||
}
|
||||
|
||||
rule "terraform_required_version" {
|
||||
enabled = false
|
||||
}
|
||||
@@ -0,0 +1,58 @@
|
||||
# Get consul backend tokens from Vault
|
||||
data "vault_kv_secret_v2" "consul_backend_configs" {
|
||||
for_each = var.consul_backends
|
||||
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
|
||||
}
|
||||
|
||||
# Create consul provider instances for each consul backend
|
||||
provider "consul" {
|
||||
alias = "by_backend"
|
||||
for_each = var.consul_backend_aliases
|
||||
|
||||
address = var.consul_backends[each.key].address
|
||||
scheme = var.consul_backends[each.key].scheme
|
||||
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
token = data.vault_kv_secret_v2.consul_backend_configs[each.key].data["token"]
|
||||
}
|
||||
|
||||
# Create Consul ACL policies
|
||||
resource "consul_acl_policy" "policies" {
|
||||
for_each = var.consul_roles
|
||||
|
||||
provider = consul.by_backend[each.value.backend]
|
||||
|
||||
name = each.value.name
|
||||
description = each.value.description != null ? each.value.description : "Auto-generated policy for Vault role ${each.value.name}"
|
||||
rules = file("${path.module}/../../../../../../../../resources/secret_backend/${each.value.backend}/${each.value.name}.hcl")
|
||||
datacenters = each.value.datacenters
|
||||
}
|
||||
|
||||
# Create Consul ACL roles
|
||||
resource "consul_acl_role" "roles" {
|
||||
for_each = var.consul_roles
|
||||
|
||||
provider = consul.by_backend[each.value.backend]
|
||||
|
||||
name = each.value.name
|
||||
description = each.value.description != null ? each.value.description : "Auto-generated role for Vault role ${each.value.name}"
|
||||
|
||||
policies = [consul_acl_policy.policies[each.key].name]
|
||||
|
||||
dynamic "service_identities" {
|
||||
for_each = each.value.service_identities != null ? each.value.service_identities : []
|
||||
content {
|
||||
service_name = service_identities.value.service_name
|
||||
datacenters = service_identities.value.datacenters
|
||||
}
|
||||
}
|
||||
|
||||
dynamic "node_identities" {
|
||||
for_each = each.value.node_identities != null ? each.value.node_identities : []
|
||||
content {
|
||||
node_name = node_identities.value.node_name
|
||||
datacenter = node_identities.value.datacenter
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
output "consul_acl_policies" {
|
||||
description = "Map of created Consul ACL policies"
|
||||
value = consul_acl_policy.policies
|
||||
}
|
||||
|
||||
output "consul_acl_roles" {
|
||||
description = "Map of created Consul ACL roles"
|
||||
value = consul_acl_role.roles
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
consul = {
|
||||
source = "hashicorp/consul"
|
||||
version = "2.23.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,46 @@
|
||||
variable "consul_backends" {
|
||||
description = "Map of consul secret backends"
|
||||
type = map(object({
|
||||
address = string
|
||||
scheme = string
|
||||
bootstrap = bool
|
||||
bootstrap_token = optional(string)
|
||||
ca_cert = optional(string)
|
||||
client_cert = optional(string)
|
||||
client_key = optional(string)
|
||||
}))
|
||||
}
|
||||
|
||||
variable "consul_roles" {
|
||||
description = "Map of consul secret backend roles"
|
||||
type = map(object({
|
||||
name = string
|
||||
backend = string
|
||||
description = optional(string)
|
||||
datacenters = optional(list(string))
|
||||
service_identities = optional(list(object({
|
||||
service_name = string
|
||||
datacenters = optional(list(string))
|
||||
})))
|
||||
node_identities = optional(list(object({
|
||||
node_name = string
|
||||
datacenter = string
|
||||
})))
|
||||
}))
|
||||
}
|
||||
|
||||
variable "consul_backend_aliases" {
|
||||
description = "Map of consul backend names to sanitized provider aliases"
|
||||
type = map(string)
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "country" {
|
||||
description = "Country identifier"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier"
|
||||
type = string
|
||||
}
|
||||
@@ -18,4 +18,4 @@ resource "vault_consul_secret_backend" "consul" {
|
||||
client_key = var.client_key
|
||||
default_lease_ttl_seconds = var.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = var.max_lease_ttl_seconds
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -1,8 +1,9 @@
|
||||
# Create Vault Consul secret backend role
|
||||
resource "vault_consul_secret_backend_role" "role" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
consul_roles = var.consul_roles
|
||||
consul_roles = [var.name] # Use the role name created by consul_acl_management module
|
||||
ttl = var.ttl
|
||||
max_ttl = var.max_ttl
|
||||
local = var.local
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -9,12 +9,6 @@ variable "name" {
|
||||
}
|
||||
|
||||
|
||||
variable "consul_roles" {
|
||||
description = "List of Consul roles to attach to tokens"
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
|
||||
variable "ttl" {
|
||||
description = "TTL for generated tokens"
|
||||
@@ -32,4 +26,5 @@ variable "local" {
|
||||
description = "Whether tokens should be local to the datacenter"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -0,0 +1,12 @@
|
||||
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
|
||||
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
|
||||
# exported public_key to encrypt and delegate decryption back to the engine.
|
||||
resource "gpg_key" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
algorithm = var.algorithm
|
||||
identity = var.identity
|
||||
exportable = var.exportable
|
||||
deletion_allowed = var.deletion_allowed
|
||||
min_decryption_version = var.min_decryption_version
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
gpg = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,39 @@
|
||||
variable "backend" {
|
||||
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "name" {
|
||||
description = "Name of the key"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "algorithm" {
|
||||
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
|
||||
type = string
|
||||
default = "rsa-3072"
|
||||
}
|
||||
|
||||
variable "identity" {
|
||||
description = "OpenPGP User ID (defaults to the key name)"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "exportable" {
|
||||
description = "Allow exporting the private key (enable-only)"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "deletion_allowed" {
|
||||
description = "Whether the key may be deleted"
|
||||
type = bool
|
||||
default = false
|
||||
}
|
||||
|
||||
variable "min_decryption_version" {
|
||||
description = "Minimum key version usable for decryption/verification"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,8 @@
|
||||
# Mounts the gpg secrets engine. The plugin is registered ("imported") in the
|
||||
# catalog separately via the config/plugins/ discovery and the plugin module;
|
||||
# this module just enables a mount of the already-registered plugin type.
|
||||
resource "vault_mount" "this" {
|
||||
path = var.path
|
||||
type = var.plugin
|
||||
description = var.description
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,16 @@
|
||||
variable "path" {
|
||||
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plugin" {
|
||||
description = "Registered plugin name to mount (the catalog name = mount type)"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-gpg"
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,14 @@
|
||||
# Expected keys in KV secret: master_key
|
||||
data "vault_kv_secret_v2" "secret_backend_config" {
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
|
||||
}
|
||||
|
||||
resource "litellm_secret_backend" "this" {
|
||||
path = var.path
|
||||
plugin = var.plugin
|
||||
description = var.description
|
||||
base_url = var.base_url
|
||||
master_key = data.vault_kv_secret_v2.secret_backend_config.data["master_key"]
|
||||
request_timeout_seconds = var.request_timeout_seconds
|
||||
}
|
||||
@@ -0,0 +1,13 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
litellm = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,37 @@
|
||||
variable "country" {
|
||||
description = "Country identifier (used to locate the KV secret holding the master key)"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "region" {
|
||||
description = "Region identifier (used to locate the KV secret holding the master key)"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "path" {
|
||||
description = "Mount path of the LiteLLM secrets engine"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "plugin" {
|
||||
description = "Registered plugin name/type to mount"
|
||||
type = string
|
||||
default = "vault-plugin-secrets-litellm"
|
||||
}
|
||||
|
||||
variable "description" {
|
||||
description = "Human-friendly description of the mount"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "base_url" {
|
||||
description = "Base URL of the LiteLLM proxy (e.g. http://litellm.litellm.svc:4000)"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "request_timeout_seconds" {
|
||||
description = "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy"
|
||||
type = number
|
||||
default = 30
|
||||
}
|
||||
@@ -0,0 +1,10 @@
|
||||
resource "litellm_secret_backend_role" "this" {
|
||||
backend = var.backend
|
||||
name = var.name
|
||||
models = var.models
|
||||
max_budget = var.max_budget
|
||||
key_alias_prefix = var.key_alias_prefix
|
||||
ttl = var.ttl
|
||||
max_ttl = var.max_ttl
|
||||
metadata = var.metadata
|
||||
}
|
||||
@@ -0,0 +1,9 @@
|
||||
terraform {
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
litellm = {
|
||||
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
|
||||
version = "0.1.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,45 @@
|
||||
variable "name" {
|
||||
description = "Name of the role"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "backend" {
|
||||
description = "Mount path of the LiteLLM secrets engine this role belongs to"
|
||||
type = string
|
||||
}
|
||||
|
||||
variable "models" {
|
||||
description = "Models a generated key may access. Empty means unrestricted"
|
||||
type = list(string)
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_budget" {
|
||||
description = "Spending limit applied to each generated key. 0 means unlimited"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "key_alias_prefix" {
|
||||
description = "Prefix for the auto-generated key alias"
|
||||
type = string
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "ttl" {
|
||||
description = "Default lease TTL in seconds for keys generated from this role"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "max_ttl" {
|
||||
description = "Maximum lease TTL in seconds for keys generated from this role"
|
||||
type = number
|
||||
default = null
|
||||
}
|
||||
|
||||
variable "metadata" {
|
||||
description = "Metadata attached to each generated key"
|
||||
type = map(string)
|
||||
default = null
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user