unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: unkin:b51617c009669cdf97b0828b17ca2773928a4def
Branches Tags
unkin:master
..
compare: unkin:66ee6430fa8bd6fc9774cbac54879c75e90c009b
Branches Tags
unkin:master

No commits in common. "b51617c009669cdf97b0828b17ca2773928a4def" and "66ee6430fa8bd6fc9774cbac54879c75e90c009b" have entirely different histories.
b51617c009 ... 66ee6430fa

30 changed files with 24 additions and 318 deletions
Show Stats Expand all files Collapse all files

4
.pre-commit-config.yaml
View File

@ -9,8 +9,8 @@ repos:
- repo: https://github.com/gruntwork-io/pre-commit - repo: https://github.com/gruntwork-io/pre-commit
rev: v0.1.30 rev: v0.1.30
hooks: hooks:
- id: tofu-fmt - id: terraform-fmt
- id: tofu-validate - id: terraform-validate
- id: tflint - id: tflint
- id: terragrunt-hcl-fmt - id: terragrunt-hcl-fmt
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git

4
Makefile
View File

@ -23,7 +23,7 @@ apply: init
@terragrunt run --all --parallelism 2 --non-interactive apply @terragrunt run --all --parallelism 2 --non-interactive apply
format: format:
@echo "Formatting OpenTofu files..." @echo "Formatting Terraform files..."
@tofu fmt -recursive . @terraform fmt -recursive .
@echo "Formatting Terragrunt files..." @echo "Formatting Terragrunt files..."
@terragrunt hcl fmt @terragrunt hcl fmt

4
config/config.hcl
View File

@ -169,7 +169,7 @@ locals {
} }
consul_secret_backend = { consul_secret_backend = {
for file_path, content in local.all_configs : for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "consul_secret_backend/", ""), ".yaml") => content trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "consul_secret_backend/") if startswith(file_path, "consul_secret_backend/")
} }
consul_secret_backend_role = { consul_secret_backend_role = {
@ -186,4 +186,4 @@ locals {
if startswith(file_path, "pki_mount_only/") if startswith(file_path, "pki_mount_only/")
} }
} }
} }

7
config/consul_secret_backend/consul_root/au/syd1.yaml
View File

@ -1,7 +0,0 @@
description: "consul secret engine for au-syd1 cluster"
default_lease_ttl_seconds: 600
max_lease_ttl_seconds: 86400
address: "consul.service.au-syd1.consul"
scheme: https
bootstrap: false
datacenter: au-syd1

5
config/consul_secret_backend_role/consul_root/au/syd1/terraform-incus.yaml
View File

@ -1,5 +0,0 @@
consul_roles:
- terraform-incus
ttl: 300
max_ttl: 600
datacenters: []

5
config/consul_secret_backend_role/consul_root/au/syd1/terraform-k8s.yaml
View File

@ -1,5 +0,0 @@
consul_roles:
- terraform-k8s
ttl: 120
max_ttl: 300
datacenters: []

5
config/consul_secret_backend_role/consul_root/au/syd1/terraform-nomad.yaml
View File

@ -1,5 +0,0 @@
consul_roles:
- terraform-nomad
ttl: 120
max_ttl: 300
datacenters: []

5
config/consul_secret_backend_role/consul_root/au/syd1/terraform-repoflow.yaml
View File

@ -1,5 +0,0 @@
consul_roles:
- terraform-repoflow
ttl: 120
max_ttl: 300
datacenters: []

5
config/consul_secret_backend_role/consul_root/au/syd1/terraform-vault.yaml
View File

@ -1,5 +0,0 @@
consul_roles:
- terraform-vault
ttl: 120
max_ttl: 300
datacenters: []

18
environments/au/syd1/terragrunt.hcl
View File

@ -13,11 +13,6 @@ include "policies" {
expose = true expose = true
} }
include "resources" {
path = "${get_repo_root()}/resources/resources.hcl"
expose = true
}
locals { locals {
# Extract country and region from path # Extract country and region from path
path_parts = split("/", dirname(get_terragrunt_dir())) path_parts = split("/", dirname(get_terragrunt_dir()))
@ -29,16 +24,6 @@ locals {
# Include policies from policies.hcl # Include policies from policies.hcl
policies = include.policies.locals policies = include.policies.locals
# Include resources from resources.hcl
resources = include.resources.locals
# Create sanitized backend name mapping for Consul providers
# Provider aliases can't contain slashes, so replace them with underscores
consul_backend_aliases = {
for backend_name, _ in local.config.consul_secret_backend :
backend_name => replace(backend_name, "/", "_")
}
} }
terraform { terraform {
@ -72,7 +57,4 @@ inputs = {
# Pass policy maps to vault_cluster module # Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map policy_rules_map = local.policies.policy_rules_map
# Pass sanitized consul backend aliases for provider configuration
consul_backend_aliases = local.consul_backend_aliases
} }

17
environments/root.hcl
View File

@ -3,14 +3,27 @@ generate "backend" {
path = "backend.tf" path = "backend.tf"
if_exists = "overwrite" if_exists = "overwrite"
contents = <<EOF contents = <<EOF
#-------------------------------------------
# locals
#-------------------------------------------
locals { locals {
vault_addr = "https://vault.service.consul:8200" vault_addr = "https://vault.service.consul:8200"
} }
#-----------------------------------------------------------------------------
# Configure this provider through the environment variables:
# - VAULT_ADDR
# - VAULT_TOKEN
#-----------------------------------------------------------------------------
provider "vault" { provider "vault" {
address = local.vault_addr address = local.vault_addr
} }
#------------------------------------------------------------------------------
# Use remote state file and encrypt it since your state files may contains
# sensitive data.
# export CONSUL_HTTP_TOKEN=<your-token>
#------------------------------------------------------------------------------
terraform { terraform {
backend "consul" { backend "consul" {
address = "https://consul.service.consul" address = "https://consul.service.consul"
@ -25,10 +38,6 @@ terraform {
source = "hashicorp/vault" source = "hashicorp/vault"
version = "5.6.0" version = "5.6.0"
} }
consul = {
source = "hashicorp/consul"
version = "2.23.0"
}
} }
} }
EOF EOF

26
modules/vault_cluster/main.tf
View File

@ -237,29 +237,6 @@ module "consul_secret_backend" {
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
} }
# Create data sources for consul backend tokens
data "vault_kv_secret_v2" "consul_backend_configs" {
for_each = {
for k, v in var.consul_secret_backend : k => v
if !v.bootstrap
}
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
}
# Create Consul ACL management module
module "consul_acl_management" {
source = "./modules/consul_acl_management"
country = var.country
region = var.region
consul_backends = var.consul_secret_backend
consul_roles = var.consul_secret_backend_role
consul_backend_aliases = var.consul_backend_aliases
}
# Create consul secret backend roles (Vault resources only)
module "consul_secret_backend_role" { module "consul_secret_backend_role" {
source = "./modules/consul_secret_backend_role" source = "./modules/consul_secret_backend_role"
@ -272,7 +249,7 @@ module "consul_secret_backend_role" {
max_ttl = each.value.max_ttl max_ttl = each.value.max_ttl
local = each.value.local local = each.value.local
depends_on = [module.consul_secret_backend, module.consul_acl_management] depends_on = [module.consul_secret_backend]
} }
module "kubernetes_secret_backend" { module "kubernetes_secret_backend" {
@ -337,4 +314,3 @@ module "pki_mount_only" {
enable_delta = each.value.enable_delta enable_delta = each.value.enable_delta
delta_rebuild_interval = each.value.delta_rebuild_interval delta_rebuild_interval = each.value.delta_rebuild_interval
} }

7
modules/vault_cluster/modules/consul_acl_management/.tflint.hcl
View File

@ -1,7 +0,0 @@
rule "terraform_required_providers" {
enabled = false
}
rule "terraform_required_version" {
enabled = false
}

58
modules/vault_cluster/modules/consul_acl_management/main.tf
View File

@ -1,58 +0,0 @@
# Get consul backend tokens from Vault
data "vault_kv_secret_v2" "consul_backend_configs" {
for_each = var.consul_backends
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
}
# Create consul provider instances for each consul backend
provider "consul" {
alias = "by_backend"
for_each = var.consul_backend_aliases
address = var.consul_backends[each.key].address
scheme = var.consul_backends[each.key].scheme
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
token = data.vault_kv_secret_v2.consul_backend_configs[each.key].data["token"]
}
# Create Consul ACL policies
resource "consul_acl_policy" "policies" {
for_each = var.consul_roles
provider = consul.by_backend[each.value.backend]
name = each.value.name
description = each.value.description != null ? each.value.description : "Auto-generated policy for Vault role ${each.value.name}"
rules = file("${path.module}/../../../../../../../../resources/secret_backend/${each.value.backend}/${each.value.name}.hcl")
datacenters = each.value.datacenters
}
# Create Consul ACL roles
resource "consul_acl_role" "roles" {
for_each = var.consul_roles
provider = consul.by_backend[each.value.backend]
name = each.value.name
description = each.value.description != null ? each.value.description : "Auto-generated role for Vault role ${each.value.name}"
policies = [consul_acl_policy.policies[each.key].name]
dynamic "service_identities" {
for_each = each.value.service_identities != null ? each.value.service_identities : []
content {
service_name = service_identities.value.service_name
datacenters = service_identities.value.datacenters
}
}
dynamic "node_identities" {
for_each = each.value.node_identities != null ? each.value.node_identities : []
content {
node_name = node_identities.value.node_name
datacenter = node_identities.value.datacenter
}
}
}

9
modules/vault_cluster/modules/consul_acl_management/outputs.tf
View File

@ -1,9 +0,0 @@
output "consul_acl_policies" {
description = "Map of created Consul ACL policies"
value = consul_acl_policy.policies
}
output "consul_acl_roles" {
description = "Map of created Consul ACL roles"
value = consul_acl_role.roles
}

46
modules/vault_cluster/modules/consul_acl_management/variables.tf
View File

@ -1,46 +0,0 @@
variable "consul_backends" {
description = "Map of consul secret backends"
type = map(object({
address = string
scheme = string
bootstrap = bool
bootstrap_token = optional(string)
ca_cert = optional(string)
client_cert = optional(string)
client_key = optional(string)
}))
}
variable "consul_roles" {
description = "Map of consul secret backend roles"
type = map(object({
name = string
backend = string
description = optional(string)
datacenters = optional(list(string))
service_identities = optional(list(object({
service_name = string
datacenters = optional(list(string))
})))
node_identities = optional(list(object({
node_name = string
datacenter = string
})))
}))
}
variable "consul_backend_aliases" {
description = "Map of consul backend names to sanitized provider aliases"
type = map(string)
default = {}
}
variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}

2
modules/vault_cluster/modules/consul_secret_backend/main.tf
View File

@ -18,4 +18,4 @@ resource "vault_consul_secret_backend" "consul" {
client_key = var.client_key client_key = var.client_key
default_lease_ttl_seconds = var.default_lease_ttl_seconds default_lease_ttl_seconds = var.default_lease_ttl_seconds
max_lease_ttl_seconds = var.max_lease_ttl_seconds max_lease_ttl_seconds = var.max_lease_ttl_seconds
} }

5
modules/vault_cluster/modules/consul_secret_backend_role/main.tf
View File

@ -1,9 +1,8 @@
# Create Vault Consul secret backend role
resource "vault_consul_secret_backend_role" "role" { resource "vault_consul_secret_backend_role" "role" {
backend = var.backend backend = var.backend
name = var.name name = var.name
consul_roles = [var.name] # Use the role name created by consul_acl_management module consul_roles = var.consul_roles
ttl = var.ttl ttl = var.ttl
max_ttl = var.max_ttl max_ttl = var.max_ttl
local = var.local local = var.local
} }

3
modules/vault_cluster/modules/consul_secret_backend_role/variables.tf
View File

@ -32,5 +32,4 @@ variable "local" {
description = "Whether tokens should be local to the datacenter" description = "Whether tokens should be local to the datacenter"
type = bool type = bool
default = false default = false
} }

18
modules/vault_cluster/variables.tf
View File

@ -226,7 +226,6 @@ variable "consul_secret_backend" {
description = optional(string) description = optional(string)
address = string address = string
bootstrap = optional(bool, false) bootstrap = optional(bool, false)
bootstrap_token = optional(string)
scheme = optional(string, "https") scheme = optional(string, "https")
ca_cert = optional(string) ca_cert = optional(string)
client_cert = optional(string) client_cert = optional(string)
@ -246,26 +245,10 @@ variable "consul_secret_backend_role" {
ttl = optional(number) ttl = optional(number)
max_ttl = optional(number) max_ttl = optional(number)
local = optional(bool, false) local = optional(bool, false)
datacenters = optional(list(string))
description = optional(string)
service_identities = optional(list(object({
service_name = string
datacenters = optional(list(string))
})))
node_identities = optional(list(object({
node_name = string
datacenter = string
})))
})) }))
default = {} default = {}
} }
variable "consul_backend_aliases" {
description = "Map of consul backend names to sanitized provider aliases"
type = map(string)
default = {}
}
variable "kubernetes_secret_backend" { variable "kubernetes_secret_backend" {
description = "Map of Kubernetes secret engines to create" description = "Map of Kubernetes secret engines to create"
type = map(object({ type = map(object({
@ -304,4 +287,3 @@ variable "policy_rules_map" {
}))) })))
default = {} default = {}
} }

10
policies/consul_root/au/syd1/creds/terraform-incus.yaml
View File

@ -1,10 +0,0 @@
# generate credentials for the terraform-incus role in consul
---
rules:
- path: "consul_root/au/syd1/creds/terraform-incus"
capabilities:
- read
auth:
approle:
- terraform_incus

10
policies/consul_root/au/syd1/creds/terraform-k8s.yaml
View File

@ -1,10 +0,0 @@
# generate credentials for the terraform-k8s role in consul
---
rules:
- path: "consul_root/au/syd1/creds/terraform-k8s"
capabilities:
- read
auth:
approle:
- terraform_k8s

10
policies/consul_root/au/syd1/creds/terraform-nomad.yaml
View File

@ -1,10 +0,0 @@
# generate credentials for the terraform-nomad role in consul
---
rules:
- path: "consul_root/au/syd1/creds/terraform-nomad"
capabilities:
- read
auth:
approle:
- terraform_nomad

10
policies/consul_root/au/syd1/creds/terraform-repoflow.yaml
View File

@ -1,10 +0,0 @@
# generate credentials for the terraform-repoflow role in consul
---
rules:
- path: "consul_root/au/syd1/creds/terraform-repoflow"
capabilities:
- read
auth:
approle:
- terraform_repoflow

10
policies/consul_root/au/syd1/creds/terraform-vault.yaml
View File

@ -1,10 +0,0 @@
# generate credentials for the terraform-vault role in consul
---
rules:
- path: "consul_root/au/syd1/creds/terraform-vault"
capabilities:
- read
auth:
approle:
- tf_vault

7
resources/secret_backend/consul_root/au/syd1/terraform-incus.hcl
View File

@ -1,7 +0,0 @@
key_prefix "infra/terraform/incus/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}

7
resources/secret_backend/consul_root/au/syd1/terraform-k8s.hcl
View File

@ -1,7 +0,0 @@
key_prefix "infra/terraform/k8s/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}

7
resources/secret_backend/consul_root/au/syd1/terraform-nomad.hcl
View File

@ -1,7 +0,0 @@
key_prefix "infra/terraform/nomad/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}

7
resources/secret_backend/consul_root/au/syd1/terraform-repoflow.hcl
View File

@ -1,7 +0,0 @@
key_prefix "infra/terraform/repoflow/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}

11
resources/secret_backend/consul_root/au/syd1/terraform-vault.hcl
View File

@ -1,11 +0,0 @@
key_prefix "infra/terraform/state" {
policy = "write"
}
key_prefix "infra/terraform/vault/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}