Compare commits
71 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 65f844cbe1 | |||
| b9632f39e4 | |||
| bb5f6922fa | |||
| f5803605d6 | |||
| 2c4d0d7f64 | |||
| a29ff9fe6a | |||
| 12680f93cd | |||
| 132e5ea4d9 | |||
| 346cf9fa43 | |||
| 1288057b81 | |||
| 3876fa818d | |||
| a548bf1cb1 | |||
| 93ba86baf3 | |||
| 098830c10b | |||
| 9cbac6d3ef | |||
| 73aaaaeb99 | |||
| 7c60a5fd53 | |||
| 27f12f183e | |||
| c61434b692 | |||
| 172ceac2fc | |||
| 48a4fd0dd1 | |||
| 4dc09547ef | |||
| 546a9efe44 | |||
| 679cec4bc1 | |||
| 71789f9f32 | |||
| 4cbcec58d3 | |||
| 9c93e185f8 | |||
| d6c8474bd3 | |||
| 42351000ee | |||
| f7d1330c37 | |||
| d9e07e432e | |||
| 14a258de7d | |||
| be8bcc3743 | |||
| dc257b1bcd | |||
| 66119e5207 | |||
| 9e6de4dc32 | |||
| 7cafafd483 | |||
| c94b2af196 | |||
| dd44146d88 | |||
| 18a62332f6 | |||
| 8fa68e2670 | |||
| 4cad39989f | |||
| c825962490 | |||
| 51bc3fffc0 | |||
| dca26029c0 | |||
| d398911108 | |||
| c093d5830d | |||
| 4b176846f2 | |||
| 90b765d713 | |||
| 3fb5a64a17 | |||
| 33a746e545 | |||
| 4fe0e0de73 | |||
| a47f841028 | |||
| 9192879c03 | |||
| 5cdf6b410d | |||
| b51617c009 | |||
| 66ee6430fa | |||
| fd03727ec2 | |||
| 5536869a38 | |||
| f8f1185b42 | |||
| 75e9db1aa6 | |||
| f47804ffdf | |||
| 24c124d6eb | |||
| 9d54b4cfcc | |||
| 33af7010fb | |||
| cb1b383035 | |||
| f6d06cb319 | |||
| 1c9e063310 | |||
| 8070b6f66b | |||
| b115b7d28a | |||
| 25e3d48337 |
@@ -1,3 +1,4 @@
|
||||
.terraform
|
||||
.terraform.lock.hcl
|
||||
env
|
||||
.terragrunt-cache
|
||||
|
||||
@@ -1,9 +1,16 @@
|
||||
repos:
|
||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||
rev: v4.4.0
|
||||
hooks:
|
||||
- id: end-of-file-fixer
|
||||
types: [yaml]
|
||||
- id: trailing-whitespace
|
||||
types: [yaml]
|
||||
- repo: https://github.com/gruntwork-io/pre-commit
|
||||
rev: v0.1.30
|
||||
hooks:
|
||||
- id: terraform-fmt
|
||||
- id: terraform-validate
|
||||
- id: tofu-fmt
|
||||
- id: tofu-validate
|
||||
- id: tflint
|
||||
- id: terragrunt-hcl-fmt
|
||||
- repo: https://github.com/adrienverge/yamllint.git
|
||||
|
||||
@@ -0,0 +1,23 @@
|
||||
when:
|
||||
- event: push
|
||||
branch: master
|
||||
|
||||
steps:
|
||||
- name: apply
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
environment:
|
||||
VAULT_AUTH_METHOD: kubernetes
|
||||
commands:
|
||||
- dnf install vault -y
|
||||
- make plan
|
||||
- make apply
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: terraform-vault
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,21 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: plan
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
environment:
|
||||
VAULT_AUTH_METHOD: kubernetes
|
||||
commands:
|
||||
- dnf install vault -y
|
||||
- make plan
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: terraform-vault
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -0,0 +1,18 @@
|
||||
when:
|
||||
- event: pull_request
|
||||
|
||||
steps:
|
||||
- name: pre-commit
|
||||
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||
commands:
|
||||
- uvx pre-commit run --all-files
|
||||
backend_options:
|
||||
kubernetes:
|
||||
serviceAccountName: default
|
||||
resources:
|
||||
requests:
|
||||
memory: 512Mi
|
||||
cpu: 1
|
||||
limits:
|
||||
memory: 2Gi
|
||||
cpu: 2
|
||||
@@ -1,20 +1,35 @@
|
||||
.PHONY: init plan apply help
|
||||
.PHONY: init plan apply format
|
||||
|
||||
# Default target
|
||||
help:
|
||||
@echo "Available targets:"
|
||||
@echo " init - Initialize Terraform"
|
||||
@echo " plan - Plan Terraform changes"
|
||||
@echo " apply - Apply Terraform changes"
|
||||
VAULT_AUTH_METHOD ?= approle
|
||||
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
|
||||
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
|
||||
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||
|
||||
# Define vault_env function to set up vault environment
|
||||
define vault_env
|
||||
@export VAULT_ADDR="https://vault.service.consul:8200" && \
|
||||
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
|
||||
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
|
||||
else \
|
||||
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
|
||||
fi && \
|
||||
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
|
||||
endef
|
||||
|
||||
init:
|
||||
@echo "Sourcing environment and initializing Terraform..."
|
||||
@source ./env && terraform init
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --non-interactive init -- -upgrade
|
||||
|
||||
plan:
|
||||
@echo "Sourcing environment and planning Terraform changes..."
|
||||
@source ./env && terraform plan
|
||||
plan: init
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --parallelism 4 --non-interactive plan
|
||||
|
||||
apply:
|
||||
@echo "Sourcing environment and applying Terraform changes..."
|
||||
@source ./env && terraform apply -auto-approve
|
||||
apply: init
|
||||
@$(call vault_env) && \
|
||||
terragrunt run --all --parallelism 2 --non-interactive apply
|
||||
|
||||
format:
|
||||
@echo "Formatting OpenTofu files..."
|
||||
@tofu fmt -recursive .
|
||||
@echo "Formatting Terragrunt files..."
|
||||
@terragrunt hcl fmt
|
||||
|
||||
@@ -1,15 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "certmanager" {
|
||||
role_name = "certmanager"
|
||||
bind_secret_id = false
|
||||
token_policies = ["pki_int/certmanager"]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "incus_cluster" {
|
||||
role_name = "incus_cluster"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/incus/incus-cluster-join-tokens"
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.13.77/32",
|
||||
"198.18.13.78/32",
|
||||
"198.18.13.79/32"
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "packer_builder" {
|
||||
role_name = "packer_builder"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/packer/packer_builder",
|
||||
]
|
||||
token_ttl = 300 # builds can take a few minutes
|
||||
token_max_ttl = 600
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "puppetapi" {
|
||||
role_name = "puppetapi"
|
||||
bind_secret_id = false
|
||||
token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "rpmbuilder" {
|
||||
role_name = "rpmbuilder"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"kv/service/github/neoloc/tokens/read-only-token/read",
|
||||
"kv/service/gitea/unkinben/tokens/read-only-packages/read",
|
||||
]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,9 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "rundeck-role" {
|
||||
role_name = "rundeck-role"
|
||||
bind_secret_id = true
|
||||
token_policies = ["rundeck/rundeck"]
|
||||
token_ttl = 1 * 3600
|
||||
token_max_ttl = 4 * 3600
|
||||
token_bound_cidrs = ["198.18.13.59/32"]
|
||||
secret_id_bound_cidrs = ["198.18.13.59/32"]
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "sshsign-host-role" {
|
||||
role_name = "sshsign-host-role"
|
||||
bind_secret_id = false
|
||||
token_policies = ["ssh-host-signer/sshsign-host-policy"]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "sshsigner" {
|
||||
role_name = "sshsigner"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"ssh-host-signer/sshsigner",
|
||||
"sshca_signhost"
|
||||
]
|
||||
token_ttl = 30
|
||||
token_max_ttl = 30
|
||||
token_bound_cidrs = [
|
||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
||||
]
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "terraform_incus" {
|
||||
role_name = "terraform_incus"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/terraform/incus",
|
||||
"kv/service/puppet/certificates/terraform_puppet_cert",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,16 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "terraform_nomad" {
|
||||
role_name = "terraform_nomad"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/terraform/nomad",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,17 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "terraform_repoflow" {
|
||||
role_name = "terraform_repoflow"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"kv/service/repoflow/unkinadmin/tokens/terraform/read",
|
||||
"kv/service/terraform/repoflow",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
"198.18.25.102/32",
|
||||
"198.18.26.91/32",
|
||||
"198.18.27.40/32",
|
||||
]
|
||||
}
|
||||
@@ -1,33 +0,0 @@
|
||||
resource "vault_approle_auth_backend_role" "tf_vault" {
|
||||
role_name = "tf_vault"
|
||||
bind_secret_id = false
|
||||
token_policies = [
|
||||
"default_access",
|
||||
"approle_token_create",
|
||||
"auth/approle/approle_role_admin",
|
||||
"auth/approle/approle_role_login",
|
||||
"auth/kubernetes/k8s_auth_admin",
|
||||
"auth/ldap/ldap_admin",
|
||||
"auth/token/auth_token_create",
|
||||
"auth/token/auth_token_self",
|
||||
"auth/token/auth_token_roles_admin",
|
||||
"kubernetes/au/config_admin",
|
||||
"kubernetes/au/roles_admin",
|
||||
"kv/service/glauth/services/svc_vault_read",
|
||||
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
|
||||
"kv/service/kubernetes/au/syd1/service_account_jwt/read",
|
||||
"pki_int/pki_int_roles_admin",
|
||||
"pki_root/pki_root_roles_admin",
|
||||
"ssh-host-signer/ssh-host-signer_roles_admin",
|
||||
"sshca/sshca_roles_admin",
|
||||
"sys/sys_auth_admin",
|
||||
"sys/sys_mounts_admin",
|
||||
"sys/sys_policy_admin",
|
||||
"transit/keys/admin",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_max_ttl = 120
|
||||
token_bound_cidrs = [
|
||||
"10.10.12.200/32",
|
||||
]
|
||||
}
|
||||
@@ -1,7 +0,0 @@
|
||||
#----------------------------
|
||||
# Enable approle auth method
|
||||
#----------------------------
|
||||
resource "vault_auth_backend" "approle" {
|
||||
type = "approle"
|
||||
path = "approle"
|
||||
}
|
||||
@@ -1,23 +0,0 @@
|
||||
#-----------------------------------
|
||||
# Enable kubernetes auth method
|
||||
#-----------------------------------
|
||||
resource "vault_auth_backend" "kubernetes" {
|
||||
type = "kubernetes"
|
||||
path = "kubernetes"
|
||||
}
|
||||
|
||||
# Data source to read the token_reviewer_jwt from Vault KV
|
||||
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
|
||||
mount = "kv"
|
||||
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
|
||||
}
|
||||
|
||||
# Configure Kubernetes auth backend
|
||||
resource "vault_kubernetes_auth_backend_config" "config" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
kubernetes_host = "https://api-k8s.service.consul:6443"
|
||||
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
|
||||
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
|
||||
disable_iss_validation = true
|
||||
use_annotations_as_alias_metadata = true
|
||||
}
|
||||
@@ -1,40 +0,0 @@
|
||||
#--------------------------------
|
||||
# Enable ldap auth method
|
||||
#--------------------------------
|
||||
|
||||
# retrieve the bindpass from Vault
|
||||
data "vault_generic_secret" "svc_vault" {
|
||||
path = "kv/service/glauth/services/svc_vault"
|
||||
}
|
||||
|
||||
# create the ldap backend
|
||||
resource "vault_ldap_auth_backend" "ldap" {
|
||||
path = "ldap"
|
||||
url = "ldap://ldap.service.consul"
|
||||
userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
|
||||
userattr = "uid"
|
||||
upndomain = "users.main.unkin.net"
|
||||
discoverdn = false
|
||||
groupdn = "ou=users,dc=main,dc=unkin,dc=net"
|
||||
groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
|
||||
groupattr = "uid"
|
||||
binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
|
||||
bindpass = data.vault_generic_secret.svc_vault.data["pass"]
|
||||
}
|
||||
|
||||
resource "vault_ldap_auth_backend_group" "vault_access" {
|
||||
groupname = "vault_access"
|
||||
policies = [
|
||||
"default_access",
|
||||
]
|
||||
backend = vault_ldap_auth_backend.ldap.path
|
||||
}
|
||||
|
||||
resource "vault_ldap_auth_backend_group" "vault_admin" {
|
||||
groupname = "vault_admin"
|
||||
policies = [
|
||||
"default_access",
|
||||
"global-admin",
|
||||
]
|
||||
backend = vault_ldap_auth_backend.ldap.path
|
||||
}
|
||||
@@ -1,118 +0,0 @@
|
||||
resource "vault_kubernetes_auth_backend_role" "default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "default"
|
||||
bound_service_account_names = ["default"]
|
||||
bound_service_account_namespaces = ["*"]
|
||||
token_ttl = 3600
|
||||
token_policies = [
|
||||
"default"
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "demo_default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "demo_default"
|
||||
bound_service_account_names = ["default"]
|
||||
bound_service_account_namespaces = ["demo"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/terraform/nomad"
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "huntarr-default"
|
||||
bound_service_account_names = ["default"]
|
||||
bound_service_account_namespaces = ["huntarr"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"pki_int/sign/servers_default",
|
||||
"pki_int/issue/servers_default",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "externaldns" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "externaldns"
|
||||
bound_service_account_names = ["externaldns"]
|
||||
bound_service_account_namespaces = ["externaldns"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/kubernetes/au/syd1/externaldns/tsig/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "cert-manager-issuer"
|
||||
bound_service_account_names = ["cert-manager-vault-issuer"]
|
||||
bound_service_account_namespaces = ["cert-manager"]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"pki_int/sign/servers_default",
|
||||
"pki_int/issue/servers_default",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "ceph-csi"
|
||||
bound_service_account_names = [
|
||||
"ceph-csi-rbd-csi-rbd-provisioner",
|
||||
"ceph-csi-cephfs-csi-cephfs-provisioner",
|
||||
]
|
||||
bound_service_account_namespaces = [
|
||||
"csi-cephrbd",
|
||||
"csi-cephfs",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
|
||||
"kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "media-apps" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "media-apps"
|
||||
bound_service_account_names = [
|
||||
"media-apps-vault-reader",
|
||||
]
|
||||
bound_service_account_namespaces = [
|
||||
"media-apps",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/media-apps/prowlarr/read",
|
||||
"kv/service/media-apps/radarr/read",
|
||||
"kv/service/media-apps/sonarr/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_auth_backend_role" "repoflow" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "repoflow"
|
||||
bound_service_account_names = [
|
||||
"default",
|
||||
]
|
||||
bound_service_account_namespaces = [
|
||||
"repoflow",
|
||||
]
|
||||
token_ttl = 60
|
||||
token_policies = [
|
||||
"kv/service/repoflow/au/syd1/ceph-s3/read",
|
||||
"kv/service/repoflow/au/syd1/elasticsearch/read",
|
||||
"kv/service/repoflow/au/syd1/hasura/read",
|
||||
"kv/service/repoflow/au/syd1/postgres/read",
|
||||
"kv/service/repoflow/au/syd1/repoflow-server/read",
|
||||
]
|
||||
audience = "vault"
|
||||
}
|
||||
@@ -0,0 +1,2 @@
|
||||
default_lease_ttl: 60s
|
||||
max_lease_ttl: 24h
|
||||
@@ -0,0 +1,11 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "198.18.25.5/32"
|
||||
- "198.18.26.3/32"
|
||||
- "198.18.27.89/32"
|
||||
- "198.18.28.8/32"
|
||||
- "198.18.29.33/32"
|
||||
- "198.18.29.239/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.13.77/32"
|
||||
- "198.18.13.78/32"
|
||||
- "198.18.13.79/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 300
|
||||
token_max_ttl: 600
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,11 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "198.18.25.5/32"
|
||||
- "198.18.26.3/32"
|
||||
- "198.18.27.89/32"
|
||||
- "198.18.28.8/32"
|
||||
- "198.18.29.33/32"
|
||||
- "198.18.29.239/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,6 @@
|
||||
token_ttl: 3600
|
||||
token_max_ttl: 14400
|
||||
bind_secret_id: true
|
||||
token_bound_cidrs:
|
||||
- "198.18.13.59/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,11 @@
|
||||
token_ttl: 30
|
||||
token_max_ttl: 30
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "198.18.25.5/32"
|
||||
- "198.18.26.3/32"
|
||||
- "198.18.27.89/32"
|
||||
- "198.18.28.8/32"
|
||||
- "198.18.29.33/32"
|
||||
- "198.18.29.239/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 120
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: true
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,9 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
- "198.18.25.102/32"
|
||||
- "198.18.26.91/32"
|
||||
- "198.18.27.40/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,6 @@
|
||||
token_ttl: 60
|
||||
token_max_ttl: 120
|
||||
bind_secret_id: false
|
||||
token_bound_cidrs:
|
||||
- "10.10.12.200/32"
|
||||
use_deterministic_role_id: false
|
||||
@@ -0,0 +1,5 @@
|
||||
kubernetes_host: https://api-k8s.service.consul:6443
|
||||
disable_iss_validation: true
|
||||
use_annotations_as_alias_metadata: false # doesnt work with openbao yet
|
||||
default_lease_ttl: 1h
|
||||
max_lease_ttl: 24h
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- artifactapi
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,9 @@
|
||||
bound_service_account_names:
|
||||
- ceph-csi-rbd-csi-rbd-provisioner
|
||||
- ceph-csi-cephfs-csi-cephfs-provisioner
|
||||
bound_service_account_namespaces:
|
||||
- csi-cephrbd
|
||||
- csi-cephfs
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- cert-manager-vault-issuer
|
||||
bound_service_account_namespaces:
|
||||
- cert-manager
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,6 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces: ['*']
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- externaldns
|
||||
bound_service_account_namespaces:
|
||||
- externaldns
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,8 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
- forgebot-operator
|
||||
bound_service_account_namespaces:
|
||||
- forgebot
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,6 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- huntarr
|
||||
token_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- identity
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- media-apps-vault-reader
|
||||
bound_service_account_namespaces:
|
||||
- media-apps
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- puppet
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- rancher
|
||||
bound_service_account_namespaces:
|
||||
- cattle-system
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- repoflow
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,8 @@
|
||||
# rpmbuilder is deployed in woodpeckerci
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- default
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: vault
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-git
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,7 @@
|
||||
bound_service_account_names:
|
||||
- terraform-vault
|
||||
bound_service_account_namespaces:
|
||||
- woodpecker
|
||||
token_ttl: 600
|
||||
token_max_ttl: 600
|
||||
audience: https://kubernetes.default.svc.cluster.local
|
||||
@@ -0,0 +1,10 @@
|
||||
userdn: "ou=people,ou=users,dc=main,dc=unkin,dc=net"
|
||||
userattr: "uid"
|
||||
upndomain: "users.main.unkin.net"
|
||||
discoverdn: false
|
||||
groupdn: "ou=users,dc=main,dc=unkin,dc=net"
|
||||
groupfilter: "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
|
||||
groupattr: "uid"
|
||||
username_as_alias: true
|
||||
default_lease_ttl: 24h
|
||||
max_lease_ttl: 168h
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,3 @@
|
||||
---
|
||||
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||
description: foo
|
||||
@@ -0,0 +1,189 @@
|
||||
# =============================================================================
|
||||
# VAULT MODULE CONFIGURATION SYSTEM
|
||||
# =============================================================================
|
||||
#
|
||||
# This file automatically discovers and organizes YAML configuration files
|
||||
# for Vault modules, creating structured configuration maps for Terraform.
|
||||
#
|
||||
# HOW IT WORKS:
|
||||
# 1. Scans all subdirectories for *.yaml files
|
||||
# 2. Groups files by module type based on directory structure
|
||||
# 3. Creates unique resource keys to prevent naming conflicts
|
||||
# 4. Adds computed fields like name, backend, etc. from file paths
|
||||
#
|
||||
# DIRECTORY STRUCTURE:
|
||||
# config/
|
||||
# ├── auth_approle_role/
|
||||
# │ └── approle/
|
||||
# │ ├── certmanager.yaml # Creates key: "approle/certmanager"
|
||||
# │ └── myapp.yaml # Creates key: "approle/myapp"
|
||||
# ├── auth_kubernetes_role/
|
||||
# │ └── k8s/au/syd1/
|
||||
# │ ├── default.yaml # Creates key: "k8s/au/syd1/default"
|
||||
# │ └── myapp.yaml # Creates key: "k8s/au/syd1/myapp"
|
||||
# └── kv_secret_backend/
|
||||
# ├── kv.yaml # Creates key: "kv"
|
||||
# └── secrets.yaml # Creates key: "secrets"
|
||||
#
|
||||
# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
|
||||
# ```yaml
|
||||
# token_ttl: 3600
|
||||
# token_max_ttl: 7200
|
||||
# bind_secret_id: true
|
||||
# token_bound_cidrs:
|
||||
# - "10.0.0.0/8"
|
||||
# ```
|
||||
#
|
||||
# This becomes:
|
||||
# ```hcl
|
||||
# auth_approle_role = {
|
||||
# "approle/myapp" = {
|
||||
# approle_name = "myapp" # Auto-computed from filename
|
||||
# mount_path = "approle" # Auto-computed from directory
|
||||
# token_ttl = 3600 # From YAML content
|
||||
# token_max_ttl = 7200 # From YAML content
|
||||
# bind_secret_id = true # From YAML content
|
||||
# token_bound_cidrs = ["10.0.0.0/8"]
|
||||
# }
|
||||
# }
|
||||
# ```
|
||||
#
|
||||
# KEY NAMING PATTERNS:
|
||||
# - Simple backends: filename only (e.g., "kv", "transit")
|
||||
# - Role-based resources: full path without extension (e.g., "approle/myapp")
|
||||
# - This ensures uniqueness when multiple backends have similar role names
|
||||
#
|
||||
# GENERATED OUTPUTS:
|
||||
# - config.auth_approle_backend, config.auth_approle_role, etc.
|
||||
# - Each module gets its own map with properly structured configuration
|
||||
#
|
||||
# =============================================================================
|
||||
|
||||
locals {
|
||||
# Find all YAML files in subdirectories
|
||||
config_files = fileset(".", "**/*.yaml")
|
||||
|
||||
# Create a flat map of all files with their content
|
||||
all_configs = {
|
||||
for file_path in local.config_files :
|
||||
file_path => yamldecode(file(file_path))
|
||||
}
|
||||
|
||||
# Group by module directory (first part of path)
|
||||
config = {
|
||||
auth_approle_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "auth_approle_backend/")
|
||||
}
|
||||
auth_approle_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, {
|
||||
approle_name = trimsuffix(basename(file_path), ".yaml")
|
||||
mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0]
|
||||
})
|
||||
if startswith(file_path, "auth_approle_role/")
|
||||
}
|
||||
auth_ldap_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "auth_ldap_backend/")
|
||||
}
|
||||
auth_ldap_group = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, {
|
||||
groupname = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0]
|
||||
})
|
||||
if startswith(file_path, "auth_ldap_group/")
|
||||
}
|
||||
auth_kubernetes_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "auth_kubernetes_backend/")
|
||||
}
|
||||
auth_kubernetes_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, {
|
||||
role_name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "auth_kubernetes_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "auth_kubernetes_role/")
|
||||
}
|
||||
kv_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "kv_secret_backend/")
|
||||
}
|
||||
transit_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "transit_secret_backend/")
|
||||
}
|
||||
transit_secret_backend_key = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "transit_secret_backend_key/", ""))
|
||||
})
|
||||
if startswith(file_path, "transit_secret_backend_key/")
|
||||
}
|
||||
ssh_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "ssh_secret_backend/")
|
||||
}
|
||||
ssh_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "ssh_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "ssh_secret_backend_role/")
|
||||
}
|
||||
pki_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "pki_secret_backend/")
|
||||
}
|
||||
pki_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "pki_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "pki_secret_backend_role/")
|
||||
}
|
||||
kubernetes_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "kubernetes_secret_backend/")
|
||||
}
|
||||
kubernetes_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "kubernetes_secret_backend_role/")
|
||||
}
|
||||
consul_secret_backend = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "consul_secret_backend/", ""), ".yaml") => content
|
||||
if startswith(file_path, "consul_secret_backend/")
|
||||
}
|
||||
consul_secret_backend_role = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||
name = trimsuffix(basename(file_path), ".yaml")
|
||||
backend = dirname(replace(file_path, "consul_secret_backend_role/", ""))
|
||||
})
|
||||
if startswith(file_path, "consul_secret_backend_role/")
|
||||
}
|
||||
pki_mount_only = {
|
||||
for file_path, content in local.all_configs :
|
||||
trimsuffix(basename(file_path), ".yaml") => content
|
||||
if startswith(file_path, "pki_mount_only/")
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,7 @@
|
||||
description: "consul secret engine for au-syd1 cluster"
|
||||
default_lease_ttl_seconds: 600
|
||||
max_lease_ttl_seconds: 86400
|
||||
address: "consul.service.au-syd1.consul"
|
||||
scheme: https
|
||||
bootstrap: false
|
||||
datacenter: au-syd1
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-git
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-incus
|
||||
ttl: 300
|
||||
max_ttl: 600
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-k8s
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-ldap
|
||||
ttl: 60
|
||||
max_ttl: 60
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-nomad
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-repoflow
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
consul_roles:
|
||||
- terraform-vault
|
||||
ttl: 120
|
||||
max_ttl: 300
|
||||
datacenters: []
|
||||
@@ -0,0 +1,5 @@
|
||||
description: "kubernetes secret engine for au-syd1 cluster"
|
||||
default_lease_ttl_seconds: 600
|
||||
max_lease_ttl_seconds: 86400
|
||||
kubernetes_host: "https://api-k8s.service.consul:6443"
|
||||
disable_local_ca_jwt: false
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "*"
|
||||
kubernetes_role_type: "ClusterRole"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "*"
|
||||
kubernetes_role_type: "ClusterRole"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "*"
|
||||
kubernetes_role_type: "ClusterRole"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
allowed_kubernetes_namespaces:
|
||||
- "media-apps"
|
||||
kubernetes_role_type: "Role"
|
||||
extra_labels: {}
|
||||
@@ -0,0 +1,4 @@
|
||||
type: kv-v2
|
||||
description: "Key-Value secrets engine"
|
||||
version: "2"
|
||||
max_versions: 10
|
||||
@@ -0,0 +1,4 @@
|
||||
type: kv-v2
|
||||
description: "Rundeck secrets engine"
|
||||
version: "2"
|
||||
max_versions: 5
|
||||
@@ -0,0 +1,17 @@
|
||||
description: "PKI Intermediate CA"
|
||||
max_lease_ttl_seconds: 157680000 # 43800 hours * 3600
|
||||
issuer_ref: "default"
|
||||
issuing_certificates:
|
||||
- "https://vault.service.consul:8200/v1/pki_int/ca"
|
||||
crl_distribution_points:
|
||||
- "https://vault.service.consul:8200/v1/pki_int/crl"
|
||||
ocsp_servers: []
|
||||
enable_templating: false
|
||||
default_issuer_ref: null
|
||||
default_follows_latest_issuer: false
|
||||
crl_expiry: "72h"
|
||||
crl_disable: false
|
||||
ocsp_disable: false
|
||||
auto_rebuild: false
|
||||
enable_delta: false
|
||||
delta_rebuild_interval: null
|
||||
@@ -0,0 +1,17 @@
|
||||
description: "PKI Root CA"
|
||||
max_lease_ttl_seconds: 315360000 # 10 years
|
||||
issuer_ref: "default"
|
||||
issuing_certificates:
|
||||
- "https://vault.service.consul:8200/v1/pki_root/ca"
|
||||
crl_distribution_points:
|
||||
- "https://vault.service.consul:8200/v1/pki_root/crl"
|
||||
ocsp_servers: []
|
||||
enable_templating: false
|
||||
default_issuer_ref: null
|
||||
default_follows_latest_issuer: false
|
||||
crl_expiry: "72h"
|
||||
crl_disable: false
|
||||
ocsp_disable: false
|
||||
auto_rebuild: false
|
||||
enable_delta: false
|
||||
delta_rebuild_interval: null
|
||||
@@ -0,0 +1,18 @@
|
||||
description: "PKI Root CA AU SYD1"
|
||||
max_lease_ttl_seconds: 315360000 # 87600 * 3600
|
||||
common_name: "unkin.net AU SYD1 Root CA"
|
||||
issuer_name: "UNKIN_AU_SYD1_ROOTCA_2024"
|
||||
ttl: 315360000 # 87600 * 3600
|
||||
format: "pem"
|
||||
issuing_certificates:
|
||||
- "https://vault.service.consul:8200/v1/pki/au/syd1/ca"
|
||||
crl_distribution_points:
|
||||
- "https://vault.service.consul:8200/v1/pki/au/syd1/crl"
|
||||
ocsp_servers: []
|
||||
enable_templating: false
|
||||
default_follows_latest_issuer: false
|
||||
crl_expiry: "72h"
|
||||
crl_disable: false
|
||||
ocsp_disable: false
|
||||
auto_rebuild: false
|
||||
enable_delta: false
|
||||
@@ -0,0 +1,16 @@
|
||||
allow_ip_sans: true
|
||||
allowed_domains:
|
||||
- "unkin.net"
|
||||
- "*.unkin.net"
|
||||
- "localhost"
|
||||
allow_subdomains: true
|
||||
allow_glob_domains: true
|
||||
allow_bare_domains: true
|
||||
enforce_hostnames: true
|
||||
allow_any_name: true
|
||||
max_ttl: 7776000 # 2160 * 3600
|
||||
key_bits: 4096
|
||||
country:
|
||||
- "Australia"
|
||||
use_csr_common_name: true
|
||||
use_csr_sans: true
|
||||
@@ -0,0 +1,16 @@
|
||||
allow_ip_sans: true
|
||||
allowed_domains:
|
||||
- "unkin.net"
|
||||
- "*.unkin.net"
|
||||
- "localhost"
|
||||
allow_subdomains: true
|
||||
allow_glob_domains: true
|
||||
allow_bare_domains: true
|
||||
enforce_hostnames: true
|
||||
allow_any_name: true
|
||||
max_ttl: 7776000 # 2160 * 3600
|
||||
key_bits: 4096
|
||||
country:
|
||||
- "Australia"
|
||||
use_csr_common_name: true
|
||||
use_csr_sans: true
|
||||
@@ -0,0 +1,14 @@
|
||||
allow_ip_sans: true
|
||||
allowed_domains:
|
||||
- "unkin.net"
|
||||
- "unkin.local"
|
||||
allow_subdomains: true
|
||||
allow_glob_domains: false
|
||||
allow_bare_domains: true
|
||||
enforce_hostnames: false
|
||||
allow_any_name: false
|
||||
max_ttl: 31536000 # 8760h in seconds
|
||||
key_bits: 2048
|
||||
country: []
|
||||
use_csr_common_name: true
|
||||
use_csr_sans: true
|
||||
@@ -0,0 +1,4 @@
|
||||
description: "SSH CA Engine"
|
||||
max_lease_ttl_seconds: 315360000 # 87600 * 3600
|
||||
generate_signing_key: true
|
||||
key_type: ssh-rsa
|
||||
@@ -0,0 +1,8 @@
|
||||
key_type: ca
|
||||
algorithm_signer: rsa-sha2-256
|
||||
ttl: 315360000 # 87600 * 3600
|
||||
allow_host_certificates: true
|
||||
allow_user_certificates: false
|
||||
allowed_domains: "main.unkin.net,consul"
|
||||
allow_subdomains: true
|
||||
allow_bare_domains: false
|
||||
@@ -0,0 +1,3 @@
|
||||
description: "Transit Engine"
|
||||
default_lease_ttl_seconds: 3600
|
||||
max_lease_ttl_seconds: 86400
|
||||
@@ -0,0 +1,5 @@
|
||||
type: aes256-gcm96
|
||||
deletion_allowed: false
|
||||
derived: false
|
||||
exportable: false
|
||||
allow_plaintext_backup: false
|
||||
@@ -1,72 +0,0 @@
|
||||
# Data source to read the service_token_jwt from Vault KV
|
||||
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
|
||||
mount = "kv"
|
||||
name = "service/kubernetes/au/syd1/service_account_jwt"
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
|
||||
path = "kubernetes/au/syd1"
|
||||
description = "kubernetes secret engine for au-syd1 cluster"
|
||||
default_lease_ttl_seconds = 600
|
||||
max_lease_ttl_seconds = 86400
|
||||
kubernetes_host = "https://api-k8s.service.consul:6443"
|
||||
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
|
||||
service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
|
||||
disable_local_ca_jwt = false
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
|
||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
||||
name = "vault-media-apps-operator"
|
||||
allowed_kubernetes_namespaces = ["media-apps"]
|
||||
kubernetes_role_type = "Role"
|
||||
|
||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
|
||||
|
||||
extra_labels = {
|
||||
vault-region = "au-syd1"
|
||||
vault-role = "vault-media-apps-operator"
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
|
||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
||||
name = "vault-cluster-operator"
|
||||
allowed_kubernetes_namespaces = ["*"]
|
||||
kubernetes_role_type = "ClusterRole"
|
||||
|
||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
|
||||
|
||||
extra_labels = {
|
||||
vault-region = "au-syd1"
|
||||
vault-role = "vault-cluster-operator"
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
|
||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
||||
name = "vault-cluster-admin"
|
||||
allowed_kubernetes_namespaces = ["*"]
|
||||
kubernetes_role_type = "ClusterRole"
|
||||
|
||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
|
||||
|
||||
extra_labels = {
|
||||
vault-region = "au-syd1"
|
||||
vault-role = "vault-cluster-admin"
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
|
||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
||||
name = "vault-cluster-root"
|
||||
allowed_kubernetes_namespaces = ["*"]
|
||||
kubernetes_role_type = "ClusterRole"
|
||||
|
||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
|
||||
|
||||
extra_labels = {
|
||||
vault-region = "au-syd1"
|
||||
vault-role = "vault-cluster-root"
|
||||
}
|
||||
}
|
||||
@@ -1,15 +0,0 @@
|
||||
#--------------------------------------------------------------
|
||||
# kv
|
||||
# create engine
|
||||
#--------------------------------------------------------------
|
||||
resource "vault_mount" "kv" {
|
||||
path = "kv"
|
||||
type = "kv"
|
||||
listing_visibility = "hidden"
|
||||
max_lease_ttl_seconds = 0
|
||||
external_entropy_access = false
|
||||
seal_wrap = false
|
||||
options = {
|
||||
version = "2"
|
||||
}
|
||||
}
|
||||
@@ -1,49 +0,0 @@
|
||||
#--------------------------------------------------------------
|
||||
# pki_int
|
||||
# create engine
|
||||
# generate intermediate csa
|
||||
# sign the intermediate against rootca
|
||||
# set the signed intermediate cert in the pki_int engine
|
||||
#--------------------------------------------------------------
|
||||
resource "vault_mount" "pki_int" {
|
||||
path = "pki_int"
|
||||
type = "pki"
|
||||
description = "PKI Intermediate CA"
|
||||
max_lease_ttl_seconds = 43800 * 3600 # 43800 hours
|
||||
}
|
||||
|
||||
## Generate the intermediate CSR
|
||||
#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" {
|
||||
# backend = vault_mount.pki_int.path
|
||||
# common_name = "unkin.net Intermediate Authority"
|
||||
# format = "pem"
|
||||
# type = "internal"
|
||||
#}
|
||||
#
|
||||
## Sign the intermediate CSR using the root CA
|
||||
#resource "vault_generic_endpoint" "pki_root_sign_intermediate" {
|
||||
# path = "${vault_mount.pki_root.path}/root/sign-intermediate"
|
||||
#
|
||||
# data_json = jsonencode({
|
||||
# csr = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr,
|
||||
# format = "pem_bundle",
|
||||
# ttl = "43800h",
|
||||
# issuer_ref = "UNKIN_ROOTCA_2024"
|
||||
# })
|
||||
#}
|
||||
#
|
||||
## Decode the certificate from the response
|
||||
#locals {
|
||||
# intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"]
|
||||
#}
|
||||
#
|
||||
## Set the signed intermediate certificate
|
||||
#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" {
|
||||
# backend = vault_mount.pki_int.path
|
||||
# certificate = local.intermediate_signed_cert
|
||||
#}
|
||||
|
||||
#data "vault_pki_secret_backend_issuer" "pki_int_issuer" {
|
||||
# backend = vault_mount.pki_int.path
|
||||
# issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id
|
||||
#}
|
||||
@@ -1,39 +0,0 @@
|
||||
#-------------------------------------------
|
||||
# pki_root:
|
||||
# create engine
|
||||
# generate rootca certificate
|
||||
# read the issuer
|
||||
# configure the pki urls
|
||||
#-------------------------------------------
|
||||
resource "vault_mount" "pki_root" {
|
||||
path = "pki_root"
|
||||
type = "pki"
|
||||
description = "PKI Root CA"
|
||||
max_lease_ttl_seconds = 87600 * 3600 # 87600h
|
||||
}
|
||||
|
||||
#resource "vault_pki_secret_backend_root_cert" "pki_root_root_cert" {
|
||||
# backend = vault_mount.pki_root.path
|
||||
# common_name = "unkin.net"
|
||||
# issuer_name = "UNKIN_ROOTCA_2024"
|
||||
# ttl = 87600 * 3600
|
||||
# format = "pem"
|
||||
# type = "internal"
|
||||
#}
|
||||
#
|
||||
#output "root_certificate" {
|
||||
# value = vault_pki_secret_backend_root_cert.pki_root_root_cert.certificate
|
||||
# sensitive = true
|
||||
#}
|
||||
|
||||
data "vault_pki_secret_backend_issuer" "pki_root_issuer" {
|
||||
backend = vault_mount.pki_root.path
|
||||
issuer_ref = "default"
|
||||
}
|
||||
|
||||
resource "vault_pki_secret_backend_config_urls" "pki_root_urls" {
|
||||
backend = vault_mount.pki_root.path
|
||||
|
||||
issuing_certificates = ["${local.vault_addr}/v1/pki_root/ca"]
|
||||
crl_distribution_points = ["${local.vault_addr}/v1/pki_root/crl"]
|
||||
}
|
||||
@@ -1,14 +0,0 @@
|
||||
#--------------------------------------------------------------
|
||||
# rundeck
|
||||
# create engine
|
||||
#--------------------------------------------------------------
|
||||
resource "vault_mount" "rundeck" {
|
||||
path = "rundeck"
|
||||
type = "kv"
|
||||
max_lease_ttl_seconds = 0
|
||||
external_entropy_access = false
|
||||
seal_wrap = false
|
||||
options = {
|
||||
version = "2"
|
||||
}
|
||||
}
|
||||
@@ -1,18 +0,0 @@
|
||||
#--------------------------------------------------------------
|
||||
# ssh-host-signer
|
||||
# create engine
|
||||
# generate ca cert
|
||||
# tune the ssh engine
|
||||
#--------------------------------------------------------------
|
||||
#resource "vault_mount" "ssh_host_signer" {
|
||||
# path = "ssh-host-signer"
|
||||
# type = "ssh"
|
||||
# description = "SSH Host Signing Engine"
|
||||
# max_lease_ttl_seconds = 87600 * 3600
|
||||
#}
|
||||
#
|
||||
#resource "vault_ssh_secret_backend_ca" "ssh_host_signer_ca" {
|
||||
# backend = vault_mount.ssh_host_signer.path
|
||||
# generate_signing_key = false # change to true for new configuration
|
||||
# key_type = "ssh-rsa"
|
||||
#}
|
||||
@@ -1,18 +0,0 @@
|
||||
#--------------------------------------------------------------
|
||||
# ssh
|
||||
# create engine
|
||||
# generate ca cert
|
||||
# tune the ssh engine
|
||||
#--------------------------------------------------------------
|
||||
resource "vault_mount" "sshca" {
|
||||
path = "sshca"
|
||||
type = "ssh"
|
||||
description = "SSH CA Engine"
|
||||
max_lease_ttl_seconds = 87600 * 3600
|
||||
}
|
||||
|
||||
resource "vault_ssh_secret_backend_ca" "ssh_ca" {
|
||||
backend = vault_mount.sshca.path
|
||||
generate_signing_key = true
|
||||
key_type = "ssh-rsa"
|
||||
}
|
||||
@@ -1,13 +0,0 @@
|
||||
resource "vault_mount" "transit" {
|
||||
path = "transit"
|
||||
type = "transit"
|
||||
description = "Transit Engine"
|
||||
default_lease_ttl_seconds = 3600
|
||||
max_lease_ttl_seconds = 86400
|
||||
}
|
||||
|
||||
resource "vault_transit_secret_backend_key" "key" {
|
||||
backend = vault_mount.transit.path
|
||||
name = "au-syd1-k8s-vso"
|
||||
type = "aes256-gcm96"
|
||||
}
|
||||
@@ -0,0 +1,78 @@
|
||||
include "root" {
|
||||
path = find_in_parent_folders("root.hcl")
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "config" {
|
||||
path = "${get_repo_root()}/config/config.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "policies" {
|
||||
path = "${get_repo_root()}/policies/policies.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
include "resources" {
|
||||
path = "${get_repo_root()}/resources/resources.hcl"
|
||||
expose = true
|
||||
}
|
||||
|
||||
locals {
|
||||
# Extract country and region from path
|
||||
path_parts = split("/", dirname(get_terragrunt_dir()))
|
||||
country = basename(dirname(get_terragrunt_dir())) # "au"
|
||||
region = basename(get_terragrunt_dir()) # "syd1"
|
||||
|
||||
# Include configuration from config.hcl
|
||||
config = include.config.locals.config
|
||||
|
||||
# Include policies from policies.hcl
|
||||
policies = include.policies.locals
|
||||
|
||||
# Include resources from resources.hcl
|
||||
resources = include.resources.locals
|
||||
|
||||
# Create sanitized backend name mapping for Consul providers
|
||||
# Provider aliases can't contain slashes, so replace them with underscores
|
||||
consul_backend_aliases = {
|
||||
for backend_name, _ in local.config.consul_secret_backend :
|
||||
backend_name => replace(backend_name, "/", "_")
|
||||
}
|
||||
}
|
||||
|
||||
terraform {
|
||||
source = "../../../modules/vault_cluster"
|
||||
}
|
||||
|
||||
inputs = {
|
||||
country = local.country
|
||||
region = local.region
|
||||
|
||||
# Pass configuration maps to vault_cluster module
|
||||
auth_approle_backend = local.config.auth_approle_backend
|
||||
auth_approle_role = local.config.auth_approle_role
|
||||
auth_ldap_backend = local.config.auth_ldap_backend
|
||||
auth_ldap_group = local.config.auth_ldap_group
|
||||
auth_kubernetes_backend = local.config.auth_kubernetes_backend
|
||||
auth_kubernetes_role = local.config.auth_kubernetes_role
|
||||
kv_secret_backend = local.config.kv_secret_backend
|
||||
transit_secret_backend = local.config.transit_secret_backend
|
||||
transit_secret_backend_key = local.config.transit_secret_backend_key
|
||||
ssh_secret_backend = local.config.ssh_secret_backend
|
||||
ssh_secret_backend_role = local.config.ssh_secret_backend_role
|
||||
pki_secret_backend = local.config.pki_secret_backend
|
||||
pki_secret_backend_role = local.config.pki_secret_backend_role
|
||||
consul_secret_backend = local.config.consul_secret_backend
|
||||
consul_secret_backend_role = local.config.consul_secret_backend_role
|
||||
kubernetes_secret_backend = local.config.kubernetes_secret_backend
|
||||
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
|
||||
pki_mount_only = local.config.pki_mount_only
|
||||
|
||||
# Pass policy maps to vault_cluster module
|
||||
policy_auth_map = local.policies.policy_auth_map
|
||||
policy_rules_map = local.policies.policy_rules_map
|
||||
|
||||
# Pass sanitized consul backend aliases for provider configuration
|
||||
consul_backend_aliases = local.consul_backend_aliases
|
||||
}
|
||||
@@ -0,0 +1,35 @@
|
||||
# Generate root backend.tf
|
||||
generate "backend" {
|
||||
path = "backend.tf"
|
||||
if_exists = "overwrite"
|
||||
contents = <<EOF
|
||||
locals {
|
||||
vault_addr = "https://vault.service.consul:8200"
|
||||
}
|
||||
|
||||
provider "vault" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
path = "infra/terraform/vault/${path_relative_to_include()}/state"
|
||||
scheme = "https"
|
||||
lock = true
|
||||
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
}
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.6.0"
|
||||
}
|
||||
consul = {
|
||||
source = "hashicorp/consul"
|
||||
version = "2.23.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
EOF
|
||||
}
|
||||
@@ -1,37 +0,0 @@
|
||||
#-------------------------------------------
|
||||
# locals
|
||||
#-------------------------------------------
|
||||
locals {
|
||||
vault_addr = "https://vault.service.consul:8200"
|
||||
}
|
||||
|
||||
#-----------------------------------------------------------------------------
|
||||
# Configure this provider through the environment variables:
|
||||
# - VAULT_ADDR
|
||||
# - VAULT_TOKEN
|
||||
#-----------------------------------------------------------------------------
|
||||
provider "vault" {
|
||||
address = local.vault_addr
|
||||
}
|
||||
|
||||
#------------------------------------------------------------------------------
|
||||
# Use remote state file and encrypt it since your state files may contains
|
||||
# sensitive data.
|
||||
# export CONSUL_HTTP_TOKEN=<your-token>
|
||||
#------------------------------------------------------------------------------
|
||||
terraform {
|
||||
backend "consul" {
|
||||
address = "https://consul.service.consul"
|
||||
path = "infra/terraform/vault/state"
|
||||
scheme = "https"
|
||||
lock = true
|
||||
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
||||
}
|
||||
required_version = ">= 1.10"
|
||||
required_providers {
|
||||
vault = {
|
||||
source = "hashicorp/vault"
|
||||
version = "5.4.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
rule "terraform_required_providers" {
|
||||
enabled = false
|
||||
}
|
||||
|
||||
rule "terraform_required_version" {
|
||||
enabled = false
|
||||
}
|
||||
|
||||
rule "terraform_unused_declarations" {
|
||||
enabled = false
|
||||
}
|
||||
@@ -0,0 +1,336 @@
|
||||
module "auth_approle_backend" {
|
||||
source = "./modules/auth_approle_backend"
|
||||
|
||||
for_each = var.auth_approle_backend
|
||||
|
||||
path = each.key
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
max_lease_ttl = each.value.max_lease_ttl
|
||||
}
|
||||
|
||||
module "auth_approle_role" {
|
||||
source = "./modules/auth_approle_role"
|
||||
|
||||
for_each = var.auth_approle_role
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
approle_name = each.value.approle_name
|
||||
mount_path = each.value.mount_path
|
||||
token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
|
||||
token_ttl = each.value.token_ttl
|
||||
token_max_ttl = each.value.token_max_ttl
|
||||
bind_secret_id = each.value.bind_secret_id
|
||||
secret_id_ttl = each.value.secret_id_ttl
|
||||
token_bound_cidrs = each.value.token_bound_cidrs
|
||||
alias_metadata = each.value.alias_metadata
|
||||
use_deterministic_role_id = each.value.use_deterministic_role_id
|
||||
|
||||
depends_on = [module.auth_approle_backend]
|
||||
}
|
||||
|
||||
module "auth_ldap_backend" {
|
||||
source = "./modules/auth_ldap_backend"
|
||||
|
||||
for_each = var.auth_ldap_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
userdn = each.value.userdn
|
||||
userattr = each.value.userattr
|
||||
upndomain = each.value.upndomain
|
||||
discoverdn = each.value.discoverdn
|
||||
groupdn = each.value.groupdn
|
||||
groupfilter = each.value.groupfilter
|
||||
groupattr = each.value.groupattr
|
||||
alias_metadata = each.value.alias_metadata
|
||||
username_as_alias = each.value.username_as_alias
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
max_lease_ttl = each.value.max_lease_ttl
|
||||
}
|
||||
|
||||
module "auth_ldap_group" {
|
||||
source = "./modules/auth_ldap_group"
|
||||
|
||||
for_each = var.auth_ldap_group
|
||||
|
||||
groupname = each.value.groupname
|
||||
backend = each.value.backend
|
||||
policies = var.policy_auth_map[each.value.backend][each.value.groupname]
|
||||
|
||||
depends_on = [module.auth_ldap_backend]
|
||||
}
|
||||
|
||||
module "auth_kubernetes_backend" {
|
||||
source = "./modules/auth_kubernetes_backend"
|
||||
|
||||
for_each = var.auth_kubernetes_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
kubernetes_host = each.value.kubernetes_host
|
||||
disable_iss_validation = each.value.disable_iss_validation
|
||||
use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
|
||||
listing_visibility = each.value.listing_visibility
|
||||
default_lease_ttl = each.value.default_lease_ttl
|
||||
max_lease_ttl = each.value.max_lease_ttl
|
||||
}
|
||||
|
||||
module "auth_kubernetes_role" {
|
||||
source = "./modules/auth_kubernetes_role"
|
||||
|
||||
for_each = var.auth_kubernetes_role
|
||||
|
||||
role_name = each.value.role_name
|
||||
backend = each.value.backend
|
||||
bound_service_account_names = each.value.bound_service_account_names
|
||||
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||
token_ttl = each.value.token_ttl
|
||||
token_max_ttl = each.value.token_max_ttl
|
||||
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||
audience = each.value.audience
|
||||
|
||||
depends_on = [module.auth_kubernetes_backend]
|
||||
}
|
||||
|
||||
module "kv_secret_backend" {
|
||||
source = "./modules/kv_secret_backend"
|
||||
|
||||
for_each = var.kv_secret_backend
|
||||
|
||||
path = each.key
|
||||
type = each.value.type
|
||||
description = each.value.description
|
||||
kv_version = each.value.version
|
||||
max_versions = each.value.max_versions
|
||||
}
|
||||
|
||||
module "transit_secret_backend" {
|
||||
source = "./modules/transit_secret_backend"
|
||||
|
||||
for_each = var.transit_secret_backend
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
module "transit_secret_backend_key" {
|
||||
source = "./modules/transit_secret_backend_key"
|
||||
|
||||
for_each = var.transit_secret_backend_key
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
type = each.value.type
|
||||
deletion_allowed = each.value.deletion_allowed
|
||||
derived = each.value.derived
|
||||
exportable = each.value.exportable
|
||||
allow_plaintext_backup = each.value.allow_plaintext_backup
|
||||
auto_rotate_period = each.value.auto_rotate_period
|
||||
|
||||
depends_on = [module.transit_secret_backend]
|
||||
}
|
||||
|
||||
module "ssh_secret_backend" {
|
||||
source = "./modules/ssh_secret_backend"
|
||||
|
||||
for_each = var.ssh_secret_backend
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
generate_signing_key = each.value.generate_signing_key
|
||||
key_type = each.value.key_type
|
||||
}
|
||||
|
||||
module "ssh_secret_backend_role" {
|
||||
source = "./modules/ssh_secret_backend_role"
|
||||
|
||||
for_each = var.ssh_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
key_type = each.value.key_type
|
||||
algorithm_signer = each.value.algorithm_signer
|
||||
ttl = each.value.ttl
|
||||
allow_host_certificates = each.value.allow_host_certificates
|
||||
allow_user_certificates = each.value.allow_user_certificates
|
||||
allowed_domains = each.value.allowed_domains
|
||||
allow_subdomains = each.value.allow_subdomains
|
||||
allow_bare_domains = each.value.allow_bare_domains
|
||||
|
||||
depends_on = [module.ssh_secret_backend]
|
||||
}
|
||||
|
||||
module "pki_secret_backend" {
|
||||
source = "./modules/pki_secret_backend"
|
||||
|
||||
for_each = var.pki_secret_backend
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
common_name = each.value.common_name
|
||||
issuer_name = each.value.issuer_name
|
||||
ttl = each.value.ttl
|
||||
format = each.value.format
|
||||
issuing_certificates = each.value.issuing_certificates
|
||||
crl_distribution_points = each.value.crl_distribution_points
|
||||
ocsp_servers = each.value.ocsp_servers
|
||||
enable_templating = each.value.enable_templating
|
||||
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||
crl_expiry = each.value.crl_expiry
|
||||
crl_disable = each.value.crl_disable
|
||||
ocsp_disable = each.value.ocsp_disable
|
||||
auto_rebuild = each.value.auto_rebuild
|
||||
enable_delta = each.value.enable_delta
|
||||
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||
}
|
||||
|
||||
module "pki_secret_backend_role" {
|
||||
source = "./modules/pki_secret_backend_role"
|
||||
|
||||
for_each = var.pki_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
allow_ip_sans = each.value.allow_ip_sans
|
||||
allowed_domains = each.value.allowed_domains
|
||||
allow_subdomains = each.value.allow_subdomains
|
||||
allow_glob_domains = each.value.allow_glob_domains
|
||||
allow_bare_domains = each.value.allow_bare_domains
|
||||
enforce_hostnames = each.value.enforce_hostnames
|
||||
allow_any_name = each.value.allow_any_name
|
||||
max_ttl = each.value.max_ttl
|
||||
key_bits = each.value.key_bits
|
||||
country = each.value.country
|
||||
use_csr_common_name = each.value.use_csr_common_name
|
||||
use_csr_sans = each.value.use_csr_sans
|
||||
|
||||
depends_on = [module.pki_secret_backend]
|
||||
}
|
||||
|
||||
module "consul_secret_backend" {
|
||||
source = "./modules/consul_secret_backend"
|
||||
|
||||
for_each = var.consul_secret_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
address = each.value.address
|
||||
bootstrap = each.value.bootstrap
|
||||
scheme = each.value.scheme
|
||||
ca_cert = each.value.ca_cert
|
||||
client_cert = each.value.client_cert
|
||||
client_key = each.value.client_key
|
||||
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
}
|
||||
|
||||
# Create data sources for consul backend tokens
|
||||
data "vault_kv_secret_v2" "consul_backend_configs" {
|
||||
for_each = {
|
||||
for k, v in var.consul_secret_backend : k => v
|
||||
if !v.bootstrap
|
||||
}
|
||||
|
||||
mount = "kv"
|
||||
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
|
||||
}
|
||||
|
||||
# Create Consul ACL management module
|
||||
module "consul_acl_management" {
|
||||
source = "./modules/consul_acl_management"
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
consul_backends = var.consul_secret_backend
|
||||
consul_roles = var.consul_secret_backend_role
|
||||
consul_backend_aliases = var.consul_backend_aliases
|
||||
}
|
||||
|
||||
# Create consul secret backend roles (Vault resources only)
|
||||
module "consul_secret_backend_role" {
|
||||
source = "./modules/consul_secret_backend_role"
|
||||
|
||||
for_each = var.consul_secret_backend_role
|
||||
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
ttl = each.value.ttl
|
||||
max_ttl = each.value.max_ttl
|
||||
local = each.value.local
|
||||
|
||||
depends_on = [module.consul_secret_backend, module.consul_acl_management]
|
||||
}
|
||||
|
||||
module "kubernetes_secret_backend" {
|
||||
source = "./modules/kubernetes_secret_backend"
|
||||
|
||||
for_each = var.kubernetes_secret_backend
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
kubernetes_host = each.value.kubernetes_host
|
||||
disable_local_ca_jwt = each.value.disable_local_ca_jwt
|
||||
}
|
||||
|
||||
module "kubernetes_secret_backend_role" {
|
||||
source = "./modules/kubernetes_secret_backend_role"
|
||||
|
||||
for_each = var.kubernetes_secret_backend_role
|
||||
|
||||
country = var.country
|
||||
region = var.region
|
||||
name = each.value.name
|
||||
backend = each.value.backend
|
||||
allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
|
||||
kubernetes_role_type = each.value.kubernetes_role_type
|
||||
extra_labels = each.value.extra_labels
|
||||
|
||||
depends_on = [module.kubernetes_secret_backend]
|
||||
}
|
||||
|
||||
module "vault_policy" {
|
||||
source = "./modules/vault_policy"
|
||||
|
||||
for_each = var.policy_rules_map
|
||||
|
||||
policy_name = each.key
|
||||
policy_rules = each.value
|
||||
}
|
||||
|
||||
module "pki_mount_only" {
|
||||
source = "./modules/pki_mount_only"
|
||||
|
||||
for_each = var.pki_mount_only
|
||||
|
||||
path = each.key
|
||||
description = each.value.description
|
||||
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||
issuing_certificates = each.value.issuing_certificates
|
||||
crl_distribution_points = each.value.crl_distribution_points
|
||||
ocsp_servers = each.value.ocsp_servers
|
||||
enable_templating = each.value.enable_templating
|
||||
default_issuer_ref = each.value.default_issuer_ref
|
||||
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||
crl_expiry = each.value.crl_expiry
|
||||
crl_disable = each.value.crl_disable
|
||||
ocsp_disable = each.value.ocsp_disable
|
||||
auto_rebuild = each.value.auto_rebuild
|
||||
enable_delta = each.value.enable_delta
|
||||
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||
}
|
||||
|
||||
@@ -0,0 +1,11 @@
|
||||
|
||||
resource "vault_auth_backend" "approle" {
|
||||
type = "approle"
|
||||
path = var.path
|
||||
|
||||
tune {
|
||||
default_lease_ttl = var.default_lease_ttl
|
||||
max_lease_ttl = var.max_lease_ttl
|
||||
listing_visibility = var.listing_visibility
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,4 @@
|
||||
output "backend" {
|
||||
description = "The created auth backend"
|
||||
value = vault_auth_backend.approle
|
||||
}
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user