Compare commits
71 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 65f844cbe1 | |||
| b9632f39e4 | |||
| bb5f6922fa | |||
| f5803605d6 | |||
| 2c4d0d7f64 | |||
| a29ff9fe6a | |||
| 12680f93cd | |||
| 132e5ea4d9 | |||
| 346cf9fa43 | |||
| 1288057b81 | |||
| 3876fa818d | |||
| a548bf1cb1 | |||
| 93ba86baf3 | |||
| 098830c10b | |||
| 9cbac6d3ef | |||
| 73aaaaeb99 | |||
| 7c60a5fd53 | |||
| 27f12f183e | |||
| c61434b692 | |||
| 172ceac2fc | |||
| 48a4fd0dd1 | |||
| 4dc09547ef | |||
| 546a9efe44 | |||
| 679cec4bc1 | |||
| 71789f9f32 | |||
| 4cbcec58d3 | |||
| 9c93e185f8 | |||
| d6c8474bd3 | |||
| 42351000ee | |||
| f7d1330c37 | |||
| d9e07e432e | |||
| 14a258de7d | |||
| be8bcc3743 | |||
| dc257b1bcd | |||
| 66119e5207 | |||
| 9e6de4dc32 | |||
| 7cafafd483 | |||
| c94b2af196 | |||
| dd44146d88 | |||
| 18a62332f6 | |||
| 8fa68e2670 | |||
| 4cad39989f | |||
| c825962490 | |||
| 51bc3fffc0 | |||
| dca26029c0 | |||
| d398911108 | |||
| c093d5830d | |||
| 4b176846f2 | |||
| 90b765d713 | |||
| 3fb5a64a17 | |||
| 33a746e545 | |||
| 4fe0e0de73 | |||
| a47f841028 | |||
| 9192879c03 | |||
| 5cdf6b410d | |||
| b51617c009 | |||
| 66ee6430fa | |||
| fd03727ec2 | |||
| 5536869a38 | |||
| f8f1185b42 | |||
| 75e9db1aa6 | |||
| f47804ffdf | |||
| 24c124d6eb | |||
| 9d54b4cfcc | |||
| 33af7010fb | |||
| cb1b383035 | |||
| f6d06cb319 | |||
| 1c9e063310 | |||
| 8070b6f66b | |||
| b115b7d28a | |||
| 25e3d48337 |
@@ -1,3 +1,4 @@
|
|||||||
.terraform
|
.terraform
|
||||||
.terraform.lock.hcl
|
.terraform.lock.hcl
|
||||||
env
|
env
|
||||||
|
.terragrunt-cache
|
||||||
|
|||||||
@@ -1,9 +1,16 @@
|
|||||||
repos:
|
repos:
|
||||||
|
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||||
|
rev: v4.4.0
|
||||||
|
hooks:
|
||||||
|
- id: end-of-file-fixer
|
||||||
|
types: [yaml]
|
||||||
|
- id: trailing-whitespace
|
||||||
|
types: [yaml]
|
||||||
- repo: https://github.com/gruntwork-io/pre-commit
|
- repo: https://github.com/gruntwork-io/pre-commit
|
||||||
rev: v0.1.30
|
rev: v0.1.30
|
||||||
hooks:
|
hooks:
|
||||||
- id: terraform-fmt
|
- id: tofu-fmt
|
||||||
- id: terraform-validate
|
- id: tofu-validate
|
||||||
- id: tflint
|
- id: tflint
|
||||||
- id: terragrunt-hcl-fmt
|
- id: terragrunt-hcl-fmt
|
||||||
- repo: https://github.com/adrienverge/yamllint.git
|
- repo: https://github.com/adrienverge/yamllint.git
|
||||||
|
|||||||
@@ -0,0 +1,23 @@
|
|||||||
|
when:
|
||||||
|
- event: push
|
||||||
|
branch: master
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: apply
|
||||||
|
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||||
|
environment:
|
||||||
|
VAULT_AUTH_METHOD: kubernetes
|
||||||
|
commands:
|
||||||
|
- dnf install vault -y
|
||||||
|
- make plan
|
||||||
|
- make apply
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: terraform-vault
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 512Mi
|
||||||
|
cpu: 1
|
||||||
|
limits:
|
||||||
|
memory: 2Gi
|
||||||
|
cpu: 2
|
||||||
@@ -0,0 +1,21 @@
|
|||||||
|
when:
|
||||||
|
- event: pull_request
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: plan
|
||||||
|
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||||
|
environment:
|
||||||
|
VAULT_AUTH_METHOD: kubernetes
|
||||||
|
commands:
|
||||||
|
- dnf install vault -y
|
||||||
|
- make plan
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: terraform-vault
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 512Mi
|
||||||
|
cpu: 1
|
||||||
|
limits:
|
||||||
|
memory: 2Gi
|
||||||
|
cpu: 2
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
when:
|
||||||
|
- event: pull_request
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: pre-commit
|
||||||
|
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
|
||||||
|
commands:
|
||||||
|
- uvx pre-commit run --all-files
|
||||||
|
backend_options:
|
||||||
|
kubernetes:
|
||||||
|
serviceAccountName: default
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: 512Mi
|
||||||
|
cpu: 1
|
||||||
|
limits:
|
||||||
|
memory: 2Gi
|
||||||
|
cpu: 2
|
||||||
@@ -1,20 +1,35 @@
|
|||||||
.PHONY: init plan apply help
|
.PHONY: init plan apply format
|
||||||
|
|
||||||
# Default target
|
VAULT_AUTH_METHOD ?= approle
|
||||||
help:
|
VAULT_K8S_ROLE ?= woodpecker_terraform_vault
|
||||||
@echo "Available targets:"
|
VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
|
||||||
@echo " init - Initialize Terraform"
|
VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
|
||||||
@echo " plan - Plan Terraform changes"
|
|
||||||
@echo " apply - Apply Terraform changes"
|
# Define vault_env function to set up vault environment
|
||||||
|
define vault_env
|
||||||
|
@export VAULT_ADDR="https://vault.service.consul:8200" && \
|
||||||
|
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
|
||||||
|
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
|
||||||
|
else \
|
||||||
|
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
|
||||||
|
fi && \
|
||||||
|
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
|
||||||
|
endef
|
||||||
|
|
||||||
init:
|
init:
|
||||||
@echo "Sourcing environment and initializing Terraform..."
|
@$(call vault_env) && \
|
||||||
@source ./env && terraform init
|
terragrunt run --all --non-interactive init -- -upgrade
|
||||||
|
|
||||||
plan:
|
plan: init
|
||||||
@echo "Sourcing environment and planning Terraform changes..."
|
@$(call vault_env) && \
|
||||||
@source ./env && terraform plan
|
terragrunt run --all --parallelism 4 --non-interactive plan
|
||||||
|
|
||||||
apply:
|
apply: init
|
||||||
@echo "Sourcing environment and applying Terraform changes..."
|
@$(call vault_env) && \
|
||||||
@source ./env && terraform apply -auto-approve
|
terragrunt run --all --parallelism 2 --non-interactive apply
|
||||||
|
|
||||||
|
format:
|
||||||
|
@echo "Formatting OpenTofu files..."
|
||||||
|
@tofu fmt -recursive .
|
||||||
|
@echo "Formatting Terragrunt files..."
|
||||||
|
@terragrunt hcl fmt
|
||||||
|
|||||||
@@ -1,15 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "certmanager" {
|
|
||||||
role_name = "certmanager"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = ["pki_int/certmanager"]
|
|
||||||
token_ttl = 30
|
|
||||||
token_max_ttl = 30
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
|
||||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
|
||||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
|
||||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
|
||||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
|
||||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "incus_cluster" {
|
|
||||||
role_name = "incus_cluster"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"default_access",
|
|
||||||
"kv/service/incus/incus-cluster-join-tokens"
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_max_ttl = 120
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
"198.18.13.77/32",
|
|
||||||
"198.18.13.78/32",
|
|
||||||
"198.18.13.79/32"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "packer_builder" {
|
|
||||||
role_name = "packer_builder"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"default_access",
|
|
||||||
"kv/service/packer/packer_builder",
|
|
||||||
]
|
|
||||||
token_ttl = 300 # builds can take a few minutes
|
|
||||||
token_max_ttl = 600
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
"198.18.25.102/32",
|
|
||||||
"198.18.26.91/32",
|
|
||||||
"198.18.27.40/32",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "puppetapi" {
|
|
||||||
role_name = "puppetapi"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
|
|
||||||
token_ttl = 30
|
|
||||||
token_max_ttl = 30
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
|
||||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
|
||||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
|
||||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
|
||||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
|
||||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "rpmbuilder" {
|
|
||||||
role_name = "rpmbuilder"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"kv/service/github/neoloc/tokens/read-only-token/read",
|
|
||||||
"kv/service/gitea/unkinben/tokens/read-only-packages/read",
|
|
||||||
]
|
|
||||||
token_ttl = 30
|
|
||||||
token_max_ttl = 30
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
"198.18.25.102/32",
|
|
||||||
"198.18.26.91/32",
|
|
||||||
"198.18.27.40/32",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,9 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "rundeck-role" {
|
|
||||||
role_name = "rundeck-role"
|
|
||||||
bind_secret_id = true
|
|
||||||
token_policies = ["rundeck/rundeck"]
|
|
||||||
token_ttl = 1 * 3600
|
|
||||||
token_max_ttl = 4 * 3600
|
|
||||||
token_bound_cidrs = ["198.18.13.59/32"]
|
|
||||||
secret_id_bound_cidrs = ["198.18.13.59/32"]
|
|
||||||
}
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "sshsign-host-role" {
|
|
||||||
role_name = "sshsign-host-role"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = ["ssh-host-signer/sshsign-host-policy"]
|
|
||||||
token_ttl = 30
|
|
||||||
token_max_ttl = 30
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
|
||||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
|
||||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
|
||||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
|
||||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
|
||||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "sshsigner" {
|
|
||||||
role_name = "sshsigner"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"ssh-host-signer/sshsigner",
|
|
||||||
"sshca_signhost"
|
|
||||||
]
|
|
||||||
token_ttl = 30
|
|
||||||
token_max_ttl = 30
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
|
|
||||||
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
|
|
||||||
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
|
|
||||||
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
|
|
||||||
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
|
|
||||||
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "terraform_incus" {
|
|
||||||
role_name = "terraform_incus"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"default_access",
|
|
||||||
"kv/service/terraform/incus",
|
|
||||||
"kv/service/puppet/certificates/terraform_puppet_cert",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_max_ttl = 120
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
"198.18.25.102/32",
|
|
||||||
"198.18.26.91/32",
|
|
||||||
"198.18.27.40/32",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,16 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "terraform_nomad" {
|
|
||||||
role_name = "terraform_nomad"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"default_access",
|
|
||||||
"kv/service/terraform/nomad",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_max_ttl = 120
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
"198.18.25.102/32",
|
|
||||||
"198.18.26.91/32",
|
|
||||||
"198.18.27.40/32",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "terraform_repoflow" {
|
|
||||||
role_name = "terraform_repoflow"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"default_access",
|
|
||||||
"kv/service/repoflow/unkinadmin/tokens/terraform/read",
|
|
||||||
"kv/service/terraform/repoflow",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_max_ttl = 120
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
"198.18.25.102/32",
|
|
||||||
"198.18.26.91/32",
|
|
||||||
"198.18.27.40/32",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,33 +0,0 @@
|
|||||||
resource "vault_approle_auth_backend_role" "tf_vault" {
|
|
||||||
role_name = "tf_vault"
|
|
||||||
bind_secret_id = false
|
|
||||||
token_policies = [
|
|
||||||
"default_access",
|
|
||||||
"approle_token_create",
|
|
||||||
"auth/approle/approle_role_admin",
|
|
||||||
"auth/approle/approle_role_login",
|
|
||||||
"auth/kubernetes/k8s_auth_admin",
|
|
||||||
"auth/ldap/ldap_admin",
|
|
||||||
"auth/token/auth_token_create",
|
|
||||||
"auth/token/auth_token_self",
|
|
||||||
"auth/token/auth_token_roles_admin",
|
|
||||||
"kubernetes/au/config_admin",
|
|
||||||
"kubernetes/au/roles_admin",
|
|
||||||
"kv/service/glauth/services/svc_vault_read",
|
|
||||||
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
|
|
||||||
"kv/service/kubernetes/au/syd1/service_account_jwt/read",
|
|
||||||
"pki_int/pki_int_roles_admin",
|
|
||||||
"pki_root/pki_root_roles_admin",
|
|
||||||
"ssh-host-signer/ssh-host-signer_roles_admin",
|
|
||||||
"sshca/sshca_roles_admin",
|
|
||||||
"sys/sys_auth_admin",
|
|
||||||
"sys/sys_mounts_admin",
|
|
||||||
"sys/sys_policy_admin",
|
|
||||||
"transit/keys/admin",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_max_ttl = 120
|
|
||||||
token_bound_cidrs = [
|
|
||||||
"10.10.12.200/32",
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
#----------------------------
|
|
||||||
# Enable approle auth method
|
|
||||||
#----------------------------
|
|
||||||
resource "vault_auth_backend" "approle" {
|
|
||||||
type = "approle"
|
|
||||||
path = "approle"
|
|
||||||
}
|
|
||||||
@@ -1,23 +0,0 @@
|
|||||||
#-----------------------------------
|
|
||||||
# Enable kubernetes auth method
|
|
||||||
#-----------------------------------
|
|
||||||
resource "vault_auth_backend" "kubernetes" {
|
|
||||||
type = "kubernetes"
|
|
||||||
path = "kubernetes"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Data source to read the token_reviewer_jwt from Vault KV
|
|
||||||
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
|
|
||||||
mount = "kv"
|
|
||||||
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure Kubernetes auth backend
|
|
||||||
resource "vault_kubernetes_auth_backend_config" "config" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
kubernetes_host = "https://api-k8s.service.consul:6443"
|
|
||||||
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
|
|
||||||
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
|
|
||||||
disable_iss_validation = true
|
|
||||||
use_annotations_as_alias_metadata = true
|
|
||||||
}
|
|
||||||
@@ -1,40 +0,0 @@
|
|||||||
#--------------------------------
|
|
||||||
# Enable ldap auth method
|
|
||||||
#--------------------------------
|
|
||||||
|
|
||||||
# retrieve the bindpass from Vault
|
|
||||||
data "vault_generic_secret" "svc_vault" {
|
|
||||||
path = "kv/service/glauth/services/svc_vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
# create the ldap backend
|
|
||||||
resource "vault_ldap_auth_backend" "ldap" {
|
|
||||||
path = "ldap"
|
|
||||||
url = "ldap://ldap.service.consul"
|
|
||||||
userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
|
|
||||||
userattr = "uid"
|
|
||||||
upndomain = "users.main.unkin.net"
|
|
||||||
discoverdn = false
|
|
||||||
groupdn = "ou=users,dc=main,dc=unkin,dc=net"
|
|
||||||
groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
|
|
||||||
groupattr = "uid"
|
|
||||||
binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
|
|
||||||
bindpass = data.vault_generic_secret.svc_vault.data["pass"]
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_ldap_auth_backend_group" "vault_access" {
|
|
||||||
groupname = "vault_access"
|
|
||||||
policies = [
|
|
||||||
"default_access",
|
|
||||||
]
|
|
||||||
backend = vault_ldap_auth_backend.ldap.path
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_ldap_auth_backend_group" "vault_admin" {
|
|
||||||
groupname = "vault_admin"
|
|
||||||
policies = [
|
|
||||||
"default_access",
|
|
||||||
"global-admin",
|
|
||||||
]
|
|
||||||
backend = vault_ldap_auth_backend.ldap.path
|
|
||||||
}
|
|
||||||
@@ -1,118 +0,0 @@
|
|||||||
resource "vault_kubernetes_auth_backend_role" "default" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "default"
|
|
||||||
bound_service_account_names = ["default"]
|
|
||||||
bound_service_account_namespaces = ["*"]
|
|
||||||
token_ttl = 3600
|
|
||||||
token_policies = [
|
|
||||||
"default"
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "demo_default" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "demo_default"
|
|
||||||
bound_service_account_names = ["default"]
|
|
||||||
bound_service_account_namespaces = ["demo"]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"kv/service/terraform/nomad"
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "huntarr-default"
|
|
||||||
bound_service_account_names = ["default"]
|
|
||||||
bound_service_account_namespaces = ["huntarr"]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"pki_int/sign/servers_default",
|
|
||||||
"pki_int/issue/servers_default",
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "externaldns" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "externaldns"
|
|
||||||
bound_service_account_names = ["externaldns"]
|
|
||||||
bound_service_account_namespaces = ["externaldns"]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"kv/service/kubernetes/au/syd1/externaldns/tsig/read",
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "cert-manager-issuer"
|
|
||||||
bound_service_account_names = ["cert-manager-vault-issuer"]
|
|
||||||
bound_service_account_namespaces = ["cert-manager"]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"pki_int/sign/servers_default",
|
|
||||||
"pki_int/issue/servers_default",
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "ceph-csi"
|
|
||||||
bound_service_account_names = [
|
|
||||||
"ceph-csi-rbd-csi-rbd-provisioner",
|
|
||||||
"ceph-csi-cephfs-csi-cephfs-provisioner",
|
|
||||||
]
|
|
||||||
bound_service_account_namespaces = [
|
|
||||||
"csi-cephrbd",
|
|
||||||
"csi-cephfs",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
|
|
||||||
"kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "media-apps" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "media-apps"
|
|
||||||
bound_service_account_names = [
|
|
||||||
"media-apps-vault-reader",
|
|
||||||
]
|
|
||||||
bound_service_account_namespaces = [
|
|
||||||
"media-apps",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"kv/service/media-apps/prowlarr/read",
|
|
||||||
"kv/service/media-apps/radarr/read",
|
|
||||||
"kv/service/media-apps/sonarr/read",
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "repoflow" {
|
|
||||||
backend = vault_auth_backend.kubernetes.path
|
|
||||||
role_name = "repoflow"
|
|
||||||
bound_service_account_names = [
|
|
||||||
"default",
|
|
||||||
]
|
|
||||||
bound_service_account_namespaces = [
|
|
||||||
"repoflow",
|
|
||||||
]
|
|
||||||
token_ttl = 60
|
|
||||||
token_policies = [
|
|
||||||
"kv/service/repoflow/au/syd1/ceph-s3/read",
|
|
||||||
"kv/service/repoflow/au/syd1/elasticsearch/read",
|
|
||||||
"kv/service/repoflow/au/syd1/hasura/read",
|
|
||||||
"kv/service/repoflow/au/syd1/postgres/read",
|
|
||||||
"kv/service/repoflow/au/syd1/repoflow-server/read",
|
|
||||||
]
|
|
||||||
audience = "vault"
|
|
||||||
}
|
|
||||||
@@ -0,0 +1,2 @@
|
|||||||
|
default_lease_ttl: 60s
|
||||||
|
max_lease_ttl: 24h
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
token_ttl: 30
|
||||||
|
token_max_ttl: 30
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "198.18.25.5/32"
|
||||||
|
- "198.18.26.3/32"
|
||||||
|
- "198.18.27.89/32"
|
||||||
|
- "198.18.28.8/32"
|
||||||
|
- "198.18.29.33/32"
|
||||||
|
- "198.18.29.239/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 60
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.13.77/32"
|
||||||
|
- "198.18.13.78/32"
|
||||||
|
- "198.18.13.79/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 300
|
||||||
|
token_max_ttl: 600
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
token_ttl: 30
|
||||||
|
token_max_ttl: 30
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "198.18.25.5/32"
|
||||||
|
- "198.18.26.3/32"
|
||||||
|
- "198.18.27.89/32"
|
||||||
|
- "198.18.28.8/32"
|
||||||
|
- "198.18.29.33/32"
|
||||||
|
- "198.18.29.239/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 30
|
||||||
|
token_max_ttl: 30
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
token_ttl: 3600
|
||||||
|
token_max_ttl: 14400
|
||||||
|
bind_secret_id: true
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "198.18.13.59/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
token_ttl: 30
|
||||||
|
token_max_ttl: 30
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "198.18.25.5/32"
|
||||||
|
- "198.18.26.3/32"
|
||||||
|
- "198.18.27.89/32"
|
||||||
|
- "198.18.28.8/32"
|
||||||
|
- "198.18.29.33/32"
|
||||||
|
- "198.18.29.239/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 120
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: true
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 60
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 120
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: true
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 60
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: true
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 60
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
token_ttl: 60
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
- "198.18.25.102/32"
|
||||||
|
- "198.18.26.91/32"
|
||||||
|
- "198.18.27.40/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
token_ttl: 60
|
||||||
|
token_max_ttl: 120
|
||||||
|
bind_secret_id: false
|
||||||
|
token_bound_cidrs:
|
||||||
|
- "10.10.12.200/32"
|
||||||
|
use_deterministic_role_id: false
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
kubernetes_host: https://api-k8s.service.consul:6443
|
||||||
|
disable_iss_validation: true
|
||||||
|
use_annotations_as_alias_metadata: false # doesnt work with openbao yet
|
||||||
|
default_lease_ttl: 1h
|
||||||
|
max_lease_ttl: 24h
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- artifactapi
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,9 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- ceph-csi-rbd-csi-rbd-provisioner
|
||||||
|
- ceph-csi-cephfs-csi-cephfs-provisioner
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- csi-cephrbd
|
||||||
|
- csi-cephfs
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- cert-manager-vault-issuer
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- cert-manager
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces: ['*']
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- externaldns
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- externaldns
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
- forgebot-operator
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- forgebot
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,6 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- huntarr
|
||||||
|
token_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- identity
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- media-apps-vault-reader
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- media-apps
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- puppet
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- rancher
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- cattle-system
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- repoflow
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
# rpmbuilder is deployed in woodpeckerci
|
||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- woodpecker
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: https://kubernetes.default.svc.cluster.local
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- default
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- woodpecker
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: vault
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- terraform-git
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- woodpecker
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: https://kubernetes.default.svc.cluster.local
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
bound_service_account_names:
|
||||||
|
- terraform-vault
|
||||||
|
bound_service_account_namespaces:
|
||||||
|
- woodpecker
|
||||||
|
token_ttl: 600
|
||||||
|
token_max_ttl: 600
|
||||||
|
audience: https://kubernetes.default.svc.cluster.local
|
||||||
@@ -0,0 +1,10 @@
|
|||||||
|
userdn: "ou=people,ou=users,dc=main,dc=unkin,dc=net"
|
||||||
|
userattr: "uid"
|
||||||
|
upndomain: "users.main.unkin.net"
|
||||||
|
discoverdn: false
|
||||||
|
groupdn: "ou=users,dc=main,dc=unkin,dc=net"
|
||||||
|
groupfilter: "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
|
||||||
|
groupattr: "uid"
|
||||||
|
username_as_alias: true
|
||||||
|
default_lease_ttl: 24h
|
||||||
|
max_lease_ttl: 168h
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||||
|
description: foo
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||||
|
description: foo
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||||
|
description: foo
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
---
|
||||||
|
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
|
||||||
|
description: foo
|
||||||
@@ -0,0 +1,189 @@
|
|||||||
|
# =============================================================================
|
||||||
|
# VAULT MODULE CONFIGURATION SYSTEM
|
||||||
|
# =============================================================================
|
||||||
|
#
|
||||||
|
# This file automatically discovers and organizes YAML configuration files
|
||||||
|
# for Vault modules, creating structured configuration maps for Terraform.
|
||||||
|
#
|
||||||
|
# HOW IT WORKS:
|
||||||
|
# 1. Scans all subdirectories for *.yaml files
|
||||||
|
# 2. Groups files by module type based on directory structure
|
||||||
|
# 3. Creates unique resource keys to prevent naming conflicts
|
||||||
|
# 4. Adds computed fields like name, backend, etc. from file paths
|
||||||
|
#
|
||||||
|
# DIRECTORY STRUCTURE:
|
||||||
|
# config/
|
||||||
|
# ├── auth_approle_role/
|
||||||
|
# │ └── approle/
|
||||||
|
# │ ├── certmanager.yaml # Creates key: "approle/certmanager"
|
||||||
|
# │ └── myapp.yaml # Creates key: "approle/myapp"
|
||||||
|
# ├── auth_kubernetes_role/
|
||||||
|
# │ └── k8s/au/syd1/
|
||||||
|
# │ ├── default.yaml # Creates key: "k8s/au/syd1/default"
|
||||||
|
# │ └── myapp.yaml # Creates key: "k8s/au/syd1/myapp"
|
||||||
|
# └── kv_secret_backend/
|
||||||
|
# ├── kv.yaml # Creates key: "kv"
|
||||||
|
# └── secrets.yaml # Creates key: "secrets"
|
||||||
|
#
|
||||||
|
# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
|
||||||
|
# ```yaml
|
||||||
|
# token_ttl: 3600
|
||||||
|
# token_max_ttl: 7200
|
||||||
|
# bind_secret_id: true
|
||||||
|
# token_bound_cidrs:
|
||||||
|
# - "10.0.0.0/8"
|
||||||
|
# ```
|
||||||
|
#
|
||||||
|
# This becomes:
|
||||||
|
# ```hcl
|
||||||
|
# auth_approle_role = {
|
||||||
|
# "approle/myapp" = {
|
||||||
|
# approle_name = "myapp" # Auto-computed from filename
|
||||||
|
# mount_path = "approle" # Auto-computed from directory
|
||||||
|
# token_ttl = 3600 # From YAML content
|
||||||
|
# token_max_ttl = 7200 # From YAML content
|
||||||
|
# bind_secret_id = true # From YAML content
|
||||||
|
# token_bound_cidrs = ["10.0.0.0/8"]
|
||||||
|
# }
|
||||||
|
# }
|
||||||
|
# ```
|
||||||
|
#
|
||||||
|
# KEY NAMING PATTERNS:
|
||||||
|
# - Simple backends: filename only (e.g., "kv", "transit")
|
||||||
|
# - Role-based resources: full path without extension (e.g., "approle/myapp")
|
||||||
|
# - This ensures uniqueness when multiple backends have similar role names
|
||||||
|
#
|
||||||
|
# GENERATED OUTPUTS:
|
||||||
|
# - config.auth_approle_backend, config.auth_approle_role, etc.
|
||||||
|
# - Each module gets its own map with properly structured configuration
|
||||||
|
#
|
||||||
|
# =============================================================================
|
||||||
|
|
||||||
|
locals {
|
||||||
|
# Find all YAML files in subdirectories
|
||||||
|
config_files = fileset(".", "**/*.yaml")
|
||||||
|
|
||||||
|
# Create a flat map of all files with their content
|
||||||
|
all_configs = {
|
||||||
|
for file_path in local.config_files :
|
||||||
|
file_path => yamldecode(file(file_path))
|
||||||
|
}
|
||||||
|
|
||||||
|
# Group by module directory (first part of path)
|
||||||
|
config = {
|
||||||
|
auth_approle_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "auth_approle_backend/")
|
||||||
|
}
|
||||||
|
auth_approle_role = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, {
|
||||||
|
approle_name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0]
|
||||||
|
})
|
||||||
|
if startswith(file_path, "auth_approle_role/")
|
||||||
|
}
|
||||||
|
auth_ldap_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "auth_ldap_backend/")
|
||||||
|
}
|
||||||
|
auth_ldap_group = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, {
|
||||||
|
groupname = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0]
|
||||||
|
})
|
||||||
|
if startswith(file_path, "auth_ldap_group/")
|
||||||
|
}
|
||||||
|
auth_kubernetes_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content
|
||||||
|
if startswith(file_path, "auth_kubernetes_backend/")
|
||||||
|
}
|
||||||
|
auth_kubernetes_role = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, {
|
||||||
|
role_name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "auth_kubernetes_role/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "auth_kubernetes_role/")
|
||||||
|
}
|
||||||
|
kv_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "kv_secret_backend/")
|
||||||
|
}
|
||||||
|
transit_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "transit_secret_backend/")
|
||||||
|
}
|
||||||
|
transit_secret_backend_key = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "transit_secret_backend_key/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "transit_secret_backend_key/")
|
||||||
|
}
|
||||||
|
ssh_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "ssh_secret_backend/")
|
||||||
|
}
|
||||||
|
ssh_secret_backend_role = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "ssh_secret_backend_role/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "ssh_secret_backend_role/")
|
||||||
|
}
|
||||||
|
pki_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content
|
||||||
|
if startswith(file_path, "pki_secret_backend/")
|
||||||
|
}
|
||||||
|
pki_secret_backend_role = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "pki_secret_backend_role/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "pki_secret_backend_role/")
|
||||||
|
}
|
||||||
|
kubernetes_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content
|
||||||
|
if startswith(file_path, "kubernetes_secret_backend/")
|
||||||
|
}
|
||||||
|
kubernetes_secret_backend_role = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "kubernetes_secret_backend_role/")
|
||||||
|
}
|
||||||
|
consul_secret_backend = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "consul_secret_backend/", ""), ".yaml") => content
|
||||||
|
if startswith(file_path, "consul_secret_backend/")
|
||||||
|
}
|
||||||
|
consul_secret_backend_role = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, {
|
||||||
|
name = trimsuffix(basename(file_path), ".yaml")
|
||||||
|
backend = dirname(replace(file_path, "consul_secret_backend_role/", ""))
|
||||||
|
})
|
||||||
|
if startswith(file_path, "consul_secret_backend_role/")
|
||||||
|
}
|
||||||
|
pki_mount_only = {
|
||||||
|
for file_path, content in local.all_configs :
|
||||||
|
trimsuffix(basename(file_path), ".yaml") => content
|
||||||
|
if startswith(file_path, "pki_mount_only/")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,7 @@
|
|||||||
|
description: "consul secret engine for au-syd1 cluster"
|
||||||
|
default_lease_ttl_seconds: 600
|
||||||
|
max_lease_ttl_seconds: 86400
|
||||||
|
address: "consul.service.au-syd1.consul"
|
||||||
|
scheme: https
|
||||||
|
bootstrap: false
|
||||||
|
datacenter: au-syd1
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-git
|
||||||
|
ttl: 120
|
||||||
|
max_ttl: 300
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-incus
|
||||||
|
ttl: 300
|
||||||
|
max_ttl: 600
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-k8s
|
||||||
|
ttl: 120
|
||||||
|
max_ttl: 300
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-ldap
|
||||||
|
ttl: 60
|
||||||
|
max_ttl: 60
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-nomad
|
||||||
|
ttl: 120
|
||||||
|
max_ttl: 300
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-repoflow
|
||||||
|
ttl: 120
|
||||||
|
max_ttl: 300
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
consul_roles:
|
||||||
|
- terraform-vault
|
||||||
|
ttl: 120
|
||||||
|
max_ttl: 300
|
||||||
|
datacenters: []
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
description: "kubernetes secret engine for au-syd1 cluster"
|
||||||
|
default_lease_ttl_seconds: 600
|
||||||
|
max_lease_ttl_seconds: 86400
|
||||||
|
kubernetes_host: "https://api-k8s.service.consul:6443"
|
||||||
|
disable_local_ca_jwt: false
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
allowed_kubernetes_namespaces:
|
||||||
|
- "*"
|
||||||
|
kubernetes_role_type: "ClusterRole"
|
||||||
|
extra_labels: {}
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
allowed_kubernetes_namespaces:
|
||||||
|
- "*"
|
||||||
|
kubernetes_role_type: "ClusterRole"
|
||||||
|
extra_labels: {}
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
allowed_kubernetes_namespaces:
|
||||||
|
- "*"
|
||||||
|
kubernetes_role_type: "ClusterRole"
|
||||||
|
extra_labels: {}
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
allowed_kubernetes_namespaces:
|
||||||
|
- "media-apps"
|
||||||
|
kubernetes_role_type: "Role"
|
||||||
|
extra_labels: {}
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
type: kv-v2
|
||||||
|
description: "Key-Value secrets engine"
|
||||||
|
version: "2"
|
||||||
|
max_versions: 10
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
type: kv-v2
|
||||||
|
description: "Rundeck secrets engine"
|
||||||
|
version: "2"
|
||||||
|
max_versions: 5
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
description: "PKI Intermediate CA"
|
||||||
|
max_lease_ttl_seconds: 157680000 # 43800 hours * 3600
|
||||||
|
issuer_ref: "default"
|
||||||
|
issuing_certificates:
|
||||||
|
- "https://vault.service.consul:8200/v1/pki_int/ca"
|
||||||
|
crl_distribution_points:
|
||||||
|
- "https://vault.service.consul:8200/v1/pki_int/crl"
|
||||||
|
ocsp_servers: []
|
||||||
|
enable_templating: false
|
||||||
|
default_issuer_ref: null
|
||||||
|
default_follows_latest_issuer: false
|
||||||
|
crl_expiry: "72h"
|
||||||
|
crl_disable: false
|
||||||
|
ocsp_disable: false
|
||||||
|
auto_rebuild: false
|
||||||
|
enable_delta: false
|
||||||
|
delta_rebuild_interval: null
|
||||||
@@ -0,0 +1,17 @@
|
|||||||
|
description: "PKI Root CA"
|
||||||
|
max_lease_ttl_seconds: 315360000 # 10 years
|
||||||
|
issuer_ref: "default"
|
||||||
|
issuing_certificates:
|
||||||
|
- "https://vault.service.consul:8200/v1/pki_root/ca"
|
||||||
|
crl_distribution_points:
|
||||||
|
- "https://vault.service.consul:8200/v1/pki_root/crl"
|
||||||
|
ocsp_servers: []
|
||||||
|
enable_templating: false
|
||||||
|
default_issuer_ref: null
|
||||||
|
default_follows_latest_issuer: false
|
||||||
|
crl_expiry: "72h"
|
||||||
|
crl_disable: false
|
||||||
|
ocsp_disable: false
|
||||||
|
auto_rebuild: false
|
||||||
|
enable_delta: false
|
||||||
|
delta_rebuild_interval: null
|
||||||
@@ -0,0 +1,18 @@
|
|||||||
|
description: "PKI Root CA AU SYD1"
|
||||||
|
max_lease_ttl_seconds: 315360000 # 87600 * 3600
|
||||||
|
common_name: "unkin.net AU SYD1 Root CA"
|
||||||
|
issuer_name: "UNKIN_AU_SYD1_ROOTCA_2024"
|
||||||
|
ttl: 315360000 # 87600 * 3600
|
||||||
|
format: "pem"
|
||||||
|
issuing_certificates:
|
||||||
|
- "https://vault.service.consul:8200/v1/pki/au/syd1/ca"
|
||||||
|
crl_distribution_points:
|
||||||
|
- "https://vault.service.consul:8200/v1/pki/au/syd1/crl"
|
||||||
|
ocsp_servers: []
|
||||||
|
enable_templating: false
|
||||||
|
default_follows_latest_issuer: false
|
||||||
|
crl_expiry: "72h"
|
||||||
|
crl_disable: false
|
||||||
|
ocsp_disable: false
|
||||||
|
auto_rebuild: false
|
||||||
|
enable_delta: false
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
allow_ip_sans: true
|
||||||
|
allowed_domains:
|
||||||
|
- "unkin.net"
|
||||||
|
- "*.unkin.net"
|
||||||
|
- "localhost"
|
||||||
|
allow_subdomains: true
|
||||||
|
allow_glob_domains: true
|
||||||
|
allow_bare_domains: true
|
||||||
|
enforce_hostnames: true
|
||||||
|
allow_any_name: true
|
||||||
|
max_ttl: 7776000 # 2160 * 3600
|
||||||
|
key_bits: 4096
|
||||||
|
country:
|
||||||
|
- "Australia"
|
||||||
|
use_csr_common_name: true
|
||||||
|
use_csr_sans: true
|
||||||
@@ -0,0 +1,16 @@
|
|||||||
|
allow_ip_sans: true
|
||||||
|
allowed_domains:
|
||||||
|
- "unkin.net"
|
||||||
|
- "*.unkin.net"
|
||||||
|
- "localhost"
|
||||||
|
allow_subdomains: true
|
||||||
|
allow_glob_domains: true
|
||||||
|
allow_bare_domains: true
|
||||||
|
enforce_hostnames: true
|
||||||
|
allow_any_name: true
|
||||||
|
max_ttl: 7776000 # 2160 * 3600
|
||||||
|
key_bits: 4096
|
||||||
|
country:
|
||||||
|
- "Australia"
|
||||||
|
use_csr_common_name: true
|
||||||
|
use_csr_sans: true
|
||||||
@@ -0,0 +1,14 @@
|
|||||||
|
allow_ip_sans: true
|
||||||
|
allowed_domains:
|
||||||
|
- "unkin.net"
|
||||||
|
- "unkin.local"
|
||||||
|
allow_subdomains: true
|
||||||
|
allow_glob_domains: false
|
||||||
|
allow_bare_domains: true
|
||||||
|
enforce_hostnames: false
|
||||||
|
allow_any_name: false
|
||||||
|
max_ttl: 31536000 # 8760h in seconds
|
||||||
|
key_bits: 2048
|
||||||
|
country: []
|
||||||
|
use_csr_common_name: true
|
||||||
|
use_csr_sans: true
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
description: "SSH CA Engine"
|
||||||
|
max_lease_ttl_seconds: 315360000 # 87600 * 3600
|
||||||
|
generate_signing_key: true
|
||||||
|
key_type: ssh-rsa
|
||||||
@@ -0,0 +1,8 @@
|
|||||||
|
key_type: ca
|
||||||
|
algorithm_signer: rsa-sha2-256
|
||||||
|
ttl: 315360000 # 87600 * 3600
|
||||||
|
allow_host_certificates: true
|
||||||
|
allow_user_certificates: false
|
||||||
|
allowed_domains: "main.unkin.net,consul"
|
||||||
|
allow_subdomains: true
|
||||||
|
allow_bare_domains: false
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
description: "Transit Engine"
|
||||||
|
default_lease_ttl_seconds: 3600
|
||||||
|
max_lease_ttl_seconds: 86400
|
||||||
@@ -0,0 +1,5 @@
|
|||||||
|
type: aes256-gcm96
|
||||||
|
deletion_allowed: false
|
||||||
|
derived: false
|
||||||
|
exportable: false
|
||||||
|
allow_plaintext_backup: false
|
||||||
@@ -1,72 +0,0 @@
|
|||||||
# Data source to read the service_token_jwt from Vault KV
|
|
||||||
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
|
|
||||||
mount = "kv"
|
|
||||||
name = "service/kubernetes/au/syd1/service_account_jwt"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
|
|
||||||
path = "kubernetes/au/syd1"
|
|
||||||
description = "kubernetes secret engine for au-syd1 cluster"
|
|
||||||
default_lease_ttl_seconds = 600
|
|
||||||
max_lease_ttl_seconds = 86400
|
|
||||||
kubernetes_host = "https://api-k8s.service.consul:6443"
|
|
||||||
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
|
|
||||||
service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
|
|
||||||
disable_local_ca_jwt = false
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
|
|
||||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
|
||||||
name = "vault-media-apps-operator"
|
|
||||||
allowed_kubernetes_namespaces = ["media-apps"]
|
|
||||||
kubernetes_role_type = "Role"
|
|
||||||
|
|
||||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
|
|
||||||
|
|
||||||
extra_labels = {
|
|
||||||
vault-region = "au-syd1"
|
|
||||||
vault-role = "vault-media-apps-operator"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
|
|
||||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
|
||||||
name = "vault-cluster-operator"
|
|
||||||
allowed_kubernetes_namespaces = ["*"]
|
|
||||||
kubernetes_role_type = "ClusterRole"
|
|
||||||
|
|
||||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
|
|
||||||
|
|
||||||
extra_labels = {
|
|
||||||
vault-region = "au-syd1"
|
|
||||||
vault-role = "vault-cluster-operator"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
|
|
||||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
|
||||||
name = "vault-cluster-admin"
|
|
||||||
allowed_kubernetes_namespaces = ["*"]
|
|
||||||
kubernetes_role_type = "ClusterRole"
|
|
||||||
|
|
||||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
|
|
||||||
|
|
||||||
extra_labels = {
|
|
||||||
vault-region = "au-syd1"
|
|
||||||
vault-role = "vault-cluster-admin"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
|
|
||||||
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
|
|
||||||
name = "vault-cluster-root"
|
|
||||||
allowed_kubernetes_namespaces = ["*"]
|
|
||||||
kubernetes_role_type = "ClusterRole"
|
|
||||||
|
|
||||||
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
|
|
||||||
|
|
||||||
extra_labels = {
|
|
||||||
vault-region = "au-syd1"
|
|
||||||
vault-role = "vault-cluster-root"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,15 +0,0 @@
|
|||||||
#--------------------------------------------------------------
|
|
||||||
# kv
|
|
||||||
# create engine
|
|
||||||
#--------------------------------------------------------------
|
|
||||||
resource "vault_mount" "kv" {
|
|
||||||
path = "kv"
|
|
||||||
type = "kv"
|
|
||||||
listing_visibility = "hidden"
|
|
||||||
max_lease_ttl_seconds = 0
|
|
||||||
external_entropy_access = false
|
|
||||||
seal_wrap = false
|
|
||||||
options = {
|
|
||||||
version = "2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,49 +0,0 @@
|
|||||||
#--------------------------------------------------------------
|
|
||||||
# pki_int
|
|
||||||
# create engine
|
|
||||||
# generate intermediate csa
|
|
||||||
# sign the intermediate against rootca
|
|
||||||
# set the signed intermediate cert in the pki_int engine
|
|
||||||
#--------------------------------------------------------------
|
|
||||||
resource "vault_mount" "pki_int" {
|
|
||||||
path = "pki_int"
|
|
||||||
type = "pki"
|
|
||||||
description = "PKI Intermediate CA"
|
|
||||||
max_lease_ttl_seconds = 43800 * 3600 # 43800 hours
|
|
||||||
}
|
|
||||||
|
|
||||||
## Generate the intermediate CSR
|
|
||||||
#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" {
|
|
||||||
# backend = vault_mount.pki_int.path
|
|
||||||
# common_name = "unkin.net Intermediate Authority"
|
|
||||||
# format = "pem"
|
|
||||||
# type = "internal"
|
|
||||||
#}
|
|
||||||
#
|
|
||||||
## Sign the intermediate CSR using the root CA
|
|
||||||
#resource "vault_generic_endpoint" "pki_root_sign_intermediate" {
|
|
||||||
# path = "${vault_mount.pki_root.path}/root/sign-intermediate"
|
|
||||||
#
|
|
||||||
# data_json = jsonencode({
|
|
||||||
# csr = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr,
|
|
||||||
# format = "pem_bundle",
|
|
||||||
# ttl = "43800h",
|
|
||||||
# issuer_ref = "UNKIN_ROOTCA_2024"
|
|
||||||
# })
|
|
||||||
#}
|
|
||||||
#
|
|
||||||
## Decode the certificate from the response
|
|
||||||
#locals {
|
|
||||||
# intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"]
|
|
||||||
#}
|
|
||||||
#
|
|
||||||
## Set the signed intermediate certificate
|
|
||||||
#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" {
|
|
||||||
# backend = vault_mount.pki_int.path
|
|
||||||
# certificate = local.intermediate_signed_cert
|
|
||||||
#}
|
|
||||||
|
|
||||||
#data "vault_pki_secret_backend_issuer" "pki_int_issuer" {
|
|
||||||
# backend = vault_mount.pki_int.path
|
|
||||||
# issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id
|
|
||||||
#}
|
|
||||||
@@ -1,39 +0,0 @@
|
|||||||
#-------------------------------------------
|
|
||||||
# pki_root:
|
|
||||||
# create engine
|
|
||||||
# generate rootca certificate
|
|
||||||
# read the issuer
|
|
||||||
# configure the pki urls
|
|
||||||
#-------------------------------------------
|
|
||||||
resource "vault_mount" "pki_root" {
|
|
||||||
path = "pki_root"
|
|
||||||
type = "pki"
|
|
||||||
description = "PKI Root CA"
|
|
||||||
max_lease_ttl_seconds = 87600 * 3600 # 87600h
|
|
||||||
}
|
|
||||||
|
|
||||||
#resource "vault_pki_secret_backend_root_cert" "pki_root_root_cert" {
|
|
||||||
# backend = vault_mount.pki_root.path
|
|
||||||
# common_name = "unkin.net"
|
|
||||||
# issuer_name = "UNKIN_ROOTCA_2024"
|
|
||||||
# ttl = 87600 * 3600
|
|
||||||
# format = "pem"
|
|
||||||
# type = "internal"
|
|
||||||
#}
|
|
||||||
#
|
|
||||||
#output "root_certificate" {
|
|
||||||
# value = vault_pki_secret_backend_root_cert.pki_root_root_cert.certificate
|
|
||||||
# sensitive = true
|
|
||||||
#}
|
|
||||||
|
|
||||||
data "vault_pki_secret_backend_issuer" "pki_root_issuer" {
|
|
||||||
backend = vault_mount.pki_root.path
|
|
||||||
issuer_ref = "default"
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_pki_secret_backend_config_urls" "pki_root_urls" {
|
|
||||||
backend = vault_mount.pki_root.path
|
|
||||||
|
|
||||||
issuing_certificates = ["${local.vault_addr}/v1/pki_root/ca"]
|
|
||||||
crl_distribution_points = ["${local.vault_addr}/v1/pki_root/crl"]
|
|
||||||
}
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
#--------------------------------------------------------------
|
|
||||||
# rundeck
|
|
||||||
# create engine
|
|
||||||
#--------------------------------------------------------------
|
|
||||||
resource "vault_mount" "rundeck" {
|
|
||||||
path = "rundeck"
|
|
||||||
type = "kv"
|
|
||||||
max_lease_ttl_seconds = 0
|
|
||||||
external_entropy_access = false
|
|
||||||
seal_wrap = false
|
|
||||||
options = {
|
|
||||||
version = "2"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
#--------------------------------------------------------------
|
|
||||||
# ssh-host-signer
|
|
||||||
# create engine
|
|
||||||
# generate ca cert
|
|
||||||
# tune the ssh engine
|
|
||||||
#--------------------------------------------------------------
|
|
||||||
#resource "vault_mount" "ssh_host_signer" {
|
|
||||||
# path = "ssh-host-signer"
|
|
||||||
# type = "ssh"
|
|
||||||
# description = "SSH Host Signing Engine"
|
|
||||||
# max_lease_ttl_seconds = 87600 * 3600
|
|
||||||
#}
|
|
||||||
#
|
|
||||||
#resource "vault_ssh_secret_backend_ca" "ssh_host_signer_ca" {
|
|
||||||
# backend = vault_mount.ssh_host_signer.path
|
|
||||||
# generate_signing_key = false # change to true for new configuration
|
|
||||||
# key_type = "ssh-rsa"
|
|
||||||
#}
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
#--------------------------------------------------------------
|
|
||||||
# ssh
|
|
||||||
# create engine
|
|
||||||
# generate ca cert
|
|
||||||
# tune the ssh engine
|
|
||||||
#--------------------------------------------------------------
|
|
||||||
resource "vault_mount" "sshca" {
|
|
||||||
path = "sshca"
|
|
||||||
type = "ssh"
|
|
||||||
description = "SSH CA Engine"
|
|
||||||
max_lease_ttl_seconds = 87600 * 3600
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_ssh_secret_backend_ca" "ssh_ca" {
|
|
||||||
backend = vault_mount.sshca.path
|
|
||||||
generate_signing_key = true
|
|
||||||
key_type = "ssh-rsa"
|
|
||||||
}
|
|
||||||
@@ -1,13 +0,0 @@
|
|||||||
resource "vault_mount" "transit" {
|
|
||||||
path = "transit"
|
|
||||||
type = "transit"
|
|
||||||
description = "Transit Engine"
|
|
||||||
default_lease_ttl_seconds = 3600
|
|
||||||
max_lease_ttl_seconds = 86400
|
|
||||||
}
|
|
||||||
|
|
||||||
resource "vault_transit_secret_backend_key" "key" {
|
|
||||||
backend = vault_mount.transit.path
|
|
||||||
name = "au-syd1-k8s-vso"
|
|
||||||
type = "aes256-gcm96"
|
|
||||||
}
|
|
||||||
@@ -0,0 +1,78 @@
|
|||||||
|
include "root" {
|
||||||
|
path = find_in_parent_folders("root.hcl")
|
||||||
|
expose = true
|
||||||
|
}
|
||||||
|
|
||||||
|
include "config" {
|
||||||
|
path = "${get_repo_root()}/config/config.hcl"
|
||||||
|
expose = true
|
||||||
|
}
|
||||||
|
|
||||||
|
include "policies" {
|
||||||
|
path = "${get_repo_root()}/policies/policies.hcl"
|
||||||
|
expose = true
|
||||||
|
}
|
||||||
|
|
||||||
|
include "resources" {
|
||||||
|
path = "${get_repo_root()}/resources/resources.hcl"
|
||||||
|
expose = true
|
||||||
|
}
|
||||||
|
|
||||||
|
locals {
|
||||||
|
# Extract country and region from path
|
||||||
|
path_parts = split("/", dirname(get_terragrunt_dir()))
|
||||||
|
country = basename(dirname(get_terragrunt_dir())) # "au"
|
||||||
|
region = basename(get_terragrunt_dir()) # "syd1"
|
||||||
|
|
||||||
|
# Include configuration from config.hcl
|
||||||
|
config = include.config.locals.config
|
||||||
|
|
||||||
|
# Include policies from policies.hcl
|
||||||
|
policies = include.policies.locals
|
||||||
|
|
||||||
|
# Include resources from resources.hcl
|
||||||
|
resources = include.resources.locals
|
||||||
|
|
||||||
|
# Create sanitized backend name mapping for Consul providers
|
||||||
|
# Provider aliases can't contain slashes, so replace them with underscores
|
||||||
|
consul_backend_aliases = {
|
||||||
|
for backend_name, _ in local.config.consul_secret_backend :
|
||||||
|
backend_name => replace(backend_name, "/", "_")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
terraform {
|
||||||
|
source = "../../../modules/vault_cluster"
|
||||||
|
}
|
||||||
|
|
||||||
|
inputs = {
|
||||||
|
country = local.country
|
||||||
|
region = local.region
|
||||||
|
|
||||||
|
# Pass configuration maps to vault_cluster module
|
||||||
|
auth_approle_backend = local.config.auth_approle_backend
|
||||||
|
auth_approle_role = local.config.auth_approle_role
|
||||||
|
auth_ldap_backend = local.config.auth_ldap_backend
|
||||||
|
auth_ldap_group = local.config.auth_ldap_group
|
||||||
|
auth_kubernetes_backend = local.config.auth_kubernetes_backend
|
||||||
|
auth_kubernetes_role = local.config.auth_kubernetes_role
|
||||||
|
kv_secret_backend = local.config.kv_secret_backend
|
||||||
|
transit_secret_backend = local.config.transit_secret_backend
|
||||||
|
transit_secret_backend_key = local.config.transit_secret_backend_key
|
||||||
|
ssh_secret_backend = local.config.ssh_secret_backend
|
||||||
|
ssh_secret_backend_role = local.config.ssh_secret_backend_role
|
||||||
|
pki_secret_backend = local.config.pki_secret_backend
|
||||||
|
pki_secret_backend_role = local.config.pki_secret_backend_role
|
||||||
|
consul_secret_backend = local.config.consul_secret_backend
|
||||||
|
consul_secret_backend_role = local.config.consul_secret_backend_role
|
||||||
|
kubernetes_secret_backend = local.config.kubernetes_secret_backend
|
||||||
|
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
|
||||||
|
pki_mount_only = local.config.pki_mount_only
|
||||||
|
|
||||||
|
# Pass policy maps to vault_cluster module
|
||||||
|
policy_auth_map = local.policies.policy_auth_map
|
||||||
|
policy_rules_map = local.policies.policy_rules_map
|
||||||
|
|
||||||
|
# Pass sanitized consul backend aliases for provider configuration
|
||||||
|
consul_backend_aliases = local.consul_backend_aliases
|
||||||
|
}
|
||||||
@@ -0,0 +1,35 @@
|
|||||||
|
# Generate root backend.tf
|
||||||
|
generate "backend" {
|
||||||
|
path = "backend.tf"
|
||||||
|
if_exists = "overwrite"
|
||||||
|
contents = <<EOF
|
||||||
|
locals {
|
||||||
|
vault_addr = "https://vault.service.consul:8200"
|
||||||
|
}
|
||||||
|
|
||||||
|
provider "vault" {
|
||||||
|
address = local.vault_addr
|
||||||
|
}
|
||||||
|
|
||||||
|
terraform {
|
||||||
|
backend "consul" {
|
||||||
|
address = "https://consul.service.consul"
|
||||||
|
path = "infra/terraform/vault/${path_relative_to_include()}/state"
|
||||||
|
scheme = "https"
|
||||||
|
lock = true
|
||||||
|
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
||||||
|
}
|
||||||
|
required_version = ">= 1.10"
|
||||||
|
required_providers {
|
||||||
|
vault = {
|
||||||
|
source = "hashicorp/vault"
|
||||||
|
version = "5.6.0"
|
||||||
|
}
|
||||||
|
consul = {
|
||||||
|
source = "hashicorp/consul"
|
||||||
|
version = "2.23.0"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
}
|
||||||
@@ -1,37 +0,0 @@
|
|||||||
#-------------------------------------------
|
|
||||||
# locals
|
|
||||||
#-------------------------------------------
|
|
||||||
locals {
|
|
||||||
vault_addr = "https://vault.service.consul:8200"
|
|
||||||
}
|
|
||||||
|
|
||||||
#-----------------------------------------------------------------------------
|
|
||||||
# Configure this provider through the environment variables:
|
|
||||||
# - VAULT_ADDR
|
|
||||||
# - VAULT_TOKEN
|
|
||||||
#-----------------------------------------------------------------------------
|
|
||||||
provider "vault" {
|
|
||||||
address = local.vault_addr
|
|
||||||
}
|
|
||||||
|
|
||||||
#------------------------------------------------------------------------------
|
|
||||||
# Use remote state file and encrypt it since your state files may contains
|
|
||||||
# sensitive data.
|
|
||||||
# export CONSUL_HTTP_TOKEN=<your-token>
|
|
||||||
#------------------------------------------------------------------------------
|
|
||||||
terraform {
|
|
||||||
backend "consul" {
|
|
||||||
address = "https://consul.service.consul"
|
|
||||||
path = "infra/terraform/vault/state"
|
|
||||||
scheme = "https"
|
|
||||||
lock = true
|
|
||||||
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
|
|
||||||
}
|
|
||||||
required_version = ">= 1.10"
|
|
||||||
required_providers {
|
|
||||||
vault = {
|
|
||||||
source = "hashicorp/vault"
|
|
||||||
version = "5.4.0"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
rule "terraform_required_providers" {
|
||||||
|
enabled = false
|
||||||
|
}
|
||||||
|
|
||||||
|
rule "terraform_required_version" {
|
||||||
|
enabled = false
|
||||||
|
}
|
||||||
|
|
||||||
|
rule "terraform_unused_declarations" {
|
||||||
|
enabled = false
|
||||||
|
}
|
||||||
@@ -0,0 +1,336 @@
|
|||||||
|
module "auth_approle_backend" {
|
||||||
|
source = "./modules/auth_approle_backend"
|
||||||
|
|
||||||
|
for_each = var.auth_approle_backend
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
listing_visibility = each.value.listing_visibility
|
||||||
|
default_lease_ttl = each.value.default_lease_ttl
|
||||||
|
max_lease_ttl = each.value.max_lease_ttl
|
||||||
|
}
|
||||||
|
|
||||||
|
module "auth_approle_role" {
|
||||||
|
source = "./modules/auth_approle_role"
|
||||||
|
|
||||||
|
for_each = var.auth_approle_role
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
approle_name = each.value.approle_name
|
||||||
|
mount_path = each.value.mount_path
|
||||||
|
token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
|
||||||
|
token_ttl = each.value.token_ttl
|
||||||
|
token_max_ttl = each.value.token_max_ttl
|
||||||
|
bind_secret_id = each.value.bind_secret_id
|
||||||
|
secret_id_ttl = each.value.secret_id_ttl
|
||||||
|
token_bound_cidrs = each.value.token_bound_cidrs
|
||||||
|
alias_metadata = each.value.alias_metadata
|
||||||
|
use_deterministic_role_id = each.value.use_deterministic_role_id
|
||||||
|
|
||||||
|
depends_on = [module.auth_approle_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "auth_ldap_backend" {
|
||||||
|
source = "./modules/auth_ldap_backend"
|
||||||
|
|
||||||
|
for_each = var.auth_ldap_backend
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
path = each.key
|
||||||
|
userdn = each.value.userdn
|
||||||
|
userattr = each.value.userattr
|
||||||
|
upndomain = each.value.upndomain
|
||||||
|
discoverdn = each.value.discoverdn
|
||||||
|
groupdn = each.value.groupdn
|
||||||
|
groupfilter = each.value.groupfilter
|
||||||
|
groupattr = each.value.groupattr
|
||||||
|
alias_metadata = each.value.alias_metadata
|
||||||
|
username_as_alias = each.value.username_as_alias
|
||||||
|
listing_visibility = each.value.listing_visibility
|
||||||
|
default_lease_ttl = each.value.default_lease_ttl
|
||||||
|
max_lease_ttl = each.value.max_lease_ttl
|
||||||
|
}
|
||||||
|
|
||||||
|
module "auth_ldap_group" {
|
||||||
|
source = "./modules/auth_ldap_group"
|
||||||
|
|
||||||
|
for_each = var.auth_ldap_group
|
||||||
|
|
||||||
|
groupname = each.value.groupname
|
||||||
|
backend = each.value.backend
|
||||||
|
policies = var.policy_auth_map[each.value.backend][each.value.groupname]
|
||||||
|
|
||||||
|
depends_on = [module.auth_ldap_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "auth_kubernetes_backend" {
|
||||||
|
source = "./modules/auth_kubernetes_backend"
|
||||||
|
|
||||||
|
for_each = var.auth_kubernetes_backend
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
path = each.key
|
||||||
|
kubernetes_host = each.value.kubernetes_host
|
||||||
|
disable_iss_validation = each.value.disable_iss_validation
|
||||||
|
use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
|
||||||
|
listing_visibility = each.value.listing_visibility
|
||||||
|
default_lease_ttl = each.value.default_lease_ttl
|
||||||
|
max_lease_ttl = each.value.max_lease_ttl
|
||||||
|
}
|
||||||
|
|
||||||
|
module "auth_kubernetes_role" {
|
||||||
|
source = "./modules/auth_kubernetes_role"
|
||||||
|
|
||||||
|
for_each = var.auth_kubernetes_role
|
||||||
|
|
||||||
|
role_name = each.value.role_name
|
||||||
|
backend = each.value.backend
|
||||||
|
bound_service_account_names = each.value.bound_service_account_names
|
||||||
|
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
||||||
|
token_ttl = each.value.token_ttl
|
||||||
|
token_max_ttl = each.value.token_max_ttl
|
||||||
|
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
||||||
|
audience = each.value.audience
|
||||||
|
|
||||||
|
depends_on = [module.auth_kubernetes_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "kv_secret_backend" {
|
||||||
|
source = "./modules/kv_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.kv_secret_backend
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
type = each.value.type
|
||||||
|
description = each.value.description
|
||||||
|
kv_version = each.value.version
|
||||||
|
max_versions = each.value.max_versions
|
||||||
|
}
|
||||||
|
|
||||||
|
module "transit_secret_backend" {
|
||||||
|
source = "./modules/transit_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.transit_secret_backend
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
description = each.value.description
|
||||||
|
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||||
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||||
|
}
|
||||||
|
|
||||||
|
module "transit_secret_backend_key" {
|
||||||
|
source = "./modules/transit_secret_backend_key"
|
||||||
|
|
||||||
|
for_each = var.transit_secret_backend_key
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
backend = each.value.backend
|
||||||
|
type = each.value.type
|
||||||
|
deletion_allowed = each.value.deletion_allowed
|
||||||
|
derived = each.value.derived
|
||||||
|
exportable = each.value.exportable
|
||||||
|
allow_plaintext_backup = each.value.allow_plaintext_backup
|
||||||
|
auto_rotate_period = each.value.auto_rotate_period
|
||||||
|
|
||||||
|
depends_on = [module.transit_secret_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "ssh_secret_backend" {
|
||||||
|
source = "./modules/ssh_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.ssh_secret_backend
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
description = each.value.description
|
||||||
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||||
|
generate_signing_key = each.value.generate_signing_key
|
||||||
|
key_type = each.value.key_type
|
||||||
|
}
|
||||||
|
|
||||||
|
module "ssh_secret_backend_role" {
|
||||||
|
source = "./modules/ssh_secret_backend_role"
|
||||||
|
|
||||||
|
for_each = var.ssh_secret_backend_role
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
backend = each.value.backend
|
||||||
|
key_type = each.value.key_type
|
||||||
|
algorithm_signer = each.value.algorithm_signer
|
||||||
|
ttl = each.value.ttl
|
||||||
|
allow_host_certificates = each.value.allow_host_certificates
|
||||||
|
allow_user_certificates = each.value.allow_user_certificates
|
||||||
|
allowed_domains = each.value.allowed_domains
|
||||||
|
allow_subdomains = each.value.allow_subdomains
|
||||||
|
allow_bare_domains = each.value.allow_bare_domains
|
||||||
|
|
||||||
|
depends_on = [module.ssh_secret_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "pki_secret_backend" {
|
||||||
|
source = "./modules/pki_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.pki_secret_backend
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
description = each.value.description
|
||||||
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||||
|
common_name = each.value.common_name
|
||||||
|
issuer_name = each.value.issuer_name
|
||||||
|
ttl = each.value.ttl
|
||||||
|
format = each.value.format
|
||||||
|
issuing_certificates = each.value.issuing_certificates
|
||||||
|
crl_distribution_points = each.value.crl_distribution_points
|
||||||
|
ocsp_servers = each.value.ocsp_servers
|
||||||
|
enable_templating = each.value.enable_templating
|
||||||
|
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||||
|
crl_expiry = each.value.crl_expiry
|
||||||
|
crl_disable = each.value.crl_disable
|
||||||
|
ocsp_disable = each.value.ocsp_disable
|
||||||
|
auto_rebuild = each.value.auto_rebuild
|
||||||
|
enable_delta = each.value.enable_delta
|
||||||
|
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||||
|
}
|
||||||
|
|
||||||
|
module "pki_secret_backend_role" {
|
||||||
|
source = "./modules/pki_secret_backend_role"
|
||||||
|
|
||||||
|
for_each = var.pki_secret_backend_role
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
backend = each.value.backend
|
||||||
|
allow_ip_sans = each.value.allow_ip_sans
|
||||||
|
allowed_domains = each.value.allowed_domains
|
||||||
|
allow_subdomains = each.value.allow_subdomains
|
||||||
|
allow_glob_domains = each.value.allow_glob_domains
|
||||||
|
allow_bare_domains = each.value.allow_bare_domains
|
||||||
|
enforce_hostnames = each.value.enforce_hostnames
|
||||||
|
allow_any_name = each.value.allow_any_name
|
||||||
|
max_ttl = each.value.max_ttl
|
||||||
|
key_bits = each.value.key_bits
|
||||||
|
country = each.value.country
|
||||||
|
use_csr_common_name = each.value.use_csr_common_name
|
||||||
|
use_csr_sans = each.value.use_csr_sans
|
||||||
|
|
||||||
|
depends_on = [module.pki_secret_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "consul_secret_backend" {
|
||||||
|
source = "./modules/consul_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.consul_secret_backend
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
path = each.key
|
||||||
|
description = each.value.description
|
||||||
|
address = each.value.address
|
||||||
|
bootstrap = each.value.bootstrap
|
||||||
|
scheme = each.value.scheme
|
||||||
|
ca_cert = each.value.ca_cert
|
||||||
|
client_cert = each.value.client_cert
|
||||||
|
client_key = each.value.client_key
|
||||||
|
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||||
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create data sources for consul backend tokens
|
||||||
|
data "vault_kv_secret_v2" "consul_backend_configs" {
|
||||||
|
for_each = {
|
||||||
|
for k, v in var.consul_secret_backend : k => v
|
||||||
|
if !v.bootstrap
|
||||||
|
}
|
||||||
|
|
||||||
|
mount = "kv"
|
||||||
|
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create Consul ACL management module
|
||||||
|
module "consul_acl_management" {
|
||||||
|
source = "./modules/consul_acl_management"
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
consul_backends = var.consul_secret_backend
|
||||||
|
consul_roles = var.consul_secret_backend_role
|
||||||
|
consul_backend_aliases = var.consul_backend_aliases
|
||||||
|
}
|
||||||
|
|
||||||
|
# Create consul secret backend roles (Vault resources only)
|
||||||
|
module "consul_secret_backend_role" {
|
||||||
|
source = "./modules/consul_secret_backend_role"
|
||||||
|
|
||||||
|
for_each = var.consul_secret_backend_role
|
||||||
|
|
||||||
|
name = each.value.name
|
||||||
|
backend = each.value.backend
|
||||||
|
ttl = each.value.ttl
|
||||||
|
max_ttl = each.value.max_ttl
|
||||||
|
local = each.value.local
|
||||||
|
|
||||||
|
depends_on = [module.consul_secret_backend, module.consul_acl_management]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "kubernetes_secret_backend" {
|
||||||
|
source = "./modules/kubernetes_secret_backend"
|
||||||
|
|
||||||
|
for_each = var.kubernetes_secret_backend
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
path = each.key
|
||||||
|
description = each.value.description
|
||||||
|
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
||||||
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||||
|
kubernetes_host = each.value.kubernetes_host
|
||||||
|
disable_local_ca_jwt = each.value.disable_local_ca_jwt
|
||||||
|
}
|
||||||
|
|
||||||
|
module "kubernetes_secret_backend_role" {
|
||||||
|
source = "./modules/kubernetes_secret_backend_role"
|
||||||
|
|
||||||
|
for_each = var.kubernetes_secret_backend_role
|
||||||
|
|
||||||
|
country = var.country
|
||||||
|
region = var.region
|
||||||
|
name = each.value.name
|
||||||
|
backend = each.value.backend
|
||||||
|
allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
|
||||||
|
kubernetes_role_type = each.value.kubernetes_role_type
|
||||||
|
extra_labels = each.value.extra_labels
|
||||||
|
|
||||||
|
depends_on = [module.kubernetes_secret_backend]
|
||||||
|
}
|
||||||
|
|
||||||
|
module "vault_policy" {
|
||||||
|
source = "./modules/vault_policy"
|
||||||
|
|
||||||
|
for_each = var.policy_rules_map
|
||||||
|
|
||||||
|
policy_name = each.key
|
||||||
|
policy_rules = each.value
|
||||||
|
}
|
||||||
|
|
||||||
|
module "pki_mount_only" {
|
||||||
|
source = "./modules/pki_mount_only"
|
||||||
|
|
||||||
|
for_each = var.pki_mount_only
|
||||||
|
|
||||||
|
path = each.key
|
||||||
|
description = each.value.description
|
||||||
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
||||||
|
issuing_certificates = each.value.issuing_certificates
|
||||||
|
crl_distribution_points = each.value.crl_distribution_points
|
||||||
|
ocsp_servers = each.value.ocsp_servers
|
||||||
|
enable_templating = each.value.enable_templating
|
||||||
|
default_issuer_ref = each.value.default_issuer_ref
|
||||||
|
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
||||||
|
crl_expiry = each.value.crl_expiry
|
||||||
|
crl_disable = each.value.crl_disable
|
||||||
|
ocsp_disable = each.value.ocsp_disable
|
||||||
|
auto_rebuild = each.value.auto_rebuild
|
||||||
|
enable_delta = each.value.enable_delta
|
||||||
|
delta_rebuild_interval = each.value.delta_rebuild_interval
|
||||||
|
}
|
||||||
|
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
|
||||||
|
resource "vault_auth_backend" "approle" {
|
||||||
|
type = "approle"
|
||||||
|
path = var.path
|
||||||
|
|
||||||
|
tune {
|
||||||
|
default_lease_ttl = var.default_lease_ttl
|
||||||
|
max_lease_ttl = var.max_lease_ttl
|
||||||
|
listing_visibility = var.listing_visibility
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
output "backend" {
|
||||||
|
description = "The created auth backend"
|
||||||
|
value = vault_auth_backend.approle
|
||||||
|
}
|
||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user