71 Commits

Author SHA1 Message Date
unkinben 65f844cbe1 Fix: add policy binding for forgebot K8s auth role
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Every K8s auth role needs at least one entry in the policy_auth_map.
Add a policy granting the forgebot role read access to the namespace-
scoped KV path, which the operator SA needs when authenticating with
the forgebot role instead of the default role.
2026-06-08 23:00:35 +10:00
benvin b9632f39e4 Merge branch 'master' into feature/forgebot-vault-access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-06-08 22:57:54 +10:00
unkinben bb5f6922fa feat: add vault policy for terraform-git webhook secrets (#75)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time

## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge

Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-08 22:56:30 +10:00
unkinben f5803605d6 Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
2026-06-08 22:54:58 +10:00
unkinben 2c4d0d7f64 Add Vault access for forgebot service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
2026-06-08 22:53:25 +10:00
unkinben a29ff9fe6a fix: use gitadmin woodpecker token path
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-08 19:08:12 +10:00
unkinben 12680f93cd feat: replace webhook secrets policy with woodpecker token policy
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Webhook URLs are now managed by the Woodpecker terraform provider
instead of being stored in Vault. Add read policy for the Woodpecker
API token at kv/data/service/woodpecker/tokens/terraform-git.
2026-06-08 16:17:00 +10:00
unkinben 132e5ea4d9 feat: add vault policy for terraform-git webhook secrets
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
Allow terraform-git to read webhook URLs stored in
kv/data/service/gitea/webhook/* via approle and k8s auth.
2026-06-08 16:11:58 +10:00
benvin 346cf9fa43 feat: manage gitadmin token (#74)
ci/woodpecker/push/apply Pipeline was successful
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token

---------

Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
2026-06-08 15:17:58 +10:00
unkinben 1288057b81 feat: add vault and consul roles for terraform-git (#73)
ci/woodpecker/push/apply Pipeline was successful
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git

## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace

Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 20:36:35 +10:00
unkinben 3876fa818d chore: bump almalinux9 image tags (#72)
ci/woodpecker/push/apply Pipeline was successful
Bump almalinux9 image tags to 20260606

Reviewed-on: #72
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-06-07 00:35:30 +10:00
unkinben a548bf1cb1 fix: apply requires plan (#71)
ci/woodpecker/push/apply Pipeline was successful
- ensure make plan runs before make apply when deploying

Reviewed-on: #71
2026-05-22 00:03:08 +10:00
unkinben 93ba86baf3 feat: add apply workflow (#70)
ci/woodpecker/push/apply Pipeline was successful
Reviewed-on: #70
2026-05-21 23:57:25 +10:00
unkinben 098830c10b Merge pull request 'feat: add plan workflow' (#69) from benvin/make-plan-buildwq into master
Reviewed-on: #69
2026-05-21 23:54:07 +10:00
unkinben 9cbac6d3ef feat: add plan workflow
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
- update makefile to enable kubernetes auth or roleid auth
- add plan workflow
- update all policies to allow the terraform-vault kubernetes role
2026-05-21 23:52:30 +10:00
unkinben 73aaaaeb99 Merge pull request 'chore: enable access to gateway.networking.k8s.io' (#68) from benvin/gatewayapi into master
Reviewed-on: #68
2026-05-21 22:42:28 +10:00
unkinben 7c60a5fd53 chore: enable access to gateway.networking.k8s.io
ci/woodpecker/pr/pre-commit Pipeline was successful
2026-05-21 22:39:57 +10:00
unkinben 27f12f183e Merge pull request 'chore: change to specific ci image' (#67) from benvin/ci_image into master
Reviewed-on: #67
2026-03-09 01:16:59 +11:00
unkinben c61434b692 chore: change to specific ci image
ci/woodpecker/pr/pre-commit Pipeline was successful
- almalinux9-opentofu image contains all required tools
2026-03-09 01:14:41 +11:00
unkinben 172ceac2fc Merge pull request 'feat: add templated policies for kubernetes' (#66) from benvin/kubernetes_structured_paths into master
Reviewed-on: #66
2026-03-08 12:57:58 +11:00
unkinben 48a4fd0dd1 feat: add templated policies for kubernetes
ci/woodpecker/pr/pre-commit Pipeline was successful
- add default kubernetes auth role
- add templated access kv/kubernetes/*
2026-03-08 12:48:08 +11:00
unkinben 4dc09547ef Merge pull request 'fix: update audience for rpmbuilder' (#65) from benvin/default_aud into master
Reviewed-on: #65
2026-03-08 12:29:43 +11:00
unkinben 546a9efe44 fix: update audience for rpmbuilder
ci/woodpecker/pr/pre-commit Pipeline was successful
when using using the service account jwt directly, the default audience
is the api servers url
2026-03-07 11:31:36 +11:00
unkinben 679cec4bc1 Merge pull request 'feat: add rpmbuilder k8s role' (#64) from benvin/rpmbuilder-in-k8s into master
Reviewed-on: #64
2026-03-07 11:11:23 +11:00
unkinben 71789f9f32 feat: add rpmbuilder k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- create rpmbuilder role
- enable access to gitea/github ro-tokens
- enable access to rpmbuilder role from woodpeckerci
2026-03-07 11:06:27 +11:00
unkinben 4cbcec58d3 Merge pull request 'feat: enable woodpecker access to ro tokens' (#63) from benvin/woodpecker_task_access into master
Reviewed-on: #63
2026-03-07 10:52:38 +11:00
unkinben 9c93e185f8 feat: enable woodpecker access to ro tokens
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable woodpecker tasks to access gitea/github read-only tokens
2026-03-07 10:49:39 +11:00
unkinben d6c8474bd3 Merge pull request 'chore: move pgsql password to vault' (#62) from benvin/artifactapi_postgrespassword into master
Reviewed-on: #62
2026-03-06 19:51:25 +11:00
unkinben 42351000ee chore: move pgsql password to vault
ci/woodpecker/pr/pre-commit Pipeline was successful
- no more storing secrets in configmaps
2026-03-06 19:39:36 +11:00
unkinben f7d1330c37 Merge pull request 'chore: add artifactapi k8s role' (#61) from benvin/artifactapi into master
Reviewed-on: #61
2026-03-06 18:57:05 +11:00
unkinben d9e07e432e chore: add artifactapi k8s role
ci/woodpecker/pr/pre-commit Pipeline was successful
- enable access to read artifactapi secrets
2026-03-06 18:53:42 +11:00
unkinben 14a258de7d Merge pull request 'chore: enable access woodpecker-agent-secret' (#60) from benvin/woodpecker_agent_secret into master
Reviewed-on: #60
2026-03-03 23:34:32 +11:00
unkinben be8bcc3743 chore: enable access woodpecker-agent-secret
ci/woodpecker/pr/pre-commit Pipeline was successful
- add policy to access woodpecker-agent-secret
2026-03-03 23:30:49 +11:00
unkinben dc257b1bcd Merge pull request 'feat: add pre-commit check in ci' (#59) from benvin/woodpecker_integration into master
Reviewed-on: #59
2026-02-28 22:28:21 +11:00
unkinben 66119e5207 feat: add pre-commit check in ci
ci/woodpecker/pr/pre-commit Pipeline was successful
- add a ci workflow to verify pre-commit passes
- fix pre-commit errors/warnings:
  - missing required_version
  - missing required_providers
  - fixed terraform_deprecated_interpolation
  - removed terraform_unused_declarations
2026-02-28 21:42:47 +11:00
unkinben 9e6de4dc32 Merge pull request 'feat: set max token life for auth_kubernetes_role' (#58) from benvin/token_max_ttl into master
Reviewed-on: #58
2026-02-22 22:30:18 +11:00
unkinben 7cafafd483 feat: set max token life for auth_kubernetes_role
found kubernetes vaultauth resources never picking up new policies,
because they would infinitely renew their token.

- set default max token length for roles to 1 day
- changed all existing role token_max_ttl to match their token_ttl
2026-02-22 22:28:21 +11:00
unkinben c94b2af196 Merge pull request 'feat: add woodpecker secrets' (#57) from benvin/woodpecker into master
Reviewed-on: #57
2026-02-22 22:27:50 +11:00
unkinben dd44146d88 feat: add woodpecker secrets
- add secrets required to integrate woodpecker into gitea/pgsql
2026-02-22 22:27:30 +11:00
unkinben 18a62332f6 Merge pull request 'chore: enable access to openldap admin creds' (#56) from benvin/ldap_admin_pass_terraform_ldap into master
Reviewed-on: #56
2026-02-15 20:17:35 +11:00
unkinben 8fa68e2670 chore: enable access to openldap admin creds
- ensure terraform_ldap can read ldap admin credentials
2026-02-15 20:16:58 +11:00
unkinben 4cad39989f Merge pull request 'chore: add default_user_password credentials policy' (#55) from benvin/openldap_default_pass into master
Reviewed-on: #55
2026-02-15 13:45:45 +11:00
unkinben c825962490 chore: add default_user_password credentials policy
- fix the comment for ldap_admin_password
- add policy to read default_user_password
2026-02-15 13:43:02 +11:00
unkinben 51bc3fffc0 Merge pull request 'feat: add terraform-ldap service' (#54) from benvin/terraform-ldap into master
Reviewed-on: #54
2026-02-15 13:40:32 +11:00
unkinben dca26029c0 feat: add terraform-ldap service
- add consul role/policy/acls to allow terraform-ldap state management
- add approle to generate tokens for consul
2026-02-15 13:38:31 +11:00
unkinben d398911108 Merge pull request 'fix: kubernetes auth fixes' (#53) from benvin/kubernetes_fixes into master
Reviewed-on: #53
2026-02-15 13:08:43 +11:00
unkinben c093d5830d fix: kubernetes auth fixes
- annotations as alias metadata does not work with openbao (idempotency issue)
- set token_ttl to be 600 for all auth roles for kubernetes (min)
2026-02-15 13:06:08 +11:00
unkinben 4b176846f2 Merge pull request 'feat: add identity secrets' (#52) from benvin/identity into master
Reviewed-on: #52
2026-02-15 13:02:01 +11:00
unkinben 90b765d713 feat: add identity secrets
- add kubernetes auth role for identity namespace
- add policy to access openldap bootstrap credentials
2026-02-15 13:01:06 +11:00
unkinben 3fb5a64a17 Merge pull request 'feat: add kubernetes ldap groups' (#51) from benvin/kubernetes_ldap_groups into master
Reviewed-on: #51
2026-02-14 19:48:56 +11:00
unkinben 33a746e545 feat: add kubernetes ldap groups
vault's terraform approle doesnt need to access all of these kubernetes
roles, it was just added as a placeholder and access to the kubernetes
roles was via the `vault_admin` to-much-access account. this is an
effort to roll back that and make access more targeted.

- add kubernetes* ldap groups for specific cluster/role combinations
- remove tf_vault from kubernetes* roles
2026-02-14 19:46:39 +11:00
unkinben 4fe0e0de73 Merge pull request 'feat: add terraform_k8s approle' (#50) from benvin/terraform_k8s_approle into master
Reviewed-on: #50
2026-02-14 19:38:46 +11:00
unkinben a47f841028 feat: add terraform_k8s approle
- add approle for kubernetes terraform
- ensure it can access consul token for state storage
- ensure it can generate root token for managing kubernetes
2026-02-14 19:37:22 +11:00
unkinben 9192879c03 Merge pull request 'feat: use ephemeral consul token' (#49) from benvin/use_consul_creds into master
Reviewed-on: #49
2026-02-14 18:59:56 +11:00
unkinben 5cdf6b410d feat: use ephemeral consul token
- add vault_env to makefile
- retrieve a consul_http_token on demand from vault
2026-02-14 18:59:05 +11:00
unkinben b51617c009 Merge pull request 'feat: implement consul ACL management with provider aliases' (#48) from benvin/consul_backend into master
Reviewed-on: #48
2026-02-14 18:41:49 +11:00
unkinben 66ee6430fa Merge pull request 'feat: add tf_vault required policies' (#47) from benvin/tf-vault-policy-updates into master
Reviewed-on: #47
2026-02-14 18:41:33 +11:00
unkinben fd03727ec2 feat: add tf_vault required policies
move management of Vault back to tf_vault approle. for this, we need to
create a number of policies that are missing.

- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
2026-02-14 18:39:21 +11:00
unkinben 5536869a38 feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00
unkinben f8f1185b42 Merge pull request 'chore: add puppet k8s role' (#46) from benvin/puppet_secrets into master
Reviewed-on: #46
2026-02-01 14:54:45 +11:00
unkinben 75e9db1aa6 chore: add puppet k8s role
- add role and policies
2026-02-01 14:54:23 +11:00
unkinben f47804ffdf Merge pull request 'chore: rancher pods use rancher service account' (#45) from benvin/rancher_role into master
Reviewed-on: #45
2026-01-30 22:11:53 +11:00
unkinben 24c124d6eb chore: rancher pods use rancher service account
- update bound service account names to be `rancher`
- update namespace to cattle-system (do not run rancher in another namespace)
2026-01-30 22:11:08 +11:00
unkinben 9d54b4cfcc Merge pull request 'chore: add rancher role' (#44) from benvin/rancher_role into master
Reviewed-on: #44
2026-01-30 19:46:19 +11:00
unkinben 33af7010fb chore: add rancher role
- add kubernetes role for rancher
- add policy to enable access to bootstrap-password
2026-01-30 19:43:06 +11:00
unkinben cb1b383035 Merge pull request 'feat: major restructuring in migration to terragrunt' (#43) from benvin/vault_terragrunt into master
Reviewed-on: #43
2026-01-26 23:53:35 +11:00
unkinben f6d06cb319 chore: cleanup unused config data
- remove token_policies from roles config data, this comes from policies.hcl inputs
- remove policies from ldap groups
- remove backend data from roles, this comes from config.hcl inputs
2026-01-26 23:51:50 +11:00
unkinben 1c9e063310 Merge branch 'master' into benvin/vault_terragrunt 2026-01-26 23:07:13 +11:00
unkinben 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00
unkinben b115b7d28a Merge pull request 'chore: add nzbget secrets' (#42) from benvin/nzbget into master
Reviewed-on: #42
2026-01-26 18:31:48 +11:00
unkinben 25e3d48337 chore: add nzbget secrets
- add policy for nzbget secrets
- enable the media-apps kubernetes role to use policy
2026-01-26 18:30:49 +11:00
339 changed files with 4984 additions and 1026 deletions
+1
View File
@@ -1,3 +1,4 @@
.terraform .terraform
.terraform.lock.hcl .terraform.lock.hcl
env env
.terragrunt-cache
+9 -2
View File
@@ -1,9 +1,16 @@
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.4.0
hooks:
- id: end-of-file-fixer
types: [yaml]
- id: trailing-whitespace
types: [yaml]
- repo: https://github.com/gruntwork-io/pre-commit - repo: https://github.com/gruntwork-io/pre-commit
rev: v0.1.30 rev: v0.1.30
hooks: hooks:
- id: terraform-fmt - id: tofu-fmt
- id: terraform-validate - id: tofu-validate
- id: tflint - id: tflint
- id: terragrunt-hcl-fmt - id: terragrunt-hcl-fmt
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
+23
View File
@@ -0,0 +1,23 @@
when:
- event: push
branch: master
steps:
- name: apply
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
- make apply
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+21
View File
@@ -0,0 +1,21 @@
when:
- event: pull_request
steps:
- name: plan
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
environment:
VAULT_AUTH_METHOD: kubernetes
commands:
- dnf install vault -y
- make plan
backend_options:
kubernetes:
serviceAccountName: terraform-vault
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+18
View File
@@ -0,0 +1,18 @@
when:
- event: pull_request
steps:
- name: pre-commit
image: git.unkin.net/unkin/almalinux9-opentofu:20260606
commands:
- uvx pre-commit run --all-files
backend_options:
kubernetes:
serviceAccountName: default
resources:
requests:
memory: 512Mi
cpu: 1
limits:
memory: 2Gi
cpu: 2
+30 -15
View File
@@ -1,20 +1,35 @@
.PHONY: init plan apply help .PHONY: init plan apply format
# Default target VAULT_AUTH_METHOD ?= approle
help: VAULT_K8S_ROLE ?= woodpecker_terraform_vault
@echo "Available targets:" VAULT_K8S_MOUNT ?= auth/k8s/au/syd1
@echo " init - Initialize Terraform" VAULT_K8S_JWT_PATH ?= /var/run/secrets/kubernetes.io/serviceaccount/token
@echo " plan - Plan Terraform changes"
@echo " apply - Apply Terraform changes" # Define vault_env function to set up vault environment
define vault_env
@export VAULT_ADDR="https://vault.service.consul:8200" && \
if [ "$(VAULT_AUTH_METHOD)" = "kubernetes" ]; then \
export VAULT_TOKEN=$$(vault write -field=token $(VAULT_K8S_MOUNT)/login role=$(VAULT_K8S_ROLE) jwt=$$(cat $(VAULT_K8S_JWT_PATH))); \
else \
export VAULT_TOKEN=$$(vault write -field=token auth/approle/login role_id=$$VAULT_ROLEID); \
fi && \
export CONSUL_HTTP_TOKEN=$$(vault read -field=token consul_root/au/syd1/creds/terraform-vault)
endef
init: init:
@echo "Sourcing environment and initializing Terraform..." @$(call vault_env) && \
@source ./env && terraform init terragrunt run --all --non-interactive init -- -upgrade
plan: plan: init
@echo "Sourcing environment and planning Terraform changes..." @$(call vault_env) && \
@source ./env && terraform plan terragrunt run --all --parallelism 4 --non-interactive plan
apply: apply: init
@echo "Sourcing environment and applying Terraform changes..." @$(call vault_env) && \
@source ./env && terraform apply -auto-approve terragrunt run --all --parallelism 2 --non-interactive apply
format:
@echo "Formatting OpenTofu files..."
@tofu fmt -recursive .
@echo "Formatting Terragrunt files..."
@terragrunt hcl fmt
-15
View File
@@ -1,15 +0,0 @@
resource "vault_approle_auth_backend_role" "certmanager" {
role_name = "certmanager"
bind_secret_id = false
token_policies = ["pki_int/certmanager"]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}
-16
View File
@@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "incus_cluster" {
role_name = "incus_cluster"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/incus/incus-cluster-join-tokens"
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.13.77/32",
"198.18.13.78/32",
"198.18.13.79/32"
]
}
-16
View File
@@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "packer_builder" {
role_name = "packer_builder"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/packer/packer_builder",
]
token_ttl = 300 # builds can take a few minutes
token_max_ttl = 600
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}
-15
View File
@@ -1,15 +0,0 @@
resource "vault_approle_auth_backend_role" "puppetapi" {
role_name = "puppetapi"
bind_secret_id = false
token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}
-16
View File
@@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "rpmbuilder" {
role_name = "rpmbuilder"
bind_secret_id = false
token_policies = [
"kv/service/github/neoloc/tokens/read-only-token/read",
"kv/service/gitea/unkinben/tokens/read-only-packages/read",
]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}
-9
View File
@@ -1,9 +0,0 @@
resource "vault_approle_auth_backend_role" "rundeck-role" {
role_name = "rundeck-role"
bind_secret_id = true
token_policies = ["rundeck/rundeck"]
token_ttl = 1 * 3600
token_max_ttl = 4 * 3600
token_bound_cidrs = ["198.18.13.59/32"]
secret_id_bound_cidrs = ["198.18.13.59/32"]
}
-15
View File
@@ -1,15 +0,0 @@
resource "vault_approle_auth_backend_role" "sshsign-host-role" {
role_name = "sshsign-host-role"
bind_secret_id = false
token_policies = ["ssh-host-signer/sshsign-host-policy"]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}
-18
View File
@@ -1,18 +0,0 @@
resource "vault_approle_auth_backend_role" "sshsigner" {
role_name = "sshsigner"
bind_secret_id = false
token_policies = [
"ssh-host-signer/sshsigner",
"sshca_signhost"
]
token_ttl = 30
token_max_ttl = 30
token_bound_cidrs = [
"198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
"198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
"198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
"198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
"198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
"198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
]
}
-17
View File
@@ -1,17 +0,0 @@
resource "vault_approle_auth_backend_role" "terraform_incus" {
role_name = "terraform_incus"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/terraform/incus",
"kv/service/puppet/certificates/terraform_puppet_cert",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}
-16
View File
@@ -1,16 +0,0 @@
resource "vault_approle_auth_backend_role" "terraform_nomad" {
role_name = "terraform_nomad"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/terraform/nomad",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}
-17
View File
@@ -1,17 +0,0 @@
resource "vault_approle_auth_backend_role" "terraform_repoflow" {
role_name = "terraform_repoflow"
bind_secret_id = false
token_policies = [
"default_access",
"kv/service/repoflow/unkinadmin/tokens/terraform/read",
"kv/service/terraform/repoflow",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
"198.18.25.102/32",
"198.18.26.91/32",
"198.18.27.40/32",
]
}
-33
View File
@@ -1,33 +0,0 @@
resource "vault_approle_auth_backend_role" "tf_vault" {
role_name = "tf_vault"
bind_secret_id = false
token_policies = [
"default_access",
"approle_token_create",
"auth/approle/approle_role_admin",
"auth/approle/approle_role_login",
"auth/kubernetes/k8s_auth_admin",
"auth/ldap/ldap_admin",
"auth/token/auth_token_create",
"auth/token/auth_token_self",
"auth/token/auth_token_roles_admin",
"kubernetes/au/config_admin",
"kubernetes/au/roles_admin",
"kv/service/glauth/services/svc_vault_read",
"kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
"kv/service/kubernetes/au/syd1/service_account_jwt/read",
"pki_int/pki_int_roles_admin",
"pki_root/pki_root_roles_admin",
"ssh-host-signer/ssh-host-signer_roles_admin",
"sshca/sshca_roles_admin",
"sys/sys_auth_admin",
"sys/sys_mounts_admin",
"sys/sys_policy_admin",
"transit/keys/admin",
]
token_ttl = 60
token_max_ttl = 120
token_bound_cidrs = [
"10.10.12.200/32",
]
}
-7
View File
@@ -1,7 +0,0 @@
#----------------------------
# Enable approle auth method
#----------------------------
resource "vault_auth_backend" "approle" {
type = "approle"
path = "approle"
}
-23
View File
@@ -1,23 +0,0 @@
#-----------------------------------
# Enable kubernetes auth method
#-----------------------------------
resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
path = "kubernetes"
}
# Data source to read the token_reviewer_jwt from Vault KV
data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/token_reviewer_jwt"
}
# Configure Kubernetes auth backend
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
disable_iss_validation = true
use_annotations_as_alias_metadata = true
}
-40
View File
@@ -1,40 +0,0 @@
#--------------------------------
# Enable ldap auth method
#--------------------------------
# retrieve the bindpass from Vault
data "vault_generic_secret" "svc_vault" {
path = "kv/service/glauth/services/svc_vault"
}
# create the ldap backend
resource "vault_ldap_auth_backend" "ldap" {
path = "ldap"
url = "ldap://ldap.service.consul"
userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
userattr = "uid"
upndomain = "users.main.unkin.net"
discoverdn = false
groupdn = "ou=users,dc=main,dc=unkin,dc=net"
groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
groupattr = "uid"
binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
bindpass = data.vault_generic_secret.svc_vault.data["pass"]
}
resource "vault_ldap_auth_backend_group" "vault_access" {
groupname = "vault_access"
policies = [
"default_access",
]
backend = vault_ldap_auth_backend.ldap.path
}
resource "vault_ldap_auth_backend_group" "vault_admin" {
groupname = "vault_admin"
policies = [
"default_access",
"global-admin",
]
backend = vault_ldap_auth_backend.ldap.path
}
-118
View File
@@ -1,118 +0,0 @@
resource "vault_kubernetes_auth_backend_role" "default" {
backend = vault_auth_backend.kubernetes.path
role_name = "default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["*"]
token_ttl = 3600
token_policies = [
"default"
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "demo_default" {
backend = vault_auth_backend.kubernetes.path
role_name = "demo_default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["demo"]
token_ttl = 60
token_policies = [
"kv/service/terraform/nomad"
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
backend = vault_auth_backend.kubernetes.path
role_name = "huntarr-default"
bound_service_account_names = ["default"]
bound_service_account_namespaces = ["huntarr"]
token_ttl = 60
token_policies = [
"pki_int/sign/servers_default",
"pki_int/issue/servers_default",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "externaldns" {
backend = vault_auth_backend.kubernetes.path
role_name = "externaldns"
bound_service_account_names = ["externaldns"]
bound_service_account_namespaces = ["externaldns"]
token_ttl = 60
token_policies = [
"kv/service/kubernetes/au/syd1/externaldns/tsig/read",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
backend = vault_auth_backend.kubernetes.path
role_name = "cert-manager-issuer"
bound_service_account_names = ["cert-manager-vault-issuer"]
bound_service_account_namespaces = ["cert-manager"]
token_ttl = 60
token_policies = [
"pki_int/sign/servers_default",
"pki_int/issue/servers_default",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
backend = vault_auth_backend.kubernetes.path
role_name = "ceph-csi"
bound_service_account_names = [
"ceph-csi-rbd-csi-rbd-provisioner",
"ceph-csi-cephfs-csi-cephfs-provisioner",
]
bound_service_account_namespaces = [
"csi-cephrbd",
"csi-cephfs",
]
token_ttl = 60
token_policies = [
"kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
"kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "media-apps" {
backend = vault_auth_backend.kubernetes.path
role_name = "media-apps"
bound_service_account_names = [
"media-apps-vault-reader",
]
bound_service_account_namespaces = [
"media-apps",
]
token_ttl = 60
token_policies = [
"kv/service/media-apps/prowlarr/read",
"kv/service/media-apps/radarr/read",
"kv/service/media-apps/sonarr/read",
]
audience = "vault"
}
resource "vault_kubernetes_auth_backend_role" "repoflow" {
backend = vault_auth_backend.kubernetes.path
role_name = "repoflow"
bound_service_account_names = [
"default",
]
bound_service_account_namespaces = [
"repoflow",
]
token_ttl = 60
token_policies = [
"kv/service/repoflow/au/syd1/ceph-s3/read",
"kv/service/repoflow/au/syd1/elasticsearch/read",
"kv/service/repoflow/au/syd1/hasura/read",
"kv/service/repoflow/au/syd1/postgres/read",
"kv/service/repoflow/au/syd1/repoflow-server/read",
]
audience = "vault"
}
+2
View File
@@ -0,0 +1,2 @@
default_lease_ttl: 60s
max_lease_ttl: 24h
@@ -0,0 +1,11 @@
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "198.18.25.5/32"
- "198.18.26.3/32"
- "198.18.27.89/32"
- "198.18.28.8/32"
- "198.18.29.33/32"
- "198.18.29.239/32"
use_deterministic_role_id: false
@@ -0,0 +1,9 @@
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.13.77/32"
- "198.18.13.78/32"
- "198.18.13.79/32"
use_deterministic_role_id: false
@@ -0,0 +1,9 @@
token_ttl: 300
token_max_ttl: 600
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false
@@ -0,0 +1,11 @@
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "198.18.25.5/32"
- "198.18.26.3/32"
- "198.18.27.89/32"
- "198.18.28.8/32"
- "198.18.29.33/32"
- "198.18.29.239/32"
use_deterministic_role_id: false
@@ -0,0 +1,9 @@
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false
@@ -0,0 +1,6 @@
token_ttl: 3600
token_max_ttl: 14400
bind_secret_id: true
token_bound_cidrs:
- "198.18.13.59/32"
use_deterministic_role_id: false
@@ -0,0 +1,11 @@
token_ttl: 30
token_max_ttl: 30
bind_secret_id: false
token_bound_cidrs:
- "198.18.25.5/32"
- "198.18.26.3/32"
- "198.18.27.89/32"
- "198.18.28.8/32"
- "198.18.29.33/32"
- "198.18.29.239/32"
use_deterministic_role_id: false
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false
@@ -0,0 +1,9 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -0,0 +1,9 @@
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false
@@ -0,0 +1,9 @@
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: false
@@ -0,0 +1,6 @@
token_ttl: 60
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
use_deterministic_role_id: false
@@ -0,0 +1,5 @@
kubernetes_host: https://api-k8s.service.consul:6443
disable_iss_validation: true
use_annotations_as_alias_metadata: false # doesnt work with openbao yet
default_lease_ttl: 1h
max_lease_ttl: 24h
@@ -0,0 +1,7 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- artifactapi
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,9 @@
bound_service_account_names:
- ceph-csi-rbd-csi-rbd-provisioner
- ceph-csi-cephfs-csi-cephfs-provisioner
bound_service_account_namespaces:
- csi-cephrbd
- csi-cephfs
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- cert-manager-vault-issuer
bound_service_account_namespaces:
- cert-manager
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,6 @@
bound_service_account_names:
- default
bound_service_account_namespaces: ['*']
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- externaldns
bound_service_account_namespaces:
- externaldns
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,8 @@
bound_service_account_names:
- default
- forgebot-operator
bound_service_account_namespaces:
- forgebot
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,6 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- huntarr
token_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- identity
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- media-apps-vault-reader
bound_service_account_namespaces:
- media-apps
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- puppet
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- rancher
bound_service_account_namespaces:
- cattle-system
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- repoflow
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,8 @@
# rpmbuilder is deployed in woodpeckerci
bound_service_account_names:
- default
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- default
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: vault
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-git
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -0,0 +1,7 @@
bound_service_account_names:
- terraform-vault
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
+10
View File
@@ -0,0 +1,10 @@
userdn: "ou=people,ou=users,dc=main,dc=unkin,dc=net"
userattr: "uid"
upndomain: "users.main.unkin.net"
discoverdn: false
groupdn: "ou=users,dc=main,dc=unkin,dc=net"
groupfilter: "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
groupattr: "uid"
username_as_alias: true
default_lease_ttl: 24h
max_lease_ttl: 168h
@@ -0,0 +1,3 @@
---
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
description: foo
@@ -0,0 +1,3 @@
---
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
description: foo
@@ -0,0 +1,3 @@
---
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
description: foo
@@ -0,0 +1,3 @@
---
# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
description: foo
+189
View File
@@ -0,0 +1,189 @@
# =============================================================================
# VAULT MODULE CONFIGURATION SYSTEM
# =============================================================================
#
# This file automatically discovers and organizes YAML configuration files
# for Vault modules, creating structured configuration maps for Terraform.
#
# HOW IT WORKS:
# 1. Scans all subdirectories for *.yaml files
# 2. Groups files by module type based on directory structure
# 3. Creates unique resource keys to prevent naming conflicts
# 4. Adds computed fields like name, backend, etc. from file paths
#
# DIRECTORY STRUCTURE:
# config/
# ├── auth_approle_role/
# │ └── approle/
# │ ├── certmanager.yaml # Creates key: "approle/certmanager"
# │ └── myapp.yaml # Creates key: "approle/myapp"
# ├── auth_kubernetes_role/
# │ └── k8s/au/syd1/
# │ ├── default.yaml # Creates key: "k8s/au/syd1/default"
# │ └── myapp.yaml # Creates key: "k8s/au/syd1/myapp"
# └── kv_secret_backend/
# ├── kv.yaml # Creates key: "kv"
# └── secrets.yaml # Creates key: "secrets"
#
# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
# ```yaml
# token_ttl: 3600
# token_max_ttl: 7200
# bind_secret_id: true
# token_bound_cidrs:
# - "10.0.0.0/8"
# ```
#
# This becomes:
# ```hcl
# auth_approle_role = {
# "approle/myapp" = {
# approle_name = "myapp" # Auto-computed from filename
# mount_path = "approle" # Auto-computed from directory
# token_ttl = 3600 # From YAML content
# token_max_ttl = 7200 # From YAML content
# bind_secret_id = true # From YAML content
# token_bound_cidrs = ["10.0.0.0/8"]
# }
# }
# ```
#
# KEY NAMING PATTERNS:
# - Simple backends: filename only (e.g., "kv", "transit")
# - Role-based resources: full path without extension (e.g., "approle/myapp")
# - This ensures uniqueness when multiple backends have similar role names
#
# GENERATED OUTPUTS:
# - config.auth_approle_backend, config.auth_approle_role, etc.
# - Each module gets its own map with properly structured configuration
#
# =============================================================================
locals {
# Find all YAML files in subdirectories
config_files = fileset(".", "**/*.yaml")
# Create a flat map of all files with their content
all_configs = {
for file_path in local.config_files :
file_path => yamldecode(file(file_path))
}
# Group by module directory (first part of path)
config = {
auth_approle_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "auth_approle_backend/")
}
auth_approle_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, {
approle_name = trimsuffix(basename(file_path), ".yaml")
mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0]
})
if startswith(file_path, "auth_approle_role/")
}
auth_ldap_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "auth_ldap_backend/")
}
auth_ldap_group = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, {
groupname = trimsuffix(basename(file_path), ".yaml")
backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0]
})
if startswith(file_path, "auth_ldap_group/")
}
auth_kubernetes_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content
if startswith(file_path, "auth_kubernetes_backend/")
}
auth_kubernetes_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, {
role_name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "auth_kubernetes_role/", ""))
})
if startswith(file_path, "auth_kubernetes_role/")
}
kv_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "kv_secret_backend/")
}
transit_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "transit_secret_backend/")
}
transit_secret_backend_key = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "transit_secret_backend_key/", ""))
})
if startswith(file_path, "transit_secret_backend_key/")
}
ssh_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "ssh_secret_backend/")
}
ssh_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "ssh_secret_backend_role/", ""))
})
if startswith(file_path, "ssh_secret_backend_role/")
}
pki_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content
if startswith(file_path, "pki_secret_backend/")
}
pki_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "pki_secret_backend_role/", ""))
})
if startswith(file_path, "pki_secret_backend_role/")
}
kubernetes_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content
if startswith(file_path, "kubernetes_secret_backend/")
}
kubernetes_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", ""))
})
if startswith(file_path, "kubernetes_secret_backend_role/")
}
consul_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "consul_secret_backend/", ""), ".yaml") => content
if startswith(file_path, "consul_secret_backend/")
}
consul_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "consul_secret_backend_role/", ""))
})
if startswith(file_path, "consul_secret_backend_role/")
}
pki_mount_only = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "pki_mount_only/")
}
}
}
@@ -0,0 +1,7 @@
description: "consul secret engine for au-syd1 cluster"
default_lease_ttl_seconds: 600
max_lease_ttl_seconds: 86400
address: "consul.service.au-syd1.consul"
scheme: https
bootstrap: false
datacenter: au-syd1
@@ -0,0 +1,5 @@
consul_roles:
- terraform-git
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-incus
ttl: 300
max_ttl: 600
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-k8s
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-ldap
ttl: 60
max_ttl: 60
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-nomad
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-repoflow
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
consul_roles:
- terraform-vault
ttl: 120
max_ttl: 300
datacenters: []
@@ -0,0 +1,5 @@
description: "kubernetes secret engine for au-syd1 cluster"
default_lease_ttl_seconds: 600
max_lease_ttl_seconds: 86400
kubernetes_host: "https://api-k8s.service.consul:6443"
disable_local_ca_jwt: false
@@ -0,0 +1,4 @@
allowed_kubernetes_namespaces:
- "*"
kubernetes_role_type: "ClusterRole"
extra_labels: {}
@@ -0,0 +1,4 @@
allowed_kubernetes_namespaces:
- "*"
kubernetes_role_type: "ClusterRole"
extra_labels: {}
@@ -0,0 +1,4 @@
allowed_kubernetes_namespaces:
- "*"
kubernetes_role_type: "ClusterRole"
extra_labels: {}
@@ -0,0 +1,4 @@
allowed_kubernetes_namespaces:
- "media-apps"
kubernetes_role_type: "Role"
extra_labels: {}
+4
View File
@@ -0,0 +1,4 @@
type: kv-v2
description: "Key-Value secrets engine"
version: "2"
max_versions: 10
+4
View File
@@ -0,0 +1,4 @@
type: kv-v2
description: "Rundeck secrets engine"
version: "2"
max_versions: 5
+17
View File
@@ -0,0 +1,17 @@
description: "PKI Intermediate CA"
max_lease_ttl_seconds: 157680000 # 43800 hours * 3600
issuer_ref: "default"
issuing_certificates:
- "https://vault.service.consul:8200/v1/pki_int/ca"
crl_distribution_points:
- "https://vault.service.consul:8200/v1/pki_int/crl"
ocsp_servers: []
enable_templating: false
default_issuer_ref: null
default_follows_latest_issuer: false
crl_expiry: "72h"
crl_disable: false
ocsp_disable: false
auto_rebuild: false
enable_delta: false
delta_rebuild_interval: null
+17
View File
@@ -0,0 +1,17 @@
description: "PKI Root CA"
max_lease_ttl_seconds: 315360000 # 10 years
issuer_ref: "default"
issuing_certificates:
- "https://vault.service.consul:8200/v1/pki_root/ca"
crl_distribution_points:
- "https://vault.service.consul:8200/v1/pki_root/crl"
ocsp_servers: []
enable_templating: false
default_issuer_ref: null
default_follows_latest_issuer: false
crl_expiry: "72h"
crl_disable: false
ocsp_disable: false
auto_rebuild: false
enable_delta: false
delta_rebuild_interval: null
@@ -0,0 +1,18 @@
description: "PKI Root CA AU SYD1"
max_lease_ttl_seconds: 315360000 # 87600 * 3600
common_name: "unkin.net AU SYD1 Root CA"
issuer_name: "UNKIN_AU_SYD1_ROOTCA_2024"
ttl: 315360000 # 87600 * 3600
format: "pem"
issuing_certificates:
- "https://vault.service.consul:8200/v1/pki/au/syd1/ca"
crl_distribution_points:
- "https://vault.service.consul:8200/v1/pki/au/syd1/crl"
ocsp_servers: []
enable_templating: false
default_follows_latest_issuer: false
crl_expiry: "72h"
crl_disable: false
ocsp_disable: false
auto_rebuild: false
enable_delta: false
@@ -0,0 +1,16 @@
allow_ip_sans: true
allowed_domains:
- "unkin.net"
- "*.unkin.net"
- "localhost"
allow_subdomains: true
allow_glob_domains: true
allow_bare_domains: true
enforce_hostnames: true
allow_any_name: true
max_ttl: 7776000 # 2160 * 3600
key_bits: 4096
country:
- "Australia"
use_csr_common_name: true
use_csr_sans: true
@@ -0,0 +1,16 @@
allow_ip_sans: true
allowed_domains:
- "unkin.net"
- "*.unkin.net"
- "localhost"
allow_subdomains: true
allow_glob_domains: true
allow_bare_domains: true
enforce_hostnames: true
allow_any_name: true
max_ttl: 7776000 # 2160 * 3600
key_bits: 4096
country:
- "Australia"
use_csr_common_name: true
use_csr_sans: true
@@ -0,0 +1,14 @@
allow_ip_sans: true
allowed_domains:
- "unkin.net"
- "unkin.local"
allow_subdomains: true
allow_glob_domains: false
allow_bare_domains: true
enforce_hostnames: false
allow_any_name: false
max_ttl: 31536000 # 8760h in seconds
key_bits: 2048
country: []
use_csr_common_name: true
use_csr_sans: true
+4
View File
@@ -0,0 +1,4 @@
description: "SSH CA Engine"
max_lease_ttl_seconds: 315360000 # 87600 * 3600
generate_signing_key: true
key_type: ssh-rsa
@@ -0,0 +1,8 @@
key_type: ca
algorithm_signer: rsa-sha2-256
ttl: 315360000 # 87600 * 3600
allow_host_certificates: true
allow_user_certificates: false
allowed_domains: "main.unkin.net,consul"
allow_subdomains: true
allow_bare_domains: false
@@ -0,0 +1,3 @@
description: "Transit Engine"
default_lease_ttl_seconds: 3600
max_lease_ttl_seconds: 86400
@@ -0,0 +1,5 @@
type: aes256-gcm96
deletion_allowed: false
derived: false
exportable: false
allow_plaintext_backup: false
-72
View File
@@ -1,72 +0,0 @@
# Data source to read the service_token_jwt from Vault KV
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
mount = "kv"
name = "service/kubernetes/au/syd1/service_account_jwt"
}
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
path = "kubernetes/au/syd1"
description = "kubernetes secret engine for au-syd1 cluster"
default_lease_ttl_seconds = 600
max_lease_ttl_seconds = 86400
kubernetes_host = "https://api-k8s.service.consul:6443"
kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]
disable_local_ca_jwt = false
}
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-media-apps-operator"
allowed_kubernetes_namespaces = ["media-apps"]
kubernetes_role_type = "Role"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-media-apps-operator"
}
}
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-cluster-operator"
allowed_kubernetes_namespaces = ["*"]
kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-operator"
}
}
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-cluster-admin"
allowed_kubernetes_namespaces = ["*"]
kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-admin"
}
}
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
name = "vault-cluster-root"
allowed_kubernetes_namespaces = ["*"]
kubernetes_role_type = "ClusterRole"
generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
extra_labels = {
vault-region = "au-syd1"
vault-role = "vault-cluster-root"
}
}
-15
View File
@@ -1,15 +0,0 @@
#--------------------------------------------------------------
# kv
# create engine
#--------------------------------------------------------------
resource "vault_mount" "kv" {
path = "kv"
type = "kv"
listing_visibility = "hidden"
max_lease_ttl_seconds = 0
external_entropy_access = false
seal_wrap = false
options = {
version = "2"
}
}
-49
View File
@@ -1,49 +0,0 @@
#--------------------------------------------------------------
# pki_int
# create engine
# generate intermediate csa
# sign the intermediate against rootca
# set the signed intermediate cert in the pki_int engine
#--------------------------------------------------------------
resource "vault_mount" "pki_int" {
path = "pki_int"
type = "pki"
description = "PKI Intermediate CA"
max_lease_ttl_seconds = 43800 * 3600 # 43800 hours
}
## Generate the intermediate CSR
#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" {
# backend = vault_mount.pki_int.path
# common_name = "unkin.net Intermediate Authority"
# format = "pem"
# type = "internal"
#}
#
## Sign the intermediate CSR using the root CA
#resource "vault_generic_endpoint" "pki_root_sign_intermediate" {
# path = "${vault_mount.pki_root.path}/root/sign-intermediate"
#
# data_json = jsonencode({
# csr = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr,
# format = "pem_bundle",
# ttl = "43800h",
# issuer_ref = "UNKIN_ROOTCA_2024"
# })
#}
#
## Decode the certificate from the response
#locals {
# intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"]
#}
#
## Set the signed intermediate certificate
#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" {
# backend = vault_mount.pki_int.path
# certificate = local.intermediate_signed_cert
#}
#data "vault_pki_secret_backend_issuer" "pki_int_issuer" {
# backend = vault_mount.pki_int.path
# issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id
#}
-39
View File
@@ -1,39 +0,0 @@
#-------------------------------------------
# pki_root:
# create engine
# generate rootca certificate
# read the issuer
# configure the pki urls
#-------------------------------------------
resource "vault_mount" "pki_root" {
path = "pki_root"
type = "pki"
description = "PKI Root CA"
max_lease_ttl_seconds = 87600 * 3600 # 87600h
}
#resource "vault_pki_secret_backend_root_cert" "pki_root_root_cert" {
# backend = vault_mount.pki_root.path
# common_name = "unkin.net"
# issuer_name = "UNKIN_ROOTCA_2024"
# ttl = 87600 * 3600
# format = "pem"
# type = "internal"
#}
#
#output "root_certificate" {
# value = vault_pki_secret_backend_root_cert.pki_root_root_cert.certificate
# sensitive = true
#}
data "vault_pki_secret_backend_issuer" "pki_root_issuer" {
backend = vault_mount.pki_root.path
issuer_ref = "default"
}
resource "vault_pki_secret_backend_config_urls" "pki_root_urls" {
backend = vault_mount.pki_root.path
issuing_certificates = ["${local.vault_addr}/v1/pki_root/ca"]
crl_distribution_points = ["${local.vault_addr}/v1/pki_root/crl"]
}
-14
View File
@@ -1,14 +0,0 @@
#--------------------------------------------------------------
# rundeck
# create engine
#--------------------------------------------------------------
resource "vault_mount" "rundeck" {
path = "rundeck"
type = "kv"
max_lease_ttl_seconds = 0
external_entropy_access = false
seal_wrap = false
options = {
version = "2"
}
}
-18
View File
@@ -1,18 +0,0 @@
#--------------------------------------------------------------
# ssh-host-signer
# create engine
# generate ca cert
# tune the ssh engine
#--------------------------------------------------------------
#resource "vault_mount" "ssh_host_signer" {
# path = "ssh-host-signer"
# type = "ssh"
# description = "SSH Host Signing Engine"
# max_lease_ttl_seconds = 87600 * 3600
#}
#
#resource "vault_ssh_secret_backend_ca" "ssh_host_signer_ca" {
# backend = vault_mount.ssh_host_signer.path
# generate_signing_key = false # change to true for new configuration
# key_type = "ssh-rsa"
#}
-18
View File
@@ -1,18 +0,0 @@
#--------------------------------------------------------------
# ssh
# create engine
# generate ca cert
# tune the ssh engine
#--------------------------------------------------------------
resource "vault_mount" "sshca" {
path = "sshca"
type = "ssh"
description = "SSH CA Engine"
max_lease_ttl_seconds = 87600 * 3600
}
resource "vault_ssh_secret_backend_ca" "ssh_ca" {
backend = vault_mount.sshca.path
generate_signing_key = true
key_type = "ssh-rsa"
}
-13
View File
@@ -1,13 +0,0 @@
resource "vault_mount" "transit" {
path = "transit"
type = "transit"
description = "Transit Engine"
default_lease_ttl_seconds = 3600
max_lease_ttl_seconds = 86400
}
resource "vault_transit_secret_backend_key" "key" {
backend = vault_mount.transit.path
name = "au-syd1-k8s-vso"
type = "aes256-gcm96"
}
+78
View File
@@ -0,0 +1,78 @@
include "root" {
path = find_in_parent_folders("root.hcl")
expose = true
}
include "config" {
path = "${get_repo_root()}/config/config.hcl"
expose = true
}
include "policies" {
path = "${get_repo_root()}/policies/policies.hcl"
expose = true
}
include "resources" {
path = "${get_repo_root()}/resources/resources.hcl"
expose = true
}
locals {
# Extract country and region from path
path_parts = split("/", dirname(get_terragrunt_dir()))
country = basename(dirname(get_terragrunt_dir())) # "au"
region = basename(get_terragrunt_dir()) # "syd1"
# Include configuration from config.hcl
config = include.config.locals.config
# Include policies from policies.hcl
policies = include.policies.locals
# Include resources from resources.hcl
resources = include.resources.locals
# Create sanitized backend name mapping for Consul providers
# Provider aliases can't contain slashes, so replace them with underscores
consul_backend_aliases = {
for backend_name, _ in local.config.consul_secret_backend :
backend_name => replace(backend_name, "/", "_")
}
}
terraform {
source = "../../../modules/vault_cluster"
}
inputs = {
country = local.country
region = local.region
# Pass configuration maps to vault_cluster module
auth_approle_backend = local.config.auth_approle_backend
auth_approle_role = local.config.auth_approle_role
auth_ldap_backend = local.config.auth_ldap_backend
auth_ldap_group = local.config.auth_ldap_group
auth_kubernetes_backend = local.config.auth_kubernetes_backend
auth_kubernetes_role = local.config.auth_kubernetes_role
kv_secret_backend = local.config.kv_secret_backend
transit_secret_backend = local.config.transit_secret_backend
transit_secret_backend_key = local.config.transit_secret_backend_key
ssh_secret_backend = local.config.ssh_secret_backend
ssh_secret_backend_role = local.config.ssh_secret_backend_role
pki_secret_backend = local.config.pki_secret_backend
pki_secret_backend_role = local.config.pki_secret_backend_role
consul_secret_backend = local.config.consul_secret_backend
consul_secret_backend_role = local.config.consul_secret_backend_role
kubernetes_secret_backend = local.config.kubernetes_secret_backend
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
pki_mount_only = local.config.pki_mount_only
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map
# Pass sanitized consul backend aliases for provider configuration
consul_backend_aliases = local.consul_backend_aliases
}
+35
View File
@@ -0,0 +1,35 @@
# Generate root backend.tf
generate "backend" {
path = "backend.tf"
if_exists = "overwrite"
contents = <<EOF
locals {
vault_addr = "https://vault.service.consul:8200"
}
provider "vault" {
address = local.vault_addr
}
terraform {
backend "consul" {
address = "https://consul.service.consul"
path = "infra/terraform/vault/${path_relative_to_include()}/state"
scheme = "https"
lock = true
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
}
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
consul = {
source = "hashicorp/consul"
version = "2.23.0"
}
}
}
EOF
}
-37
View File
@@ -1,37 +0,0 @@
#-------------------------------------------
# locals
#-------------------------------------------
locals {
vault_addr = "https://vault.service.consul:8200"
}
#-----------------------------------------------------------------------------
# Configure this provider through the environment variables:
# - VAULT_ADDR
# - VAULT_TOKEN
#-----------------------------------------------------------------------------
provider "vault" {
address = local.vault_addr
}
#------------------------------------------------------------------------------
# Use remote state file and encrypt it since your state files may contains
# sensitive data.
# export CONSUL_HTTP_TOKEN=<your-token>
#------------------------------------------------------------------------------
terraform {
backend "consul" {
address = "https://consul.service.consul"
path = "infra/terraform/vault/state"
scheme = "https"
lock = true
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
}
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.4.0"
}
}
}
+11
View File
@@ -0,0 +1,11 @@
rule "terraform_required_providers" {
enabled = false
}
rule "terraform_required_version" {
enabled = false
}
rule "terraform_unused_declarations" {
enabled = false
}
+336
View File
@@ -0,0 +1,336 @@
module "auth_approle_backend" {
source = "./modules/auth_approle_backend"
for_each = var.auth_approle_backend
path = each.key
listing_visibility = each.value.listing_visibility
default_lease_ttl = each.value.default_lease_ttl
max_lease_ttl = each.value.max_lease_ttl
}
module "auth_approle_role" {
source = "./modules/auth_approle_role"
for_each = var.auth_approle_role
country = var.country
region = var.region
approle_name = each.value.approle_name
mount_path = each.value.mount_path
token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
token_ttl = each.value.token_ttl
token_max_ttl = each.value.token_max_ttl
bind_secret_id = each.value.bind_secret_id
secret_id_ttl = each.value.secret_id_ttl
token_bound_cidrs = each.value.token_bound_cidrs
alias_metadata = each.value.alias_metadata
use_deterministic_role_id = each.value.use_deterministic_role_id
depends_on = [module.auth_approle_backend]
}
module "auth_ldap_backend" {
source = "./modules/auth_ldap_backend"
for_each = var.auth_ldap_backend
country = var.country
region = var.region
path = each.key
userdn = each.value.userdn
userattr = each.value.userattr
upndomain = each.value.upndomain
discoverdn = each.value.discoverdn
groupdn = each.value.groupdn
groupfilter = each.value.groupfilter
groupattr = each.value.groupattr
alias_metadata = each.value.alias_metadata
username_as_alias = each.value.username_as_alias
listing_visibility = each.value.listing_visibility
default_lease_ttl = each.value.default_lease_ttl
max_lease_ttl = each.value.max_lease_ttl
}
module "auth_ldap_group" {
source = "./modules/auth_ldap_group"
for_each = var.auth_ldap_group
groupname = each.value.groupname
backend = each.value.backend
policies = var.policy_auth_map[each.value.backend][each.value.groupname]
depends_on = [module.auth_ldap_backend]
}
module "auth_kubernetes_backend" {
source = "./modules/auth_kubernetes_backend"
for_each = var.auth_kubernetes_backend
country = var.country
region = var.region
path = each.key
kubernetes_host = each.value.kubernetes_host
disable_iss_validation = each.value.disable_iss_validation
use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
listing_visibility = each.value.listing_visibility
default_lease_ttl = each.value.default_lease_ttl
max_lease_ttl = each.value.max_lease_ttl
}
module "auth_kubernetes_role" {
source = "./modules/auth_kubernetes_role"
for_each = var.auth_kubernetes_role
role_name = each.value.role_name
backend = each.value.backend
bound_service_account_names = each.value.bound_service_account_names
bound_service_account_namespaces = each.value.bound_service_account_namespaces
token_ttl = each.value.token_ttl
token_max_ttl = each.value.token_max_ttl
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
audience = each.value.audience
depends_on = [module.auth_kubernetes_backend]
}
module "kv_secret_backend" {
source = "./modules/kv_secret_backend"
for_each = var.kv_secret_backend
path = each.key
type = each.value.type
description = each.value.description
kv_version = each.value.version
max_versions = each.value.max_versions
}
module "transit_secret_backend" {
source = "./modules/transit_secret_backend"
for_each = var.transit_secret_backend
path = each.key
description = each.value.description
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
}
module "transit_secret_backend_key" {
source = "./modules/transit_secret_backend_key"
for_each = var.transit_secret_backend_key
name = each.value.name
backend = each.value.backend
type = each.value.type
deletion_allowed = each.value.deletion_allowed
derived = each.value.derived
exportable = each.value.exportable
allow_plaintext_backup = each.value.allow_plaintext_backup
auto_rotate_period = each.value.auto_rotate_period
depends_on = [module.transit_secret_backend]
}
module "ssh_secret_backend" {
source = "./modules/ssh_secret_backend"
for_each = var.ssh_secret_backend
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
generate_signing_key = each.value.generate_signing_key
key_type = each.value.key_type
}
module "ssh_secret_backend_role" {
source = "./modules/ssh_secret_backend_role"
for_each = var.ssh_secret_backend_role
name = each.value.name
backend = each.value.backend
key_type = each.value.key_type
algorithm_signer = each.value.algorithm_signer
ttl = each.value.ttl
allow_host_certificates = each.value.allow_host_certificates
allow_user_certificates = each.value.allow_user_certificates
allowed_domains = each.value.allowed_domains
allow_subdomains = each.value.allow_subdomains
allow_bare_domains = each.value.allow_bare_domains
depends_on = [module.ssh_secret_backend]
}
module "pki_secret_backend" {
source = "./modules/pki_secret_backend"
for_each = var.pki_secret_backend
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
common_name = each.value.common_name
issuer_name = each.value.issuer_name
ttl = each.value.ttl
format = each.value.format
issuing_certificates = each.value.issuing_certificates
crl_distribution_points = each.value.crl_distribution_points
ocsp_servers = each.value.ocsp_servers
enable_templating = each.value.enable_templating
default_follows_latest_issuer = each.value.default_follows_latest_issuer
crl_expiry = each.value.crl_expiry
crl_disable = each.value.crl_disable
ocsp_disable = each.value.ocsp_disable
auto_rebuild = each.value.auto_rebuild
enable_delta = each.value.enable_delta
delta_rebuild_interval = each.value.delta_rebuild_interval
}
module "pki_secret_backend_role" {
source = "./modules/pki_secret_backend_role"
for_each = var.pki_secret_backend_role
name = each.value.name
backend = each.value.backend
allow_ip_sans = each.value.allow_ip_sans
allowed_domains = each.value.allowed_domains
allow_subdomains = each.value.allow_subdomains
allow_glob_domains = each.value.allow_glob_domains
allow_bare_domains = each.value.allow_bare_domains
enforce_hostnames = each.value.enforce_hostnames
allow_any_name = each.value.allow_any_name
max_ttl = each.value.max_ttl
key_bits = each.value.key_bits
country = each.value.country
use_csr_common_name = each.value.use_csr_common_name
use_csr_sans = each.value.use_csr_sans
depends_on = [module.pki_secret_backend]
}
module "consul_secret_backend" {
source = "./modules/consul_secret_backend"
for_each = var.consul_secret_backend
country = var.country
region = var.region
path = each.key
description = each.value.description
address = each.value.address
bootstrap = each.value.bootstrap
scheme = each.value.scheme
ca_cert = each.value.ca_cert
client_cert = each.value.client_cert
client_key = each.value.client_key
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
}
# Create data sources for consul backend tokens
data "vault_kv_secret_v2" "consul_backend_configs" {
for_each = {
for k, v in var.consul_secret_backend : k => v
if !v.bootstrap
}
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
}
# Create Consul ACL management module
module "consul_acl_management" {
source = "./modules/consul_acl_management"
country = var.country
region = var.region
consul_backends = var.consul_secret_backend
consul_roles = var.consul_secret_backend_role
consul_backend_aliases = var.consul_backend_aliases
}
# Create consul secret backend roles (Vault resources only)
module "consul_secret_backend_role" {
source = "./modules/consul_secret_backend_role"
for_each = var.consul_secret_backend_role
name = each.value.name
backend = each.value.backend
ttl = each.value.ttl
max_ttl = each.value.max_ttl
local = each.value.local
depends_on = [module.consul_secret_backend, module.consul_acl_management]
}
module "kubernetes_secret_backend" {
source = "./modules/kubernetes_secret_backend"
for_each = var.kubernetes_secret_backend
country = var.country
region = var.region
path = each.key
description = each.value.description
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
kubernetes_host = each.value.kubernetes_host
disable_local_ca_jwt = each.value.disable_local_ca_jwt
}
module "kubernetes_secret_backend_role" {
source = "./modules/kubernetes_secret_backend_role"
for_each = var.kubernetes_secret_backend_role
country = var.country
region = var.region
name = each.value.name
backend = each.value.backend
allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
kubernetes_role_type = each.value.kubernetes_role_type
extra_labels = each.value.extra_labels
depends_on = [module.kubernetes_secret_backend]
}
module "vault_policy" {
source = "./modules/vault_policy"
for_each = var.policy_rules_map
policy_name = each.key
policy_rules = each.value
}
module "pki_mount_only" {
source = "./modules/pki_mount_only"
for_each = var.pki_mount_only
path = each.key
description = each.value.description
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
issuing_certificates = each.value.issuing_certificates
crl_distribution_points = each.value.crl_distribution_points
ocsp_servers = each.value.ocsp_servers
enable_templating = each.value.enable_templating
default_issuer_ref = each.value.default_issuer_ref
default_follows_latest_issuer = each.value.default_follows_latest_issuer
crl_expiry = each.value.crl_expiry
crl_disable = each.value.crl_disable
ocsp_disable = each.value.ocsp_disable
auto_rebuild = each.value.auto_rebuild
enable_delta = each.value.enable_delta
delta_rebuild_interval = each.value.delta_rebuild_interval
}
@@ -0,0 +1,11 @@
resource "vault_auth_backend" "approle" {
type = "approle"
path = var.path
tune {
default_lease_ttl = var.default_lease_ttl
max_lease_ttl = var.max_lease_ttl
listing_visibility = var.listing_visibility
}
}
@@ -0,0 +1,4 @@
output "backend" {
description = "The created auth backend"
value = vault_auth_backend.approle
}

Some files were not shown because too many files have changed in this diff Show More