933de177fa
ci/woodpecker/push/apply Pipeline was successful
Complete the deploy of the [vault-plugin-secrets-gpg](https://git.unkin.net/unkin/vault-plugin-secrets-gpg) engine. Puppet ([puppet-prod #480](unkin/puppet-prod#480)) installs the `openbao-plugin-secrets-gpg` RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so `gpg/` is actually usable. - Add a `gpg_secret_backend` module using the standard `hashicorp/vault` provider (already required at 5.6.0): `vault_plugin` (catalog register with a pinned sha256) + `vault_mount` (enable at the mount path). - Wire it through `vault_cluster` (new `gpg_secret_backend` variable + module block) and the config discovery (`config.hcl` group + syd1 terragrunt input), mirroring `litellm_secret_backend`. - Add `config/gpg_secret_backend/gpg.yaml` mounting at `gpg/` and pinning the released v0.1.0 binary sha256 (`0e92d740…a7b20`, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary. Validated locally with `tofu validate` + `tofu fmt`. Granting non-root access to `gpg/*` (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI). Reviewed-on: #87 Co-authored-by: Ben Vincent <ben@unkin.net> Co-committed-by: Ben Vincent <ben@unkin.net>
368 lines
12 KiB
Terraform
368 lines
12 KiB
Terraform
variable "country" {
|
|
description = "Country identifier"
|
|
type = string
|
|
}
|
|
|
|
variable "region" {
|
|
description = "Region identifier"
|
|
type = string
|
|
}
|
|
|
|
variable "auth_approle_backend" {
|
|
description = "Map of AppRole auth backends to create"
|
|
type = map(object({
|
|
listing_visibility = optional(string)
|
|
default_lease_ttl = optional(string)
|
|
max_lease_ttl = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_approle_role" {
|
|
description = "Map of AppRole roles to create"
|
|
type = map(object({
|
|
approle_name = string
|
|
mount_path = string
|
|
token_ttl = optional(number)
|
|
token_max_ttl = optional(number)
|
|
bind_secret_id = optional(bool, false)
|
|
secret_id_ttl = optional(number)
|
|
token_bound_cidrs = optional(list(string), [])
|
|
alias_metadata = optional(map(string))
|
|
use_deterministic_role_id = optional(bool, true)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_ldap_backend" {
|
|
description = "Map of LDAP auth backends to create"
|
|
type = map(object({
|
|
userdn = string
|
|
userattr = optional(string, "uid")
|
|
upndomain = optional(string)
|
|
discoverdn = optional(bool, false)
|
|
groupdn = optional(string)
|
|
groupfilter = optional(string)
|
|
groupattr = optional(string, "cn")
|
|
alias_metadata = optional(map(string))
|
|
username_as_alias = optional(bool, true)
|
|
listing_visibility = optional(string)
|
|
default_lease_ttl = optional(string)
|
|
max_lease_ttl = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_ldap_group" {
|
|
description = "Map of LDAP groups to create"
|
|
type = map(object({
|
|
groupname = string
|
|
backend = string
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_kubernetes_backend" {
|
|
description = "Map of Kubernetes auth backends to create"
|
|
type = map(object({
|
|
kubernetes_host = string
|
|
disable_iss_validation = optional(bool, true)
|
|
use_annotations_as_alias_metadata = optional(bool, true)
|
|
listing_visibility = optional(string)
|
|
default_lease_ttl = optional(string)
|
|
max_lease_ttl = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "auth_kubernetes_role" {
|
|
description = "Map of Kubernetes auth roles to create"
|
|
type = map(object({
|
|
role_name = string
|
|
backend = string
|
|
bound_service_account_names = list(string)
|
|
bound_service_account_namespaces = list(string)
|
|
token_ttl = optional(number, 3600)
|
|
token_max_ttl = optional(number, 86400)
|
|
audience = optional(string, "vault")
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "kv_secret_backend" {
|
|
description = "Map of KV secret engines to create"
|
|
type = map(object({
|
|
type = optional(string, "kv-v2")
|
|
description = optional(string)
|
|
version = optional(string, "2")
|
|
max_versions = optional(number)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "transit_secret_backend" {
|
|
description = "Map of Transit secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
default_lease_ttl_seconds = optional(number, 3600)
|
|
max_lease_ttl_seconds = optional(number, 86400)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "transit_secret_backend_key" {
|
|
description = "Map of Transit keys to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
type = optional(string, "aes256-gcm96")
|
|
deletion_allowed = optional(bool, false)
|
|
derived = optional(bool, false)
|
|
exportable = optional(bool, false)
|
|
allow_plaintext_backup = optional(bool, false)
|
|
auto_rotate_period = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "ssh_secret_backend" {
|
|
description = "Map of SSH secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
max_lease_ttl_seconds = optional(number, 315360000)
|
|
generate_signing_key = optional(bool)
|
|
key_type = optional(string, "ssh-rsa")
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "ssh_secret_backend_role" {
|
|
description = "Map of SSH roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
key_type = optional(string, "ca")
|
|
algorithm_signer = optional(string, "rsa-sha2-256")
|
|
ttl = optional(number, 315360000)
|
|
allow_host_certificates = optional(bool, false)
|
|
allow_user_certificates = optional(bool, false)
|
|
allowed_domains = optional(string)
|
|
allow_subdomains = optional(bool, false)
|
|
allow_bare_domains = optional(bool, false)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "pki_secret_backend" {
|
|
description = "Map of PKI secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
max_lease_ttl_seconds = optional(number, 315360000)
|
|
common_name = string
|
|
issuer_name = string
|
|
ttl = optional(number, 315360000)
|
|
format = optional(string, "pem")
|
|
issuing_certificates = optional(list(string), [])
|
|
crl_distribution_points = optional(list(string), [])
|
|
ocsp_servers = optional(list(string), [])
|
|
enable_templating = optional(bool, false)
|
|
default_follows_latest_issuer = optional(bool, false)
|
|
crl_expiry = optional(string, "72h")
|
|
crl_disable = optional(bool, false)
|
|
ocsp_disable = optional(bool, false)
|
|
auto_rebuild = optional(bool, false)
|
|
enable_delta = optional(bool, false)
|
|
delta_rebuild_interval = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "pki_secret_backend_role" {
|
|
description = "Map of PKI roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
allow_ip_sans = optional(bool, false)
|
|
allowed_domains = optional(list(string), [])
|
|
allow_subdomains = optional(bool, false)
|
|
allow_glob_domains = optional(bool, false)
|
|
allow_bare_domains = optional(bool, false)
|
|
enforce_hostnames = optional(bool, false)
|
|
allow_any_name = optional(bool, false)
|
|
max_ttl = optional(number)
|
|
key_bits = optional(number, 4096)
|
|
country = optional(list(string), [])
|
|
use_csr_common_name = optional(bool, false)
|
|
use_csr_sans = optional(bool, false)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "pki_mount_only" {
|
|
description = "Map of PKI mounts to create (without certificate generation)"
|
|
type = map(object({
|
|
description = optional(string)
|
|
max_lease_ttl_seconds = optional(number, 315360000)
|
|
issuing_certificates = optional(list(string), [])
|
|
crl_distribution_points = optional(list(string), [])
|
|
ocsp_servers = optional(list(string), [])
|
|
enable_templating = optional(bool, false)
|
|
default_issuer_ref = optional(string)
|
|
default_follows_latest_issuer = optional(bool, false)
|
|
crl_expiry = optional(string, "72h")
|
|
crl_disable = optional(bool, false)
|
|
ocsp_disable = optional(bool, false)
|
|
auto_rebuild = optional(bool, false)
|
|
enable_delta = optional(bool, false)
|
|
delta_rebuild_interval = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "consul_secret_backend" {
|
|
description = "Map of Consul secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
address = string
|
|
bootstrap = optional(bool, false)
|
|
bootstrap_token = optional(string)
|
|
scheme = optional(string, "https")
|
|
ca_cert = optional(string)
|
|
client_cert = optional(string)
|
|
client_key = optional(string)
|
|
default_lease_ttl_seconds = optional(number)
|
|
max_lease_ttl_seconds = optional(number)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "consul_secret_backend_role" {
|
|
description = "Map of Consul roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
consul_roles = optional(list(string), [])
|
|
ttl = optional(number)
|
|
max_ttl = optional(number)
|
|
local = optional(bool, false)
|
|
datacenters = optional(list(string))
|
|
description = optional(string)
|
|
service_identities = optional(list(object({
|
|
service_name = string
|
|
datacenters = optional(list(string))
|
|
})))
|
|
node_identities = optional(list(object({
|
|
node_name = string
|
|
datacenter = string
|
|
})))
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "consul_backend_aliases" {
|
|
description = "Map of consul backend names to sanitized provider aliases"
|
|
type = map(string)
|
|
default = {}
|
|
}
|
|
|
|
variable "kubernetes_secret_backend" {
|
|
description = "Map of Kubernetes secret engines to create"
|
|
type = map(object({
|
|
description = optional(string)
|
|
default_lease_ttl_seconds = optional(number, 600)
|
|
max_lease_ttl_seconds = optional(number, 86400)
|
|
kubernetes_host = string
|
|
disable_local_ca_jwt = optional(bool, false)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "kubernetes_secret_backend_role" {
|
|
description = "Map of Kubernetes secret backend roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
allowed_kubernetes_namespaces = optional(list(string), ["*"])
|
|
kubernetes_role_type = optional(string, "Role")
|
|
extra_labels = optional(map(string), {})
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "litellm_secret_backend" {
|
|
description = "Map of LiteLLM secret engines to create (mount + config). The master key is read from KV"
|
|
type = map(object({
|
|
plugin = optional(string, "vault-plugin-secrets-litellm")
|
|
description = optional(string)
|
|
base_url = string
|
|
request_timeout_seconds = optional(number, 30)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "litellm_secret_backend_role" {
|
|
description = "Map of LiteLLM roles to create"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
models = optional(list(string))
|
|
max_budget = optional(number)
|
|
key_alias_prefix = optional(string)
|
|
ttl = optional(number)
|
|
max_ttl = optional(number)
|
|
metadata = optional(map(string))
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "plugins" {
|
|
description = "Map of plugins to import (register) in the catalog, keyed by catalog name"
|
|
type = map(object({
|
|
name = string
|
|
type = optional(string, "secret")
|
|
command = optional(string)
|
|
sha256 = string
|
|
version = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "gpg_secret_backend" {
|
|
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
|
|
type = map(object({
|
|
plugin = optional(string, "vault-plugin-secrets-gpg")
|
|
description = optional(string)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "gpg_key" {
|
|
description = "Map of OpenPGP keys to manage in a gpg engine mount"
|
|
type = map(object({
|
|
name = string
|
|
backend = string
|
|
algorithm = optional(string, "rsa-3072")
|
|
identity = optional(string)
|
|
exportable = optional(bool, false)
|
|
deletion_allowed = optional(bool, false)
|
|
min_decryption_version = optional(number)
|
|
}))
|
|
default = {}
|
|
}
|
|
|
|
variable "policy_auth_map" {
|
|
description = "Map of auth mounts -> auth roles -> policy names"
|
|
type = map(map(list(string)))
|
|
default = {}
|
|
}
|
|
|
|
variable "policy_rules_map" {
|
|
description = "Map of policy names to their rules"
|
|
type = map(list(object({
|
|
path = string
|
|
capabilities = list(string)
|
|
})))
|
|
default = {}
|
|
}
|
|
|