Files
terraform-vault/modules/vault_cluster/variables.tf
unkinben 933de177fa
ci/woodpecker/push/apply Pipeline was successful
Register + mount the GPG secrets engine at gpg/ (#87)
Complete the deploy of the [vault-plugin-secrets-gpg](https://git.unkin.net/unkin/vault-plugin-secrets-gpg) engine. Puppet ([puppet-prod #480](unkin/puppet-prod#480)) installs the `openbao-plugin-secrets-gpg` RPM onto the OpenBao nodes; this registers that binary in the plugin catalog and enables the secrets engine so `gpg/` is actually usable.

- Add a `gpg_secret_backend` module using the standard `hashicorp/vault` provider (already required at 5.6.0): `vault_plugin` (catalog register with a pinned sha256) + `vault_mount` (enable at the mount path).
- Wire it through `vault_cluster` (new `gpg_secret_backend` variable + module block) and the config discovery (`config.hcl` group + syd1 terragrunt input), mirroring `litellm_secret_backend`.
- Add `config/gpg_secret_backend/gpg.yaml` mounting at `gpg/` and pinning the released v0.1.0 binary sha256 (`0e92d740…a7b20`, extracted from the published RPM). Puppet installs the RPM floating, so this sha must be bumped in lockstep on any plugin upgrade or OpenBao rejects the binary.

Validated locally with `tofu validate` + `tofu fmt`. Granting non-root access to `gpg/*` (auth roles + policies) is a follow-up scoped to whoever consumes the engine (e.g. passv from CI).

Reviewed-on: #87
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-17 23:19:38 +10:00

368 lines
12 KiB
Terraform

variable "country" {
description = "Country identifier"
type = string
}
variable "region" {
description = "Region identifier"
type = string
}
variable "auth_approle_backend" {
description = "Map of AppRole auth backends to create"
type = map(object({
listing_visibility = optional(string)
default_lease_ttl = optional(string)
max_lease_ttl = optional(string)
}))
default = {}
}
variable "auth_approle_role" {
description = "Map of AppRole roles to create"
type = map(object({
approle_name = string
mount_path = string
token_ttl = optional(number)
token_max_ttl = optional(number)
bind_secret_id = optional(bool, false)
secret_id_ttl = optional(number)
token_bound_cidrs = optional(list(string), [])
alias_metadata = optional(map(string))
use_deterministic_role_id = optional(bool, true)
}))
default = {}
}
variable "auth_ldap_backend" {
description = "Map of LDAP auth backends to create"
type = map(object({
userdn = string
userattr = optional(string, "uid")
upndomain = optional(string)
discoverdn = optional(bool, false)
groupdn = optional(string)
groupfilter = optional(string)
groupattr = optional(string, "cn")
alias_metadata = optional(map(string))
username_as_alias = optional(bool, true)
listing_visibility = optional(string)
default_lease_ttl = optional(string)
max_lease_ttl = optional(string)
}))
default = {}
}
variable "auth_ldap_group" {
description = "Map of LDAP groups to create"
type = map(object({
groupname = string
backend = string
}))
default = {}
}
variable "auth_kubernetes_backend" {
description = "Map of Kubernetes auth backends to create"
type = map(object({
kubernetes_host = string
disable_iss_validation = optional(bool, true)
use_annotations_as_alias_metadata = optional(bool, true)
listing_visibility = optional(string)
default_lease_ttl = optional(string)
max_lease_ttl = optional(string)
}))
default = {}
}
variable "auth_kubernetes_role" {
description = "Map of Kubernetes auth roles to create"
type = map(object({
role_name = string
backend = string
bound_service_account_names = list(string)
bound_service_account_namespaces = list(string)
token_ttl = optional(number, 3600)
token_max_ttl = optional(number, 86400)
audience = optional(string, "vault")
}))
default = {}
}
variable "kv_secret_backend" {
description = "Map of KV secret engines to create"
type = map(object({
type = optional(string, "kv-v2")
description = optional(string)
version = optional(string, "2")
max_versions = optional(number)
}))
default = {}
}
variable "transit_secret_backend" {
description = "Map of Transit secret engines to create"
type = map(object({
description = optional(string)
default_lease_ttl_seconds = optional(number, 3600)
max_lease_ttl_seconds = optional(number, 86400)
}))
default = {}
}
variable "transit_secret_backend_key" {
description = "Map of Transit keys to create"
type = map(object({
name = string
backend = string
type = optional(string, "aes256-gcm96")
deletion_allowed = optional(bool, false)
derived = optional(bool, false)
exportable = optional(bool, false)
allow_plaintext_backup = optional(bool, false)
auto_rotate_period = optional(string)
}))
default = {}
}
variable "ssh_secret_backend" {
description = "Map of SSH secret engines to create"
type = map(object({
description = optional(string)
max_lease_ttl_seconds = optional(number, 315360000)
generate_signing_key = optional(bool)
key_type = optional(string, "ssh-rsa")
}))
default = {}
}
variable "ssh_secret_backend_role" {
description = "Map of SSH roles to create"
type = map(object({
name = string
backend = string
key_type = optional(string, "ca")
algorithm_signer = optional(string, "rsa-sha2-256")
ttl = optional(number, 315360000)
allow_host_certificates = optional(bool, false)
allow_user_certificates = optional(bool, false)
allowed_domains = optional(string)
allow_subdomains = optional(bool, false)
allow_bare_domains = optional(bool, false)
}))
default = {}
}
variable "pki_secret_backend" {
description = "Map of PKI secret engines to create"
type = map(object({
description = optional(string)
max_lease_ttl_seconds = optional(number, 315360000)
common_name = string
issuer_name = string
ttl = optional(number, 315360000)
format = optional(string, "pem")
issuing_certificates = optional(list(string), [])
crl_distribution_points = optional(list(string), [])
ocsp_servers = optional(list(string), [])
enable_templating = optional(bool, false)
default_follows_latest_issuer = optional(bool, false)
crl_expiry = optional(string, "72h")
crl_disable = optional(bool, false)
ocsp_disable = optional(bool, false)
auto_rebuild = optional(bool, false)
enable_delta = optional(bool, false)
delta_rebuild_interval = optional(string)
}))
default = {}
}
variable "pki_secret_backend_role" {
description = "Map of PKI roles to create"
type = map(object({
name = string
backend = string
allow_ip_sans = optional(bool, false)
allowed_domains = optional(list(string), [])
allow_subdomains = optional(bool, false)
allow_glob_domains = optional(bool, false)
allow_bare_domains = optional(bool, false)
enforce_hostnames = optional(bool, false)
allow_any_name = optional(bool, false)
max_ttl = optional(number)
key_bits = optional(number, 4096)
country = optional(list(string), [])
use_csr_common_name = optional(bool, false)
use_csr_sans = optional(bool, false)
}))
default = {}
}
variable "pki_mount_only" {
description = "Map of PKI mounts to create (without certificate generation)"
type = map(object({
description = optional(string)
max_lease_ttl_seconds = optional(number, 315360000)
issuing_certificates = optional(list(string), [])
crl_distribution_points = optional(list(string), [])
ocsp_servers = optional(list(string), [])
enable_templating = optional(bool, false)
default_issuer_ref = optional(string)
default_follows_latest_issuer = optional(bool, false)
crl_expiry = optional(string, "72h")
crl_disable = optional(bool, false)
ocsp_disable = optional(bool, false)
auto_rebuild = optional(bool, false)
enable_delta = optional(bool, false)
delta_rebuild_interval = optional(string)
}))
default = {}
}
variable "consul_secret_backend" {
description = "Map of Consul secret engines to create"
type = map(object({
description = optional(string)
address = string
bootstrap = optional(bool, false)
bootstrap_token = optional(string)
scheme = optional(string, "https")
ca_cert = optional(string)
client_cert = optional(string)
client_key = optional(string)
default_lease_ttl_seconds = optional(number)
max_lease_ttl_seconds = optional(number)
}))
default = {}
}
variable "consul_secret_backend_role" {
description = "Map of Consul roles to create"
type = map(object({
name = string
backend = string
consul_roles = optional(list(string), [])
ttl = optional(number)
max_ttl = optional(number)
local = optional(bool, false)
datacenters = optional(list(string))
description = optional(string)
service_identities = optional(list(object({
service_name = string
datacenters = optional(list(string))
})))
node_identities = optional(list(object({
node_name = string
datacenter = string
})))
}))
default = {}
}
variable "consul_backend_aliases" {
description = "Map of consul backend names to sanitized provider aliases"
type = map(string)
default = {}
}
variable "kubernetes_secret_backend" {
description = "Map of Kubernetes secret engines to create"
type = map(object({
description = optional(string)
default_lease_ttl_seconds = optional(number, 600)
max_lease_ttl_seconds = optional(number, 86400)
kubernetes_host = string
disable_local_ca_jwt = optional(bool, false)
}))
default = {}
}
variable "kubernetes_secret_backend_role" {
description = "Map of Kubernetes secret backend roles to create"
type = map(object({
name = string
backend = string
allowed_kubernetes_namespaces = optional(list(string), ["*"])
kubernetes_role_type = optional(string, "Role")
extra_labels = optional(map(string), {})
}))
default = {}
}
variable "litellm_secret_backend" {
description = "Map of LiteLLM secret engines to create (mount + config). The master key is read from KV"
type = map(object({
plugin = optional(string, "vault-plugin-secrets-litellm")
description = optional(string)
base_url = string
request_timeout_seconds = optional(number, 30)
}))
default = {}
}
variable "litellm_secret_backend_role" {
description = "Map of LiteLLM roles to create"
type = map(object({
name = string
backend = string
models = optional(list(string))
max_budget = optional(number)
key_alias_prefix = optional(string)
ttl = optional(number)
max_ttl = optional(number)
metadata = optional(map(string))
}))
default = {}
}
variable "plugins" {
description = "Map of plugins to import (register) in the catalog, keyed by catalog name"
type = map(object({
name = string
type = optional(string, "secret")
command = optional(string)
sha256 = string
version = optional(string)
}))
default = {}
}
variable "gpg_secret_backend" {
description = "Map of GPG/OpenPGP secret engines to mount (path => registered plugin + description). The plugin is registered separately via config/plugins."
type = map(object({
plugin = optional(string, "vault-plugin-secrets-gpg")
description = optional(string)
}))
default = {}
}
variable "gpg_key" {
description = "Map of OpenPGP keys to manage in a gpg engine mount"
type = map(object({
name = string
backend = string
algorithm = optional(string, "rsa-3072")
identity = optional(string)
exportable = optional(bool, false)
deletion_allowed = optional(bool, false)
min_decryption_version = optional(number)
}))
default = {}
}
variable "policy_auth_map" {
description = "Map of auth mounts -> auth roles -> policy names"
type = map(map(list(string)))
default = {}
}
variable "policy_rules_map" {
description = "Map of policy names to their rules"
type = map(list(object({
path = string
capabilities = list(string)
})))
default = {}
}