terraform-vault/config/config.hcl
Ben Vincent 5536869a38 feat: implement consul ACL management with provider aliases
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00


# =============================================================================
# VAULT MODULE CONFIGURATION SYSTEM
# =============================================================================
#
# This file automatically discovers and organizes YAML configuration files
# for Vault modules, creating structured configuration maps for Terraform.
#
# HOW IT WORKS:
# 1. Scans all subdirectories for *.yaml files
# 2. Groups files by module type based on directory structure
# 3. Creates unique resource keys to prevent naming conflicts
# 4. Adds computed fields like name, backend, etc. from file paths
#
# DIRECTORY STRUCTURE:
# config/
# ├── auth_approle_role/
# │   └── approle/
# │       ├── certmanager.yaml   # Creates key: "approle/certmanager"
# │       └── myapp.yaml         # Creates key: "approle/myapp"
# ├── auth_kubernetes_role/
# │   └── k8s/au/syd1/
# │       ├── default.yaml       # Creates key: "k8s/au/syd1/default"
# │       └── myapp.yaml         # Creates key: "k8s/au/syd1/myapp"
# └── kv_secret_backend/
#     ├── kv.yaml                # Creates key: "kv"
#     └── secrets.yaml           # Creates key: "secrets"
#
# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml):
# ```yaml
# token_ttl: 3600
# token_max_ttl: 7200
# bind_secret_id: true
# token_bound_cidrs:
# - "10.0.0.0/8"
# ```
#
# This becomes:
# ```hcl
# auth_approle_role = {
# "approle/myapp" = {
# approle_name = "myapp" # Auto-computed from filename
# mount_path = "approle" # Auto-computed from directory
# token_ttl = 3600 # From YAML content
# token_max_ttl = 7200 # From YAML content
# bind_secret_id = true # From YAML content
# token_bound_cidrs = ["10.0.0.0/8"]
# }
# }
# ```
#
# KEY NAMING PATTERNS:
# - Simple backends: filename only (e.g., "kv", "transit")
# - Role-based resources: full path without extension (e.g., "approle/myapp")
# - This ensures uniqueness when multiple backends have similar role names
#
# GENERATED OUTPUTS:
# - config.auth_approle_backend, config.auth_approle_role, etc.
# - Each module gets its own map with properly structured configuration
#
# =============================================================================
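locals {
  # Every *.yaml file below this directory, as a path relative to it.
  # Only the ".yaml" extension is matched: ".yml" files are silently ignored,
  # and the key derivation below assumes the ".yaml" suffix.
  config_files = fileset(".", "**/*.yaml")

  # Flat map: relative file path => decoded YAML document.
  # Every YAML file in the tree is parsed unconditionally, so the config
  # directory is trusted input; a malformed file fails evaluation here.
  all_configs = {
    for file_path in local.config_files :
    file_path => yamldecode(file(file_path))
  }

  # One map per module type, keyed from the file path with the extension removed.
  # Two key styles are used:
  #   - basename style: the file name only (simple backend mounts). Two files
  #     with the same name in different subdirectories produce a duplicate key,
  #     which Terraform rejects rather than silently overwriting.
  #   - path style: the path relative to the module directory, so the same role
  #     name under different backends stays unique.
  # Where computed fields (name, backend, mount_path, ...) are added, they are
  # merged AFTER the YAML content, so a value in the file cannot override them.
  # trimprefix() strips only the leading module directory; replace() would also
  # rewrite the same segment if it reappeared deeper in the path.
  config = {
    auth_approle_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(basename(file_path), ".yaml") => content
      if startswith(file_path, "auth_approle_backend/")
    }
    auth_approle_role = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "auth_approle_role/"), ".yaml") => merge(content, {
        approle_name = trimsuffix(basename(file_path), ".yaml")
        # First path segment only, unlike the dirname() used by other role
        # types: "approle/sub/x.yaml" yields "approle", not "approle/sub".
        mount_path = split("/", trimprefix(file_path, "auth_approle_role/"))[0]
      })
      if startswith(file_path, "auth_approle_role/")
    }
    auth_ldap_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(basename(file_path), ".yaml") => content
      if startswith(file_path, "auth_ldap_backend/")
    }
    auth_ldap_group = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "auth_ldap_group/"), ".yaml") => merge(content, {
        groupname = trimsuffix(basename(file_path), ".yaml")
        # First path segment only (same convention as auth_approle_role.mount_path).
        backend = split("/", trimprefix(file_path, "auth_ldap_group/"))[0]
      })
      if startswith(file_path, "auth_ldap_group/")
    }
    auth_kubernetes_backend = {
      for file_path, content in local.all_configs :
      # Path-style key: backends may live in nested directories (e.g. k8s/au/syd1).
      trimsuffix(trimprefix(file_path, "auth_kubernetes_backend/"), ".yaml") => content
      if startswith(file_path, "auth_kubernetes_backend/")
    }
    auth_kubernetes_role = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "auth_kubernetes_role/"), ".yaml") => merge(content, {
        role_name = trimsuffix(basename(file_path), ".yaml")
        # Full parent directory, e.g. "k8s/au/syd1/myapp.yaml" -> "k8s/au/syd1".
        backend = dirname(trimprefix(file_path, "auth_kubernetes_role/"))
      })
      if startswith(file_path, "auth_kubernetes_role/")
    }
    kv_secret_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(basename(file_path), ".yaml") => content
      if startswith(file_path, "kv_secret_backend/")
    }
    transit_secret_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(basename(file_path), ".yaml") => content
      if startswith(file_path, "transit_secret_backend/")
    }
    transit_secret_backend_key = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "transit_secret_backend_key/"), ".yaml") => merge(content, {
        name    = trimsuffix(basename(file_path), ".yaml")
        backend = dirname(trimprefix(file_path, "transit_secret_backend_key/"))
      })
      if startswith(file_path, "transit_secret_backend_key/")
    }
    ssh_secret_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(basename(file_path), ".yaml") => content
      if startswith(file_path, "ssh_secret_backend/")
    }
    ssh_secret_backend_role = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "ssh_secret_backend_role/"), ".yaml") => merge(content, {
        name    = trimsuffix(basename(file_path), ".yaml")
        backend = dirname(trimprefix(file_path, "ssh_secret_backend_role/"))
      })
      if startswith(file_path, "ssh_secret_backend_role/")
    }
    pki_secret_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "pki_secret_backend/"), ".yaml") => content
      if startswith(file_path, "pki_secret_backend/")
    }
    pki_secret_backend_role = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "pki_secret_backend_role/"), ".yaml") => merge(content, {
        name    = trimsuffix(basename(file_path), ".yaml")
        backend = dirname(trimprefix(file_path, "pki_secret_backend_role/"))
      })
      if startswith(file_path, "pki_secret_backend_role/")
    }
    kubernetes_secret_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "kubernetes_secret_backend/"), ".yaml") => content
      if startswith(file_path, "kubernetes_secret_backend/")
    }
    kubernetes_secret_backend_role = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "kubernetes_secret_backend_role/"), ".yaml") => merge(content, {
        name    = trimsuffix(basename(file_path), ".yaml")
        backend = dirname(trimprefix(file_path, "kubernetes_secret_backend_role/"))
      })
      if startswith(file_path, "kubernetes_secret_backend_role/")
    }
    consul_secret_backend = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "consul_secret_backend/"), ".yaml") => content
      if startswith(file_path, "consul_secret_backend/")
    }
    consul_secret_backend_role = {
      for file_path, content in local.all_configs :
      trimsuffix(trimprefix(file_path, "consul_secret_backend_role/"), ".yaml") => merge(content, {
        name    = trimsuffix(basename(file_path), ".yaml")
        backend = dirname(trimprefix(file_path, "consul_secret_backend_role/"))
      })
      if startswith(file_path, "consul_secret_backend_role/")
    }
    pki_mount_only = {
      for file_path, content in local.all_configs :
      trimsuffix(basename(file_path), ".yaml") => content
      if startswith(file_path, "pki_mount_only/")
    }
  }
}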