terraform-vault/modules/vault_cluster/state_migrations.tf
Ben Vincent 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00


# AppRole Backend
# Terraform state migration only: each `moved` block tells Terraform that the
# resource already tracked at `from` is now declared at `to`. Nothing is sent to
# Vault when the move is correct; the plan should show "moved" with no
# create/destroy. NOTE(review): keep these blocks until every state that still
# holds the old addresses has been planned and applied against this version;
# removing them earlier makes Terraform see a delete + create instead.
# NOTE(review): refuse a plan that shows this mount being replaced rather than
# moved — re-creating an auth mount invalidates the tokens issued through it.
moved {
from = vault_auth_backend.approle
to = module.auth_approle_backend["approle"].vault_auth_backend.approle
}
# AppRole Roles (12 roles)
# Module key convention here is `approle/<role_name>`, where <role_name> is the
# old resource label. The key only selects the module instance; the role's
# `role_name` is set inside the module, so it must still equal the name the role
# has in Vault (presumably `<role_name>` as labelled here — confirm against
# config.hcl), otherwise the plan will show a replacement instead of a move and
# existing role_id/secret_id pairs stop authenticating.
moved {
from = vault_approle_auth_backend_role.certmanager
to = module.auth_approle_role["approle/certmanager"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.incus_cluster
to = module.auth_approle_role["approle/incus_cluster"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.packer_builder
to = module.auth_approle_role["approle/packer_builder"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.puppetapi
to = module.auth_approle_role["approle/puppetapi"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.rpmbuilder
to = module.auth_approle_role["approle/rpmbuilder"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.rundeck-role
to = module.auth_approle_role["approle/rundeck-role"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.sshsign-host-role
to = module.auth_approle_role["approle/sshsign-host-role"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.sshsigner
to = module.auth_approle_role["approle/sshsigner"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.terraform_incus
to = module.auth_approle_role["approle/terraform_incus"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.terraform_nomad
to = module.auth_approle_role["approle/terraform_nomad"].vault_approle_auth_backend_role.role
}
moved {
from = vault_approle_auth_backend_role.terraform_repoflow
to = module.auth_approle_role["approle/terraform_repoflow"].vault_approle_auth_backend_role.role
}
# tf_vault is the role Terraform itself presumably uses against this cluster
# (inferred from the name — confirm). A replacement here would lock the
# pipeline out of Vault mid-migration, so check this one in the plan first.
moved {
from = vault_approle_auth_backend_role.tf_vault
to = module.auth_approle_role["approle/tf_vault"].vault_approle_auth_backend_role.role
}
# LDAP Backend
# State move of the LDAP auth mount. The mount's config (bind credentials, TLS
# settings) is part of this resource, so a replacement would both drop all
# LDAP-issued tokens and re-send the bind secret; the plan must show a move.
moved {
from = vault_ldap_auth_backend.ldap
to = module.auth_ldap_backend["ldap"].vault_ldap_auth_backend.ldap
}
# LDAP Groups
# Module key convention: `ldap/<groupname>`. These two groups carry the
# access/admin policy bindings for human users; a replacement is a brief
# window where the group → policy mapping does not exist. Expect moves only.
moved {
from = vault_ldap_auth_backend_group.vault_access
to = module.auth_ldap_group["ldap/vault_access"].vault_ldap_auth_backend_group.group
}
moved {
from = vault_ldap_auth_backend_group.vault_admin
to = module.auth_ldap_group["ldap/vault_admin"].vault_ldap_auth_backend_group.group
}
# Kubernetes Secrets
# Kubernetes *secrets* engine (Vault issues k8s service-account tokens). Key
# convention is `kubernetes/au/syd1[/<role>]`. NOTE(review): the Kubernetes
# *auth* side below keys the same cluster as `k8s/au/syd1`; two spellings for
# one cluster is easy to get wrong in config.hcl — keep them in sync or
# document why they differ.
moved {
from = vault_kubernetes_secret_backend.kubernetes_au_syd1
to = module.kubernetes_secret_backend["kubernetes/au/syd1"].vault_kubernetes_secret_backend.kubernetes
}
# cluster_root / cluster_admin hand out highly privileged k8s credentials;
# verify in the plan that these are moves, not replacements, so the role's
# allowed-namespace and TTL settings are carried over unchanged.
moved {
from = vault_kubernetes_secret_backend_role.cluster_admin
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_admin"].vault_kubernetes_secret_backend_role.role
}
moved {
from = vault_kubernetes_secret_backend_role.cluster_operator
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_operator"].vault_kubernetes_secret_backend_role.role
}
moved {
from = vault_kubernetes_secret_backend_role.cluster_root
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_root"].vault_kubernetes_secret_backend_role.role
}
moved {
from = vault_kubernetes_secret_backend_role.media_apps_operator
to = module.kubernetes_secret_backend_role["kubernetes/au/syd1/media_apps_operator"].vault_kubernetes_secret_backend_role.role
}
# Kubernetes Backend
# Kubernetes *auth* method. The mount and its config (API host, CA cert,
# token-reviewer JWT) move together into the same module instance; keep them
# paired so a later refactor cannot move the mount without its config.
moved {
from = vault_auth_backend.kubernetes
to = module.auth_kubernetes_backend["k8s/au/syd1"].vault_auth_backend.kubernetes
}
moved {
from = vault_kubernetes_auth_backend_config.config
to = module.auth_kubernetes_backend["k8s/au/syd1"].vault_kubernetes_auth_backend_config.config
}
# Kubernetes Roles (7 roles)
# Key convention: `k8s/au/syd1/<role_name>`. Each role binds service accounts
# in the cluster to Vault policies; as with the AppRole roles, the module's
# `role_name` must match the existing Vault role or the plan shows a
# replacement. The `default` role is worth a second look in the plan — a role
# named default with wide bound_service_account settings is the usual place
# for an over-broad binding to hide (cannot verify from this file).
moved {
from = vault_kubernetes_auth_backend_role.ceph-csi
to = module.auth_kubernetes_role["k8s/au/syd1/ceph-csi"].vault_kubernetes_auth_backend_role.role
}
moved {
from = vault_kubernetes_auth_backend_role.cert_manager_issuer
to = module.auth_kubernetes_role["k8s/au/syd1/cert_manager_issuer"].vault_kubernetes_auth_backend_role.role
}
moved {
from = vault_kubernetes_auth_backend_role.default
to = module.auth_kubernetes_role["k8s/au/syd1/default"].vault_kubernetes_auth_backend_role.role
}
moved {
from = vault_kubernetes_auth_backend_role.externaldns
to = module.auth_kubernetes_role["k8s/au/syd1/externaldns"].vault_kubernetes_auth_backend_role.role
}
moved {
from = vault_kubernetes_auth_backend_role.huntarr-default
to = module.auth_kubernetes_role["k8s/au/syd1/huntarr-default"].vault_kubernetes_auth_backend_role.role
}
moved {
from = vault_kubernetes_auth_backend_role.media-apps
to = module.auth_kubernetes_role["k8s/au/syd1/media-apps"].vault_kubernetes_auth_backend_role.role
}
moved {
from = vault_kubernetes_auth_backend_role.repoflow
to = module.auth_kubernetes_role["k8s/au/syd1/repoflow"].vault_kubernetes_auth_backend_role.role
}
# KV Backends:
# Both KV mounts land on the module's `vault_mount.kv`, distinguished by the
# module key (the mount path). A KV mount that is destroyed takes every secret
# under it with it and there is no undo, so this is the section where a
# "must replace" in the plan is most costly — review it before applying.
moved {
from = vault_mount.kv
to = module.kv_secret_backend["kv"].vault_mount.kv
}
moved {
from = vault_mount.rundeck
to = module.kv_secret_backend["rundeck"].vault_mount.kv
}
# SSH CA:
# The CA key pair is the trust anchor for every host/user certificate this
# mount has signed. The destination below is index [0] of a count-gated
# resource in the module: if that count evaluates to 0 for the "sshca"
# instance, the target does not exist and Terraform will plan to destroy the
# CA. Re-creating it generates a new key pair that no host trusts yet —
# confirm the module's CA count is 1 for this key before applying.
moved {
from = vault_mount.sshca
to = module.ssh_secret_backend["sshca"].vault_mount.ssh
}
moved {
from = vault_ssh_secret_backend_ca.ssh_ca
to = module.ssh_secret_backend["sshca"].vault_ssh_secret_backend_ca.ssh_ca[0]
}
moved {
from = vault_ssh_secret_backend_role.signhost
to = module.ssh_secret_backend_role["sshca/signhost"].vault_ssh_secret_backend_role.role
}
# Transit:
# Transit key used (by name) for the au-syd1 k8s Vault Secrets Operator.
# Key material never leaves Vault; if this key were replaced rather than moved,
# everything encrypted under it becomes undecryptable. The plan must show a
# move for both the mount and the key.
moved {
from = vault_mount.transit
to = module.transit_secret_backend["transit"].vault_mount.transit
}
moved {
from = vault_transit_secret_backend_key.key
to = module.transit_secret_backend_key["transit/au-syd1-k8s-vso"].vault_transit_secret_backend_key.key
}
# Policy Migrations
# Old `vault_policy.policies[<key>]` → `module.vault_policy[<key>].vault_policy.this`.
# Many keys are renamed on the way (e.g. `auth/approle/approle_role_admin` →
# `auth/approle/admin`). The module key is only the Terraform for_each key;
# the policy's Vault `name` is set inside the module. NOTE(review): if the
# module derives `name` from the new key, Terraform will plan a replacement
# (policy name is immutable in Vault) and every auth role or token that still
# lists the OLD policy name keeps a dangling reference — Vault does not
# validate policy names on roles, so those clients silently lose the grants
# rather than failing loudly. Either keep the Vault-side name unchanged in the
# module, or update every `token_policies`/group binding in the same apply.
moved {
from = vault_policy.policies["auth/approle/approle_role_admin"]
to = module.vault_policy["auth/approle/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/approle/approle_role_login"]
to = module.vault_policy["auth/approle/login"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/kubernetes/k8s_auth_admin"]
to = module.vault_policy["auth/k8s/au/syd1/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/ldap/ldap_admin"]
to = module.vault_policy["auth/ldap/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/token/auth_token_create"]
to = module.vault_policy["auth/token/create"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/token/auth_token_lookup"]
to = module.vault_policy["auth/token/lookup"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/token/auth_token_renew"]
to = module.vault_policy["auth/token/renew"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/token/auth_token_roles_admin"]
to = module.vault_policy["auth/token/roles/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["auth/token/auth_token_self"]
to = module.vault_policy["auth/token/self"].vault_policy.this
}
# `default_access` becomes `global-root`. The new key signals a highly
# privileged policy; the rename is exactly the case described above where an
# old-name reference on a role or group would keep working in Terraform but
# not in Vault. Check who is bound to `default_access` before applying.
moved {
from = vault_policy.policies["default_access"]
to = module.vault_policy["global-root"].vault_policy.this
}
moved {
from = vault_policy.policies["kubernetes/au/config_admin"]
to = module.vault_policy["kubernetes/au/config_admin"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/glauth/services/svc_vault_read"]
to = module.vault_policy["kv/service/glauth/services/svc_vault/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/incus/incus-cluster-join-tokens"]
to = module.vault_policy["kv/service/incus/cluster-join-tokens/crud"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"]
to = module.vault_policy["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"]
to = module.vault_policy["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/kubernetes/au/syd1/externaldns/tsig/read"]
to = module.vault_policy["kv/service/kubernetes/au/syd1/externaldns/tsig/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/kubernetes/au/syd1/service_account_jwt/read"]
to = module.vault_policy["kv/service/kubernetes/au/syd1/service_account_jwt/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"]
to = module.vault_policy["kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/media-apps/radarr/read"]
to = module.vault_policy["kv/service/media-apps/radarr/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/media-apps/sonarr/read"]
to = module.vault_policy["kv/service/media-apps/sonarr/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/packer/packer_builder"]
to = module.vault_policy["kv/service/packer/builder/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/puppet/certificates/terraform_puppet_cert"]
to = module.vault_policy["kv/service/puppet/certificates/ca/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/puppetapi/puppetapi_read_tokens"]
to = module.vault_policy["kv/service/puppetapi/tokens/read"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/terraform/incus"]
to = module.vault_policy["kv/service/terraform/incus"].vault_policy.this
}
moved {
from = vault_policy.policies["kv/service/terraform/nomad"]
to = module.vault_policy["kv/service/terraform/nomad"].vault_policy.this
}
moved {
from = vault_policy.policies["rundeck/rundeck"]
to = module.vault_policy["rundeck/rundeck"].vault_policy.this
}
moved {
from = vault_policy.policies["sshca/sshca_roles_admin"]
to = module.vault_policy["sshca/roles/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["sshca/sshca_signhost"]
to = module.vault_policy["sshca/sign/host"].vault_policy.this
}
# sys/* policies govern Vault's own control plane (audit, auth, mounts,
# policy management); treat any plan diff here beyond "moved" as a blocker.
moved {
from = vault_policy.policies["sys/sys_audit_read"]
to = module.vault_policy["sys/audit/read"].vault_policy.this
}
moved {
from = vault_policy.policies["sys/sys_auth_admin"]
to = module.vault_policy["sys/auth/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["sys/sys_mounts_admin"]
to = module.vault_policy["sys/mounts/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["sys/sys_policy_admin"]
to = module.vault_policy["sys/policy/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["transit/decrypt/au-syd1-k8s-vso"]
to = module.vault_policy["transit/decrypt/au-syd1-k8s-vso"].vault_policy.this
}
moved {
from = vault_policy.policies["transit/encrypt/au-syd1-k8s-vso"]
to = module.vault_policy["transit/encrypt/au-syd1-k8s-vso"].vault_policy.this
}
moved {
from = vault_policy.policies["transit/keys/admin"]
to = module.vault_policy["transit/keys/admin"].vault_policy.this
}
# PKI Mount Only Migrations
# Only the mounts and the root's URL config move here; the CA certificates and
# keys themselves are not represented in this file (presumably managed outside
# Terraform or imported elsewhere — confirm). Destroying either mount destroys
# the CA private key with it, which cannot be recovered; the root in particular
# must show as a move and nothing else.
moved {
from = vault_mount.pki_root
to = module.pki_mount_only["pki_root"].vault_mount.pki
}
moved {
from = vault_mount.pki_int
to = module.pki_mount_only["pki_int"].vault_mount.pki
}
# Only pki_root has a config_urls move; if pki_int also had one in the old
# layout it would be orphaned (planned for deletion) — verify in the plan.
moved {
from = vault_pki_secret_backend_config_urls.pki_root_urls
to = module.pki_mount_only["pki_root"].vault_pki_secret_backend_config_urls.config_urls
}
# PKI Role Migrations
# Key convention `<mount>/<role_name>`. Note the label changes for the root
# role: `pki_root_2024_servers` → key `pki_root/2024-servers` (underscore to
# hyphen). The key is Terraform-only, but if the module derives the Vault role
# name from it, the role is replaced and its allowed-domain/TTL constraints
# re-created — check the plan shows a move.
moved {
from = vault_pki_secret_backend_role.pki_root_2024_servers
to = module.pki_secret_backend_role["pki_root/2024-servers"].vault_pki_secret_backend_role.role
}
moved {
from = vault_pki_secret_backend_role.servers_default
to = module.pki_secret_backend_role["pki_int/servers_default"].vault_pki_secret_backend_role.role
}
# PKI Policy Migrations (keep original names where policies exist)
# Same module as the policy section above. Two of the five keys still change
# (`pki_int_roles_admin` → `pki_int/roles/admin`, `pki_root_roles_admin` →
# `pki_root/roles/admin`), so the "keep original names" note only holds for
# the other three; the renamed pair carries the same dangling-reference risk
# as every other renamed policy if the Vault-side name follows the key.
moved {
from = vault_policy.policies["pki_int/certmanager"]
to = module.vault_policy["pki_int/certmanager"].vault_policy.this
}
moved {
from = vault_policy.policies["pki_int/issue/servers_default"]
to = module.vault_policy["pki_int/issue/servers_default"].vault_policy.this
}
moved {
from = vault_policy.policies["pki_int/pki_int_roles_admin"]
to = module.vault_policy["pki_int/roles/admin"].vault_policy.this
}
moved {
from = vault_policy.policies["pki_int/sign/servers_default"]
to = module.vault_policy["pki_int/sign/servers_default"].vault_policy.this
}
moved {
from = vault_policy.policies["pki_root/pki_root_roles_admin"]
to = module.vault_policy["pki_root/roles/admin"].vault_policy.this
}