terraform-vault/policies/policies.hcl
Ben Vincent 8070b6f66b feat: major restructuring in migration to terragrunt
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
2026-01-26 23:02:44 +11:00

76 lines
2.5 KiB
HCL

# =============================================================================
# VAULT POLICY CONFIGURATION SYSTEM
# =============================================================================
#
# This file automatically discovers and processes all YAML policy files from
# subdirectories, creating a unified policy configuration for Vault.
#
# HOW IT WORKS:
# 1. Scans all subdirectories for *.yaml files
# 2. Parses each YAML file to extract policy rules and auth assignments
# 3. Creates mappings for auth methods -> roles -> assigned policies
#
# YAML STRUCTURE:
# Each policy YAML file must contain both of these top-level keys (a file
# missing either one fails the evaluation below):
# - rules: List of Vault policy rules (path + capabilities)
# - auth: Map of auth mount paths to the roles that should be granted this policy
#
# The policy name is the file path relative to this directory with the ".yaml"
# suffix removed.
#
# EXAMPLE YAML FILE (policies/kv/service/myapp/read.yaml):
# ```yaml
# rules:
#   - path: "kv/data/service/myapp/*"
#     capabilities:
#       - read
#
# auth:
#   approle:
#     - myapp-service
#   k8s/au/syd1:
#     - myapp-pod
# ```
#
# This defines a policy named "kv/service/myapp/read" (the file path with the
# ".yaml" suffix removed) granting "read" on "kv/data/service/myapp/*", i.e.
# the secrets stored under kv/service/myapp/ in a KV version 2 mount named
# "kv" (the "data/" segment is the KV v2 API path, not part of the secret
# name), and assigns it to:
# - AppRole role "myapp-service" in the "approle" mount
# - Kubernetes role "myapp-pod" in the "k8s/au/syd1" mount
#
# GENERATED OUTPUTS:
# - all_policies: policy_name -> decoded YAML document
# - policy_rules_map: policy_name -> [rules]
# - policy_auth_map: auth_mount -> role_name -> [policy_names]
#
# =============================================================================
locals {
  # Find all YAML files below this directory (the pattern is evaluated relative
  # to the directory this file is read from). Only the ".yaml" extension is
  # discovered; a ".yml" file is silently ignored.
  policy_files = fileset(".", "**/*.yaml")

  # policy_name -> decoded document. The policy name is the file path with the
  # ".yaml" suffix removed, so kv/service/myapp/read.yaml becomes
  # "kv/service/myapp/read". Each file is read and decoded once here; the maps
  # below derive from this one instead of re-reading the files.
  all_policies = {
    for file_path in local.policy_files :
    trimsuffix(file_path, ".yaml") => yamldecode(file(file_path))
  }

  # policy_name -> [rules]. A file without a top-level "rules" key fails here.
  policy_rules_map = {
    for name, policy in local.all_policies : name => policy.rules
  }

  # auth_mount -> auth_role -> [policy_names]. A file without a top-level
  # "auth" key fails in the outer comprehension; a file that does not mention
  # a given mount is skipped for that mount by the try() fallbacks.
  policy_auth_map = {
    for auth_mount in distinct(flatten([
      for name, policy in local.all_policies : keys(policy.auth)
    ])) : auth_mount => {
      for auth_role in distinct(flatten([
        for name, policy in local.all_policies : try(policy.auth[auth_mount], [])
      ])) : auth_role => [
        for name, policy in local.all_policies : name
        if contains(try(policy.auth[auth_mount], []), auth_role)
      ]
    }
  }
}
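The discovery and aggregation steps described in the comment header, re-implemented in Python as an added example (not code from this repository) so the generated maps can be checked without a Terraform or Terragrunt run. The sample policy documents are constructed inline as the JSON equivalent of the YAML files; the file names, role names and the privileged-path heuristic are assumptions of the example. It goes beyond the HCL locals in two ways a reviewer wants when a new YAML file lands: it validates capability names against Vault's documented set before anything is written, and it lists policies that grant `sudo` or touch `sys/`.

```python
"""Added example: Python equivalent of the policies.hcl discovery logic."""
import json
from collections import defaultdict

# Vault ACL capabilities this example accepts (Vault's documented set).
VAULT_CAPABILITIES = frozenset(
    {"create", "read", "update", "patch", "delete", "list", "sudo", "deny"}
)

# Constructed sample input (not from the repository): relative file path ->
# decoded document, i.e. what yamldecode(file(path)) returns for each file.
SAMPLE_FILES = {
    "kv/service/myapp/read.yaml": json.loads(
        '{"rules": [{"path": "kv/data/service/myapp/*", "capabilities": ["read"]}],'
        ' "auth": {"approle": ["myapp-service"], "k8s/au/syd1": ["myapp-pod"]}}'
    ),
    "kv/service/myapp/write.yaml": json.loads(
        '{"rules": [{"path": "kv/data/service/myapp/*",'
        ' "capabilities": ["create", "update"]}],'
        ' "auth": {"approle": ["myapp-deployer"]}}'
    ),
    "pki/issue-web.yaml": json.loads(
        '{"rules": [{"path": "pki/issue/web", "capabilities": ["update"]}],'
        ' "auth": {"k8s/au/syd1": ["myapp-pod"]}}'
    ),
    "ops/root-like.yaml": json.loads(
        '{"rules": [{"path": "sys/*", "capabilities": ["sudo", "update"]}],'
        ' "auth": {"approle": ["break-glass"]}}'
    ),
}


def policy_name(file_path):
    """Mirror trimsuffix(file_path, ".yaml"): the policy name is the relative path."""
    return file_path[: -len(".yaml")] if file_path.endswith(".yaml") else file_path


def validate(name, doc):
    """Reject documents the HCL would crash on or pass through unchecked.

    The HCL dereferences .rules and .auth unconditionally and never checks the
    capability names, so a typo such as "raed" would only be rejected by Vault
    at policy-write time. Fail early instead.
    """
    if not isinstance(doc.get("rules"), list):
        raise ValueError(f"{name}: 'rules' must be a list")
    if not isinstance(doc.get("auth"), dict):
        raise ValueError(f"{name}: 'auth' must be a map of mount -> [roles]")
    for rule in doc["rules"]:
        unknown = set(rule.get("capabilities", [])) - VAULT_CAPABILITIES
        if not rule.get("path") or unknown:
            raise ValueError(f"{name}: bad rule {rule!r} (unknown: {sorted(unknown)})")
    for mount, roles in doc["auth"].items():
        if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
            raise ValueError(f"{name}: auth[{mount!r}] must be a list of role names")


def build_rules_map(files):
    """policy_rules_map: policy_name -> [rules]."""
    out = {}
    for path, doc in files.items():
        name = policy_name(path)
        validate(name, doc)
        out[name] = doc["rules"]
    return out


def build_auth_map(files):
    """policy_auth_map: auth_mount -> role_name -> sorted [policy_names]."""
    out = defaultdict(lambda: defaultdict(list))
    for path, doc in files.items():
        name = policy_name(path)
        validate(name, doc)
        for mount, roles in doc["auth"].items():
            for role in roles:
                out[mount][role].append(name)
    return {m: {r: sorted(ps) for r, ps in roles.items()} for m, roles in out.items()}


def render_policy_hcl(rules):
    """Render a rule list as the Vault ACL policy HCL that would be written."""
    blocks = []
    for rule in rules:
        caps = ", ".join(f'"{c}"' for c in rule["capabilities"])
        blocks.append(f'path "{rule["path"]}" {{\n  capabilities = [{caps}]\n}}')
    return "\n\n".join(blocks) + "\n"


def privileged_policies(rules_map):
    """Names of policies granting sudo, a bare "*" path, or anything under sys/
    (heuristic assumed by this example; read these first in review)."""
    flagged = []
    for name, rules in sorted(rules_map.items()):
        for rule in rules:
            p = rule["path"]
            if "sudo" in rule["capabilities"] or p == "*" or p.startswith("sys/"):
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    rules_map = build_rules_map(SAMPLE_FILES)
    print(json.dumps(build_auth_map(SAMPLE_FILES), indent=2))
    print(render_policy_hcl(rules_map["kv/service/myapp/read"]))
    print("privileged:", privileged_policies(rules_map))
```

Because the auth map is built per role, it also answers the question the HCL leaves implicit: which identities end up with more than one policy. In the sample, `myapp-pod` in `k8s/au/syd1` accumulates both the KV read policy and the PKI issue policy, which is exactly the aggregation a reviewer should see before the Terragrunt apply assigns it.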