Files
terraform-vault/environments/au/syd1/terragrunt.hcl
T
unkinben 0c188118a5
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Register and mount the GPG secrets engine at gpg/
Puppet installs the openbao-plugin-secrets-gpg RPM onto the OpenBao nodes; this
registers that binary in the plugin catalog and enables the secrets engine so
gpg/ is actually usable (encrypt/decrypt/sign/verify).

- Add a gpg_secret_backend module using the standard vault provider:
  vault_plugin (catalog register with a pinned sha256) + vault_mount.
- Wire it through vault_cluster (variable + module) and the config discovery
  (config.hcl + syd1 terragrunt input), mirroring litellm_secret_backend.
- Add config/gpg_secret_backend/gpg.yaml pinning the released v0.1.0 binary
  sha256 (0e92d740...a7b20). Puppet installs the RPM floating, so this sha
  must be bumped in lockstep on any plugin upgrade.

Granting non-root access to gpg/* (auth roles + policies) is a follow-up,
scoped to whoever consumes the engine.
2026-07-16 22:54:27 +10:00

82 lines
3.0 KiB
HCL

include "root" {
path = find_in_parent_folders("root.hcl")
expose = true
}
include "config" {
path = "${get_repo_root()}/config/config.hcl"
expose = true
}
include "policies" {
path = "${get_repo_root()}/policies/policies.hcl"
expose = true
}
include "resources" {
path = "${get_repo_root()}/resources/resources.hcl"
expose = true
}
locals {
# Extract country and region from path
path_parts = split("/", dirname(get_terragrunt_dir()))
country = basename(dirname(get_terragrunt_dir())) # "au"
region = basename(get_terragrunt_dir()) # "syd1"
# Include configuration from config.hcl
config = include.config.locals.config
# Include policies from policies.hcl
policies = include.policies.locals
# Include resources from resources.hcl
resources = include.resources.locals
# Create sanitized backend name mapping for Consul providers
# Provider aliases can't contain slashes, so replace them with underscores
consul_backend_aliases = {
for backend_name, _ in local.config.consul_secret_backend :
backend_name => replace(backend_name, "/", "_")
}
}
terraform {
source = "../../../modules/vault_cluster"
}
inputs = {
country = local.country
region = local.region
# Pass configuration maps to vault_cluster module
auth_approle_backend = local.config.auth_approle_backend
auth_approle_role = local.config.auth_approle_role
auth_ldap_backend = local.config.auth_ldap_backend
auth_ldap_group = local.config.auth_ldap_group
auth_kubernetes_backend = local.config.auth_kubernetes_backend
auth_kubernetes_role = local.config.auth_kubernetes_role
kv_secret_backend = local.config.kv_secret_backend
transit_secret_backend = local.config.transit_secret_backend
transit_secret_backend_key = local.config.transit_secret_backend_key
ssh_secret_backend = local.config.ssh_secret_backend
ssh_secret_backend_role = local.config.ssh_secret_backend_role
pki_secret_backend = local.config.pki_secret_backend
pki_secret_backend_role = local.config.pki_secret_backend_role
consul_secret_backend = local.config.consul_secret_backend
consul_secret_backend_role = local.config.consul_secret_backend_role
kubernetes_secret_backend = local.config.kubernetes_secret_backend
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
pki_mount_only = local.config.pki_mount_only
litellm_secret_backend = local.config.litellm_secret_backend
litellm_secret_backend_role = local.config.litellm_secret_backend_role
gpg_secret_backend = local.config.gpg_secret_backend
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
policy_rules_map = local.policies.policy_rules_map
# Pass sanitized consul backend aliases for provider configuration
consul_backend_aliases = local.consul_backend_aliases
}