Ben Vincent
5536869a38
This commit message captures the major architectural change of implementing Consul ACL management with proper provider aliasing, along with the supporting configuration files and policy definitions for various terraform services. - add consul_acl_management module to manage consul acl policies and roles - add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault) - add consul provider configuration to root.hcl - add policies to generate credentials for each role - simplify consul_secret_backend_role module to reference acl-managed roles - switch to opentofu for provider foreach support - update terragrunt configuration to support consul backend aliases - update pre-commit hooks to use opentofu instead of terraform - configure tflint exceptions for consul acl management module
341 lines
12 KiB
HCL
341 lines
12 KiB
HCL
module "auth_approle_backend" {
|
|
source = "./modules/auth_approle_backend"
|
|
|
|
for_each = var.auth_approle_backend
|
|
|
|
country = var.country
|
|
region = var.region
|
|
path = each.key
|
|
listing_visibility = each.value.listing_visibility
|
|
default_lease_ttl = each.value.default_lease_ttl
|
|
max_lease_ttl = each.value.max_lease_ttl
|
|
}
|
|
|
|
module "auth_approle_role" {
|
|
source = "./modules/auth_approle_role"
|
|
|
|
for_each = var.auth_approle_role
|
|
|
|
country = var.country
|
|
region = var.region
|
|
approle_name = each.value.approle_name
|
|
mount_path = each.value.mount_path
|
|
token_policies = var.policy_auth_map[each.value.mount_path][each.value.approle_name]
|
|
token_ttl = each.value.token_ttl
|
|
token_max_ttl = each.value.token_max_ttl
|
|
bind_secret_id = each.value.bind_secret_id
|
|
secret_id_ttl = each.value.secret_id_ttl
|
|
token_bound_cidrs = each.value.token_bound_cidrs
|
|
alias_metadata = each.value.alias_metadata
|
|
use_deterministic_role_id = each.value.use_deterministic_role_id
|
|
|
|
depends_on = [module.auth_approle_backend]
|
|
}
|
|
|
|
module "auth_ldap_backend" {
|
|
source = "./modules/auth_ldap_backend"
|
|
|
|
for_each = var.auth_ldap_backend
|
|
|
|
country = var.country
|
|
region = var.region
|
|
path = each.key
|
|
userdn = each.value.userdn
|
|
userattr = each.value.userattr
|
|
upndomain = each.value.upndomain
|
|
discoverdn = each.value.discoverdn
|
|
groupdn = each.value.groupdn
|
|
groupfilter = each.value.groupfilter
|
|
groupattr = each.value.groupattr
|
|
alias_metadata = each.value.alias_metadata
|
|
username_as_alias = each.value.username_as_alias
|
|
listing_visibility = each.value.listing_visibility
|
|
default_lease_ttl = each.value.default_lease_ttl
|
|
max_lease_ttl = each.value.max_lease_ttl
|
|
}
|
|
|
|
module "auth_ldap_group" {
|
|
source = "./modules/auth_ldap_group"
|
|
|
|
for_each = var.auth_ldap_group
|
|
|
|
groupname = each.value.groupname
|
|
backend = each.value.backend
|
|
policies = var.policy_auth_map[each.value.backend][each.value.groupname]
|
|
|
|
depends_on = [module.auth_ldap_backend]
|
|
}
|
|
|
|
module "auth_kubernetes_backend" {
|
|
source = "./modules/auth_kubernetes_backend"
|
|
|
|
for_each = var.auth_kubernetes_backend
|
|
|
|
country = var.country
|
|
region = var.region
|
|
path = each.key
|
|
kubernetes_host = each.value.kubernetes_host
|
|
disable_iss_validation = each.value.disable_iss_validation
|
|
use_annotations_as_alias_metadata = each.value.use_annotations_as_alias_metadata
|
|
listing_visibility = each.value.listing_visibility
|
|
default_lease_ttl = each.value.default_lease_ttl
|
|
max_lease_ttl = each.value.max_lease_ttl
|
|
}
|
|
|
|
module "auth_kubernetes_role" {
|
|
source = "./modules/auth_kubernetes_role"
|
|
|
|
for_each = var.auth_kubernetes_role
|
|
|
|
role_name = each.value.role_name
|
|
backend = each.value.backend
|
|
bound_service_account_names = each.value.bound_service_account_names
|
|
bound_service_account_namespaces = each.value.bound_service_account_namespaces
|
|
token_ttl = each.value.token_ttl
|
|
token_policies = var.policy_auth_map[each.value.backend][each.value.role_name]
|
|
audience = each.value.audience
|
|
|
|
depends_on = [module.auth_kubernetes_backend]
|
|
}
|
|
|
|
module "kv_secret_backend" {
|
|
source = "./modules/kv_secret_backend"
|
|
|
|
for_each = var.kv_secret_backend
|
|
|
|
path = each.key
|
|
type = each.value.type
|
|
description = each.value.description
|
|
kv_version = each.value.version
|
|
max_versions = each.value.max_versions
|
|
}
|
|
|
|
module "transit_secret_backend" {
|
|
source = "./modules/transit_secret_backend"
|
|
|
|
for_each = var.transit_secret_backend
|
|
|
|
path = each.key
|
|
description = each.value.description
|
|
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
|
}
|
|
|
|
module "transit_secret_backend_key" {
|
|
source = "./modules/transit_secret_backend_key"
|
|
|
|
for_each = var.transit_secret_backend_key
|
|
|
|
name = each.value.name
|
|
backend = each.value.backend
|
|
type = each.value.type
|
|
deletion_allowed = each.value.deletion_allowed
|
|
derived = each.value.derived
|
|
exportable = each.value.exportable
|
|
allow_plaintext_backup = each.value.allow_plaintext_backup
|
|
auto_rotate_period = each.value.auto_rotate_period
|
|
|
|
depends_on = [module.transit_secret_backend]
|
|
}
|
|
|
|
module "ssh_secret_backend" {
|
|
source = "./modules/ssh_secret_backend"
|
|
|
|
for_each = var.ssh_secret_backend
|
|
|
|
path = each.key
|
|
description = each.value.description
|
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
|
generate_signing_key = each.value.generate_signing_key
|
|
key_type = each.value.key_type
|
|
}
|
|
|
|
module "ssh_secret_backend_role" {
|
|
source = "./modules/ssh_secret_backend_role"
|
|
|
|
for_each = var.ssh_secret_backend_role
|
|
|
|
name = each.value.name
|
|
backend = each.value.backend
|
|
key_type = each.value.key_type
|
|
algorithm_signer = each.value.algorithm_signer
|
|
ttl = each.value.ttl
|
|
allow_host_certificates = each.value.allow_host_certificates
|
|
allow_user_certificates = each.value.allow_user_certificates
|
|
allowed_domains = each.value.allowed_domains
|
|
allow_subdomains = each.value.allow_subdomains
|
|
allow_bare_domains = each.value.allow_bare_domains
|
|
|
|
depends_on = [module.ssh_secret_backend]
|
|
}
|
|
|
|
module "pki_secret_backend" {
|
|
source = "./modules/pki_secret_backend"
|
|
|
|
for_each = var.pki_secret_backend
|
|
|
|
path = each.key
|
|
description = each.value.description
|
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
|
common_name = each.value.common_name
|
|
issuer_name = each.value.issuer_name
|
|
ttl = each.value.ttl
|
|
format = each.value.format
|
|
issuing_certificates = each.value.issuing_certificates
|
|
crl_distribution_points = each.value.crl_distribution_points
|
|
ocsp_servers = each.value.ocsp_servers
|
|
enable_templating = each.value.enable_templating
|
|
default_issuer_ref = each.value.default_issuer_ref
|
|
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
|
crl_expiry = each.value.crl_expiry
|
|
crl_disable = each.value.crl_disable
|
|
ocsp_disable = each.value.ocsp_disable
|
|
auto_rebuild = each.value.auto_rebuild
|
|
enable_delta = each.value.enable_delta
|
|
delta_rebuild_interval = each.value.delta_rebuild_interval
|
|
}
|
|
|
|
module "pki_secret_backend_role" {
|
|
source = "./modules/pki_secret_backend_role"
|
|
|
|
for_each = var.pki_secret_backend_role
|
|
|
|
name = each.value.name
|
|
backend = each.value.backend
|
|
allow_ip_sans = each.value.allow_ip_sans
|
|
allowed_domains = each.value.allowed_domains
|
|
allow_subdomains = each.value.allow_subdomains
|
|
allow_glob_domains = each.value.allow_glob_domains
|
|
allow_bare_domains = each.value.allow_bare_domains
|
|
enforce_hostnames = each.value.enforce_hostnames
|
|
allow_any_name = each.value.allow_any_name
|
|
max_ttl = each.value.max_ttl
|
|
key_bits = each.value.key_bits
|
|
country = each.value.country
|
|
use_csr_common_name = each.value.use_csr_common_name
|
|
use_csr_sans = each.value.use_csr_sans
|
|
|
|
depends_on = [module.pki_secret_backend]
|
|
}
|
|
|
|
module "consul_secret_backend" {
|
|
source = "./modules/consul_secret_backend"
|
|
|
|
for_each = var.consul_secret_backend
|
|
|
|
country = var.country
|
|
region = var.region
|
|
path = each.key
|
|
description = each.value.description
|
|
address = each.value.address
|
|
bootstrap = each.value.bootstrap
|
|
scheme = each.value.scheme
|
|
ca_cert = each.value.ca_cert
|
|
client_cert = each.value.client_cert
|
|
client_key = each.value.client_key
|
|
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
|
}
|
|
|
|
# Create data sources for consul backend tokens
|
|
data "vault_kv_secret_v2" "consul_backend_configs" {
|
|
for_each = {
|
|
for k, v in var.consul_secret_backend : k => v
|
|
if !v.bootstrap
|
|
}
|
|
|
|
mount = "kv"
|
|
name = "service/vault/${var.country}/${var.region}/secret_backend/${each.key}"
|
|
}
|
|
|
|
# Create Consul ACL management module
|
|
module "consul_acl_management" {
|
|
source = "./modules/consul_acl_management"
|
|
|
|
country = var.country
|
|
region = var.region
|
|
consul_backends = var.consul_secret_backend
|
|
consul_roles = var.consul_secret_backend_role
|
|
consul_backend_aliases = var.consul_backend_aliases
|
|
}
|
|
|
|
# Create consul secret backend roles (Vault resources only)
|
|
module "consul_secret_backend_role" {
|
|
source = "./modules/consul_secret_backend_role"
|
|
|
|
for_each = var.consul_secret_backend_role
|
|
|
|
name = each.value.name
|
|
backend = each.value.backend
|
|
consul_roles = each.value.consul_roles
|
|
ttl = each.value.ttl
|
|
max_ttl = each.value.max_ttl
|
|
local = each.value.local
|
|
|
|
depends_on = [module.consul_secret_backend, module.consul_acl_management]
|
|
}
|
|
|
|
module "kubernetes_secret_backend" {
|
|
source = "./modules/kubernetes_secret_backend"
|
|
|
|
for_each = var.kubernetes_secret_backend
|
|
|
|
country = var.country
|
|
region = var.region
|
|
path = each.key
|
|
description = each.value.description
|
|
default_lease_ttl_seconds = each.value.default_lease_ttl_seconds
|
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
|
kubernetes_host = each.value.kubernetes_host
|
|
disable_local_ca_jwt = each.value.disable_local_ca_jwt
|
|
}
|
|
|
|
module "kubernetes_secret_backend_role" {
|
|
source = "./modules/kubernetes_secret_backend_role"
|
|
|
|
for_each = var.kubernetes_secret_backend_role
|
|
|
|
country = var.country
|
|
region = var.region
|
|
name = each.value.name
|
|
backend = each.value.backend
|
|
allowed_kubernetes_namespaces = each.value.allowed_kubernetes_namespaces
|
|
kubernetes_role_type = each.value.kubernetes_role_type
|
|
extra_labels = each.value.extra_labels
|
|
|
|
depends_on = [module.kubernetes_secret_backend]
|
|
}
|
|
|
|
module "vault_policy" {
|
|
source = "./modules/vault_policy"
|
|
|
|
for_each = var.policy_rules_map
|
|
|
|
policy_name = each.key
|
|
policy_rules = each.value
|
|
}
|
|
|
|
module "pki_mount_only" {
|
|
source = "./modules/pki_mount_only"
|
|
|
|
for_each = var.pki_mount_only
|
|
|
|
path = each.key
|
|
description = each.value.description
|
|
max_lease_ttl_seconds = each.value.max_lease_ttl_seconds
|
|
issuer_ref = each.value.issuer_ref
|
|
issuing_certificates = each.value.issuing_certificates
|
|
crl_distribution_points = each.value.crl_distribution_points
|
|
ocsp_servers = each.value.ocsp_servers
|
|
enable_templating = each.value.enable_templating
|
|
default_issuer_ref = each.value.default_issuer_ref
|
|
default_follows_latest_issuer = each.value.default_follows_latest_issuer
|
|
crl_expiry = each.value.crl_expiry
|
|
crl_disable = each.value.crl_disable
|
|
ocsp_disable = each.value.ocsp_disable
|
|
auto_rebuild = each.value.auto_rebuild
|
|
enable_delta = each.value.enable_delta
|
|
delta_rebuild_interval = each.value.delta_rebuild_interval
|
|
}
|
|
|