Files
terraform-vault/environments/root.hcl
T
unkinben 87e3ada14f
ci/woodpecker/push/apply Pipeline was successful
Mount the rancher secrets engine + seed a service account + roles (#93)
## Why

Deploy the new Rancher token secrets engine into the cluster (the last of the 4 wiring PRs), mirroring the litellm/gpg pattern. Users can then `vault read rancher/creds/<role>` for short-lived, cluster-scoped Rancher tokens, backed by a seeded admin token the engine auto-rotates before Rancher's 90-day cap.

## Changes

- Add `rancher_secret_backend` module — mount + config via the ranchervaultsecret provider (rancher_url `https://rancher.k8s.syd1.au.unkin.net`).
- Add `rancher_secret_backend_service_account` module — seeds an auto-rotated token (90d TTL / 45d rotation); the seed token is read from KV, not git.
- Add `rancher_secret_backend_role` module + a `ci` role (1h/8h, cluster+TTL scoped).
- Wire `config.hcl` discovery, module variables, `main.tf` blocks, terragrunt inputs, and the `rancher` provider in `root.hcl`.
- Config: `config/rancher_secret_backend/rancher.yaml`, `.../service_account/rancher/admin.yaml`, `.../role/rancher/ci.yaml`.

## Prerequisite

Populate `kv/service/vault/au/syd1/secret_backend/rancher/service_account/admin` with a live Rancher admin token (keys: `token`, optional `token_name`) **before** apply, exactly as litellm's `master_key` is seeded in KV.

## Merge order

Part 4 of 4 (last). Requires: puppet install (#483) → deployer policy (#91) → plugin import (#92) → this. The `plan` needs the KV seed present, so seed KV first.

---------

Co-authored-by: Ben Vincent <neotheo@gmail.com>
Reviewed-on: #93
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
2026-07-18 16:16:54 +10:00

66 lines
1.6 KiB
HCL

# Generate root backend.tf
generate "backend" {
path = "backend.tf"
if_exists = "overwrite"
contents = <<EOF
locals {
vault_addr = "https://vault.service.consul:8200"
}
provider "vault" {
address = local.vault_addr
}
# The LiteLLM secrets engine is managed through its own provider, which talks to
# the same Vault server. Token falls back to the VAULT_TOKEN environment variable.
provider "litellm" {
address = local.vault_addr
}
# The gpg secrets engine's keys are managed through its own provider (same Vault
# server; token falls back to VAULT_TOKEN).
provider "gpg" {
address = local.vault_addr
}
# The rancher token secrets engine is managed through its own provider (same
# Vault server; token falls back to VAULT_TOKEN).
provider "rancher" {
address = local.vault_addr
}
terraform {
backend "consul" {
address = "https://consul.service.consul"
path = "infra/terraform/vault/${path_relative_to_include()}/state"
scheme = "https"
lock = true
ca_file = "/etc/pki/tls/certs/ca-bundle.crt"
}
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
consul = {
source = "hashicorp/consul"
version = "2.23.0"
}
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
gpg = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0"
}
rancher = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/ranchervaultsecret"
version = "0.1.0"
}
}
}
EOF
}