5536869a38
This commit implements the major architectural change of Consul ACL management with proper provider aliasing, along with the supporting configuration files and policy definitions for various terraform services. - add consul_acl_management module to manage consul acl policies and roles - add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault) - add consul provider configuration to root.hcl - add policies to generate credentials for each role - simplify consul_secret_backend_role module to reference acl-managed roles - switch to opentofu for provider foreach support - update terragrunt configuration to support consul backend aliases - update pre-commit hooks to use opentofu instead of terraform - configure tflint exceptions for consul acl management module
79 lines
2.8 KiB
HCL
include "root" {
|
|
path = find_in_parent_folders("root.hcl")
|
|
expose = true
|
|
}
|
|
|
|
include "config" {
|
|
path = "${get_repo_root()}/config/config.hcl"
|
|
expose = true
|
|
}
|
|
|
|
include "policies" {
|
|
path = "${get_repo_root()}/policies/policies.hcl"
|
|
expose = true
|
|
}
|
|
|
|
include "resources" {
|
|
path = "${get_repo_root()}/resources/resources.hcl"
|
|
expose = true
|
|
}
|
|
|
|
locals {
|
|
# Extract country and region from path
|
|
path_parts = split("/", dirname(get_terragrunt_dir()))
|
|
country = basename(dirname(get_terragrunt_dir())) # "au"
|
|
region = basename(get_terragrunt_dir()) # "syd1"
|
|
|
|
# Include configuration from config.hcl
|
|
config = include.config.locals.config
|
|
|
|
# Include policies from policies.hcl
|
|
policies = include.policies.locals
|
|
|
|
# Include resources from resources.hcl
|
|
resources = include.resources.locals
|
|
|
|
# Create sanitized backend name mapping for Consul providers
|
|
# Provider aliases can't contain slashes, so replace them with underscores
|
|
consul_backend_aliases = {
|
|
for backend_name, _ in local.config.consul_secret_backend :
|
|
backend_name => replace(backend_name, "/", "_")
|
|
}
|
|
}
|
|
|
|
terraform {
|
|
source = "../../../modules/vault_cluster"
|
|
}
|
|
|
|
inputs = {
|
|
country = local.country
|
|
region = local.region
|
|
|
|
# Pass configuration maps to vault_cluster module
|
|
auth_approle_backend = local.config.auth_approle_backend
|
|
auth_approle_role = local.config.auth_approle_role
|
|
auth_ldap_backend = local.config.auth_ldap_backend
|
|
auth_ldap_group = local.config.auth_ldap_group
|
|
auth_kubernetes_backend = local.config.auth_kubernetes_backend
|
|
auth_kubernetes_role = local.config.auth_kubernetes_role
|
|
kv_secret_backend = local.config.kv_secret_backend
|
|
transit_secret_backend = local.config.transit_secret_backend
|
|
transit_secret_backend_key = local.config.transit_secret_backend_key
|
|
ssh_secret_backend = local.config.ssh_secret_backend
|
|
ssh_secret_backend_role = local.config.ssh_secret_backend_role
|
|
pki_secret_backend = local.config.pki_secret_backend
|
|
pki_secret_backend_role = local.config.pki_secret_backend_role
|
|
consul_secret_backend = local.config.consul_secret_backend
|
|
consul_secret_backend_role = local.config.consul_secret_backend_role
|
|
kubernetes_secret_backend = local.config.kubernetes_secret_backend
|
|
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
|
|
pki_mount_only = local.config.pki_mount_only
|
|
|
|
# Pass policy maps to vault_cluster module
|
|
policy_auth_map = local.policies.policy_auth_map
|
|
policy_rules_map = local.policies.policy_rules_map
|
|
|
|
# Pass sanitized consul backend aliases for provider configuration
|
|
consul_backend_aliases = local.consul_backend_aliases
|
|
}
|
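Review bot: The alias sanitization in the `consul_backend_aliases` local (`backend_name => replace(backend_name, "/", "_")`) only rewrites slashes, so a backend name containing any other character that is not valid in a provider alias still yields an invalid alias, and two names that differ only by `/` versus `_` (constructed example: `consul/k8s` and `consul_k8s`) would map to the same alias and, depending on how the vault_cluster module consumes the map, likely end up sharing one Consul provider configuration and its credentials. Consider `backend_name => replace(backend_name, "/[^A-Za-z0-9_-]/", "_")` plus a comment above the block such as `# Assumes backend names remain unique after sanitization; a collision would merge two backends onto one Consul provider alias`. Separately, `path_parts` is assigned but never read — `country` and `region` are derived directly from `basename`/`dirname` — so that local can be dropped. The module referenced by `terraform { source = ... }` is outside this page, so the exact effect of an alias collision cannot be confirmed here.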