role management for postgres synergy with vault dynamic credentials

ansible/arcodange/factory/playbooks/tools/hashicorp_vault.yml

@@ -17,6 +17,12 @@
   - name: Setup Hashicorp Vault
     include_role:
       name: hashicorp_vault
+    vars:
+      pg_conf: >-
+        {{ hostvars[groups.hard_disk[0]].postgres.dockercompose.services.postgres.environment }}
+      postgres_admin_credentials:
+        username: '{{ pg_conf.POSTGRES_USER }}'
+        password: '{{ pg_conf.POSTGRES_PASSWORD }}'
   
   - name: share VAULT CA
     block:

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/defaults/main.yml

@@ -7,4 +7,10 @@ vault_address: https://vault.arcodange.duckdns.org
 vault_oidc_gitea_setupGiteaAppJS: '{{ role_path }}/files/playwright_setupGiteaApp.js'
 
 gitea_admin_user: arcodange@gmail.com
-gitea_admin_password: "{{ undef(hint='You must specify the gitea user admin password') }}"
+gitea_admin_password: "{{ undef(hint='You must specify the gitea user admin password') }}"
+
+# kvv1 secrets for later admin operations
+
+postgres_admin_credentials:
+  username: postgres
+  password: postgres

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/files/hashicorp_vault.tf

@@ -11,6 +11,7 @@ variable "vault_address" {
 }
 variable "vault_token" {
   type = string
+  sensitive = true
 }
 variable "admin_email" {
   type = string
@@ -23,6 +24,14 @@ variable "gitea_app" {
     secret = string
     description = optional(string, "Arcodange Gitea Auth")
   })
+  sensitive = true
+}
+variable "postgres_admin_credentials" {
+  type = object({
+    username = optional(string, "postgres")
+    password = string
+  })
+  sensitive = true
 }
 
 # kubectl -n kube-system exec $(kubectl -n kube-system get pod -l app.kubernetes.io/name=traefik -o jsonpath="{.items[0]['.metadata.name']}") -- cat /data/acme.json | jq '(.letsencrypt.Certificates | map(select(.domain.main=="arcodange.duckdns.org")))[0]' | jq '.certificate' -r | base64 -d | openssl x509
@@ -148,11 +157,36 @@ resource "vault_mount" "kvv1" {
   description = "KV Version 1 secret engine mount"
 }
 
-resource "vault_kv_secret" "google_credential" {
+resource "vault_kv_secret" "google_credentials" {
   path = "${vault_mount.kvv1.path}/google/credentials"
   data_json = jsonencode(
   {
     credentials = file("~/.config/gcloud/application_default_credentials.json")
   }
   )
+}
+
+resource "vault_kv_secret" "gitea_app_id" {
+  path = "${vault_mount.kvv1.path}/gitea/app"
+  data_json = jsonencode(
+  {
+    id = var.gitea_app.id
+  }
+  )
+}
+
+resource "vault_kv_secret" "postgres_admin_credentials" {
+  path = "${vault_mount.kvv1.path}/postgres/credentials"
+  data_json = jsonencode(var.postgres_admin_credentials)
+}
+
+resource "vault_audit" "stdout" {
+  type  = "file"
+  local = true
+
+  options = {
+    file_path = "stdout"
+    hmac_accessor = false
+    log_raw = true
+  }
 }

ansible/arcodange/factory/playbooks/tools/roles/hashicorp_vault/tasks/gitea_oidc_auth.yml

@@ -37,16 +37,12 @@
     register: last_tofu_command
     loop:
       - tofu init -no-color
-      # - >-
-      #   tofu destroy -auto-approve -no-color
-      #   -var='gitea_app={{ gitea_app | to_json }}'
-      #   -var='vault_address={{ vault_address }}'
-      #   -var='vault_token={{ vault_root_token }}'
       - >-
         tofu apply -auto-approve -no-color
         -var='gitea_app={{ gitea_app | to_json }}'
         -var='vault_address={{ vault_address }}'
         -var='vault_token={{ vault_root_token }}'
+        -var='postgres_admin_credentials={{ postgres_admin_credentials | to_json }}'
     loop_control:
       loop_var: command
       extended: true