configure ovh client and allow cms project to access zoho client
This commit is contained in:
@@ -31,6 +31,7 @@ concurrency:
|
||||
kvv1/google/credentials credentials | GOOGLE_CREDENTIALS ;
|
||||
kvv1/admin/gitea token | GITEA_TOKEN ;
|
||||
kvv1/admin/cloudflare iam_token | CLOUDFLARE_API_TOKEN ;
|
||||
kvv1/admin/ovh/app * | OVH_ ;
|
||||
jobs:
|
||||
gitea_vault_auth:
|
||||
name: Auth with gitea for vault
|
||||
|
||||
@@ -24,6 +24,9 @@ module "cf_r2_arcodange_tf_token" {
|
||||
"account:Workers R2 Storage Read",
|
||||
"bucket:Workers R2 Storage Bucket Item Write",
|
||||
]
|
||||
account = [
|
||||
"account:Account Settings Read",
|
||||
]
|
||||
}
|
||||
}
|
||||
resource "vault_kv_secret" "cf_r2_arcodange_tf" {
|
||||
@@ -40,6 +43,10 @@ data "vault_policy_document" "cf_r2_arcodange_tf" {
|
||||
path = "kvv1/cloudflare/r2/arcodange-tf"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
rule {
|
||||
path = "kvv1/zoho/self_client" # zoho mail client is created manually
|
||||
capabilities = ["read"]
|
||||
}
|
||||
}
|
||||
resource "vault_policy" "cf_r2_arcodange_tf" {
|
||||
name = "factory__cf_r2_arcodange_tf"
|
||||
@@ -59,6 +66,9 @@ module "cf_arcodange_cms_token" {
|
||||
account = [
|
||||
"account:Pages Write",
|
||||
"account:Account DNS Settings Write",
|
||||
"account:Account Settings Read",
|
||||
"zone:Zone Write",
|
||||
"zone:DNS Write",
|
||||
]
|
||||
}
|
||||
}
|
||||
@@ -68,6 +78,17 @@ resource "gitea_repository_actions_secret" "cf_arcodange_cms_token" {
|
||||
secret_name = "CLOUDFLARE_API_TOKEN"
|
||||
secret_value = module.cf_arcodange_cms_token.token
|
||||
}
|
||||
resource "gitea_repository_actions_secret" "cf_account_id_cms" {
|
||||
repository = data.gitea_repo.cms.name
|
||||
repository_owner = data.gitea_repo.cms.username
|
||||
secret_name = "CLOUDFLARE_ACCOUNT_ID"
|
||||
secret_value = local.cloudflare_account_id
|
||||
}
|
||||
|
||||
output "token" {
|
||||
value = module.cf_arcodange_cms_token.token
|
||||
sensitive = true
|
||||
}
|
||||
|
||||
resource "vault_kv_secret" "cf_arcodange_cms_token" {
|
||||
path = "kvv1/cloudflare/cms/cf_arcodange_cms_token"
|
||||
@@ -10,6 +10,7 @@ locals {
|
||||
for p in data.cloudflare_account_api_token_permission_groups_list.all.result :
|
||||
"${split(".", p.scopes[0])[length(split(".", p.scopes[0])) - 1]}:${p.name}" => p.id
|
||||
}
|
||||
permission_map_from_id = zipmap(values(local.permission_map), keys(local.permission_map))
|
||||
|
||||
# Résout les permissions (si présentes) pour chaque catégorie
|
||||
selected_account_permissions = var.permissions.account != null ? compact([
|
||||
@@ -63,8 +64,8 @@ resource "cloudflare_account_token" "token" {
|
||||
expires_on = null
|
||||
|
||||
lifecycle {
|
||||
ignore_changes = [expires_on]
|
||||
replace_triggered_by = [null_resource.cloudflare_account_token_replace]
|
||||
ignore_changes = [expires_on, policies] # ignore permission id change as unstable
|
||||
replace_triggered_by = [null_resource.cloudflare_account_token_replace] # replace permission name change d
|
||||
precondition {
|
||||
condition = length(local.missing_permissions) == 0
|
||||
error_message = local.error_message
|
||||
@@ -72,8 +73,9 @@ resource "cloudflare_account_token" "token" {
|
||||
}
|
||||
}
|
||||
|
||||
resource "null_resource" "cloudflare_account_token_replace" {
|
||||
resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
|
||||
triggers = {
|
||||
"policies" = sha256(join("", local.selected_account_permissions, local.selected_bucket_permissions))
|
||||
"account_permissions" = sha256(join("",sort([for p_id in local.selected_account_permissions: lookup(local.permission_map_from_id, p_id)])))
|
||||
"bucket_permissions" = sha256(join("",sort([for p_id in local.selected_bucket_permissions: lookup(local.permission_map_from_id, p_id)])))
|
||||
}
|
||||
}
|
||||
|
||||
57
iac/ovh.tf
Normal file
57
iac/ovh.tf
Normal file
@@ -0,0 +1,57 @@
|
||||
data "ovh_me" "account" {}
|
||||
data "ovh_iam_reference_actions" "domain" {
|
||||
type = "domain"
|
||||
}
|
||||
locals {
|
||||
domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ]
|
||||
}
|
||||
|
||||
resource "ovh_me_api_oauth2_client" "cms" {
|
||||
name = "cms repo"
|
||||
description = "arcodange.fr management"
|
||||
flow = "CLIENT_CREDENTIALS"
|
||||
}
|
||||
resource "ovh_iam_policy" "cms" {
|
||||
name = "cms_manager"
|
||||
description = "Permissions related to www.arcodange.fr domain"
|
||||
identities = [ovh_me_api_oauth2_client.cms.identity]
|
||||
resources = [
|
||||
data.ovh_me.account.urn,
|
||||
# ovh_me_api_oauth2_client.cms.identity,
|
||||
"urn:v1:eu:resource:domain:arcodange.fr",
|
||||
]
|
||||
# these are all the actions
|
||||
allow = concat([
|
||||
"account:apiovh:me/get",
|
||||
"account:apiovh:me/supportLevel/get",
|
||||
"account:apiovh:me/certificates/get",
|
||||
"account:apiovh:me/tag/get",
|
||||
"account:apiovh:services/get",
|
||||
],
|
||||
local.domain_read_permissions[*].action,
|
||||
[
|
||||
"domain:apiovh:nameServer/edit",
|
||||
])
|
||||
}
|
||||
|
||||
resource "gitea_repository_actions_secret" "ovh_cms_client_id" {
|
||||
repository = data.gitea_repo.cms.name
|
||||
repository_owner = data.gitea_repo.cms.username
|
||||
secret_name = "OVH_CLIENT_ID"
|
||||
secret_value = ovh_me_api_oauth2_client.cms.client_id
|
||||
}
|
||||
resource "gitea_repository_actions_secret" "ovh_cms_client_secret" {
|
||||
repository = data.gitea_repo.cms.name
|
||||
repository_owner = data.gitea_repo.cms.username
|
||||
secret_name = "OVH_CLIENT_SECRET"
|
||||
secret_value = ovh_me_api_oauth2_client.cms.client_secret
|
||||
}
|
||||
|
||||
resource "vault_kv_secret" "ovh_cms_token" {
|
||||
path = "kvv1/ovh/cms/app"
|
||||
data_json = jsonencode({
|
||||
client_id = ovh_me_api_oauth2_client.cms.client_id
|
||||
client_secret = ovh_me_api_oauth2_client.cms.client_secret
|
||||
urn = ovh_me_api_oauth2_client.cms.identity
|
||||
})
|
||||
}
|
||||
@@ -16,6 +16,10 @@ terraform {
|
||||
source = "cloudflare/cloudflare"
|
||||
version = "~> 5"
|
||||
}
|
||||
ovh = {
|
||||
source = "ovh/ovh"
|
||||
version = "2.8.0"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -26,10 +30,11 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late
|
||||
|
||||
provider "vault" {
|
||||
address = "https://vault.arcodange.duckdns.org"
|
||||
auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
|
||||
mount = "gitea_jwt"
|
||||
role = "gitea_cicd"
|
||||
}
|
||||
token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U"
|
||||
# auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
|
||||
# mount = "gitea_jwt"
|
||||
# role = "gitea_cicd"
|
||||
# }
|
||||
}
|
||||
|
||||
provider "google" {
|
||||
@@ -37,4 +42,8 @@ provider "google" {
|
||||
region = "US-EAST1"
|
||||
}
|
||||
|
||||
provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
|
||||
provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
|
||||
|
||||
provider "ovh" { # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY
|
||||
endpoint = "ovh-eu"
|
||||
}
|
||||
Reference in New Issue
Block a user