configure ovh client and allow cms project to access zoho client
@@ -31,6 +31,7 @@ concurrency:
|
|||||||
kvv1/google/credentials credentials | GOOGLE_CREDENTIALS ;
|
kvv1/google/credentials credentials | GOOGLE_CREDENTIALS ;
|
||||||
kvv1/admin/gitea token | GITEA_TOKEN ;
|
kvv1/admin/gitea token | GITEA_TOKEN ;
|
||||||
kvv1/admin/cloudflare iam_token | CLOUDFLARE_API_TOKEN ;
|
kvv1/admin/cloudflare iam_token | CLOUDFLARE_API_TOKEN ;
|
||||||
|
kvv1/admin/ovh/app * | OVH_ ;
|
||||||
jobs:
|
jobs:
|
||||||
gitea_vault_auth:
|
gitea_vault_auth:
|
||||||
name: Auth with gitea for vault
|
name: Auth with gitea for vault
|
||||||
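Review bot: The new line `kvv1/admin/ovh/app * | OVH_ ;` exports every key stored under that Vault path as an `OVH_`-prefixed environment variable, whereas the entries above each name one key. If the path ever gains keys beyond the three variables the `provider "ovh"` comment lists (OVH_APPLICATION_KEY, OVH_APPLICATION_SECRET, OVH_CONSUMER_KEY), they would be exposed to the job for no reason; naming the keys explicitly, as the other lines do, keeps the secret surface to what the provider reads. The key names under that path are not visible here, so the exact replacement lines need checking against the Vault path.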
|
|||||||
@@ -24,6 +24,9 @@ module "cf_r2_arcodange_tf_token" {
|
|||||||
"account:Workers R2 Storage Read",
|
"account:Workers R2 Storage Read",
|
||||||
"bucket:Workers R2 Storage Bucket Item Write",
|
"bucket:Workers R2 Storage Bucket Item Write",
|
||||||
]
|
]
|
||||||
|
account = [
|
||||||
|
"account:Account Settings Read",
|
||||||
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
resource "vault_kv_secret" "cf_r2_arcodange_tf" {
|
resource "vault_kv_secret" "cf_r2_arcodange_tf" {
|
||||||
@@ -40,6 +43,10 @@ data "vault_policy_document" "cf_r2_arcodange_tf" {
|
|||||||
path = "kvv1/cloudflare/r2/arcodange-tf"
|
path = "kvv1/cloudflare/r2/arcodange-tf"
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
rule {
|
||||||
|
path = "kvv1/zoho/self_client" # zoho mail client is created manually
|
||||||
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
}
|
}
|
||||||
resource "vault_policy" "cf_r2_arcodange_tf" {
|
resource "vault_policy" "cf_r2_arcodange_tf" {
|
||||||
name = "factory__cf_r2_arcodange_tf"
|
name = "factory__cf_r2_arcodange_tf"
|
||||||
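Review bot: The policy document `cf_r2_arcodange_tf` (materialised below as `factory__cf_r2_arcodange_tf`) now also grants read on `kvv1/zoho/self_client`, so a policy named for the Cloudflare R2 token quietly carries an unrelated secret. Whichever identity is bound to this policy can now read the Zoho client credentials; a separate policy, or a more general policy name, would make that grant visible to the next reviewer rather than hidden under the R2 label. The inline comment could also record the consumer, e.g. `# zoho mail client is created manually; read by <consumer>` with the placeholder filled in.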
@@ -59,6 +66,9 @@ module "cf_arcodange_cms_token" {
|
|||||||
account = [
|
account = [
|
||||||
"account:Pages Write",
|
"account:Pages Write",
|
||||||
"account:Account DNS Settings Write",
|
"account:Account DNS Settings Write",
|
||||||
|
"account:Account Settings Read",
|
||||||
|
"zone:Zone Write",
|
||||||
|
"zone:DNS Write",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
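Review bot: The CMS token gains `zone:Zone Write` and `zone:DNS Write` inside the module's `account` permission list, which by this module's naming appears to apply to every zone in the account rather than to one site. If the token only needs to manage a single domain's records, a zone-scoped grant would be the narrower choice; whether the module supports zone-level policies is not visible in this hunk. A short comment naming the feature that needs `Zone Write` (since `DNS Write` already covers record changes) would help a later audit of this token.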
@@ -68,6 +78,17 @@ resource "gitea_repository_actions_secret" "cf_arcodange_cms_token" {
|
|||||||
secret_name = "CLOUDFLARE_API_TOKEN"
|
secret_name = "CLOUDFLARE_API_TOKEN"
|
||||||
secret_value = module.cf_arcodange_cms_token.token
|
secret_value = module.cf_arcodange_cms_token.token
|
||||||
}
|
}
|
||||||
|
resource "gitea_repository_actions_secret" "cf_account_id_cms" {
|
||||||
|
repository = data.gitea_repo.cms.name
|
||||||
|
repository_owner = data.gitea_repo.cms.username
|
||||||
|
secret_name = "CLOUDFLARE_ACCOUNT_ID"
|
||||||
|
secret_value = local.cloudflare_account_id
|
||||||
|
}
|
||||||
|
|
||||||
|
output "token" {
|
||||||
|
value = module.cf_arcodange_cms_token.token
|
||||||
|
sensitive = true
|
||||||
|
}
|
||||||
|
|
||||||
resource "vault_kv_secret" "cf_arcodange_cms_token" {
|
resource "vault_kv_secret" "cf_arcodange_cms_token" {
|
||||||
path = "kvv1/cloudflare/cms/cf_arcodange_cms_token"
|
path = "kvv1/cloudflare/cms/cf_arcodange_cms_token"
|
||||||
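Review bot: The new `output "token"` exposes the CMS Cloudflare token under a generic name; `sensitive = true` only redacts it from plan and apply output, the value is still written in clear to the state file and is retrievable with `terraform output -raw token`. If the output exists only for debugging, drop it, since the token already reaches its consumers through the gitea secret and the `vault_kv_secret` below. If it is needed, a specific name such as `output "cf_arcodange_cms_token"` avoids confusion with the R2 token handled earlier in the same file.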
@@ -10,6 +10,7 @@ locals {
|
|||||||
for p in data.cloudflare_account_api_token_permission_groups_list.all.result :
|
for p in data.cloudflare_account_api_token_permission_groups_list.all.result :
|
||||||
"${split(".", p.scopes[0])[length(split(".", p.scopes[0])) - 1]}:${p.name}" => p.id
|
"${split(".", p.scopes[0])[length(split(".", p.scopes[0])) - 1]}:${p.name}" => p.id
|
||||||
}
|
}
|
||||||
|
permission_map_from_id = zipmap(values(local.permission_map), keys(local.permission_map))
|
||||||
|
|
||||||
# Résout les permissions (si présentes) pour chaque catégorie
|
# Résout les permissions (si présentes) pour chaque catégorie
|
||||||
selected_account_permissions = var.permissions.account != null ? compact([
|
selected_account_permissions = var.permissions.account != null ? compact([
|
||||||
@@ -63,8 +64,8 @@ resource "cloudflare_account_token" "token" {
|
|||||||
expires_on = null
|
expires_on = null
|
||||||
|
|
||||||
lifecycle {
|
lifecycle {
|
||||||
ignore_changes = [expires_on]
|
ignore_changes = [expires_on, policies] # ignore permission id change as unstable
|
||||||
replace_triggered_by = [null_resource.cloudflare_account_token_replace]
|
replace_triggered_by = [null_resource.cloudflare_account_token_replace] # replace permission name change d
|
||||||
precondition {
|
precondition {
|
||||||
condition = length(local.missing_permissions) == 0
|
condition = length(local.missing_permissions) == 0
|
||||||
error_message = local.error_message
|
error_message = local.error_message
|
||||||
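Review bot: Adding `policies` to `ignore_changes` means Terraform no longer reconciles the token's permissions with the configuration, so a permission added to the token out of band persists until a permission name change triggers the `null_resource` replacement. That trade-off is defensible given the unstable ids, but it should be stated, e.g. `# ignore permission id drift (ids are unstable); replacement on name change is handled by null_resource.cloudflare_account_token_replace`. The comment on the `replace_triggered_by` line appears cut off (`# replace permission name change d`), possibly only by the rendering.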
@@ -72,8 +73,9 @@ resource "cloudflare_account_token" "token" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "null_resource" "cloudflare_account_token_replace" {
|
resource "null_resource" "cloudflare_account_token_replace" { # replace token when permission names change
|
||||||
triggers = {
|
triggers = {
|
||||||
"policies" = sha256(join("", local.selected_account_permissions, local.selected_bucket_permissions))
|
"account_permissions" = sha256(join("",sort([for p_id in local.selected_account_permissions: lookup(local.permission_map_from_id, p_id)])))
|
||||||
|
"bucket_permissions" = sha256(join("",sort([for p_id in local.selected_bucket_permissions: lookup(local.permission_map_from_id, p_id)])))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
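Review bot: Both triggers hash `join("", sort(...))` of permission names, and an empty separator lets two different name lists produce the same string (a constructed example: `["ab", "c"]` and `["a", "bc"]`), so a permission swap could in principle not trigger replacement; `join("\n", sort(...))` or `jsonencode(sort(...))` removes the ambiguity. Also `lookup(local.permission_map_from_id, p_id)` has no default, so an id absent from the map fails the plan — acceptable if the precondition in the previous hunk is always evaluated first, which is not guaranteed from here, so a default value would make the trigger independent of it.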
|
|||||||
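--- /dev/null
+++ b/iac/ovh.tf
@@ -0,0 +1,57 @@
+data "ovh_me" "account" {}
+data "ovh_iam_reference_actions" "domain" {
+type = "domain"
+}
+locals {
+domain_read_permissions = [ for a in data.ovh_iam_reference_actions.domain.actions: a if contains(a.categories, "READ") ]
+}
+
+resource "ovh_me_api_oauth2_client" "cms" {
+name = "cms repo"
+description = "arcodange.fr management"
+flow = "CLIENT_CREDENTIALS"
+}
+resource "ovh_iam_policy" "cms" {
+name = "cms_manager"
+description = "Permissions related to www.arcodange.fr domain"
+identities = [ovh_me_api_oauth2_client.cms.identity]
+resources = [
+data.ovh_me.account.urn,
+# ovh_me_api_oauth2_client.cms.identity,
+"urn:v1:eu:resource:domain:arcodange.fr",
+]
+# these are all the actions
+allow = concat([
+"account:apiovh:me/get",
+"account:apiovh:me/supportLevel/get",
+"account:apiovh:me/certificates/get",
+"account:apiovh:me/tag/get",
+"account:apiovh:services/get",
+],
+local.domain_read_permissions[*].action,
+[
+"domain:apiovh:nameServer/edit",
+])
+}
+
+resource "gitea_repository_actions_secret" "ovh_cms_client_id" {
+repository = data.gitea_repo.cms.name
+repository_owner = data.gitea_repo.cms.username
+secret_name = "OVH_CLIENT_ID"
+secret_value = ovh_me_api_oauth2_client.cms.client_id
+}
+resource "gitea_repository_actions_secret" "ovh_cms_client_secret" {
+repository = data.gitea_repo.cms.name
+repository_owner = data.gitea_repo.cms.username
+secret_name = "OVH_CLIENT_SECRET"
+secret_value = ovh_me_api_oauth2_client.cms.client_secret
+}
+
+resource "vault_kv_secret" "ovh_cms_token" {
+path = "kvv1/ovh/cms/app"
+data_json = jsonencode({
+client_id = ovh_me_api_oauth2_client.cms.client_id
+client_secret = ovh_me_api_oauth2_client.cms.client_secret
+urn = ovh_me_api_oauth2_client.cms.identity
+})
+}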
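Review bot: The `# these are all the actions` comment above `allow` in `ovh_iam_policy.cms` is misleading — the list is five hand-picked account actions, every READ action returned by `ovh_iam_reference_actions.domain`, and `domain:apiovh:nameServer/edit` — and the commented-out `# ovh_me_api_oauth2_client.cms.identity,` entry in `resources` is dead text. Replacing the comment with one that states the intent, e.g. `# account: minimal self-describe calls; domain: all READ actions plus nameserver edit`, and dropping the stale line would make the grant auditable. The policy's `resources` also includes the whole account URN (`data.ovh_me.account.urn`); because the account-level actions are enumerated that is bounded, but a comment on why account scope is needed at all would help. Separately, the client secret is stored twice (the gitea secret and `kvv1/ovh/cms/app`); noting which consumer reads which copy makes rotation easier.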
@@ -16,6 +16,10 @@ terraform {
|
|||||||
source = "cloudflare/cloudflare"
|
source = "cloudflare/cloudflare"
|
||||||
version = "~> 5"
|
version = "~> 5"
|
||||||
}
|
}
|
||||||
|
ovh = {
|
||||||
|
source = "ovh/ovh"
|
||||||
|
version = "2.8.0"
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
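Review bot: `version = "2.8.0"` pins the ovh provider to an exact release while the neighbouring cloudflare entry uses the pessimistic constraint `~> 5`. If the exact pin is deliberate, a short comment such as `version = "2.8.0" # exact pin: <reason>` would stop a later reader from loosening it; otherwise `~> 2.8` would match the file's existing style.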
@@ -26,10 +30,11 @@ provider "gitea" { # https://registry.terraform.io/providers/go-gitea/gitea/late
|
|||||||
|
|
||||||
provider "vault" {
|
provider "vault" {
|
||||||
address = "https://vault.arcodange.duckdns.org"
|
address = "https://vault.arcodange.duckdns.org"
|
||||||
auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
|
token = "hvs.CAESIH6uB0AKBdNoX5HdY4FQ8NlF1Dvrxoxo6fbMEnkhQ2zJGh4KHGh2cy40cFU1UHAzejl0bXB4VElJWGpobTNaQ3U"
|
||||||
mount = "gitea_jwt"
|
# auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
|
||||||
role = "gitea_cicd"
|
# mount = "gitea_jwt"
|
||||||
}
|
# role = "gitea_cicd"
|
||||||
|
# }
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "google" {
|
provider "google" {
|
||||||
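Review bot: The `provider "vault"` block now embeds a Vault token literally (`token = "hvs..."` replacing the `auth_login_jwt` block), which puts a credential into git history for anyone with repository access. A token committed this way should be treated as disclosed and revoked in Vault, and the JWT login restored: delete the `token` line and uncomment the `auth_login_jwt { mount = "gitea_jwt" role = "gitea_cicd" }` block that the commented lines below still describe. If a static token is needed for local runs, the provider reads it from the `VAULT_TOKEN` environment variable, so it never has to appear in the file.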
@@ -37,4 +42,8 @@ provider "google" {
|
|||||||
region = "US-EAST1"
|
region = "US-EAST1"
|
||||||
}
|
}
|
||||||
|
|
||||||
provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
|
provider "cloudflare" {} # CLOUDFLARE_API_TOKEN environment variable required
|
||||||
|
|
||||||
|
provider "ovh" { # OVH_APPLICATION_KEY OVH_APPLICATION_SECRET OVH_CONSUMER_KEY
|
||||||
|
endpoint = "ovh-eu"
|
||||||
|
}
|
||||||