From 24c3d925229a89defab95e0e52ea43305356f101 Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Thu, 30 Oct 2025 10:05:25 +0100
Subject: [PATCH] enable per app role list of policies
---
 hashicorp-vault/iac/main.tf | 7 ++++---
 hashicorp-vault/iac/modules/app_policy/main.tf | 10 +++++++---
 hashicorp-vault/iac/modules/app_policy/variables.tf | 4 ++++
 hashicorp-vault/iac/terraform.tfvars | 6 +++---
 hashicorp-vault/iac/variables.tf | 5 ++++-
 5 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/hashicorp-vault/iac/main.tf b/hashicorp-vault/iac/main.tf
index 34331fd..4b83b96 100644
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -76,7 +76,8 @@ resource "vault_kubernetes_auth_backend_role" "vso" {
 module "app_policies" {
 source = "./modules/app_policy"
- for_each = var.applications
- name = each.value
+ for_each = { for app in var.applications : app.name => app }
+ name = each.value.name
+ policies = each.value.policies
 gitea_app_id = var.gitea_app_id
-}
\ No newline at end of file
+}
diff --git a/hashicorp-vault/iac/modules/app_policy/main.tf b/hashicorp-vault/iac/modules/app_policy/main.tf
index b8d8d63..aed281d 100644
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -29,8 +29,12 @@ data "vault_policy_document" "ops" {
 }
 # read cloudflare credentials for terraform cloudflare backend
 rule {
- path = "kvv1/cloudflare"
- capabilities = ["read"]
+ path = "kvv1/cloudflare/${local.name}*"
+ capabilities = ["read", "list", "create", "update", "delete"]
+ }
+ rule {
+ path = "kvv1/cloudflare/${local.name}*"
+ capabilities = ["read", "list", "create", "update", "delete"]
 }
 # read tofu_module_reader gitea bot user ssh keys
 rule {
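Review bot: The second `rule {}` block added in this hunk is byte-identical to the first (same path `kvv1/cloudflare/${local.name}*`, same capability list), so it is either a copy-paste leftover or was meant to cover a different path; as committed it grants nothing the first block does not. The glob `${local.name}*` also prefix-matches any sibling entry whose name merely starts with this app's name (an app called `cms` would match a `cmsx` entry), so an exact path plus a `${local.name}/*` subtree keeps each app's rules to its own secrets — assuming the entries really are stored as `<app>` or under `<app>/`, which this patch does not show. Finally, the surviving comment `# read cloudflare credentials for terraform cloudflare backend` no longer describes the rule, which now grants create/update/delete as well; widening the `ops` policy's reach over Cloudflare credentials looks deliberate but deserves to be stated in the comment. The `vault_policy_document.ops` data block starts before this hunk and ends after it.
```hcl
  # manage this app's cloudflare credentials (terraform cloudflare backend):
  # exact entry plus its subtree, so a sibling app whose name merely starts
  # with local.name is not matched
  rule {
    path         = "kvv1/cloudflare/${local.name}"
    capabilities = ["read", "list", "create", "update", "delete"]
  }
  rule {
    path         = "kvv1/cloudflare/${local.name}/*"
    capabilities = ["read", "list", "create", "update", "delete"]
  }
  # … unchanged: tofu_module_reader ssh key rule …
```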
@@ -122,7 +126,7 @@ data "vault_auth_backend" "gitea_jwt" {
 resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
 backend = data.vault_auth_backend.gitea_jwt.path
 role_name = "gitea_cicd_${local.name}"
- token_policies = ["default"] # give "${local.name}-ops" role to group of entities
+ token_policies = concat(["default"], var.policies) # give "${local.name}-ops" role to group of entities
 bound_audiences = [
 var.gitea_app_id,
diff --git a/hashicorp-vault/iac/modules/app_policy/variables.tf b/hashicorp-vault/iac/modules/app_policy/variables.tf
index 78d27f5..c475c2a 100644
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -3,4 +3,8 @@ variable "name" {
 }
 variable "gitea_app_id" {
 type = string
+}
+variable "policies" {
+ type = list(string)
+ default = []
 }
\ No newline at end of file
diff --git a/hashicorp-vault/iac/terraform.tfvars b/hashicorp-vault/iac/terraform.tfvars
index bcc2074..a9eeac7 100644
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,5 +1,5 @@
 applications = [
- "webapp",
- "erp",
- "cms",
+ { name = "webapp" },
+ { name = "erp" },
+ { name = "cms", policies = ["factory__cf_r2_arcodange_tf"] },
 ]
\ No newline at end of file
diff --git a/hashicorp-vault/iac/variables.tf b/hashicorp-vault/iac/variables.tf
index 89c2589..1139836 100644
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -10,5 +10,8 @@ variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
 sensitive = true
 }
 variable "applications" {
- type = set(string)
+ type = set(object({
+ name = string
+ policies = optional(list(string), [])
+ }))
 }
\ No newline at end of file
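Review bot: `token_policies = concat(["default"], var.policies)` attaches whatever policy names the root tfvars supply, and nothing in this change checks that those policies exist or are scoped to this app — as far as I know the provider does not validate policy names on a role, so a typo or a later-deleted policy silently yields a CI/CD token with fewer rights than intended, while a name that happens to point at a broader policy silently widens that token. The tfvars hunk passes `factory__cf_r2_arcodange_tf`, which this patch does not create; if that policy is managed in the same configuration, referencing it as `vault_policy.<resource_label>.name` instead of a literal makes the dependency explicit (it may well live elsewhere, in which case a comment naming where it is defined would do). The inline comment `# give "${local.name}-ops" role to group of entities` reads as a leftover note and should describe the new expression, e.g. `# "default" plus the per-app policy names supplied through var.policies`. The resource block continues past the hunk.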
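Review bot: `variable "policies"` has no `description`, and since its values are spliced straight into the CI/CD role's `token_policies` in main.tf, a reader of the module interface should be told that these must be names of existing Vault policies and what they are attached to. Add `description = "Names of existing Vault policies attached to this app's gitea_cicd JWT role, in addition to default."` after `type`. The neighbouring `gitea_app_id` variable is undocumented too, but that predates this change.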
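Review bot: `name` is now an explicit object field that the module interpolates into Vault policy paths (`kvv1/cloudflare/${local.name}*`) and into the role name `gitea_cicd_${local.name}`, and it is also the `for_each` key in main.tf, yet the variable accepts any string; a `validation` block restricting it to a conservative charset prevents a name containing `/`, `*` or `+` (Vault path wildcards) from silently changing what a policy path matches. Separately, `optional(list(string), [])` with a default value needs Terraform 1.3 or newer — worth checking against `required_version` if one is declared (not visible here). Add, inside the `applications` variable:
```hcl
variable "applications" {
  # … unchanged: type …
  validation {
    condition     = alltrue([for app in var.applications : can(regex("^[a-z0-9][a-z0-9-]*$", app.name))])
    error_message = "applications[*].name must match ^[a-z0-9][a-z0-9-]*$ (it is used in Vault policy paths and role names)."
  }
}
```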