enable per app role list of policies
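--- a/path-not-shown-on-page/hunk-1
+++ b/path-not-shown-on-page/hunk-1
@@ -76,7 +76,8 @@ resource "vault_kubernetes_auth_backend_role" "vso" {
 module "app_policies" {
 source = "./modules/app_policy"
-for_each = var.applications
-name = each.value
+for_each = { for app in var.applications : app.name => app }
+name = each.value.name
+policies = each.value.policies
 gitea_app_id = var.gitea_app_id
 }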
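--- a/path-not-shown-on-page/hunk-2
+++ b/path-not-shown-on-page/hunk-2
@@ -29,8 +29,12 @@ data "vault_policy_document" "ops" {
 }
 # read cloudflare credentials for terraform cloudflare backend
 rule {
-path = "kvv1/cloudflare"
-capabilities = ["read"]
+path = "kvv1/cloudflare/${local.name}*"
+capabilities = ["read", "list", "create", "update", "delete"]
+}
+rule {
+path = "kvv1/cloudflare/${local.name}*"
+capabilities = ["read", "list", "create", "update", "delete"]
 }
 # read tofu_module_reader gitea bot user ssh keys
 rule {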
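--- a/path-not-shown-on-page/hunk-3
+++ b/path-not-shown-on-page/hunk-3
@@ -122,7 +126,7 @@ data "vault_auth_backend" "gitea_jwt" {
 resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
 backend = data.vault_auth_backend.gitea_jwt.path
 role_name = "gitea_cicd_${local.name}"
-token_policies = ["default"] # give "${local.name}-ops" role to group of entities
+token_policies = concat(["default"], var.policies) # give "${local.name}-ops" role to group of entities
 
 bound_audiences = [
 var.gitea_app_id,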
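Review bot: The trailing comment on the changed `token_policies` line no longer matches the code: the role now receives whatever names are in `var.policies` from the application entry, and nothing in this hunk attaches a `${local.name}-ops` policy or assigns a group. Replace it with a comment that states what is attached, e.g. `token_policies = concat(["default"], var.policies) # "default" plus the per-app policy names passed in from var.applications`. As far as I recall Vault does not check that names listed in token_policies exist when the role is written (worth confirming), so a misspelled policy name in tfvars is accepted silently and only shows up as a CI job missing rights. The resource block continues outside the hunk.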
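--- a/path-not-shown-on-page/hunk-4
+++ b/path-not-shown-on-page/hunk-4
@@ -4,3 +4,7 @@ variable "name" {
 variable "gitea_app_id" {
 type = string
 }
+variable "policies" {
+type = list(string)
+default = []
+}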
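Review bot: The new `variable "policies"` is passed straight into `token_policies` of the gitea CI/CD JWT role (hunk `@@ -122,7 +126,7 @@`) with no `validation`, so any policy name written into the `applications` tfvars entry (hunk `@@ -1,5 +1,5 @@`) becomes a policy of that app's CI tokens — including Vault's built-in `root` policy, which would make every CI token for that app a root token. A `validation` block that at least rejects `root`, and a `description` saying what the list is for, belong on this variable; if the project has a naming convention for app-scoped policies, a regex on that prefix would be a stronger check, but I cannot tell the convention from this page. The variable is complete within the hunk.
```hcl
variable "policies" {
  type        = list(string)
  default     = []
  description = "Additional Vault policy names attached to this app's gitea CI/CD JWT role, on top of \"default\"."

  validation {
    condition     = !contains(var.policies, "root")
    error_message = "The built-in root policy must not be attached to an application CI/CD role."
  }
}
```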
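--- a/path-not-shown-on-page/hunk-5
+++ b/path-not-shown-on-page/hunk-5
@@ -1,5 +1,5 @@
 applications = [
-"webapp",
-"erp",
-"cms",
+{ name = "webapp" },
+{ name = "erp" },
+{ name = "cms", policies = ["factory__cf_r2_arcodange_tf"] },
 ]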
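--- a/path-not-shown-on-page/hunk-6
+++ b/path-not-shown-on-page/hunk-6
@@ -10,5 +10,8 @@ variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
 sensitive = true
 }
 variable "applications" {
-type = set(string)
+type = set(object({
+name = string
+policies = optional(list(string), [])
+}))
 }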
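Review bot: `optional(list(string), [])` with a default argument requires Terraform 1.3 or later (OpenTofu supports it too, and the `tofu_module_reader` naming elsewhere in this commit suggests OpenTofu is in use); make sure the root module's `required_version` constraint reflects that, otherwise an older CLI fails to parse this line. The variable has no `description`; something like `description = "Applications that get a Vault policy set and a gitea CI/CD JWT role; policies lists extra Vault policy names attached to that role."` would document the new object shape. Because `app.name` becomes the `for_each` key of the `app_policies` module block (hunk `@@ -76,7 +76,8 @@`), two entries with the same name fail at plan time with a generic duplicate-key error; a `validation` block with `condition = length(distinct([for a in var.applications : a.name])) == length(var.applications)` gives a clearer message. The variable is complete within the hunk.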