enable per app role list of policies

2025-10-30 10:05:25 +01:00
parent ea9e41ff1a
commit 24c3d92522
5 changed files with 22 additions and 10 deletions
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -76,7 +76,8 @@ resource "vault_kubernetes_auth_backend_role" "vso" {

 module "app_policies" {
  source       = "./modules/app_policy"
-  for_each     = var.applications
-  name         = each.value
+  for_each     = { for app in var.applications : app.name => app }
+  name         = each.value.name
+  policies     = each.value.policies
  gitea_app_id = var.gitea_app_id
 }
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -29,8 +29,12 @@ data "vault_policy_document" "ops" {
  }
  # read cloudflare credentials for terraform cloudflare backend
  rule {
-    path         = "kvv1/cloudflare"
-    capabilities = ["read"]
+    path         = "kvv1/cloudflare/${local.name}*"
+    capabilities = ["read", "list", "create", "update", "delete"]
+  }
+  rule {
+    path         = "kvv1/cloudflare/${local.name}*"
+    capabilities = ["read", "list", "create", "update", "delete"]
  }
  # read tofu_module_reader gitea bot user ssh keys
  rule {
@@ -122,7 +126,7 @@ data "vault_auth_backend" "gitea_jwt" {
 resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
  backend        = data.vault_auth_backend.gitea_jwt.path
  role_name      = "gitea_cicd_${local.name}"
-  token_policies = ["default"] # give "${local.name}-ops" role to group of entities
+  token_policies = concat(["default"], var.policies) # give "${local.name}-ops" role to group of entities

  bound_audiences = [
    var.gitea_app_id,
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -4,3 +4,7 @@ variable "name" {
 variable "gitea_app_id" {
  type = string
 }
+variable "policies" {
+  type    = list(string)
+  default = []
+}
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,5 +1,5 @@
 applications = [
-  "webapp",
-  "erp",
-  "cms",
+  { name = "webapp" },
+  { name = "erp" },
+  { name = "cms", policies = ["factory__cf_r2_arcodange_tf"] },
 ]
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -10,5 +10,8 @@ variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
  sensitive = true
 }
 variable "applications" {
-  type = set(string)
+  type = set(object({
+    name     = string
+    policies = optional(list(string), [])
+  }))
 }