apply vault config from CI

.gitea/workflows/vault.yaml

@@ -0,0 +1,106 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Hashicorp Vault
+
+on: [push,pull_request]
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.duckdns.org
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+          echo "### Hello world! :rocket:" >> $GITHUB_STEP_SUMMARY
+      # - name: Step following 'Import Secrets'
+      #   run: |
+      #     echo "${{ env.GOOGLE_BACKEND_CREDENTIALS }}" | base64 -d | jq
+      #     echo $GOOGLE_BACKEND_CREDENTIALS | base64 -d | jq
+      #     echo "${{ steps.vault-secrets.outputs.GOOGLE_BACKEND_CREDENTIALS }}" | base64 -d | jq
+
+      # - uses: actions/checkout@v4
+  
+  # validate:
+  #   runs-on: ubuntu-latest
+  #   name: Validate terraform configuration
+  #   env:
+  #     OPENTOFU_VERSION: 1.8.2
+  #     TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.access_token }}
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
+
+  #     - name: terraform validate
+  #       uses: dflook/terraform-validate@v1
+  #       with:
+  #         path: hashicorp-vault/iac
+
+  # fmt-check:
+  #   runs-on: ubuntu-latest
+  #   name: Check formatting of terraform files
+  #   env:
+  #     OPENTOFU_VERSION: 1.8.2
+  #     TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.access_token }}
+  #   steps:
+  #     - name: Checkout
+  #       uses: actions/checkout@v4
+
+  #     - name: terraform fmt
+  #       uses: dflook/terraform-fmt-check@v1
+  #       with:
+  #         path: hashicorp-vault/iac
+
+  tofu:
+    name: Tofu - Vault IAC
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - uses: dflook/terraform-plan@v1
+        with:
+          path: hashicorp-vault/iac
+      # - name: terraform apply
+      #   uses: dflook/terraform-apply@v1
+      #   with:
+      #     path: hashicorp-vault/iac
+
+  # - name: init
+  #   uses: docker://ghcr.io/opentofu/opentofu:latest
+  #   run: |
+  #     tofu -chdir=hashicorp-vault/iac init
+  # - name: plan
+  #   uses: docker://ghcr.io/opentofu/opentofu:latest
+  #   run: |
+  #     tofu -chdir=hashicorp-vault/iac plan -no-color -lock=false
+  # - name: apply
+  #   uses: docker://ghcr.io/opentofu/opentofu:latest
+  #   run: |
+  #     tofu -chdir=hashicorp-vault/iac apply -no-color -auto-approve

.gitignore

@@ -1,3 +1,5 @@
 .DS_Store
 Chart.lock
 */charts/*.tgz
+.terraform
+.terraform.lock.hcl

hashicorp-vault/.helmignore

@@ -21,3 +21,4 @@
 .idea/
 *.tmproj
 .vscode/
+iac/

hashicorp-vault/iac/main.tf

@@ -0,0 +1,39 @@
+terraform {
+  backend "gcs" {
+    bucket  = "arcodange-tf"
+    prefix  = "tools/hashicorp_vault/main"
+  }
+}
+
+variable "vault_address" {
+  type = string
+  default = "http://127.0.0.1:8200"
+}
+
+terraform {
+    required_providers {
+      vault = {
+        source = "vault"
+        version = "4.4.0"
+      }
+    }
+}
+
+provider vault {
+    address = var.vault_address
+    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+        role = "admin"
+    }
+}
+
+data "vault_policy_document" "admin" {
+  rule {
+    path         = "*"
+    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+    description  = "admin privileges"
+  }
+}
+resource "vault_policy" "admin" {
+    name = "admin"
+    policy = data.vault_policy_document.admin.hcl
+}

hashicorp-vault/values.yaml

@@ -5,7 +5,7 @@ vault: &vault_config
   
   server:
     enabled: true
-    logLevel: debug
+    logLevel: trace
   
     ingress:
       enabled: true