Merge pull request 'feat(vault): erp prod runtime may read the shared GCS backup creds (kv_read_paths)' (#5) from claude/erp-backup-vault-read into main
This commit was merged in pull request #5.
This commit is contained in:
@@ -80,6 +80,7 @@ module "app_policies" {
|
|||||||
name = each.value.name
|
name = each.value.name
|
||||||
envs = each.value.envs
|
envs = each.value.envs
|
||||||
ops_policies = each.value.ops_policies
|
ops_policies = each.value.ops_policies
|
||||||
|
kv_read_paths = each.value.kv_read_paths
|
||||||
service_account_names = each.value.service_account_names
|
service_account_names = each.value.service_account_names
|
||||||
service_account_namespaces = each.value.service_account_namespaces
|
service_account_namespaces = each.value.service_account_namespaces
|
||||||
gitea_app_id = var.gitea_app_id
|
gitea_app_id = var.gitea_app_id
|
||||||
|
|||||||
@@ -178,6 +178,14 @@ data "vault_policy_document" "app" {
|
|||||||
path = "postgres/creds/${local.name}*"
|
path = "postgres/creds/${local.name}*"
|
||||||
capabilities = ["read"]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
# Extra shared paths this app's prod runtime may read (e.g. backup creds).
|
||||||
|
dynamic "rule" {
|
||||||
|
for_each = var.kv_read_paths
|
||||||
|
content {
|
||||||
|
path = rule.value
|
||||||
|
capabilities = ["read", "list"]
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
resource "vault_policy" "app" {
|
resource "vault_policy" "app" {
|
||||||
name = local.name
|
name = local.name
|
||||||
|
|||||||
@@ -23,3 +23,8 @@ variable "service_account_namespaces" {
|
|||||||
default = []
|
default = []
|
||||||
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
|
description = "var.name will always be included by default - whitelist service account namespaces that can take this policy"
|
||||||
}
|
}
|
||||||
|
variable "kv_read_paths" {
|
||||||
|
type = list(string)
|
||||||
|
default = []
|
||||||
|
description = "Extra kvv2 data paths the env=prod runtime policy may read (read,list) — e.g. a shared backup-creds path owned by another app (kvv2/data/longhorn/gcs-backup). Default none."
|
||||||
|
}
|
||||||
@@ -1,18 +1,22 @@
|
|||||||
applications = [
|
applications = [
|
||||||
{ name = "webapp" },
|
{ name = "webapp" },
|
||||||
{ name = "erp", envs = ["prod", "sandbox"] },
|
{
|
||||||
|
name = "erp"
|
||||||
|
envs = ["prod", "sandbox"]
|
||||||
|
kv_read_paths = ["kvv2/data/longhorn/gcs-backup"] # backup CronJob reads the shared GCS creds
|
||||||
|
},
|
||||||
{ name = "dance-lessons-coach" },
|
{ name = "dance-lessons-coach" },
|
||||||
{
|
{
|
||||||
name = "cms"
|
name = "cms"
|
||||||
ops_policies = ["factory__cf_r2_arcodange_tf"]
|
ops_policies = ["factory__cf_r2_arcodange_tf"]
|
||||||
service_account_names = ["cloudflared"]
|
service_account_names = ["cloudflared"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name = "crowdsec"
|
name = "crowdsec"
|
||||||
service_account_namespaces = ["tools"]
|
service_account_namespaces = ["tools"]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name = "plausible"
|
name = "plausible"
|
||||||
service_account_namespaces = ["tools"]
|
service_account_namespaces = ["tools"]
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
@@ -19,5 +19,8 @@ variable "applications" {
|
|||||||
# every existing app — backwards compatible by the elision rule. Non-prod envs
|
# every existing app — backwards compatible by the elision rule. Non-prod envs
|
||||||
# produce additional runtime policies named "<name>-<env>".
|
# produce additional runtime policies named "<name>-<env>".
|
||||||
envs = optional(list(string), ["prod"])
|
envs = optional(list(string), ["prod"])
|
||||||
|
# Extra kvv2 data paths the app's prod runtime policy may read (read,list) —
|
||||||
|
# e.g. a shared backup-creds path owned by another app. Default none.
|
||||||
|
kv_read_paths = optional(list(string), [])
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user