add app_roles terraform module for vault and declare erp app

2024-11-04 17:30:37 +01:00
parent bbb0bc7d5f
commit 784c014224
10 changed files with 105 additions and 30 deletions
--- a/hashicorp-vault/iac/backend.tf
+++ b/hashicorp-vault/iac/backend.tf
@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket  = "arcodange-tf"
+    prefix  = "tools/hashicorp_vault/main"
+  }
+}
--- a/hashicorp-vault/iac/main.tf
+++ b/hashicorp-vault/iac/main.tf
@@ -1,27 +1,3 @@
-terraform {
-  backend "gcs" {
-    bucket  = "arcodange-tf"
-    prefix  = "tools/hashicorp_vault/main"
-  }
-}
-
-terraform {
-    required_providers {
-      vault = {
-        source = "vault"
-        version = "4.4.0"
-      }
-    }
-}
-
-provider vault {
-    address = "https://vault.arcodange.duckdns.org"
-    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-        mount = "gitea_jwt"
-        role = "gitea_cicd"
-    }
-}
-
 resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
 }
@@ -98,14 +74,9 @@ resource "vault_kubernetes_auth_backend_role" "vso" {
  alias_name_source                = "serviceaccount_name"
 }

-locals { # turn into *.tfvars ?
-  apps = toset([
-    "webapp",
-  ])
-}
 module "app_policies" {
  source = "./modules/app_policy"
-  for_each = local.apps
+  for_each = var.applications
  name = each.value
  gitea_app_id = var.gitea_app_id
 }
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -27,6 +27,11 @@ data "vault_policy_document" "ops" {
    path = "kvv1/google/credentials"
    capabilities = [ "read" ]
  }
+  # read tofu_module_reader gitea bot user ssh keys
+  rule {
+    path = "kvv1/gitea/tofu_module_reader"
+    capabilities = [ "read" ]
+  }

  # edit postgres credentials access permissions
  rule {
--- a/hashicorp-vault/iac/modules/app_roles/main.tf
+++ b/hashicorp-vault/iac/modules/app_roles/main.tf
@@ -0,0 +1,38 @@
+data "vault_auth_backend" "kubernetes" {
+  path = "kubernetes"
+}
+
+locals {
+  name = lower(var.name)
+  database = var.database == null ? local.name : var.database
+
+  vault_mount_postgres = { path = "postgres" }
+  vault_mount_kvv2 = { path = "kvv2" }
+}
+
+resource "vault_database_secret_backend_role" "role" {
+  backend             = local.vault_mount_postgres.path
+  name                = "${local.name}"
+  db_name             = "postgres"
+  creation_statements = [
+    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
+    "GRANT ${local.name}_role TO \"{{name}}\";",
+  ] 
+  revocation_statements = [
+    "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
+    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";", # should we drop the role ?
+  ]
+  renew_statements=[]
+  rollback_statements=[]
+}
+
+resource "vault_kubernetes_auth_backend_role" "role" {
+  backend                          = data.vault_auth_backend.kubernetes.path
+  role_name                        = local.name
+  bound_service_account_names      = [local.name]
+  bound_service_account_namespaces = [local.name]
+  token_ttl                        = 3600
+  token_policies                   = ["default", local.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}
--- a/hashicorp-vault/iac/modules/app_roles/outputs.tf
+++ b/hashicorp-vault/iac/modules/app_roles/outputs.tf
@@ -0,0 +1,16 @@
+output "name" {
+  value = local.name
+}
+output "database" {
+  value = local.database
+}
+output "mount_paths" {
+  value = {
+    k8s = data.vault_auth_backend.kubernetes.path
+    pg = local.vault_mount_postgres.path
+    kvv2 = local.vault_mount_kvv2.path
+  }
+}
+output "kvv2_path_prefix" {
+  value = format("%s/", local.name)
+}
--- a/hashicorp-vault/iac/modules/app_roles/providers.tf
+++ b/hashicorp-vault/iac/modules/app_roles/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+    required_providers {
+      vault = {
+        source = "vault"
+        version = ">= 4.4.0"
+      }
+    }
+}
--- a/hashicorp-vault/iac/modules/app_roles/variables.tf
+++ b/hashicorp-vault/iac/modules/app_roles/variables.tf
@@ -0,0 +1,8 @@
+variable "name" {
+  type = string
+}
+variable "database" {
+  type = string
+  nullable = true
+  default = null
+}
--- a/hashicorp-vault/iac/providers.tf
+++ b/hashicorp-vault/iac/providers.tf
@@ -0,0 +1,16 @@
+terraform {
+    required_providers {
+      vault = {
+        source = "vault"
+        version = "4.4.0"
+      }
+    }
+}
+
+provider vault {
+    address = "https://vault.arcodange.duckdns.org"
+    auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+        mount = "gitea_jwt"
+        role = "gitea_cicd"
+    }
+}
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -0,0 +1,4 @@
+applications = [
+    "webapp",
+    "erp",
+]
--- a/hashicorp-vault/iac/variables.tf
+++ b/hashicorp-vault/iac/variables.tf
@@ -8,4 +8,7 @@ variable "POSTGRES_CREDENTIALS_EDITOR_USERNAME" {
 variable "POSTGRES_CREDENTIALS_EDITOR_PASSWORD" {
  type = string
  sensitive = true
+}
+variable "applications" {
+  type = set(string)
 }