configure vault secrets operator

hashicorp-vault/iac/main.tf

@@ -5,11 +5,6 @@ terraform {
   }
 }
 
-variable "vault_address" {
-  type = string
-  default = "http://127.0.0.1:8200"
-}
-
 terraform {
     required_providers {
       vault = {
@@ -20,20 +15,97 @@ terraform {
 }
 
 provider vault {
-    address = var.vault_address
+    address = "https://vault.arcodange.duckdns.org"
     auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-        role = "admin"
+        mount = "gitea_jwt"
+        role = "gitea_cicd"
     }
 }
 
-data "vault_policy_document" "admin" {
-  rule {
-    path         = "*"
-    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
-    description  = "admin privileges"
+resource "vault_auth_backend" "kubernetes" {
+  type = "kubernetes"
+}
+resource "vault_kubernetes_auth_backend_config" "config" {
+  backend                = vault_auth_backend.kubernetes.path
+  kubernetes_host        = "https://kubernetes.default.svc:443"
+}
+
+resource "vault_mount" "kvv2" {
+  path        = "kvv2"
+  type        = "kv"
+  options     = { version = "2" }
+  description = "KV Version 2 secret engine mount"
+}
+
+
+resource "vault_mount" "postgres" {
+  path = "postgres"
+  type = "database"
+}
+
+resource "vault_database_secret_backend_connection" "postgres" {
+  backend       = vault_mount.postgres.path
+  name          = "postgres"
+  allowed_roles = ["*"]
+  root_rotation_statements = [
+    "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';",
+  ]
+
+  postgresql {
+    connection_url = "postgresql://{{username}}:{{password}}@pgbouncer.tools:5432/postgres?sslmode=disable"
+    username = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
+    password = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
   }
 }
-resource "vault_policy" "admin" {
-    name = "admin"
-    policy = data.vault_policy_document.admin.hcl
+
+
+resource "vault_mount" "transit" {
+  path                      = "transit"
+  type                      = "transit"
+  description               = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
+#   default_lease_ttl_seconds = 3600
+#   max_lease_ttl_seconds     = 86400
+}
+resource "vault_transit_secret_backend_key" "vso_client_cache" {
+  backend = vault_mount.transit.path
+  name    = "vso-client-cache"
+}
+
+data "vault_policy_document" "vso_client_cache" {
+  rule {
+    path = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
+    capabilities = ["create", "update"]
+  }
+  rule {
+    path = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
+    capabilities = ["create", "update"]
+  }
+}
+resource "vault_policy" "vso_client_cache" {
+    name = "edit-vso-client-cache"
+    policy = data.vault_policy_document.vso_client_cache.hcl
+}
+
+resource "vault_kubernetes_auth_backend_role" "vso" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "vault-secret-operator"
+  bound_service_account_names      = ["hashicorp-vault-vault-secrets-operator-controller-manager"]
+  bound_service_account_namespaces = ["tools"]
+  token_ttl                        = 0
+  token_period                     = 120
+  token_policies                   = ["default", vault_policy.vso_client_cache.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}
+
+locals { # turn into *.tfvars ?
+  apps = toset([
+    "webapp",
+  ])
+}
+module "app_policies" {
+  source = "./modules/app_policy"
+  for_each = local.apps
+  name = each.value
+  gitea_app_id = var.gitea_app_id
 }