configure vault secrets operator

2024-10-16 09:09:02 +02:00
parent 3a506543ce
commit bbb0bc7d5f
10 changed files with 438 additions and 74 deletions
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -0,0 +1,138 @@
+
+# jwt cicd app ops
+# allow creating
+# - vault role
+# - backend k8s
+# - postgres role
+
+locals {
+  name = lower(var.name)
+}
+
+data "vault_policy_document" "ops" {
+
+  # use terraform vault provider
+  rule {
+    path = "auth/token/create"
+    capabilities = ["create","update"]
+  }
+
+  # check on mounted auth backend (such as k8s)
+  rule {
+    path = "sys/mounts/auth/*"
+    capabilities = [ "read" ]
+  }
+  # read google credentials for terraform gcs backend
+  rule {
+    path = "kvv1/google/credentials"
+    capabilities = [ "read" ]
+  }
+
+  # edit postgres credentials access permissions
+  rule {
+    path = "postgres/roles/${local.name}*"
+    capabilities = [ "read", "list", "create", "update", "delete" ]
+  }
+  # edit k8s role
+  rule {
+    path = "auth/kubernetes/role/${local.name}*"
+    capabilities = [ "read", "list", "create", "update", "delete" ]
+    allowed_parameter {
+      key = "*"
+      value = []
+    }
+    allowed_parameter {
+      key = "bound_service_account_names"
+      value = [ jsonencode([local.name]) ]
+    }
+    allowed_parameter {
+      key = "bound_service_account_namespaces"
+      value = [ jsonencode([local.name]) ]
+    }
+    allowed_parameter {
+      key = "token_policies"
+      value = [
+        jsonencode(["default", local.name]),
+        jsonencode([local.name, "default"])
+      ]
+    }
+    
+  }
+  # allow editing app secrets
+  rule {
+    path = "kvv2/data/${local.name}/*"
+    capabilities = [ "create", "update", "read", "delete" ]
+  }
+  rule {
+    path = "kvv2/delete/${local.name}/*"
+    capabilities = [ "update" ]
+  }
+  rule {
+    path = "kvv2/undelete/${local.name}/*"
+    capabilities = [ "update" ]
+  }
+  rule {
+    path = "kvv2/destroy/${local.name}/*"
+    capabilities = [ "update" ]
+  }
+  rule {
+    path = "kvv2/metadata/${local.name}/*"
+    capabilities = [ "read", "list", "delete" ]
+  }
+  # allow edit vault role (risky ?)
+}
+resource "vault_policy" "ops" {
+  name = "${local.name}-ops"
+  /*
+    allowed_parameters = {
+  -   "bound_service_account_names" = ["["webapp"]"]
+  +   "bound_service_account_names" = [["webapp"]]
+    }
+  */
+  
+  policy = replace(
+    replace(
+      data.vault_policy_document.ops.hcl,
+      "\"[\"", "[\""
+    ),
+    "\"]\"", "\"]"
+  )
+}
+
+resource "vault_identity_group" "ops" {
+  name     = "${local.name}-ops"
+  type     = "internal"
+  external_member_entity_ids = true
+  policies = [vault_policy.ops.name]
+}
+
+data "vault_auth_backend" "gitea_jwt" {
+  path = "gitea_jwt"
+}
+resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
+  backend         = data.vault_auth_backend.gitea_jwt.path
+  role_name       = "gitea_cicd_${local.name}"
+  token_policies  = ["default"] # give "${local.name}-ops" role to group of entities
+
+  bound_audiences = [
+    var.gitea_app_id,
+  ]
+  
+  user_claim      = "email"
+  role_type       = "jwt"
+}
+
+data "vault_policy_document" "app" {
+  rule {
+    path         = "kvv2/data/${local.name}/*"
+    capabilities = ["read", "list"]
+  }
+  rule {
+    path         = "postgres/creds/${local.name}*"
+    capabilities = ["read"]
+  }
+}
+resource "vault_policy" "app" {
+    name = "${local.name}"
+    policy = data.vault_policy_document.app.hcl
+}
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -0,0 +1,6 @@
+variable "name" {
+  type = string
+}
+variable "gitea_app_id" {
+  type = string
+}