tofu fmt -recursive and kvv1/cloudflare permission for cms project

2025-10-24 18:00:16 +02:00
parent be6e6135d7
commit ea9e41ff1a
6 changed files with 63 additions and 57 deletions
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -13,46 +13,51 @@ data "vault_policy_document" "ops" {

  # use terraform vault provider
  rule {
-    path = "auth/token/create"
-    capabilities = ["create","update"]
+    path         = "auth/token/create"
+    capabilities = ["create", "update"]
  }

  # check on mounted auth backend (such as k8s)
  rule {
-    path = "sys/mounts/auth/*"
-    capabilities = [ "read" ]
+    path         = "sys/mounts/auth/*"
+    capabilities = ["read"]
  }
  # read google credentials for terraform gcs backend
  rule {
-    path = "kvv1/google/credentials"
-    capabilities = [ "read" ]
+    path         = "kvv1/google/credentials"
+    capabilities = ["read"]
+  }
+  # read cloudflare credentials for terraform cloudflare backend
+  rule {
+    path         = "kvv1/cloudflare"
+    capabilities = ["read"]
  }
  # read tofu_module_reader gitea bot user ssh keys
  rule {
-    path = "kvv1/gitea/tofu_module_reader"
-    capabilities = [ "read" ]
+    path         = "kvv1/gitea/tofu_module_reader"
+    capabilities = ["read"]
  }

  # edit postgres credentials access permissions
  rule {
-    path = "postgres/roles/${local.name}*"
-    capabilities = [ "read", "list", "create", "update", "delete" ]
+    path         = "postgres/roles/${local.name}*"
+    capabilities = ["read", "list", "create", "update", "delete"]
  }
  # edit k8s role
  rule {
-    path = "auth/kubernetes/role/${local.name}*"
-    capabilities = [ "read", "list", "create", "update", "delete" ]
+    path         = "auth/kubernetes/role/${local.name}*"
+    capabilities = ["read", "list", "create", "update", "delete"]
    allowed_parameter {
-      key = "*"
+      key   = "*"
      value = []
    }
    allowed_parameter {
-      key = "bound_service_account_names"
-      value = [ jsonencode([local.name]) ]
+      key   = "bound_service_account_names"
+      value = [jsonencode([local.name])]
    }
    allowed_parameter {
-      key = "bound_service_account_namespaces"
-      value = [ jsonencode([local.name]) ]
+      key   = "bound_service_account_namespaces"
+      value = [jsonencode([local.name])]
    }
    allowed_parameter {
      key = "token_policies"
@@ -61,28 +66,28 @@ data "vault_policy_document" "ops" {
        jsonencode([local.name, "default"])
      ]
    }
-    
+
  }
  # allow editing app secrets
  rule {
-    path = "kvv2/data/${local.name}/*"
-    capabilities = [ "create", "update", "read", "delete" ]
+    path         = "kvv2/data/${local.name}/*"
+    capabilities = ["create", "update", "read", "delete"]
  }
  rule {
-    path = "kvv2/delete/${local.name}/*"
-    capabilities = [ "update" ]
+    path         = "kvv2/delete/${local.name}/*"
+    capabilities = ["update"]
  }
  rule {
-    path = "kvv2/undelete/${local.name}/*"
-    capabilities = [ "update" ]
+    path         = "kvv2/undelete/${local.name}/*"
+    capabilities = ["update"]
  }
  rule {
-    path = "kvv2/destroy/${local.name}/*"
-    capabilities = [ "update" ]
+    path         = "kvv2/destroy/${local.name}/*"
+    capabilities = ["update"]
  }
  rule {
-    path = "kvv2/metadata/${local.name}/*"
-    capabilities = [ "read", "list", "delete" ]
+    path         = "kvv2/metadata/${local.name}/*"
+    capabilities = ["read", "list", "delete"]
  }
  # allow edit vault role (risky ?)
 }
@@ -94,7 +99,7 @@ resource "vault_policy" "ops" {
  +   "bound_service_account_names" = [["webapp"]]
    }
  */
-  
+
  policy = replace(
    replace(
      data.vault_policy_document.ops.hcl,
@@ -105,26 +110,26 @@ resource "vault_policy" "ops" {
 }

 resource "vault_identity_group" "ops" {
-  name     = "${local.name}-ops"
-  type     = "internal"
+  name                       = "${local.name}-ops"
+  type                       = "internal"
  external_member_entity_ids = true
-  policies = [vault_policy.ops.name]
+  policies                   = [vault_policy.ops.name]
 }

 data "vault_auth_backend" "gitea_jwt" {
  path = "gitea_jwt"
 }
 resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
-  backend         = data.vault_auth_backend.gitea_jwt.path
-  role_name       = "gitea_cicd_${local.name}"
-  token_policies  = ["default"] # give "${local.name}-ops" role to group of entities
+  backend        = data.vault_auth_backend.gitea_jwt.path
+  role_name      = "gitea_cicd_${local.name}"
+  token_policies = ["default"] # give "${local.name}-ops" role to group of entities

  bound_audiences = [
    var.gitea_app_id,
  ]
-  
-  user_claim      = "email"
-  role_type       = "jwt"
+
+  user_claim = "email"
+  role_type  = "jwt"
 }

 data "vault_policy_document" "app" {
@@ -138,6 +143,6 @@ data "vault_policy_document" "app" {
  }
 }
 resource "vault_policy" "app" {
-    name = "${local.name}"
-    policy = data.vault_policy_document.app.hcl
+  name   = local.name
+  policy = data.vault_policy_document.app.hcl
 }
--- a/hashicorp-vault/iac/modules/app_roles/main.tf
+++ b/hashicorp-vault/iac/modules/app_roles/main.tf
@@ -3,27 +3,27 @@ data "vault_auth_backend" "kubernetes" {
 }

 locals {
-  name = lower(var.name)
+  name     = lower(var.name)
  database = var.database == null ? local.name : var.database

  vault_mount_postgres = { path = "postgres" }
-  vault_mount_kvv2 = { path = "kvv2" }
+  vault_mount_kvv2     = { path = "kvv2" }
 }

 resource "vault_database_secret_backend_role" "role" {
-  backend             = local.vault_mount_postgres.path
-  name                = "${local.name}"
-  db_name             = "postgres"
+  backend = local.vault_mount_postgres.path
+  name    = local.name
+  db_name = "postgres"
  creation_statements = [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT ${local.name}_role TO \"{{name}}\";",
-  ] 
+  ]
  revocation_statements = [
    "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";", # should we drop the role ?
  ]
-  renew_statements=[]
-  rollback_statements=[]
+  renew_statements    = []
+  rollback_statements = []
 }

 resource "vault_kubernetes_auth_backend_role" "role" {
--- a/hashicorp-vault/iac/modules/app_roles/outputs.tf
+++ b/hashicorp-vault/iac/modules/app_roles/outputs.tf
@@ -6,8 +6,8 @@ output "database" {
 }
 output "mount_paths" {
  value = {
-    k8s = data.vault_auth_backend.kubernetes.path
-    pg = local.vault_mount_postgres.path
+    k8s  = data.vault_auth_backend.kubernetes.path
+    pg   = local.vault_mount_postgres.path
    kvv2 = local.vault_mount_kvv2.path
  }
 }
--- a/hashicorp-vault/iac/modules/app_roles/providers.tf
+++ b/hashicorp-vault/iac/modules/app_roles/providers.tf
@@ -1,8 +1,8 @@
 terraform {
-    required_providers {
-      vault = {
-        source = "vault"
-        version = ">= 4.4.0"
-      }
+  required_providers {
+    vault = {
+      source  = "vault"
+      version = ">= 4.4.0"
    }
+  }
 }
--- a/hashicorp-vault/iac/modules/app_roles/variables.tf
+++ b/hashicorp-vault/iac/modules/app_roles/variables.tf
@@ -2,7 +2,7 @@ variable "name" {
  type = string
 }
 variable "database" {
-  type = string
+  type     = string
  nullable = true
-  default = null
+  default  = null
 }
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,4 +1,5 @@
 applications = [
  "webapp",
  "erp",
+  "cms",
 ]