diff --git a/hashicorp-vault/iac/modules/app_policy/main.tf b/hashicorp-vault/iac/modules/app_policy/main.tf
index 332b3f0..b8d8d63 100644
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -13,46 +13,51 @@ data "vault_policy_document" "ops" { # use terraform vault provider rule { - path = "auth/token/create" - capabilities = ["create","update"] + path = "auth/token/create" + capabilities = ["create", "update"] } # check on mounted auth backend (such as k8s) rule { - path = "sys/mounts/auth/*" - capabilities = [ "read" ] + path = "sys/mounts/auth/*" + capabilities = ["read"] } # read google credentials for terraform gcs backend rule { - path = "kvv1/google/credentials" - capabilities = [ "read" ] + path = "kvv1/google/credentials" + capabilities = ["read"] + } + # read cloudflare credentials for terraform cloudflare backend + rule { + path = "kvv1/cloudflare" + capabilities = ["read"] } # read tofu_module_reader gitea bot user ssh keys rule { - path = "kvv1/gitea/tofu_module_reader" - capabilities = [ "read" ] + path = "kvv1/gitea/tofu_module_reader" + capabilities = ["read"] } # edit postgres credentials access permissions rule { - path = "postgres/roles/${local.name}*" - capabilities = [ "read", "list", "create", "update", "delete" ] + path = "postgres/roles/${local.name}*" + capabilities = ["read", "list", "create", "update", "delete"] } # edit k8s role rule { - path = "auth/kubernetes/role/${local.name}*" - capabilities = [ "read", "list", "create", "update", "delete" ] + path = "auth/kubernetes/role/${local.name}*" + capabilities = ["read", "list", "create", "update", "delete"] allowed_parameter { - key = "*" + key = "*" value = [] } allowed_parameter { - key = "bound_service_account_names" - value = [ jsonencode([local.name]) ] + key = "bound_service_account_names" + value = [jsonencode([local.name])] } allowed_parameter { - key = "bound_service_account_namespaces" - value = [ jsonencode([local.name]) ] + key = "bound_service_account_namespaces" + value = [jsonencode([local.name])] } allowed_parameter { key = "token_policies" 
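Review bot: The added `kvv1/cloudflare` read rule is not parameterized by `${local.name}` (unlike the `postgres/`, `auth/kubernetes/` and `kvv2/` rules in this same document), so every application's ops policy — and every `gitea_cicd_<app>` CI identity that lands in the `<app>-ops` group — can read one and the same Cloudflare credential, and a compromise of any single pipeline exposes a token that presumably controls DNS for all zones. Consider a per-application secret, `path = "kvv1/cloudflare/${local.name}"`, backed by Cloudflare API tokens scoped to that application's zone, or at least a comment on the rule stating that this credential is deliberately shared across all applications. Note also that the path has no trailing `*`, so it matches only the exact key `kvv1/cloudflare`; if the credential is written under `kvv1/cloudflare/<key>` (as `kvv1/google/credentials` is) the read is denied — confirm against where the secret is actually stored. The word "backend" in the rule comment presumably means the Terraform Cloudflare provider, since Terraform has no Cloudflare state backend; `# read cloudflare credentials for the terraform cloudflare provider` would be clearer. The enclosing `data "vault_policy_document" "ops"` block continues past the end of the hunk.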
@@ -61,28 +66,28 @@ data "vault_policy_document" "ops" { jsonencode([local.name, "default"]) ] } - + } # allow editing app secrets rule { - path = "kvv2/data/${local.name}/*" - capabilities = [ "create", "update", "read", "delete" ] + path = "kvv2/data/${local.name}/*" + capabilities = ["create", "update", "read", "delete"] } rule { - path = "kvv2/delete/${local.name}/*" - capabilities = [ "update" ] + path = "kvv2/delete/${local.name}/*" + capabilities = ["update"] } rule { - path = "kvv2/undelete/${local.name}/*" - capabilities = [ "update" ] + path = "kvv2/undelete/${local.name}/*" + capabilities = ["update"] } rule { - path = "kvv2/destroy/${local.name}/*" - capabilities = [ "update" ] + path = "kvv2/destroy/${local.name}/*" + capabilities = ["update"] } rule { - path = "kvv2/metadata/${local.name}/*" - capabilities = [ "read", "list", "delete" ] + path = "kvv2/metadata/${local.name}/*" + capabilities = ["read", "list", "delete"] } # allow edit vault role (risky ?) } @@ -94,7 +99,7 @@ resource "vault_policy" "ops" { + "bound_service_account_names" = [["webapp"]] } */ - + policy = replace( replace( data.vault_policy_document.ops.hcl, 
@@ -105,26 +110,26 @@ resource "vault_policy" "ops" { } resource "vault_identity_group" "ops" { - name = "${local.name}-ops" - type = "internal" + name = "${local.name}-ops" + type = "internal" external_member_entity_ids = true - policies = [vault_policy.ops.name] + policies = [vault_policy.ops.name] } data "vault_auth_backend" "gitea_jwt" { path = "gitea_jwt" } resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" { - backend = data.vault_auth_backend.gitea_jwt.path - role_name = "gitea_cicd_${local.name}" - token_policies = ["default"] # give "${local.name}-ops" role to group of entities + backend = data.vault_auth_backend.gitea_jwt.path + role_name = "gitea_cicd_${local.name}" + token_policies = ["default"] # give "${local.name}-ops" role to group of entities bound_audiences = [ var.gitea_app_id, ] - - user_claim = "email" - role_type = "jwt" + + user_claim = "email" + role_type = "jwt" } data "vault_policy_document" "app" { @@ -138,6 +143,6 @@ data "vault_policy_document" "app" { } } resource "vault_policy" "app" { - name = "${local.name}" - policy = data.vault_policy_document.app.hcl + name = local.name + policy = data.vault_policy_document.app.hcl } \ No newline at end of file diff --git a/hashicorp-vault/iac/modules/app_roles/main.tf b/hashicorp-vault/iac/modules/app_roles/main.tf index 2288b3c..9b052f5 100644 --- a/hashicorp-vault/iac/modules/app_roles/main.tf +++ b/hashicorp-vault/iac/modules/app_roles/main.tf 
@@ -3,27 +3,27 @@ data "vault_auth_backend" "kubernetes" { } locals { - name = lower(var.name) + name = lower(var.name) database = var.database == null ? local.name : var.database vault_mount_postgres = { path = "postgres" } - vault_mount_kvv2 = { path = "kvv2" } + vault_mount_kvv2 = { path = "kvv2" } } resource "vault_database_secret_backend_role" "role" { - backend = local.vault_mount_postgres.path - name = "${local.name}" - db_name = "postgres" + backend = local.vault_mount_postgres.path + name = local.name + db_name = "postgres" creation_statements = [ "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';", "GRANT ${local.name}_role TO \"{{name}}\";", - ] + ] revocation_statements = [ "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;", "REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ? ] - renew_statements=[] - rollback_statements=[] + renew_statements = [] + rollback_statements = [] } resource "vault_kubernetes_auth_backend_role" "role" { diff --git a/hashicorp-vault/iac/modules/app_roles/outputs.tf b/hashicorp-vault/iac/modules/app_roles/outputs.tf index ad4dc45..e6b7531 100644 --- a/hashicorp-vault/iac/modules/app_roles/outputs.tf +++ b/hashicorp-vault/iac/modules/app_roles/outputs.tf @@ -6,8 +6,8 @@ output "database" { } output "mount_paths" { value = { - k8s = data.vault_auth_backend.kubernetes.path - pg = local.vault_mount_postgres.path + k8s = data.vault_auth_backend.kubernetes.path + pg = local.vault_mount_postgres.path kvv2 = local.vault_mount_kvv2.path } } diff --git a/hashicorp-vault/iac/modules/app_roles/providers.tf b/hashicorp-vault/iac/modules/app_roles/providers.tf index beaa32f..2890b8e 100644 --- a/hashicorp-vault/iac/modules/app_roles/providers.tf +++ b/hashicorp-vault/iac/modules/app_roles/providers.tf 
@@ -1,8 +1,8 @@ terraform { - required_providers { - vault = { - source = "vault" - version = ">= 4.4.0" - } + required_providers { + vault = { + source = "vault" + version = ">= 4.4.0" } + } } \ No newline at end of file diff --git a/hashicorp-vault/iac/modules/app_roles/variables.tf b/hashicorp-vault/iac/modules/app_roles/variables.tf index eacebd1..8b2f5f5 100644 --- a/hashicorp-vault/iac/modules/app_roles/variables.tf +++ b/hashicorp-vault/iac/modules/app_roles/variables.tf @@ -2,7 +2,7 @@ variable "name" { type = string } variable "database" { - type = string + type = string nullable = true - default = null + default = null } \ No newline at end of file diff --git a/hashicorp-vault/iac/terraform.tfvars b/hashicorp-vault/iac/terraform.tfvars index 8a1dd5c..bcc2074 100644 --- a/hashicorp-vault/iac/terraform.tfvars +++ b/hashicorp-vault/iac/terraform.tfvars @@ -1,4 +1,5 @@ applications = [ "webapp", "erp", + "cms", ] \ No newline at end of file
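Review bot: Adding `"cms"` to `applications` instantiates the per-application modules, and the `app_roles` database role shown earlier in this diff issues credentials with `GRANT cms_role TO "{{name}}"` and revokes with `REVOKE ALL ON DATABASE cms`; neither the `cms_role` Postgres role nor the `cms` database is created by this configuration, so credential generation for the `cms` role will fail at the database until they exist. A short prerequisite note next to the list, e.g. `# each entry needs an existing Postgres database <name> and role <name>_role`, would save the next operator a confusing Vault error. Be aware as well that the new app's ops policy inherits the unparameterized shared reads (`kvv1/google/credentials`, `kvv1/cloudflare`, `kvv1/gitea/tofu_module_reader`), so every application added here widens the set of identities holding those credentials.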