arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tofu fmt -recursive and kvv1/cloudflare permission for cms project
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 55s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gabriel Radureau
2025-10-24 18:00:16 +02:00
parent be6e6135d7
commit ea9e41ff1a
6 changed files with 63 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
hashicorp-vault/iac/modules/app_policy/main.tf
View File

@@ -13,46 +13,51 @@ data "vault_policy_document" "ops" {
# use terraform vault provider
rule {
path = "auth/token/create"
capabilities = ["create","update"]
path = "auth/token/create"
capabilities = ["create", "update"]
}
# check on mounted auth backend (such as k8s)
rule {
path = "sys/mounts/auth/*"
capabilities = [ "read" ]
path = "sys/mounts/auth/*"
capabilities = ["read"]
}
# read google credentials for terraform gcs backend
rule {
path = "kvv1/google/credentials"
capabilities = [ "read" ]
path = "kvv1/google/credentials"
capabilities = ["read"]
}
# read cloudflare credentials for terraform cloudflare backend
rule {
path = "kvv1/cloudflare"
capabilities = ["read"]
}
# read tofu_module_reader gitea bot user ssh keys
rule {
path = "kvv1/gitea/tofu_module_reader"
capabilities = [ "read" ]
path = "kvv1/gitea/tofu_module_reader"
capabilities = ["read"]
}
# edit postgres credentials access permissions
rule {
path = "postgres/roles/${local.name}*"
capabilities = [ "read", "list", "create", "update", "delete" ]
path = "postgres/roles/${local.name}*"
capabilities = ["read", "list", "create", "update", "delete"]
}
# edit k8s role
rule {
path = "auth/kubernetes/role/${local.name}*"
capabilities = [ "read", "list", "create", "update", "delete" ]
path = "auth/kubernetes/role/${local.name}*"
capabilities = ["read", "list", "create", "update", "delete"]
allowed_parameter {
key = "*"
key = "*"
value = []
}
allowed_parameter {
key = "bound_service_account_names"
value = [ jsonencode([local.name]) ]
key = "bound_service_account_names"
value = [jsonencode([local.name])]
}
allowed_parameter {
key = "bound_service_account_namespaces"
value = [ jsonencode([local.name]) ]
key = "bound_service_account_namespaces"
value = [jsonencode([local.name])]
}
allowed_parameter {
key = "token_policies"
@@ -61,28 +66,28 @@ data "vault_policy_document" "ops" {
jsonencode([local.name, "default"])
]
}
}
# allow editing app secrets
rule {
path = "kvv2/data/${local.name}/*"
capabilities = [ "create", "update", "read", "delete" ]
path = "kvv2/data/${local.name}/*"
capabilities = ["create", "update", "read", "delete"]
}
rule {
path = "kvv2/delete/${local.name}/*"
capabilities = [ "update" ]
path = "kvv2/delete/${local.name}/*"
capabilities = ["update"]
}
rule {
path = "kvv2/undelete/${local.name}/*"
capabilities = [ "update" ]
path = "kvv2/undelete/${local.name}/*"
capabilities = ["update"]
}
rule {
path = "kvv2/destroy/${local.name}/*"
capabilities = [ "update" ]
path = "kvv2/destroy/${local.name}/*"
capabilities = ["update"]
}
rule {
path = "kvv2/metadata/${local.name}/*"
capabilities = [ "read", "list", "delete" ]
path = "kvv2/metadata/${local.name}/*"
capabilities = ["read", "list", "delete"]
}
# allow edit vault role (risky ?)
}
@@ -94,7 +99,7 @@ resource "vault_policy" "ops" {
+ "bound_service_account_names" = [["webapp"]]
}
*/
policy = replace(
replace(
data.vault_policy_document.ops.hcl,
@@ -105,26 +110,26 @@ resource "vault_policy" "ops" {
}
resource "vault_identity_group" "ops" {
name = "${local.name}-ops"
type = "internal"
name = "${local.name}-ops"
type = "internal"
external_member_entity_ids = true
policies = [vault_policy.ops.name]
policies = [vault_policy.ops.name]
}
data "vault_auth_backend" "gitea_jwt" {
path = "gitea_jwt"
}
resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
backend = data.vault_auth_backend.gitea_jwt.path
role_name = "gitea_cicd_${local.name}"
token_policies = ["default"] # give "${local.name}-ops" role to group of entities
backend = data.vault_auth_backend.gitea_jwt.path
role_name = "gitea_cicd_${local.name}"
token_policies = ["default"] # give "${local.name}-ops" role to group of entities
bound_audiences = [
var.gitea_app_id,
]
user_claim = "email"
role_type = "jwt"
user_claim = "email"
role_type = "jwt"
}
data "vault_policy_document" "app" {
@@ -138,6 +143,6 @@ data "vault_policy_document" "app" {
}
}
resource "vault_policy" "app" {
name = "${local.name}"
policy = data.vault_policy_document.app.hcl
name = local.name
policy = data.vault_policy_document.app.hcl
}