tofu fmt -recursive and kvv1/cloudflare permission for cms project
This commit is contained in:
@@ -14,45 +14,50 @@ data "vault_policy_document" "ops" {
|
|||||||
# use terraform vault provider
|
# use terraform vault provider
|
||||||
rule {
|
rule {
|
||||||
path = "auth/token/create"
|
path = "auth/token/create"
|
||||||
capabilities = ["create","update"]
|
capabilities = ["create", "update"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# check on mounted auth backend (such as k8s)
|
# check on mounted auth backend (such as k8s)
|
||||||
rule {
|
rule {
|
||||||
path = "sys/mounts/auth/*"
|
path = "sys/mounts/auth/*"
|
||||||
capabilities = [ "read" ]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
# read google credentials for terraform gcs backend
|
# read google credentials for terraform gcs backend
|
||||||
rule {
|
rule {
|
||||||
path = "kvv1/google/credentials"
|
path = "kvv1/google/credentials"
|
||||||
capabilities = [ "read" ]
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
# read cloudflare credentials for terraform cloudflare backend
|
||||||
|
rule {
|
||||||
|
path = "kvv1/cloudflare"
|
||||||
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
# read tofu_module_reader gitea bot user ssh keys
|
# read tofu_module_reader gitea bot user ssh keys
|
||||||
rule {
|
rule {
|
||||||
path = "kvv1/gitea/tofu_module_reader"
|
path = "kvv1/gitea/tofu_module_reader"
|
||||||
capabilities = [ "read" ]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# edit postgres credentials access permissions
|
# edit postgres credentials access permissions
|
||||||
rule {
|
rule {
|
||||||
path = "postgres/roles/${local.name}*"
|
path = "postgres/roles/${local.name}*"
|
||||||
capabilities = [ "read", "list", "create", "update", "delete" ]
|
capabilities = ["read", "list", "create", "update", "delete"]
|
||||||
}
|
}
|
||||||
# edit k8s role
|
# edit k8s role
|
||||||
rule {
|
rule {
|
||||||
path = "auth/kubernetes/role/${local.name}*"
|
path = "auth/kubernetes/role/${local.name}*"
|
||||||
capabilities = [ "read", "list", "create", "update", "delete" ]
|
capabilities = ["read", "list", "create", "update", "delete"]
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "*"
|
key = "*"
|
||||||
value = []
|
value = []
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "bound_service_account_names"
|
key = "bound_service_account_names"
|
||||||
value = [ jsonencode([local.name]) ]
|
value = [jsonencode([local.name])]
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "bound_service_account_namespaces"
|
key = "bound_service_account_namespaces"
|
||||||
value = [ jsonencode([local.name]) ]
|
value = [jsonencode([local.name])]
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "token_policies"
|
key = "token_policies"
|
||||||
@@ -66,23 +71,23 @@ data "vault_policy_document" "ops" {
|
|||||||
# allow editing app secrets
|
# allow editing app secrets
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/data/${local.name}/*"
|
path = "kvv2/data/${local.name}/*"
|
||||||
capabilities = [ "create", "update", "read", "delete" ]
|
capabilities = ["create", "update", "read", "delete"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/delete/${local.name}/*"
|
path = "kvv2/delete/${local.name}/*"
|
||||||
capabilities = [ "update" ]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/undelete/${local.name}/*"
|
path = "kvv2/undelete/${local.name}/*"
|
||||||
capabilities = [ "update" ]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/destroy/${local.name}/*"
|
path = "kvv2/destroy/${local.name}/*"
|
||||||
capabilities = [ "update" ]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/metadata/${local.name}/*"
|
path = "kvv2/metadata/${local.name}/*"
|
||||||
capabilities = [ "read", "list", "delete" ]
|
capabilities = ["read", "list", "delete"]
|
||||||
}
|
}
|
||||||
# allow edit vault role (risky ?)
|
# allow edit vault role (risky ?)
|
||||||
}
|
}
|
||||||
@@ -138,6 +143,6 @@ data "vault_policy_document" "app" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
resource "vault_policy" "app" {
|
resource "vault_policy" "app" {
|
||||||
name = "${local.name}"
|
name = local.name
|
||||||
policy = data.vault_policy_document.app.hcl
|
policy = data.vault_policy_document.app.hcl
|
||||||
}
|
}
|
||||||
@@ -12,7 +12,7 @@ locals {
|
|||||||
|
|
||||||
resource "vault_database_secret_backend_role" "role" {
|
resource "vault_database_secret_backend_role" "role" {
|
||||||
backend = local.vault_mount_postgres.path
|
backend = local.vault_mount_postgres.path
|
||||||
name = "${local.name}"
|
name = local.name
|
||||||
db_name = "postgres"
|
db_name = "postgres"
|
||||||
creation_statements = [
|
creation_statements = [
|
||||||
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
|
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
|
||||||
@@ -22,8 +22,8 @@ resource "vault_database_secret_backend_role" "role" {
|
|||||||
"REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
|
"REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
|
||||||
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ?
|
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ?
|
||||||
]
|
]
|
||||||
renew_statements=[]
|
renew_statements = []
|
||||||
rollback_statements=[]
|
rollback_statements = []
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "role" {
|
resource "vault_kubernetes_auth_backend_role" "role" {
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
applications = [
|
applications = [
|
||||||
"webapp",
|
"webapp",
|
||||||
"erp",
|
"erp",
|
||||||
|
"cms",
|
||||||
]
|
]
|
||||||
Reference in New Issue
Block a user