tofu fmt -recursive and kvv1/cloudflare permission for cms project
This commit is contained in:
@@ -13,46 +13,51 @@ data "vault_policy_document" "ops" {
|
|||||||
|
|
||||||
# use terraform vault provider
|
# use terraform vault provider
|
||||||
rule {
|
rule {
|
||||||
path = "auth/token/create"
|
path = "auth/token/create"
|
||||||
capabilities = ["create","update"]
|
capabilities = ["create", "update"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# check on mounted auth backend (such as k8s)
|
# check on mounted auth backend (such as k8s)
|
||||||
rule {
|
rule {
|
||||||
path = "sys/mounts/auth/*"
|
path = "sys/mounts/auth/*"
|
||||||
capabilities = [ "read" ]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
# read google credentials for terraform gcs backend
|
# read google credentials for terraform gcs backend
|
||||||
rule {
|
rule {
|
||||||
path = "kvv1/google/credentials"
|
path = "kvv1/google/credentials"
|
||||||
capabilities = [ "read" ]
|
capabilities = ["read"]
|
||||||
|
}
|
||||||
|
# read cloudflare credentials for terraform cloudflare backend
|
||||||
|
rule {
|
||||||
|
path = "kvv1/cloudflare"
|
||||||
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
# read tofu_module_reader gitea bot user ssh keys
|
# read tofu_module_reader gitea bot user ssh keys
|
||||||
rule {
|
rule {
|
||||||
path = "kvv1/gitea/tofu_module_reader"
|
path = "kvv1/gitea/tofu_module_reader"
|
||||||
capabilities = [ "read" ]
|
capabilities = ["read"]
|
||||||
}
|
}
|
||||||
|
|
||||||
# edit postgres credentials access permissions
|
# edit postgres credentials access permissions
|
||||||
rule {
|
rule {
|
||||||
path = "postgres/roles/${local.name}*"
|
path = "postgres/roles/${local.name}*"
|
||||||
capabilities = [ "read", "list", "create", "update", "delete" ]
|
capabilities = ["read", "list", "create", "update", "delete"]
|
||||||
}
|
}
|
||||||
# edit k8s role
|
# edit k8s role
|
||||||
rule {
|
rule {
|
||||||
path = "auth/kubernetes/role/${local.name}*"
|
path = "auth/kubernetes/role/${local.name}*"
|
||||||
capabilities = [ "read", "list", "create", "update", "delete" ]
|
capabilities = ["read", "list", "create", "update", "delete"]
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "*"
|
key = "*"
|
||||||
value = []
|
value = []
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "bound_service_account_names"
|
key = "bound_service_account_names"
|
||||||
value = [ jsonencode([local.name]) ]
|
value = [jsonencode([local.name])]
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "bound_service_account_namespaces"
|
key = "bound_service_account_namespaces"
|
||||||
value = [ jsonencode([local.name]) ]
|
value = [jsonencode([local.name])]
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "token_policies"
|
key = "token_policies"
|
||||||
@@ -61,28 +66,28 @@ data "vault_policy_document" "ops" {
|
|||||||
jsonencode([local.name, "default"])
|
jsonencode([local.name, "default"])
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
# allow editing app secrets
|
# allow editing app secrets
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/data/${local.name}/*"
|
path = "kvv2/data/${local.name}/*"
|
||||||
capabilities = [ "create", "update", "read", "delete" ]
|
capabilities = ["create", "update", "read", "delete"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/delete/${local.name}/*"
|
path = "kvv2/delete/${local.name}/*"
|
||||||
capabilities = [ "update" ]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/undelete/${local.name}/*"
|
path = "kvv2/undelete/${local.name}/*"
|
||||||
capabilities = [ "update" ]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/destroy/${local.name}/*"
|
path = "kvv2/destroy/${local.name}/*"
|
||||||
capabilities = [ "update" ]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/metadata/${local.name}/*"
|
path = "kvv2/metadata/${local.name}/*"
|
||||||
capabilities = [ "read", "list", "delete" ]
|
capabilities = ["read", "list", "delete"]
|
||||||
}
|
}
|
||||||
# allow edit vault role (risky ?)
|
# allow edit vault role (risky ?)
|
||||||
}
|
}
|
||||||
@@ -94,7 +99,7 @@ resource "vault_policy" "ops" {
|
|||||||
+ "bound_service_account_names" = [["webapp"]]
|
+ "bound_service_account_names" = [["webapp"]]
|
||||||
}
|
}
|
||||||
*/
|
*/
|
||||||
|
|
||||||
policy = replace(
|
policy = replace(
|
||||||
replace(
|
replace(
|
||||||
data.vault_policy_document.ops.hcl,
|
data.vault_policy_document.ops.hcl,
|
||||||
@@ -105,26 +110,26 @@ resource "vault_policy" "ops" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
resource "vault_identity_group" "ops" {
|
resource "vault_identity_group" "ops" {
|
||||||
name = "${local.name}-ops"
|
name = "${local.name}-ops"
|
||||||
type = "internal"
|
type = "internal"
|
||||||
external_member_entity_ids = true
|
external_member_entity_ids = true
|
||||||
policies = [vault_policy.ops.name]
|
policies = [vault_policy.ops.name]
|
||||||
}
|
}
|
||||||
|
|
||||||
data "vault_auth_backend" "gitea_jwt" {
|
data "vault_auth_backend" "gitea_jwt" {
|
||||||
path = "gitea_jwt"
|
path = "gitea_jwt"
|
||||||
}
|
}
|
||||||
resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
|
resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
|
||||||
backend = data.vault_auth_backend.gitea_jwt.path
|
backend = data.vault_auth_backend.gitea_jwt.path
|
||||||
role_name = "gitea_cicd_${local.name}"
|
role_name = "gitea_cicd_${local.name}"
|
||||||
token_policies = ["default"] # give "${local.name}-ops" role to group of entities
|
token_policies = ["default"] # give "${local.name}-ops" role to group of entities
|
||||||
|
|
||||||
bound_audiences = [
|
bound_audiences = [
|
||||||
var.gitea_app_id,
|
var.gitea_app_id,
|
||||||
]
|
]
|
||||||
|
|
||||||
user_claim = "email"
|
user_claim = "email"
|
||||||
role_type = "jwt"
|
role_type = "jwt"
|
||||||
}
|
}
|
||||||
|
|
||||||
data "vault_policy_document" "app" {
|
data "vault_policy_document" "app" {
|
||||||
@@ -138,6 +143,6 @@ data "vault_policy_document" "app" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
resource "vault_policy" "app" {
|
resource "vault_policy" "app" {
|
||||||
name = "${local.name}"
|
name = local.name
|
||||||
policy = data.vault_policy_document.app.hcl
|
policy = data.vault_policy_document.app.hcl
|
||||||
}
|
}
|
||||||
@@ -3,27 +3,27 @@ data "vault_auth_backend" "kubernetes" {
|
|||||||
}
|
}
|
||||||
|
|
||||||
locals {
|
locals {
|
||||||
name = lower(var.name)
|
name = lower(var.name)
|
||||||
database = var.database == null ? local.name : var.database
|
database = var.database == null ? local.name : var.database
|
||||||
|
|
||||||
vault_mount_postgres = { path = "postgres" }
|
vault_mount_postgres = { path = "postgres" }
|
||||||
vault_mount_kvv2 = { path = "kvv2" }
|
vault_mount_kvv2 = { path = "kvv2" }
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "vault_database_secret_backend_role" "role" {
|
resource "vault_database_secret_backend_role" "role" {
|
||||||
backend = local.vault_mount_postgres.path
|
backend = local.vault_mount_postgres.path
|
||||||
name = "${local.name}"
|
name = local.name
|
||||||
db_name = "postgres"
|
db_name = "postgres"
|
||||||
creation_statements = [
|
creation_statements = [
|
||||||
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
|
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
|
||||||
"GRANT ${local.name}_role TO \"{{name}}\";",
|
"GRANT ${local.name}_role TO \"{{name}}\";",
|
||||||
]
|
]
|
||||||
revocation_statements = [
|
revocation_statements = [
|
||||||
"REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
|
"REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
|
||||||
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ?
|
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ?
|
||||||
]
|
]
|
||||||
renew_statements=[]
|
renew_statements = []
|
||||||
rollback_statements=[]
|
rollback_statements = []
|
||||||
}
|
}
|
||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "role" {
|
resource "vault_kubernetes_auth_backend_role" "role" {
|
||||||
|
|||||||
@@ -6,8 +6,8 @@ output "database" {
|
|||||||
}
|
}
|
||||||
output "mount_paths" {
|
output "mount_paths" {
|
||||||
value = {
|
value = {
|
||||||
k8s = data.vault_auth_backend.kubernetes.path
|
k8s = data.vault_auth_backend.kubernetes.path
|
||||||
pg = local.vault_mount_postgres.path
|
pg = local.vault_mount_postgres.path
|
||||||
kvv2 = local.vault_mount_kvv2.path
|
kvv2 = local.vault_mount_kvv2.path
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,8 +1,8 @@
|
|||||||
terraform {
|
terraform {
|
||||||
required_providers {
|
required_providers {
|
||||||
vault = {
|
vault = {
|
||||||
source = "vault"
|
source = "vault"
|
||||||
version = ">= 4.4.0"
|
version = ">= 4.4.0"
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
@@ -2,7 +2,7 @@ variable "name" {
|
|||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
variable "database" {
|
variable "database" {
|
||||||
type = string
|
type = string
|
||||||
nullable = true
|
nullable = true
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
@@ -1,4 +1,5 @@
|
|||||||
applications = [
|
applications = [
|
||||||
"webapp",
|
"webapp",
|
||||||
"erp",
|
"erp",
|
||||||
|
"cms",
|
||||||
]
|
]
|
||||||
Reference in New Issue
Block a user