arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

tofu fmt -recursive and kvv1/cloudflare permission for cms project
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 55s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gabriel Radureau
2025-10-24 18:00:16 +02:00
parent be6e6135d7
commit ea9e41ff1a
6 changed files with 63 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
hashicorp-vault/iac/modules/app_policy/main.tf
View File

@@ -14,45 +14,50 @@ data "vault_policy_document" "ops" {
# use terraform vault provider
rule {
path = "auth/token/create"
capabilities = ["create","update"]
capabilities = ["create", "update"]
}
# check on mounted auth backend (such as k8s)
rule {
path = "sys/mounts/auth/*"
capabilities = [ "read" ]
capabilities = ["read"]
}
# read google credentials for terraform gcs backend
rule {
path = "kvv1/google/credentials"
capabilities = [ "read" ]
capabilities = ["read"]
}
# read cloudflare credentials for terraform cloudflare backend
rule {
path = "kvv1/cloudflare"
capabilities = ["read"]
}
# read tofu_module_reader gitea bot user ssh keys
rule {
path = "kvv1/gitea/tofu_module_reader"
capabilities = [ "read" ]
capabilities = ["read"]
}
# edit postgres credentials access permissions
rule {
path = "postgres/roles/${local.name}*"
capabilities = [ "read", "list", "create", "update", "delete" ]
capabilities = ["read", "list", "create", "update", "delete"]
}
# edit k8s role
rule {
path = "auth/kubernetes/role/${local.name}*"
capabilities = [ "read", "list", "create", "update", "delete" ]
capabilities = ["read", "list", "create", "update", "delete"]
allowed_parameter {
key = "*"
value = []
}
allowed_parameter {
key = "bound_service_account_names"
value = [ jsonencode([local.name]) ]
value = [jsonencode([local.name])]
}
allowed_parameter {
key = "bound_service_account_namespaces"
value = [ jsonencode([local.name]) ]
value = [jsonencode([local.name])]
}
allowed_parameter {
key = "token_policies"
@@ -66,23 +71,23 @@ data "vault_policy_document" "ops" {
# allow editing app secrets
rule {
path = "kvv2/data/${local.name}/*"
capabilities = [ "create", "update", "read", "delete" ]
capabilities = ["create", "update", "read", "delete"]
}
rule {
path = "kvv2/delete/${local.name}/*"
capabilities = [ "update" ]
capabilities = ["update"]
}
rule {
path = "kvv2/undelete/${local.name}/*"
capabilities = [ "update" ]
capabilities = ["update"]
}
rule {
path = "kvv2/destroy/${local.name}/*"
capabilities = [ "update" ]
capabilities = ["update"]
}
rule {
path = "kvv2/metadata/${local.name}/*"
capabilities = [ "read", "list", "delete" ]
capabilities = ["read", "list", "delete"]
}
# allow edit vault role (risky ?)
}
@@ -138,6 +143,6 @@ data "vault_policy_document" "app" {
}
}
resource "vault_policy" "app" {
name = "${local.name}"
name = local.name
policy = data.vault_policy_document.app.hcl
}

6
hashicorp-vault/iac/modules/app_roles/main.tf
View File

@@ -12,7 +12,7 @@ locals {
resource "vault_database_secret_backend_role" "role" {
backend = local.vault_mount_postgres.path
name = "${local.name}"
name = local.name
db_name = "postgres"
creation_statements = [
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
@@ -22,8 +22,8 @@ resource "vault_database_secret_backend_role" "role" {
"REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ?
]
renew_statements=[]
rollback_statements=[]
renew_statements = []
rollback_statements = []
}
resource "vault_kubernetes_auth_backend_role" "role" {

1
hashicorp-vault/iac/terraform.tfvars
View File

@@ -1,4 +1,5 @@
applications = [
"webapp",
"erp",
"cms",
]