Compare commits
2 Commits
50f8ea95be
...
2d5ec8a859
| Author | SHA1 | Date | |
|---|---|---|---|
| 2d5ec8a859 | |||
| c490d37fd7 |
25
hashicorp-vault/iac/factory_auth.tf
Normal file
25
hashicorp-vault/iac/factory_auth.tf
Normal file
@@ -0,0 +1,25 @@
|
||||
locals {
|
||||
factory_crowdsec_conf_sa_name = "factory-ansible-tool-crowdsec-traefik-plugin"
|
||||
}
|
||||
|
||||
|
||||
data "vault_policy_document" "factory_crowdsec_conf" {
|
||||
rule {
|
||||
path = "kvv2/data/cms/factory/*" # cms.git//cloudflare/iac.tf
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
}
|
||||
resource "vault_policy" "factory_crowdsec_conf" {
|
||||
name = "factory_crowdsec_conf"
|
||||
policy = data.vault_policy_document.factory_crowdsec_conf.hcl
|
||||
}
|
||||
resource "vault_kubernetes_auth_backend_role" "factory_crowdsec_conf" {
|
||||
backend = vault_auth_backend.kubernetes.path
|
||||
role_name = "factory_crowdsec_conf"
|
||||
bound_service_account_names = [local.factory_crowdsec_conf_sa_name]
|
||||
bound_service_account_namespaces = ["kube-system"]
|
||||
token_ttl = 3600
|
||||
token_policies = ["default", vault_policy.factory_crowdsec_conf.name]
|
||||
audience = "vault"
|
||||
alias_name_source = "serviceaccount_name"
|
||||
}
|
||||
@@ -78,7 +78,7 @@ module "app_policies" {
|
||||
source = "./modules/app_policy"
|
||||
for_each = { for app in var.applications : app.name => app }
|
||||
name = each.value.name
|
||||
policies = each.value.policies
|
||||
ops_policies = each.value.policies
|
||||
service_account_names = each.value.service_account_names
|
||||
service_account_namespaces = each.value.service_account_namespaces
|
||||
gitea_app_id = var.gitea_app_id
|
||||
|
||||
@@ -129,7 +129,7 @@ data "vault_auth_backend" "gitea_jwt" {
|
||||
resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
|
||||
backend = data.vault_auth_backend.gitea_jwt.path
|
||||
role_name = "gitea_cicd_${local.name}"
|
||||
token_policies = concat(["default"], var.policies) # give "${local.name}-ops" role to group of entities
|
||||
token_policies = concat(["default"], var.ops_policies) # give "${local.name}-ops" role to group of entities
|
||||
|
||||
bound_audiences = [
|
||||
var.gitea_app_id,
|
||||
|
||||
@@ -4,7 +4,7 @@ variable "name" {
|
||||
variable "gitea_app_id" {
|
||||
type = string
|
||||
}
|
||||
variable "policies" {
|
||||
variable "ops_policies" {
|
||||
type = list(string)
|
||||
default = []
|
||||
}
|
||||
|
||||
@@ -3,7 +3,7 @@ applications = [
|
||||
{ name = "erp" },
|
||||
{
|
||||
name = "cms"
|
||||
policies = ["factory__cf_r2_arcodange_tf"]
|
||||
ops_policies = ["factory__cf_r2_arcodange_tf"]
|
||||
service_account_names = ["cloudflared"]
|
||||
},
|
||||
]
|
||||
Reference in New Issue
Block a user