50f8ea95be
...
2d5ec8a859
| Author | SHA1 | Date | |
|---|---|---|---|
| 2d5ec8a859 | |||
| c490d37fd7 |
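--- /dev/null
+++ b/hashicorp-vault/iac/factory_auth.tf
@@ -0,0 +1,25 @@
+locals {
+factory_crowdsec_conf_sa_name = "factory-ansible-tool-crowdsec-traefik-plugin"
+}
+
+
+data "vault_policy_document" "factory_crowdsec_conf" {
+rule {
+path = "kvv2/data/cms/factory/*" # cms.git//cloudflare/iac.tf
+capabilities = ["read", "list"]
+}
+}
+resource "vault_policy" "factory_crowdsec_conf" {
+name = "factory_crowdsec_conf"
+policy = data.vault_policy_document.factory_crowdsec_conf.hcl
+}
+resource "vault_kubernetes_auth_backend_role" "factory_crowdsec_conf" {
+backend = vault_auth_backend.kubernetes.path
+role_name = "factory_crowdsec_conf"
+bound_service_account_names = [local.factory_crowdsec_conf_sa_name]
+bound_service_account_namespaces = ["kube-system"]
+token_ttl = 3600
+token_policies = ["default", vault_policy.factory_crowdsec_conf.name]
+audience = "vault"
+alias_name_source = "serviceaccount_name"
+}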
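Review bot: The `list` capability on `kvv2/data/cms/factory/*` in the policy document is ineffective: KV v2 serves list operations from the `metadata/` endpoint, so a `vault kv list` under this role is still denied while the policy reads as though it grants it; either drop `list` from the `data/` rule or add a second rule on `kvv2/metadata/cms/factory/*` with `["list"]` (below). The wildcard also grants read on every secret under `cms/factory/`; the comment points at `cms.git//cloudflare/iac.tf` but does not say which key the crowdsec plugin actually reads, so if it is a single secret the path could be narrowed. `bound_service_account_namespaces = ["kube-system"]` binds a workload role into the control-plane namespace, which is worth a comment explaining why the traefik plugin must live there rather than in its own namespace. `alias_name_source = "serviceaccount_name"` keys the Vault entity on namespace/name instead of the service-account UID, so a deleted and recreated SA of the same name inherits the old entity and any groups attached to it — presumably intended for stable identity across redeploys, but worth confirming, and no `token_max_ttl` caps renewal of the 3600s token.
```hcl
data "vault_policy_document" "factory_crowdsec_conf" {
  rule {
    path         = "kvv2/data/cms/factory/*" # cms.git//cloudflare/iac.tf
    capabilities = ["read"]
  }
  # KV v2 answers list requests on the metadata endpoint, not data/
  rule {
    path         = "kvv2/metadata/cms/factory/*"
    capabilities = ["list"]
  }
}
```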
@@ -78,7 +78,7 @@ module "app_policies" {
|
|||||||
source = "./modules/app_policy"
|
source = "./modules/app_policy"
|
||||||
for_each = { for app in var.applications : app.name => app }
|
for_each = { for app in var.applications : app.name => app }
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
policies = each.value.policies
|
ops_policies = each.value.policies
|
||||||
service_account_names = each.value.service_account_names
|
service_account_names = each.value.service_account_names
|
||||||
service_account_namespaces = each.value.service_account_namespaces
|
service_account_namespaces = each.value.service_account_namespaces
|
||||||
gitea_app_id = var.gitea_app_id
|
gitea_app_id = var.gitea_app_id
|
||||||
|
|||||||
@@ -129,7 +129,7 @@ data "vault_auth_backend" "gitea_jwt" {
|
|||||||
resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
|
resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
|
||||||
backend = data.vault_auth_backend.gitea_jwt.path
|
backend = data.vault_auth_backend.gitea_jwt.path
|
||||||
role_name = "gitea_cicd_${local.name}"
|
role_name = "gitea_cicd_${local.name}"
|
||||||
token_policies = concat(["default"], var.policies) # give "${local.name}-ops" role to group of entities
|
token_policies = concat(["default"], var.ops_policies) # give "${local.name}-ops" role to group of entities
|
||||||
|
|
||||||
bound_audiences = [
|
bound_audiences = [
|
||||||
var.gitea_app_id,
|
var.gitea_app_id,
|
||||||
|
|||||||
@@ -4,7 +4,7 @@ variable "name" {
|
|||||||
variable "gitea_app_id" {
|
variable "gitea_app_id" {
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
variable "policies" {
|
variable "ops_policies" {
|
||||||
type = list(string)
|
type = list(string)
|
||||||
default = []
|
default = []
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -3,7 +3,7 @@ applications = [
|
|||||||
{ name = "erp" },
|
{ name = "erp" },
|
||||||
{
|
{
|
||||||
name = "cms"
|
name = "cms"
|
||||||
policies = ["factory__cf_r2_arcodange_tf"]
|
ops_policies = ["factory__cf_r2_arcodange_tf"]
|
||||||
service_account_names = ["cloudflared"]
|
service_account_names = ["cloudflared"]
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||