Compare commits
1 Commits
claude/mul
...
vibe/batch
| Author | SHA1 | Date | |
|---|---|---|---|
| 7a62cebc92 |
@@ -78,7 +78,6 @@ module "app_policies" {
|
|||||||
source = "./modules/app_policy"
|
source = "./modules/app_policy"
|
||||||
for_each = { for app in var.applications : app.name => app }
|
for_each = { for app in var.applications : app.name => app }
|
||||||
name = each.value.name
|
name = each.value.name
|
||||||
envs = each.value.envs
|
|
||||||
ops_policies = each.value.policies
|
ops_policies = each.value.policies
|
||||||
service_account_names = each.value.service_account_names
|
service_account_names = each.value.service_account_names
|
||||||
service_account_namespaces = each.value.service_account_namespaces
|
service_account_namespaces = each.value.service_account_namespaces
|
||||||
|
|||||||
@@ -7,15 +7,8 @@
|
|||||||
|
|
||||||
locals {
|
locals {
|
||||||
name = lower(var.name)
|
name = lower(var.name)
|
||||||
envs = [for e in var.envs : lower(e)]
|
bound_service_account_names = concat([var.name], var.service_account_names)
|
||||||
|
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
|
||||||
# Elision rule: env=prod → bare name; else <name>-<env>
|
|
||||||
instances = [for e in local.envs : e == "prod" ? local.name : "${local.name}-${e}"]
|
|
||||||
non_prod_instances = [for e in local.envs : "${local.name}-${e}" if e != "prod"]
|
|
||||||
|
|
||||||
# Per-instance SA name/namespace sets used by the CI policy's allowed_parameter blocks.
|
|
||||||
per_instance_sa_names = { for inst in local.instances : inst => concat([inst], var.service_account_names) }
|
|
||||||
per_instance_sa_namespaces = { for inst in local.instances : inst => concat([inst], var.service_account_namespaces) }
|
|
||||||
}
|
}
|
||||||
|
|
||||||
data "vault_policy_document" "ops" {
|
data "vault_policy_document" "ops" {
|
||||||
@@ -67,62 +60,42 @@ data "vault_policy_document" "ops" {
|
|||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "bound_service_account_names"
|
key = "bound_service_account_names"
|
||||||
value = [for inst in local.instances : jsonencode(local.per_instance_sa_names[inst])]
|
value = [jsonencode(local.bound_service_account_names)]
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "bound_service_account_namespaces"
|
key = "bound_service_account_namespaces"
|
||||||
value = [for inst in local.instances : jsonencode(local.per_instance_sa_namespaces[inst])]
|
value = [jsonencode(local.bound_service_account_namespaces)]
|
||||||
}
|
}
|
||||||
allowed_parameter {
|
allowed_parameter {
|
||||||
key = "token_policies"
|
key = "token_policies"
|
||||||
value = flatten([
|
value = [
|
||||||
for inst in local.instances : [
|
jsonencode(["default", local.name]),
|
||||||
jsonencode(["default", inst]),
|
jsonencode([local.name, "default"])
|
||||||
jsonencode([inst, "default"])
|
|
||||||
]
|
]
|
||||||
])
|
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
# allow editing app secrets — one rule per (capability × instance) preserves the
|
# allow editing app secrets
|
||||||
# original rule order (data, delete, undelete, destroy, metadata) so prod-only apps
|
rule {
|
||||||
# render a byte-identical policy document (no Vault state diff). Multi-env apps add
|
path = "kvv2/data/${local.name}/*"
|
||||||
# extra rules per non-prod instance.
|
|
||||||
dynamic "rule" {
|
|
||||||
for_each = local.instances
|
|
||||||
content {
|
|
||||||
path = "kvv2/data/${rule.value}/*"
|
|
||||||
capabilities = ["create", "update", "read", "delete"]
|
capabilities = ["create", "update", "read", "delete"]
|
||||||
}
|
}
|
||||||
}
|
rule {
|
||||||
dynamic "rule" {
|
path = "kvv2/delete/${local.name}/*"
|
||||||
for_each = local.instances
|
|
||||||
content {
|
|
||||||
path = "kvv2/delete/${rule.value}/*"
|
|
||||||
capabilities = ["update"]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
}
|
rule {
|
||||||
dynamic "rule" {
|
path = "kvv2/undelete/${local.name}/*"
|
||||||
for_each = local.instances
|
|
||||||
content {
|
|
||||||
path = "kvv2/undelete/${rule.value}/*"
|
|
||||||
capabilities = ["update"]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
}
|
rule {
|
||||||
dynamic "rule" {
|
path = "kvv2/destroy/${local.name}/*"
|
||||||
for_each = local.instances
|
|
||||||
content {
|
|
||||||
path = "kvv2/destroy/${rule.value}/*"
|
|
||||||
capabilities = ["update"]
|
capabilities = ["update"]
|
||||||
}
|
}
|
||||||
}
|
rule {
|
||||||
dynamic "rule" {
|
path = "kvv2/metadata/${local.name}/*"
|
||||||
for_each = local.instances
|
|
||||||
content {
|
|
||||||
path = "kvv2/metadata/${rule.value}/*"
|
|
||||||
capabilities = ["read", "list", "delete"]
|
capabilities = ["read", "list", "delete"]
|
||||||
}
|
}
|
||||||
}
|
|
||||||
# allow edit vault role (risky ?)
|
# allow edit vault role (risky ?)
|
||||||
}
|
}
|
||||||
resource "vault_policy" "ops" {
|
resource "vault_policy" "ops" {
|
||||||
@@ -166,9 +139,6 @@ resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
|
|||||||
role_type = "jwt"
|
role_type = "jwt"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Runtime policy for the env=prod instance — kept at its single-env address
|
|
||||||
# (data.vault_policy_document.app, vault_policy.app, name = local.name) so existing
|
|
||||||
# state isn't disturbed when this module is upgraded.
|
|
||||||
data "vault_policy_document" "app" {
|
data "vault_policy_document" "app" {
|
||||||
rule {
|
rule {
|
||||||
path = "kvv2/data/${local.name}/*"
|
path = "kvv2/data/${local.name}/*"
|
||||||
@@ -183,22 +153,3 @@ resource "vault_policy" "app" {
|
|||||||
name = local.name
|
name = local.name
|
||||||
policy = data.vault_policy_document.app.hcl
|
policy = data.vault_policy_document.app.hcl
|
||||||
}
|
}
|
||||||
|
|
||||||
# Runtime policies for non-prod envs. Each one is named <name>-<env> and reads
|
|
||||||
# only its own kvv2 + postgres creds paths.
|
|
||||||
data "vault_policy_document" "app_non_prod" {
|
|
||||||
for_each = toset(local.non_prod_instances)
|
|
||||||
rule {
|
|
||||||
path = "kvv2/data/${each.key}/*"
|
|
||||||
capabilities = ["read", "list"]
|
|
||||||
}
|
|
||||||
rule {
|
|
||||||
path = "postgres/creds/${each.key}*"
|
|
||||||
capabilities = ["read"]
|
|
||||||
}
|
|
||||||
}
|
|
||||||
resource "vault_policy" "app_non_prod" {
|
|
||||||
for_each = toset(local.non_prod_instances)
|
|
||||||
name = each.key
|
|
||||||
policy = data.vault_policy_document.app_non_prod[each.key].hcl
|
|
||||||
}
|
|
||||||
@@ -1,11 +1,6 @@
|
|||||||
variable "name" {
|
variable "name" {
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
variable "envs" {
|
|
||||||
type = list(string)
|
|
||||||
default = ["prod"]
|
|
||||||
description = "List of environments this app deploys to. The CI policy + JWT role + identity group are created ONCE per repo regardless. One runtime policy is created per env; the env=prod runtime policy keeps its single-env address for backwards compatibility (no state move)."
|
|
||||||
}
|
|
||||||
variable "gitea_app_id" {
|
variable "gitea_app_id" {
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -4,18 +4,10 @@ data "vault_auth_backend" "kubernetes" {
|
|||||||
|
|
||||||
locals {
|
locals {
|
||||||
name = lower(var.name)
|
name = lower(var.name)
|
||||||
env = lower(var.env)
|
database = var.database == null ? local.name : var.database
|
||||||
database = var.database == null ? local.instance : var.database
|
|
||||||
|
|
||||||
# Elision rule (factory runbook conventions.md):
|
bound_service_account_names = concat([var.name], var.service_account_names)
|
||||||
# env == prod → identical to the single-env baseline (no suffix)
|
bound_service_account_namespaces = concat([var.name], var.service_account_namespaces)
|
||||||
# else → kebab-case "<name>-<env>" for K8s/Vault paths.
|
|
||||||
# Postgres owner role stays snake-case for consistency with the existing "_role" suffix.
|
|
||||||
instance = local.env == "prod" ? local.name : "${local.name}-${local.env}"
|
|
||||||
owner_role = local.env == "prod" ? "${local.name}_role" : "${local.name}_${local.env}_role"
|
|
||||||
|
|
||||||
bound_service_account_names = concat([local.instance], var.service_account_names)
|
|
||||||
bound_service_account_namespaces = concat([local.instance], var.service_account_namespaces)
|
|
||||||
|
|
||||||
vault_mount_postgres = { path = "postgres" }
|
vault_mount_postgres = { path = "postgres" }
|
||||||
vault_mount_kvv2 = { path = "kvv2" }
|
vault_mount_kvv2 = { path = "kvv2" }
|
||||||
@@ -28,14 +20,14 @@ moved {
|
|||||||
resource "vault_database_secret_backend_role" "role" {
|
resource "vault_database_secret_backend_role" "role" {
|
||||||
count = var.disable_database ? 0 : 1
|
count = var.disable_database ? 0 : 1
|
||||||
backend = local.vault_mount_postgres.path
|
backend = local.vault_mount_postgres.path
|
||||||
name = local.instance
|
name = local.name
|
||||||
db_name = "postgres"
|
db_name = "postgres"
|
||||||
creation_statements = [
|
creation_statements = [
|
||||||
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
|
"CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
|
||||||
"GRANT ${local.owner_role} TO \"{{name}}\";",
|
"GRANT ${local.name}_role TO \"{{name}}\";",
|
||||||
]
|
]
|
||||||
revocation_statements = [
|
revocation_statements = [
|
||||||
"REASSIGN OWNED BY \"{{name}}\" TO ${local.owner_role};", # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
|
"REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;", # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
|
||||||
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ? -> YES after fixing reassign
|
"REVOKE ALL ON DATABASE ${local.database} FROM \"{{name}}\";", # should we drop the role ? -> YES after fixing reassign
|
||||||
]
|
]
|
||||||
renew_statements = []
|
renew_statements = []
|
||||||
@@ -44,11 +36,11 @@ resource "vault_database_secret_backend_role" "role" {
|
|||||||
|
|
||||||
resource "vault_kubernetes_auth_backend_role" "role" {
|
resource "vault_kubernetes_auth_backend_role" "role" {
|
||||||
backend = data.vault_auth_backend.kubernetes.path
|
backend = data.vault_auth_backend.kubernetes.path
|
||||||
role_name = local.instance
|
role_name = local.name
|
||||||
bound_service_account_names = local.bound_service_account_names
|
bound_service_account_names = local.bound_service_account_names
|
||||||
bound_service_account_namespaces = local.bound_service_account_namespaces
|
bound_service_account_namespaces = local.bound_service_account_namespaces
|
||||||
token_ttl = 3600
|
token_ttl = 3600
|
||||||
token_policies = ["default", local.instance]
|
token_policies = ["default", local.name]
|
||||||
audience = "vault"
|
audience = "vault"
|
||||||
alias_name_source = "serviceaccount_name"
|
alias_name_source = "serviceaccount_name"
|
||||||
}
|
}
|
||||||
@@ -1,13 +1,6 @@
|
|||||||
output "name" {
|
output "name" {
|
||||||
value = local.name
|
value = local.name
|
||||||
}
|
}
|
||||||
output "env" {
|
|
||||||
value = local.env
|
|
||||||
}
|
|
||||||
output "instance" {
|
|
||||||
value = local.instance
|
|
||||||
description = "Derived id by the elision rule: equals name when env=prod, else <name>-<env>."
|
|
||||||
}
|
|
||||||
output "database" {
|
output "database" {
|
||||||
value = local.database
|
value = local.database
|
||||||
}
|
}
|
||||||
@@ -19,6 +12,5 @@ output "mount_paths" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
output "kvv2_path_prefix" {
|
output "kvv2_path_prefix" {
|
||||||
# Identical to format("%s/", local.name) when env=prod (backwards compat).
|
value = format("%s/", local.name)
|
||||||
value = format("%s/", local.instance)
|
|
||||||
}
|
}
|
||||||
@@ -1,11 +1,6 @@
|
|||||||
variable "name" {
|
variable "name" {
|
||||||
type = string
|
type = string
|
||||||
}
|
}
|
||||||
variable "env" {
|
|
||||||
type = string
|
|
||||||
default = "prod"
|
|
||||||
description = "Deployment environment. By the elision rule (factory runbook conventions.md), env=prod produces names identical to the single-env baseline; non-prod values produce <name>-<env> kebab-case and <name>_<env>_role for the Postgres owner role."
|
|
||||||
}
|
|
||||||
variable "database" {
|
variable "database" {
|
||||||
type = string
|
type = string
|
||||||
nullable = true
|
nullable = true
|
||||||
|
|||||||
@@ -15,9 +15,5 @@ variable "applications" {
|
|||||||
policies = optional(list(string), [])
|
policies = optional(list(string), [])
|
||||||
service_account_names = optional(list(string), [])
|
service_account_names = optional(list(string), [])
|
||||||
service_account_namespaces = optional(list(string), [])
|
service_account_namespaces = optional(list(string), [])
|
||||||
# Multi-env extension: list of envs this app deploys to. Defaults to ["prod"] for
|
|
||||||
# every existing app — backwards compatible by the elision rule. Non-prod envs
|
|
||||||
# produce additional runtime policies named "<name>-<env>".
|
|
||||||
envs = optional(list(string), ["prod"])
|
|
||||||
}))
|
}))
|
||||||
}
|
}
|
||||||
Reference in New Issue
Block a user