tools/hashicorp-vault/iac/main.tf

resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "config" {
  backend         = vault_auth_backend.kubernetes.path
  kubernetes_host = "https://kubernetes.default.svc:443"
}

resource "vault_mount" "kvv2" {
  path        = "kvv2"
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount"
}


resource "vault_mount" "postgres" {
  path = "postgres"
  type = "database"
}

resource "vault_database_secret_backend_connection" "postgres" {
  backend       = vault_mount.postgres.path
  name          = "postgres"
  allowed_roles = ["*"]
  root_rotation_statements = [
    "ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';",
  ]

  postgresql {
    connection_url = "postgresql://{{username}}:{{password}}@pgbouncer.tools:5432/postgres?sslmode=disable"
    username       = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
    password       = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
  }
}


resource "vault_mount" "transit" {
  path        = "transit"
  type        = "transit"
  description = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
  #   default_lease_ttl_seconds = 3600
  #   max_lease_ttl_seconds     = 86400
}
resource "vault_transit_secret_backend_key" "vso_client_cache" {
  backend = vault_mount.transit.path
  name    = "vso-client-cache"
}

data "vault_policy_document" "vso_client_cache" {
  rule {
    path         = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
    capabilities = ["create", "update"]
  }
  rule {
    path         = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
    capabilities = ["create", "update"]
  }
}
resource "vault_policy" "vso_client_cache" {
  name   = "edit-vso-client-cache"
  policy = data.vault_policy_document.vso_client_cache.hcl
}

resource "vault_kubernetes_auth_backend_role" "vso" {
  backend                          = vault_auth_backend.kubernetes.path
  role_name                        = "vault-secret-operator"
  bound_service_account_names      = ["hashicorp-vault-vault-secrets-operator-controller-manager"]
  bound_service_account_namespaces = ["tools"]
  token_ttl                        = 0
  token_period                     = 120
  token_policies                   = ["default", vault_policy.vso_client_cache.name]
  audience                         = "vault"
  alias_name_source                = "serviceaccount_name"
}

module "app_policies" {
  source       = "./modules/app_policy"
  for_each     = { for app in var.applications : app.name => app }
  name         = each.value.name
  policies     = each.value.policies
  gitea_app_id = var.gitea_app_id
}