arcodange-org/tools
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
a3e121b468c69b71afab40bbade6ec3f9e5703af
tools/hashicorp-vault/iac/main.tf
Gabriel Radureau a3e121b468
All checks were successful
Helm Charts / Detect changed charts (push) Successful in 23s
Details
Helm Charts / Detect changed charts (pull_request) Successful in 22s
Details
Helm Charts / Library charts tool (push) Has been skipped
Details
Helm Charts / Library charts tool (pull_request) Has been skipped
Details
Helm Charts / Application charts pgcat (push) Has been skipped
Details
Helm Charts / Application charts pgcat (pull_request) Has been skipped
Details
modules: add env/envs parameter to app_roles + app_policy (multi-env) 
Phase A of the multi-environment evolution agreed in the erp repo design
thread. Both modules gain an optional env coordinate that defaults to
"prod"; by the elision rule, env=prod produces the existing single-env
derived names character-for-character, so every existing app's tofu plan
is a no-op.

app_roles (per-instance module — caller iterates over envs):
- variables.tf: add optional env = "prod"
- main.tf: compute local.instance via elision rule + local.owner_role
  (snake-case <name>_<env>_role for the Postgres owner). The name/env/
  database locals are grouped so fmt keeps the existing `name` alignment
  (no whitespace churn on unchanged keys).
- main.tf: substitute local.name -> local.instance / local.owner_role in
  the dynamic role name, k8s role name, SA bindings, token_policies
- outputs.tf: add env + instance outputs; kvv2_path_prefix derives from
  local.instance (== local.name when env=prod → backwards-compat)

app_policy (per-repo module — accepts list of envs):
- variables.tf: add optional envs = ["prod"]
- main.tf: compute local.instances + local.non_prod_instances; remove the
  now-dead bound_service_account_* alias locals (the allowed_parameter
  blocks build their values from per_instance_sa_* maps instead)
- main.tf: kvv2 ops rules become dynamic blocks iterating local.instances
  in the original order (data, delete, undelete, destroy, metadata), so a
  prod-only app renders a byte-identical policy document
- main.tf: allowed_parameter for bound_service_account_* + token_policies
  use comprehensions over local.instances (1-element → identical to old
  static values for prod-only apps)
- main.tf: keep vault_policy.app (env=prod runtime policy) at its original
  address; add vault_policy.app_non_prod via for_each over non_prod_instances
  (empty set for prod-only apps → no new resources)

Top-level wiring:
- iac/variables.tf: add envs = optional(list(string), ["prod"]) to the
  applications set(object) type
- iac/main.tf: pass envs = each.value.envs to app_policies

Verified: `tofu fmt -check` clean on all touched files, `tofu validate`
passes. Backwards-compat reasoning for the no-op plan is in the PR body.

Phase B (factory postgres iac + argocd + runbook docs) and Phase D
(erp iac/main.tf for_each + activate sandbox) follow in their own PRs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-15 14:29:11 +02:00

87 lines
3.0 KiB
HCL
Raw Blame History

resource "vault_auth_backend" "kubernetes" {
type = "kubernetes"
}
resource "vault_kubernetes_auth_backend_config" "config" {
backend = vault_auth_backend.kubernetes.path
kubernetes_host = "https://kubernetes.default.svc:443"
}
resource "vault_mount" "kvv2" {
path = "kvv2"
type = "kv"
options = { version = "2" }
description = "KV Version 2 secret engine mount"
}
resource "vault_mount" "postgres" {
path = "postgres"
type = "database"
}
resource "vault_database_secret_backend_connection" "postgres" {
backend = vault_mount.postgres.path
name = "postgres"
allowed_roles = ["*"]
root_rotation_statements = [
"ALTER USER \"{{name}}\" WITH PASSWORD '{{password}}';",
]
postgresql {
connection_url = "postgresql://{{username}}:{{password}}@pgbouncer.tools:5432/postgres?sslmode=disable"
username = var.POSTGRES_CREDENTIALS_EDITOR_USERNAME
password = var.POSTGRES_CREDENTIALS_EDITOR_PASSWORD
}
}
resource "vault_mount" "transit" {
path = "transit"
type = "transit"
description = "Pour le vault secret operator (vso) dans k3s en cas de redemarrage par exemple"
# default_lease_ttl_seconds = 3600
# max_lease_ttl_seconds = 86400
}
resource "vault_transit_secret_backend_key" "vso_client_cache" {
backend = vault_mount.transit.path
name = "vso-client-cache"
}
data "vault_policy_document" "vso_client_cache" {
rule {
path = "${vault_mount.transit.path}/encrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
capabilities = ["create", "update"]
}
rule {
path = "${vault_mount.transit.path}/decrypt/${vault_transit_secret_backend_key.vso_client_cache.name}"
capabilities = ["create", "update"]
}
}
resource "vault_policy" "vso_client_cache" {
name = "edit-vso-client-cache"
policy = data.vault_policy_document.vso_client_cache.hcl
}
resource "vault_kubernetes_auth_backend_role" "vso" {
backend = vault_auth_backend.kubernetes.path
role_name = "vault-secret-operator"
bound_service_account_names = ["hashicorp-vault-vault-secrets-operator-controller-manager"]
bound_service_account_namespaces = ["tools"]
token_ttl = 0
token_period = 120
token_policies = ["default", vault_policy.vso_client_cache.name]
audience = "vault"
alias_name_source = "serviceaccount_name"
}
module "app_policies" {
source = "./modules/app_policy"
for_each = { for app in var.applications : app.name => app }
name = each.value.name
envs = each.value.envs
ops_policies = each.value.policies
service_account_names = each.value.service_account_names
service_account_namespaces = each.value.service_account_namespaces
gitea_app_id = var.gitea_app_id
}
Reference in New Issue View Git Blame Copy Permalink