25 lines
998 B
HCL
25 lines
998 B
HCL
locals {
|
|
factory_crowdsec_conf_sa_name = "factory-ansible-tool-crowdsec-traefik-plugin"
|
|
}
|
|
|
|
|
|
data "vault_policy_document" "factory_crowdsec_conf" {
|
|
rule {
|
|
path = "kvv2/data/cms/factory/*" # cms.git//cloudflare/iac.tf
|
|
capabilities = ["read", "list"]
|
|
}
|
|
}
|
|
resource "vault_policy" "factory_crowdsec_conf" {
|
|
name = "factory_crowdsec_conf"
|
|
policy = data.vault_policy_document.factory_crowdsec_conf.hcl
|
|
}
|
|
resource "vault_kubernetes_auth_backend_role" "factory_crowdsec_conf" {
|
|
backend = vault_auth_backend.kubernetes.path
|
|
role_name = "factory_crowdsec_conf"
|
|
bound_service_account_names = [local.factory_crowdsec_conf_sa_name]
|
|
bound_service_account_namespaces = ["kube-system"]
|
|
token_ttl = 3600
|
|
token_policies = ["default", vault_policy.factory_crowdsec_conf.name]
|
|
audience = "vault"
|
|
alias_name_source = "serviceaccount_name"
|
|
} |