try vault postgres secret engine

2024-10-18 15:42:31 +02:00
parent 5da0f2150b
commit 3bb67fc2c1
8 changed files with 165 additions and 2 deletions
--- a/iac/main.tf
+++ b/iac/main.tf
@@ -0,0 +1,58 @@
+data "vault_auth_backend" "kubernetes" {
+  path = "kubernetes"
+}
+variable "name" {
+  type = string
+  default = "webapp"
+}
+variable "database" {
+  type = string
+  nullable = true
+  default = null
+}
+locals {
+  name = lower(var.name)
+  database = var.database == null ? local.name : var.database
+
+  vault_mount_postgres = { path = "postgres" }
+  vault_mount_kvv2 = { path = "kvv2" }
+}
+
+resource "vault_database_secret_backend_role" "role" {
+  backend             = local.vault_mount_postgres.path
+  name                = "${local.name}"
+  db_name             = "postgres"
+  creation_statements = [
+    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
+    "GRANT ${local.name}_role TO \"{{name}}\";",
+  ] 
+  revocation_statements = [
+    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";" # should we drop the role ?
+  ]
+  renew_statements=[]
+  rollback_statements=[]
+}
+
+resource "vault_kv_secret_v2" "webapp_config" {
+  mount                      = local.vault_mount_kvv2.path
+  name                       = "webapp/config"
+  cas                        = 1
+#   delete_all_versions        = true
+  data_json                  = jsonencode(
+  {
+    zip       = "zap",
+    foo       = "bar"
+  }
+  )
+}
+
+resource "vault_kubernetes_auth_backend_role" "role" {
+  backend                          = data.vault_auth_backend.kubernetes.path
+  role_name                        = local.name
+  bound_service_account_names      = [local.name]
+  bound_service_account_namespaces = [local.name]
+  token_ttl                        = 3600
+  token_policies                   = ["default", local.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}