homelab/vault/drone-vault.tf

54 lines
1.4 KiB
Terraform
Raw Normal View History

2022-11-27 14:25:26 +00:00
resource "vault_auth_backend" "approle" {
type = "approle"
}
resource "vault_approle_auth_backend_role" "drone-vault" {
backend = vault_auth_backend.approle.path
role_name = "drone-vault"
token_policies = ["drone-vault"]
}
data "vault_approle_auth_backend_role_id" "drone-vault" {
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.drone-vault.role_name
}
output "drone-vault-role-id" {
value = data.vault_approle_auth_backend_role_id.drone-vault.role_id
}
data "vault_policy_document" "drone-vault" {
rule {
2022-11-29 19:29:30 +00:00
path = "secrets/data/droneci/*"
2022-11-27 14:25:26 +00:00
capabilities = ["read", "list"]
}
rule {
2022-11-29 19:29:30 +00:00
path = "secrets/data/droneci"
capabilities = ["read", "list"]
}
2022-11-27 14:25:26 +00:00
}
resource "vault_policy" "drone-vault" {
name = "drone-vault"
2022-11-29 19:25:32 +00:00
policy = data.vault_policy_document.drone-vault.hcl
2022-11-27 14:25:26 +00:00
}
resource "vault_approle_auth_backend_role_secret_id" "drone-vault" {
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.drone-vault.role_name
}
resource "vault_kv_secret_v2" "drone-vault" {
mount = vault_mount.kvv2-secret.path
name = "nomad/droneCI/approle"
data_json = jsonencode(
{
approleID = data.vault_approle_auth_backend_role_id.drone-vault.role_id,
approleSecretID = vault_approle_auth_backend_role_secret_id.drone-vault.secret_id
}
)
}