# Enable the AppRole auth method that the Drone CI integration logs in through.
# No `path` is set, so the provider's default mount path applies
# (conventionally the same as `type`, i.e. "approle") — confirm against the
# live Vault before relying on the literal path elsewhere.
resource "vault_auth_backend" "approle" {
  type = "approle"
}
# AppRole role used by the Drone CI Vault integration.
# Only the policy binding is configured; secret_id_ttl, secret_id_num_uses,
# token_ttl / token_max_ttl and the *_bound_cidrs options are left at Vault's
# defaults. NOTE(review): with those defaults a secret ID does not expire and
# is not use-limited — confirm this matches the intended rotation model, and
# tighten here if the secret ID is meant to be short-lived.
resource "vault_approle_auth_backend_role" "drone-vault" {
  backend   = vault_auth_backend.approle.path
  role_name = "drone-vault"
  # Tokens issued to this role carry only the "drone-vault" policy
  # (installed by the vault_policy resource of the same name).
  token_policies = ["drone-vault"]
}
# Look up the role_id of the drone-vault role. The role_id is the non-secret
# half of the AppRole credential pair; on its own it cannot log in.
data "vault_approle_auth_backend_role_id" "drone-vault" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.drone-vault.role_name
}
# Expose the role_id for whoever wires up the Drone CI side.
# Only the role_id is output here; the secret_id is not exposed as an output
# (it is written to KV by the vault_kv_secret_v2 resource instead).
output "drone-vault-role-id" {
  value = data.vault_approle_auth_backend_role_id.drone-vault.role_id
}
# Policy granting the Drone CI role read access to its own secrets subtree.
# NOTE(review): the mount path "secrets" is hard-coded here while the
# vault_kv_secret_v2 resource in this file references vault_mount.kvv2-secret.path;
# if that mount is ever moved the two drift apart — consider deriving both
# from the mount resource.
# NOTE(review): on a KV v2 mount, `list` is served from secrets/metadata/...,
# so "list" on the data path below is inert; add matching metadata rules if
# listing is actually required, otherwise "read" alone is sufficient.
data "vault_policy_document" "drone-vault" {
  # Every key under droneci/ (KV v2 data path).
  rule {
    path         = "secrets/data/droneci/*"
    capabilities = ["read", "list"]
  }

  # The bare droneci key itself; the "/*" rule above does not match it.
  rule {
    path         = "secrets/data/droneci"
    capabilities = ["read", "list"]
  }
}
# Install the rendered policy document under the name that the AppRole role
# lists in token_policies ("drone-vault"). The two names must stay in sync, or
# tokens issued to the role will carry a non-existent policy.
resource "vault_policy" "drone-vault" {
  name   = "drone-vault"
  policy = data.vault_policy_document.drone-vault.hcl
}
# Generate a secret_id for the drone-vault role — the secret half of the
# credential pair. NOTE(review): the generated value is persisted in Terraform
# state in clear text; protect the state backend as you would the credential
# itself, and expect a fresh secret_id whenever this resource is recreated.
resource "vault_approle_auth_backend_role_secret_id" "drone-vault" {
  backend   = vault_auth_backend.approle.path
  role_name = vault_approle_auth_backend_role.drone-vault.role_name
}
# Publish the complete AppRole credential pair into KV v2, presumably for the
# Nomad-run Drone CI job to consume (the key name suggests so — confirm).
# Because role_id and secret_id are stored together, read access to
# "nomad/droneCI/approle" is equivalent to holding a login-capable credential;
# scope any policy that covers this path accordingly. The contents also land
# in Terraform state via data_json. vault_mount.kvv2-secret is not defined in
# this view.
resource "vault_kv_secret_v2" "drone-vault" {
  mount = vault_mount.kvv2-secret.path
  name  = "nomad/droneCI/approle"
  data_json = jsonencode(
    {
      approleID       = data.vault_approle_auth_backend_role_id.drone-vault.role_id,
      approleSecretID = vault_approle_auth_backend_role_secret_id.drone-vault.secret_id
    }
  )
}