homelab/vault/policy.tf

data "vault_policy_document" "nomad_server_policy" {
  rule {
    path = "auth/token/create/nomad-cluster"
    capabilities = ["update"]
  }
  rule {
    path = "auth/token/roles/nomad-cluster"
    capabilities = ["read"]
  }

  rule {
    path = "auth/token/lookup"
    capabilities = ["update"]
  }
  rule {
    path  = "sys/capabilities-self"
    capabilities = ["update"]
  }

  rule {
    path = "auth/token/revoke-accessor" 
    capabilities = ["update"]
  }

  rule {
    path = "sys/capabilities-self"
    capabilities = ["update"]
  }
  rule {
    path = "auth/token/renew-self"
    capabilities = ["update"]
  }
}

resource "vault_policy" "nomad-server-policy" {
  name = "nomad-server-policy"
  policy = data.vault_policy_document.nomad_server_policy.hcl
}

data "vault_policy_document" "ansible" {
  rule {
    path = "secrets/data/ansible/*"
    capabilities = ["read", "list"]
  }
  rule {
    path = "secrets/data/ansible"
    capabilities = ["read", "list"]
  }
  rule {
    path = "secrets/data/database"
    capabilities = ["read", "list"]
  }
  rule {
    path = "secrets/data/database/*"
    capabilities = ["read", "list"]
  }


}
resource "vault_policy" "ansible" {
  name = "ansible"
  policy= data.vault_policy_document.ansible.hcl
}

data "vault_policy_document" "admin_policy" {
  rule {
    path = "auth/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "sys/auth/*"
    capabilities = ["create", "update", "delete", "sudo"]
  }
  rule {
    path = "sys/auth"
    capabilities = ["read"]
  }
  rule {
    path = "sys/health"
    capabilities = ["read", "sudo"]
  }
  rule {
    path = "sys/policies/acl"
    capabilities = ["list"]
  }
  rule {
    path = "sys/policies/acl/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "sys/storage/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "secrets/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "database/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "pki/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "ssh/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "nomad/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "consul/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "sys/mounts/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
   } 
  rule {
    path = "sys/mounts"
    capabilities  = ["read","list"]
  }
  rule {
    path = "sys/leases/*"
    capabilities  = ["create", "read", "update", "delete", "list", "sudo"]
  }
  rule {
    path = "sys/leases/lookup"
    capabilities  = ["list","sudo"]
  }
}
resource "vault_policy" "admin_policy" {
  name = "admin_policy"
  policy= data.vault_policy_document.admin_policy.hcl
}
switch vault config in terraform 2022-07-15 12:06:31 +00:00			`data "vault_policy_document" "nomad_server_policy" {`
			`rule {`
			`path = "auth/token/create/nomad-cluster"`
			`capabilities = ["update"]`
			`}`
			`rule {`
			`path = "auth/token/roles/nomad-cluster"`
			`capabilities = ["read"]`
			`}`

			`rule {`
			`path = "auth/token/lookup"`
			`capabilities = ["update"]`
			`}`
			`rule {`
			`path = "sys/capabilities-self"`
			`capabilities = ["update"]`
			`}`

			`rule {`
			`path = "auth/token/revoke-accessor"`
			`capabilities = ["update"]`
			`}`

			`rule {`
			`path = "sys/capabilities-self"`
			`capabilities = ["update"]`
			`}`
			`rule {`
			`path = "auth/token/renew-self"`
			`capabilities = ["update"]`
			`}`
			`}`

			`resource "vault_policy" "nomad-server-policy" {`
			`name = "nomad-server-policy"`
			`policy = data.vault_policy_document.nomad_server_policy.hcl`
			`}`

			`data "vault_policy_document" "ansible" {`
			`rule {`
			`path = "secrets/data/ansible/*"`
			`capabilities = ["read", "list"]`
			`}`
			`rule {`
			`path = "secrets/data/ansible"`
			`capabilities = ["read", "list"]`
			`}`
vault policy segmentation 2022-10-30 08:33:39 +00:00			`rule {`
			`path = "secrets/data/database"`
			`capabilities = ["read", "list"]`
			`}`
fix vault: modify ansible policy 2023-08-25 08:14:29 +00:00			`rule {`
			`path = "secrets/data/database/*"`
			`capabilities = ["read", "list"]`
			`}`

vault policy segmentation 2022-10-30 08:33:39 +00:00
switch vault config in terraform 2022-07-15 12:06:31 +00:00			`}`
			`resource "vault_policy" "ansible" {`
			`name = "ansible"`
			`policy= data.vault_policy_document.ansible.hcl`
			`}`
add admin policy 2022-08-10 17:30:20 +00:00
			`data "vault_policy_document" "admin_policy" {`
			`rule {`
			`path = "auth/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "sys/auth/*"`
			`capabilities = ["create", "update", "delete", "sudo"]`
			`}`
			`rule {`
			`path = "sys/auth"`
			`capabilities = ["read"]`
			`}`
			`rule {`
			`path = "sys/health"`
			`capabilities = ["read", "sudo"]`
			`}`
			`rule {`
			`path = "sys/policies/acl"`
			`capabilities = ["list"]`
			`}`
			`rule {`
			`path = "sys/policies/acl/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
feat vault storage right for admin 2023-08-27 13:40:38 +00:00			`rule {`
			`path = "sys/storage/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
add admin policy 2022-08-10 17:30:20 +00:00			`rule {`
			`path = "secrets/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
vault backup cron in nomad 2023-11-01 17:58:42 +00:00			`rule {`
			`path = "database/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "pki/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "ssh/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "nomad/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "consul/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
add admin policy 2022-08-10 17:30:20 +00:00			`rule {`
			`path = "sys/mounts/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "sys/mounts"`
			`capabilities = ["read","list"]`
			`}`
feat vault: add lease right in policy 2022-11-29 20:08:13 +00:00			`rule {`
			`path = "sys/leases/*"`
			`capabilities = ["create", "read", "update", "delete", "list", "sudo"]`
			`}`
			`rule {`
			`path = "sys/leases/lookup"`
			`capabilities = ["list","sudo"]`
			`}`
add admin policy 2022-08-10 17:30:20 +00:00			`}`
			`resource "vault_policy" "admin_policy" {`
			`name = "admin_policy"`
			`policy= data.vault_policy_document.admin_policy.hcl`
			`}`