feat: add secretID automaticaly in KV for DroneCI

2022-11-29 18:10:25 +01:00 · 2022-11-29 18:10:25 +01:00 · 0ecb686bfc
commit 0ecb686bfc
parent 510e1f14cb
3 changed files with 24 additions and 1 deletions
--- a/nomad-job/drone.nomad
+++ b/nomad-job/drone.nomad
@ -91,9 +91,10 @@ job "drone" {
        DRONE_DEBUG=true
        {{ with secret "secrets/data/nomad/droneCI"}}
        DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}}
+        {{end}}
+        {{ with secret "secrets/data/nomad/droneCI/approle"}}
        VAULT_APPROLE_ID=  {{ .Data.data.approleID}}
        VAULT_APPROLE_SECRET=  {{ .Data.data.approleSecretID}}
-
        {{end}}
        VAULT_ADDR=http://active.vault.service.consul:8200
        VAULT_AUTH_TYPE=approle
--- a/vault/approle.tf
+++ b/vault/approle.tf
@ -29,3 +29,21 @@ resource "vault_policy" "drone-vault" {
    name = "drone-vault"
    policy = data.vault_policy_document.nomad_server_policy.hcl
 }
+
+
+resource "vault_approle_auth_backend_role_secret_id" "drone-vault" {
+    backend   = vault_auth_backend.approle.path
+    role_name = vault_approle_auth_backend_role.drone-vault.role_name
+}
+
+
+resource "vault_kv_secret_v2" "drone-vault" {
+  mount                      = vault_mount.kvv2-secret.path
+  name                       = "nomad/droneCI/approle"
+  data_json                  = jsonencode(
+  {
+    approleID       = data.vault_approle_auth_backend_role_id.drone-vault.role_id,
+    approleSecretID       = vault_approle_auth_backend_role_secret_id.drone-vault.secret_id
+  }
+  )
+}
--- a/vault/main.tf
+++ b/vault/main.tf
@ -47,6 +47,10 @@ data "vault_policy_document" "nomad_jobs" {
    path         = "secrets/data/nomad/${each.key}"
    capabilities = ["read"]
  }
+  rule {
+    path         = "secrets/data/nomad/${each.key}/*"
+    capabilities = ["read"]
+  }
  rule {
    path = "secrets/data/database/${each.key}"
    capabilities = ["read"]