feat: add secretID automatically in KV for DroneCI

This commit is contained in:
vincent 2022-11-29 18:10:25 +01:00
parent 510e1f14cb
commit 0ecb686bfc
3 changed files with 24 additions and 1 deletions


@ -91,9 +91,10 @@ job "drone" {
DRONE_DEBUG=true DRONE_DEBUG=true
{{ with secret "secrets/data/nomad/droneCI"}} {{ with secret "secrets/data/nomad/droneCI"}}
DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}} DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}}
{{end}}
{{ with secret "secrets/data/nomad/droneCI/approle"}}
VAULT_APPROLE_ID= {{ .Data.data.approleID}} VAULT_APPROLE_ID= {{ .Data.data.approleID}}
VAULT_APPROLE_SECRET= {{ .Data.data.approleSecretID}} VAULT_APPROLE_SECRET= {{ .Data.data.approleSecretID}}
{{end}} {{end}}
VAULT_ADDR=http://active.vault.service.consul:8200 VAULT_ADDR=http://active.vault.service.consul:8200
VAULT_AUTH_TYPE=approle VAULT_AUTH_TYPE=approle
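Review bot: The second `{{ with secret "secrets/data/nomad/droneCI/approle"}}` block opened on L18 fails quietly: if that KV entry is missing or the job token's policy does not cover it, `with` skips its body (as I read consul-template semantics) and the task starts with `VAULT_AUTH_TYPE=approle` but no `VAULT_APPROLE_ID`/`VAULT_APPROLE_SECRET`, which only shows up later as a Vault auth failure inside drone. A comment above the block tying it to the Terraform side would make the dependency visible: `# AppRole creds are published to this path by vault_kv_secret_v2.drone-vault; both with-blocks must render or drone cannot authenticate to Vault`. The enclosing `template` stanza starts and ends outside the hunk.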


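--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -29,3 +29,21 @@ resource "vault_policy" "drone-vault" {
 name = "drone-vault"
 policy = data.vault_policy_document.nomad_server_policy.hcl
 }
+resource "vault_approle_auth_backend_role_secret_id" "drone-vault" {
+backend = vault_auth_backend.approle.path
+role_name = vault_approle_auth_backend_role.drone-vault.role_name
+}
+resource "vault_kv_secret_v2" "drone-vault" {
+mount = vault_mount.kvv2-secret.path
+name = "nomad/droneCI/approle"
+data_json = jsonencode(
+{
+approleID = data.vault_approle_auth_backend_role_id.drone-vault.role_id,
+approleSecretID = vault_approle_auth_backend_role_secret_id.drone-vault.secret_id
+}
+)
+}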
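Review bot: The `secret_id` minted by `vault_approle_auth_backend_role_secret_id.drone-vault` is held in Terraform state and then copied into the `nomad/droneCI/approle` KV entry via `data_json`, so the same long-lived AppRole credential now lives in two places, and nothing in the hunk bounds its lifetime. If the `drone-vault` role (defined outside this hunk) does not set `secret_id_ttl` or `secret_id_num_uses`, consider doing so, and note that, as far as I can tell, Terraform only mints a fresh secret_id when this resource is replaced, so rotation is a deliberate taint/apply rather than automatic. A header comment would help the next reader: `# Mints a secret_id for the drone-vault AppRole and publishes it with the role_id to KV for the drone job template; the value is also in Terraform state, so keep state access-controlled and rotate by tainting this resource.`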


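--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -47,6 +47,10 @@ data "vault_policy_document" "nomad_jobs" {
 path = "secrets/data/nomad/${each.key}"
 capabilities = ["read"]
 }
+rule {
+path = "secrets/data/nomad/${each.key}/*"
+capabilities = ["read"]
+}
 rule {
 path = "secrets/data/database/${each.key}"
 capabilities = ["read"]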
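Review bot: The new rule grants read on `secrets/data/nomad/${each.key}/*` for every job in the `for_each` set, which is broader than the single `droneCI/approle` entry the drone job actually consumes; any sub-path later created under a job's prefix becomes readable by that job's token with no policy change. If only the AppRole entry is needed, `path = "secrets/data/nomad/${each.key}/approle"` keeps the grant explicit; if delegating the whole sub-tree to each job is intended, a comment such as `# each job may read every entry under its own prefix (used for per-job AppRole creds)` would record that decision. The enclosing `data "vault_policy_document" "nomad_jobs"` block continues outside the hunk.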