feat: add secretID automaticaly in KV for DroneCI

nomad-job/drone.nomad

@@ -91,9 +91,10 @@ job "drone" {
         DRONE_DEBUG=true
         {{ with secret "secrets/data/nomad/droneCI"}}
         DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}}
+        {{end}}
+        {{ with secret "secrets/data/nomad/droneCI/approle"}}
         VAULT_APPROLE_ID=  {{ .Data.data.approleID}}
         VAULT_APPROLE_SECRET=  {{ .Data.data.approleSecretID}}
-
         {{end}}
         VAULT_ADDR=http://active.vault.service.consul:8200
         VAULT_AUTH_TYPE=approle

vault/approle.tf

@@ -29,3 +29,21 @@ resource "vault_policy" "drone-vault" {
     name = "drone-vault"
     policy = data.vault_policy_document.nomad_server_policy.hcl
 }
+
+
+resource "vault_approle_auth_backend_role_secret_id" "drone-vault" {
+    backend   = vault_auth_backend.approle.path
+    role_name = vault_approle_auth_backend_role.drone-vault.role_name
+}
+
+
+resource "vault_kv_secret_v2" "drone-vault" {
+  mount                      = vault_mount.kvv2-secret.path
+  name                       = "nomad/droneCI/approle"
+  data_json                  = jsonencode(
+  {
+    approleID       = data.vault_approle_auth_backend_role_id.drone-vault.role_id,
+    approleSecretID       = vault_approle_auth_backend_role_secret_id.drone-vault.secret_id
+  }
+  )
+}

vault/main.tf

@@ -47,6 +47,10 @@ data "vault_policy_document" "nomad_jobs" {
     path         = "secrets/data/nomad/${each.key}"
     capabilities = ["read"]
   }
+  rule {
+    path         = "secrets/data/nomad/${each.key}/*"
+    capabilities = ["read"]
+  }
   rule {
     path = "secrets/data/database/${each.key}"
     capabilities = ["read"]