From 5100e95930489faccc6ce10c46f3fb58bf347a63 Mon Sep 17 00:00:00 2001
From: vincent
Date: Fri, 15 Jul 2022 14:06:31 +0200
Subject: [PATCH] switch vault config in terraform
---
 .gitignore | 37 ++++++++++++++++++
 infra/.gitignore | 36 -----------------
 infra/.terraform.lock.hcl | 23 +++++++++++
 vault/.terraform.lock.hcl | 21 ++++++++++
 vault/main.tf | 33 ++++++++++++++++
 vault/nomad-cluster-role.json | 9 -----
 vault/nomad-server-policy.hcl | 41 --------------------
 vault/policy.tf | 73 +++++++++++++++++++++++++++++++++++
 vault/variable.tf | 3 ++
 9 files changed, 190 insertions(+), 86 deletions(-)
 delete mode 100644 infra/.gitignore
 create mode 100644 infra/.terraform.lock.hcl
 create mode 100644 vault/.terraform.lock.hcl
 create mode 100644 vault/main.tf
 delete mode 100644 vault/nomad-cluster-role.json
 delete mode 100644 vault/nomad-server-policy.hcl
 create mode 100644 vault/policy.tf
 create mode 100644 vault/variable.tf
diff --git a/.gitignore b/.gitignore
index 8d4bfcf..7b17f74 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,38 @@
 nohup.out
+
+# terraform gitignore
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
diff --git a/infra/.gitignore b/infra/.gitignore
deleted file mode 100644
index 93c58f9..0000000
--- a/infra/.gitignore
+++ /dev/null
@@ -1,36 +0,0 @@
-# Local .terraform directories
-**/.terraform/*
-
-# .tfstate files
-*.tfstate
-*.tfstate.*
-
-# Crash log files
-crash.log
-crash.*.log
-
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-
-# Ignore CLI configuration files
-.terraformrc
-.terraform.lock.hcl
-
-terraform.rc
diff --git a/infra/.terraform.lock.hcl b/infra/.terraform.lock.hcl
new file mode 100644
index 0000000..62b0363
--- /dev/null
+++ b/infra/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hetznercloud/hcloud" {
+ version = "1.33.2"
+ hashes = [
+ "h1:3Hx8p9LbcnHfBhy3nT7+unlc5rwkiSZjLt9SVQOSpB8=",
+ "zh:0a5d0f332d7dfe77fa27301094af98a185aabfb9f56d71b81936e03211e4d66f",
+ "zh:0e047859ee7296f335881933ccf8ce8c07aa47bef56d5449a81b85a2d9dac93a",
+ "zh:1d3d0896f518df9e245c3207ed231e528f5dcfe628508e7c3ceba4a2bfefaa7a",
+ "zh:1d7a31c8c490512896ce327ab220e950f1a2e30ee83cc2e58e69bbbfbbb87e72",
+ "zh:67cbb2492683cb22f6c54f26bee72aec140c8dd2d0881b2815d2ef80959fc751",
+ "zh:771062815e662979204ac2dc91c34c893f27670d67e02370e48124483d3c9838",
+ "zh:957ebb146898cd059c0cc8b4c32e574b61041d8b6a11cd854b3cc1d3baaeb3a9",
+ "zh:95dbd8634000b979213cb97b5d869cad78299ac994d0665d150c8dafc1390429",
+ "zh:a21b22b2e9d835e1b8b3b7e0b41a4d199171d62e9e9be78c444c700e96b31316",
+ "zh:aead1ba50640a51f20d574374f2c6065d9bfa4eea5ef044d1475873c33e58239",
+ "zh:cefabd0a78af40ea5cd08e1ca436c753df9b1c6496eb27281b755a2de1f167ab",
+ "zh:d98cffc5206b9a7550a23e13031a6f53566bd1ed3bf65314bc55ef12404d49ce",
+ "zh:dddaaf95b6aba701153659feff12c7bce6acc78362cb5ff8321a1a1cbf780cd9",
+ "zh:fd662b483250326a1bfbe5684c22c5083955a43e0773347eea35cd4c2cfe700e",
+ ]
+}
diff --git a/vault/.terraform.lock.hcl b/vault/.terraform.lock.hcl
new file mode 100644
index 0000000..d264696
--- /dev/null
+++ b/vault/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/vault" {
+ version = "3.7.0"
+ hashes = [
+ "h1:idawLPCbZgHIb+NRLJs4YdIcQgACqYiT5VwQfChkn+w=",
+ "zh:256b82692c560c76ad51414a2c003cadfa10338a9df333dbe22dd14a9ed16f95",
+ "zh:329ed8135a98bd6a000d014e40bc5981c6868cf50eedf454f1a1f72ac463bdf0",
+ "zh:3b32c18b492a6ac8e1ccac40d28cd42a88892ef8f3515291676136e3faac351c",
+ "zh:4c5ea8e80543b36b1999257a41c8b9cde852542251de82a94cff2f9d280ac2ec",
+ "zh:5d968ed305cde7aa3567a943cb2f5f8def54b40a2292b66027b1405a1cf28585",
+ "zh:60226d1a0a496a9a6c1d646800dd7e1bd1c4f5527e7307ff0bca9f4d0b5395e2",
+ "zh:71b11def501c994ee5305f24bd47ebfcca2314c5acca3efcdd209373d0068ac0",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:89be6b5db3be473bfd14422a9abf83245c4b22ce47a8fe463bbebf8e20958ab1",
+ "zh:8f91051d43ae309bb8f3f6a9659f0fd26b1b239faf671c139b4e9ad0d208db05",
+ "zh:b5114983273d3170878f657b92738b2c40953aedeef2e1840588ecaf1bc0827e",
+ "zh:fd56db01c5444dc8ca2e0ad2f13fc4c17735d0fdeb5960e23176fb3f5a5114d3",
+ ]
+}
diff --git a/vault/main.tf b/vault/main.tf
new file mode 100644
index 0000000..34b055b
--- /dev/null
+++ b/vault/main.tf
@@ -0,0 +1,33 @@
+terraform {
+ backend "consul" {
+ path = "terraform/vault"
+ }
+}
+provider vault {
+ token = var.vault_token
+}
+
+locals {
+ allowed_policies= [
+ "access-tables"
+ ]
+
+}
+resource "vault_token_auth_backend_role" "nomad-cluster" {
+ role_name = "nomad-cluster"
+ orphan = true
+ renewable = true
+ token_explicit_max_ttl = "0"
+ token_period = "259200"
+ allowed_policies = local.allowed_policies
+}
+
+
+
+resource "vault_mount" "kvv2-secret" {
+ path = "secrets"
+ type = "kv"
+ options = {
+ version = "2"
+ }
+}
diff --git a/vault/nomad-cluster-role.json b/vault/nomad-cluster-role.json
deleted file mode 100644
index ee26414..0000000
--- a/vault/nomad-cluster-role.json
+++ /dev/null
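Review bot: The `backend "consul"` block in main.tf sets only `path`, so the Consul address, scheme and ACL token that protect the state all come from the environment (`CONSUL_HTTP_ADDR`, `CONSUL_HTTP_TOKEN`) and nothing in the file records that; because Consul KV stores the state unencrypted, a comment such as `# State is kept in Consul KV under terraform/vault (clear text); address and ACL token come from CONSUL_HTTP_ADDR / CONSUL_HTTP_TOKEN, keep that key prefix read-restricted by Consul ACLs` would document the expectation. The `nomad-cluster` role also lost the context the deleted JSON carried: `# Periodic (72h) orphan tokens with no explicit max TTL; minted through auth/token/create/nomad-cluster by holders of nomad-server-policy (policy.tf)` would explain why `token_explicit_max_ttl` is 0. As far as I recall `token_explicit_max_ttl` and `token_period` are numeric arguments in the provider schema, so writing `token_explicit_max_ttl = 0` and `token_period = 259200` avoids relying on string-to-number conversion, and `terraform fmt` would normalise `allowed_policies= [` and the unquoted `provider vault` label.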
@@ -1,9 +0,0 @@
-{
- "allowed_policies": "access-tables",
- "disallowed_policies": "",
- "token_explicit_max_ttl": 0,
- "name": "nomad-cluster",
- "orphan": true,
- "token_period": 259200,
- "renewable": true
-}
diff --git a/vault/nomad-server-policy.hcl b/vault/nomad-server-policy.hcl
deleted file mode 100644
index 9511475..0000000
--- a/vault/nomad-server-policy.hcl
+++ /dev/null
@@ -1,41 +0,0 @@
-# Allow creating tokens under "nomad-cluster" token role. The token role name
-# should be updated if "nomad-cluster" is not used.
-path "auth/token/create/nomad-cluster" {
- capabilities = ["update"]
-}
-
-# Allow looking up "nomad-cluster" token role. The token role name should be
-# updated if "nomad-cluster" is not used.
-path "auth/token/roles/nomad-cluster" {
- capabilities = ["read"]
-}
-
-# Allow looking up the token passed to Nomad to validate # the token has the
-# proper capabilities. This is provided by the "default" policy.
-path "auth/token/lookup-self" {
- capabilities = ["read"]
-}
-
-# Allow looking up incoming tokens to validate they have permissions to access
-# the tokens they are requesting. This is only required if
-# `allow_unauthenticated` is set to false.
-path "auth/token/lookup" {
- capabilities = ["update"]
-}
-
-# Allow revoking tokens that should no longer exist. This allows revoking
-# tokens for dead tasks.
-path "auth/token/revoke-accessor" {
- capabilities = ["update"]
-}
-
-# Allow checking the capabilities of our own token. This is used to validate the
-# token upon startup.
-path "sys/capabilities-self" {
- capabilities = ["update"]
-}
-
-# Allow our own token to be renewed.
-path "auth/token/renew-self" {
- capabilities = ["update"]
-}
diff --git a/vault/policy.tf b/vault/policy.tf
new file mode 100644
index 0000000..4919dcd
--- /dev/null
+++ b/vault/policy.tf
@@ -0,0 +1,73 @@
+
+data "vault_policy_document" "nomad_server_policy" {
+ rule {
+ path = "auth/token/create/nomad-cluster"
+ capabilities = ["update"]
+ }
+ rule {
+ path = "auth/token/roles/nomad-cluster"
+ capabilities = ["read"]
+ }
+
+ rule {
+ path = "auth/token/lookup"
+ capabilities = ["update"]
+ }
+ rule {
+ path = "sys/capabilities-self"
+ capabilities = ["update"]
+ }
+
+ rule {
+ path = "auth/token/revoke-accessor"
+ capabilities = ["update"]
+ }
+
+ rule {
+ path = "sys/capabilities-self"
+ capabilities = ["update"]
+ }
+ rule {
+ path = "auth/token/renew-self"
+ capabilities = ["update"]
+ }
+}
+
+resource "vault_policy" "nomad-server-policy" {
+ name = "nomad-server-policy"
+ policy = data.vault_policy_document.nomad_server_policy.hcl
+}
+
+
+data "vault_policy_document" "access-tables" {
+
+ rule {
+ path = "secrets/*"
+ capabilities= ["read","list"]
+ }
+
+ rule {
+ path = "secrets/ansible"
+ capabilities = ["deny"]
+ }
+}
+
+resource "vault_policy" "access-tables" {
+ name = "access-tables"
+ policy = data.vault_policy_document.access-tables.hcl
+}
+
+data "vault_policy_document" "ansible" {
+ rule {
+ path = "secrets/data/ansible/*"
+ capabilities = ["read", "list"]
+ }
+ rule {
+ path = "secrets/data/ansible"
+ capabilities = ["read", "list"]
+ }
+}
+resource "vault_policy" "ansible" {
+ name = "ansible"
+ policy= data.vault_policy_document.ansible.hcl
+}
diff --git a/vault/variable.tf b/vault/variable.tf
new file mode 100644
index 0000000..94947eb
--- /dev/null
+++ b/vault/variable.tf
@@ -0,0 +1,3 @@
+variable vault_token {
+
+}
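Review bot: The `deny` rule on `secrets/ansible` in the `access-tables` document does not protect the ansible secrets: the `secrets` mount is KV version 2 (main.tf in this commit), so reads are served under `secrets/data/ansible/...` and listings under `secrets/metadata/ansible/...` — the very paths the `ansible` document below uses — and those requests match only the `secrets/*` read/list rule, since `secrets/ansible` without a glob is an exact match on a path KV v2 never serves. The deny has to name the KV v2 data and metadata paths, and I would narrow the grant from the whole mount to `secrets/data/*` and `secrets/metadata/*` at the same time (the rewrite below does both; keep `secrets/*` if the broader grant is intended). Separately, `nomad_server_policy` contains the `sys/capabilities-self` rule twice (once after the `auth/token/lookup` rule and again before `auth/token/renew-self`), and the per-path comments from the deleted `nomad-server-policy.hcl` explaining why Nomad needs each capability were dropped; `rule` blocks take a `description` argument that could carry them.
```hcl
data "vault_policy_document" "access-tables" {
  rule {
    path         = "secrets/data/*"
    capabilities = ["read", "list"]
  }
  rule {
    path         = "secrets/metadata/*"
    capabilities = ["read", "list"]
  }
  # KV v2 routes reads through data/ and listings through metadata/; the deny
  # must name those paths so it is the most specific match and wins over the globs.
  rule {
    path         = "secrets/data/ansible"
    capabilities = ["deny"]
  }
  rule {
    path         = "secrets/data/ansible/*"
    capabilities = ["deny"]
  }
  rule {
    path         = "secrets/metadata/ansible"
    capabilities = ["deny"]
  }
  rule {
    path         = "secrets/metadata/ansible/*"
    capabilities = ["deny"]
  }
}
# … unchanged: resource "vault_policy" "access-tables" and the other documents …
```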
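Review bot: `variable vault_token` in variable.tf is declared without `sensitive = true`, so the Vault token handed to the provider is not redacted anywhere Terraform prints the variable's value (diagnostics, `terraform console`, anything derived from it), and the declaration also has no type or description. I would write `type        = string`, `sensitive   = true` and `description = "Vault token for the provider; supply via TF_VAR_vault_token or a git-ignored .tfvars file"` inside the block, and quote the label as `variable "vault_token" {` as `terraform fmt` would. The Vault provider also reads `VAULT_TOKEN` from the environment, so if the token is only ever supplied that way the variable and the `token = var.vault_token` line in main.tf could be dropped altogether.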