switch vault config in terraform

This commit is contained in:
vincent 2022-07-15 14:06:31 +02:00
parent 4e5168d2b0
commit 5100e95930
9 changed files with 190 additions and 86 deletions

37
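--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,38 @@
 nohup.out
+# terraform gitignore
+# Local .terraform directories
+**/.terraform/*
+# .tfstate files
+*.tfstate
+*.tfstate.*
+# Crash log files
+crash.log
+crash.*.log
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc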

36
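--- a/infra/.gitignore
+++ b/infra/.gitignore
@@ -1,36 +0,0 @@
-# Local .terraform directories
-**/.terraform/*
-# .tfstate files
-*.tfstate
-*.tfstate.*
-# Crash log files
-crash.log
-crash.*.log
-# Exclude all .tfvars files, which are likely to contain sensitive data, such as
-# password, private keys, and other secrets. These should not be part of version
-# control as they are data points which are potentially sensitive and subject
-# to change depending on the environment.
-*.tfvars
-*.tfvars.json
-# Ignore override files as they are usually used to override resources locally and so
-# are not checked in
-override.tf
-override.tf.json
-*_override.tf
-*_override.tf.json
-# Include override files you do wish to add to version control using negated pattern
-# !example_override.tf
-# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
-# example: *tfplan*
-# Ignore CLI configuration files
-.terraformrc
-.terraform.lock.hcl
-terraform.rc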

23
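--- a/infra/.terraform.lock.hcl
+++ b/infra/.terraform.lock.hcl
@@ -0,0 +1,23 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+provider "registry.terraform.io/hetznercloud/hcloud" {
+version = "1.33.2"
+hashes = [
+"h1:3Hx8p9LbcnHfBhy3nT7+unlc5rwkiSZjLt9SVQOSpB8=",
+"zh:0a5d0f332d7dfe77fa27301094af98a185aabfb9f56d71b81936e03211e4d66f",
+"zh:0e047859ee7296f335881933ccf8ce8c07aa47bef56d5449a81b85a2d9dac93a",
+"zh:1d3d0896f518df9e245c3207ed231e528f5dcfe628508e7c3ceba4a2bfefaa7a",
+"zh:1d7a31c8c490512896ce327ab220e950f1a2e30ee83cc2e58e69bbbfbbb87e72",
+"zh:67cbb2492683cb22f6c54f26bee72aec140c8dd2d0881b2815d2ef80959fc751",
+"zh:771062815e662979204ac2dc91c34c893f27670d67e02370e48124483d3c9838",
+"zh:957ebb146898cd059c0cc8b4c32e574b61041d8b6a11cd854b3cc1d3baaeb3a9",
+"zh:95dbd8634000b979213cb97b5d869cad78299ac994d0665d150c8dafc1390429",
+"zh:a21b22b2e9d835e1b8b3b7e0b41a4d199171d62e9e9be78c444c700e96b31316",
+"zh:aead1ba50640a51f20d574374f2c6065d9bfa4eea5ef044d1475873c33e58239",
+"zh:cefabd0a78af40ea5cd08e1ca436c753df9b1c6496eb27281b755a2de1f167ab",
+"zh:d98cffc5206b9a7550a23e13031a6f53566bd1ed3bf65314bc55ef12404d49ce",
+"zh:dddaaf95b6aba701153659feff12c7bce6acc78362cb5ff8321a1a1cbf780cd9",
+"zh:fd662b483250326a1bfbe5684c22c5083955a43e0773347eea35cd4c2cfe700e",
+]
+}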

21
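--- a/vault/.terraform.lock.hcl
+++ b/vault/.terraform.lock.hcl
@@ -0,0 +1,21 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+provider "registry.terraform.io/hashicorp/vault" {
+version = "3.7.0"
+hashes = [
+"h1:idawLPCbZgHIb+NRLJs4YdIcQgACqYiT5VwQfChkn+w=",
+"zh:256b82692c560c76ad51414a2c003cadfa10338a9df333dbe22dd14a9ed16f95",
+"zh:329ed8135a98bd6a000d014e40bc5981c6868cf50eedf454f1a1f72ac463bdf0",
+"zh:3b32c18b492a6ac8e1ccac40d28cd42a88892ef8f3515291676136e3faac351c",
+"zh:4c5ea8e80543b36b1999257a41c8b9cde852542251de82a94cff2f9d280ac2ec",
+"zh:5d968ed305cde7aa3567a943cb2f5f8def54b40a2292b66027b1405a1cf28585",
+"zh:60226d1a0a496a9a6c1d646800dd7e1bd1c4f5527e7307ff0bca9f4d0b5395e2",
+"zh:71b11def501c994ee5305f24bd47ebfcca2314c5acca3efcdd209373d0068ac0",
+"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+"zh:89be6b5db3be473bfd14422a9abf83245c4b22ce47a8fe463bbebf8e20958ab1",
+"zh:8f91051d43ae309bb8f3f6a9659f0fd26b1b239faf671c139b4e9ad0d208db05",
+"zh:b5114983273d3170878f657b92738b2c40953aedeef2e1840588ecaf1bc0827e",
+"zh:fd56db01c5444dc8ca2e0ad2f13fc4c17735d0fdeb5960e23176fb3f5a5114d3",
+]
+}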

33
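--- a/vault/main.tf
+++ b/vault/main.tf
@@ -0,0 +1,33 @@
+terraform {
+backend "consul" {
+path = "terraform/vault"
+}
+}
+provider vault {
+token = var.vault_token
+}
+locals {
+allowed_policies= [
+"access-tables"
+]
+}
+resource "vault_token_auth_backend_role" "nomad-cluster" {
+role_name = "nomad-cluster"
+orphan = true
+renewable = true
+token_explicit_max_ttl = "0"
+token_period = "259200"
+allowed_policies = local.allowed_policies
+}
+resource "vault_mount" "kvv2-secret" {
+path = "secrets"
+type = "kv"
+options = {
+version = "2"
+}
+}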
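Review bot: `provider vault {` uses the unquoted legacy label form; `terraform fmt` and current HCL expect `provider "vault" {`, and `allowed_policies= [` in the locals block would be reformatted the same way. The token role carries over the settings of the deleted nomad-cluster JSON (`orphan = true`, `renewable = true`, `token_explicit_max_ttl = "0"`, `token_period = "259200"`), which means the tokens it issues are periodic with no overall maximum lifetime and are not revoked together with their parent; none of that is explained in the file now that the commented policy file is gone. A comment on the resource such as `# Token role used by the Nomad servers: periodic (72h) orphan tokens with no explicit max TTL` would make the intent visible to the next reader. The `vault_mount` block is the only place that records that `secrets` is a KV version 2 mount, which matters for how paths in vault/policy.tf must be written.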


@ -1,9 +0,0 @@
{
"allowed_policies": "access-tables",
"disallowed_policies": "",
"token_explicit_max_ttl": 0,
"name": "nomad-cluster",
"orphan": true,
"token_period": 259200,
"renewable": true
}


@ -1,41 +0,0 @@
# Allow creating tokens under "nomad-cluster" token role. The token role name
# should be updated if "nomad-cluster" is not used.
path "auth/token/create/nomad-cluster" {
capabilities = ["update"]
}
# Allow looking up "nomad-cluster" token role. The token role name should be
# updated if "nomad-cluster" is not used.
path "auth/token/roles/nomad-cluster" {
capabilities = ["read"]
}
# Allow looking up the token passed to Nomad to validate # the token has the
# proper capabilities. This is provided by the "default" policy.
path "auth/token/lookup-self" {
capabilities = ["read"]
}
# Allow looking up incoming tokens to validate they have permissions to access
# the tokens they are requesting. This is only required if
# `allow_unauthenticated` is set to false.
path "auth/token/lookup" {
capabilities = ["update"]
}
# Allow revoking tokens that should no longer exist. This allows revoking
# tokens for dead tasks.
path "auth/token/revoke-accessor" {
capabilities = ["update"]
}
# Allow checking the capabilities of our own token. This is used to validate the
# token upon startup.
path "sys/capabilities-self" {
capabilities = ["update"]
}
# Allow our own token to be renewed.
path "auth/token/renew-self" {
capabilities = ["update"]
}

73
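--- a/vault/policy.tf
+++ b/vault/policy.tf
@@ -0,0 +1,73 @@
+data "vault_policy_document" "nomad_server_policy" {
+rule {
+path = "auth/token/create/nomad-cluster"
+capabilities = ["update"]
+}
+rule {
+path = "auth/token/roles/nomad-cluster"
+capabilities = ["read"]
+}
+rule {
+path = "auth/token/lookup"
+capabilities = ["update"]
+}
+rule {
+path = "sys/capabilities-self"
+capabilities = ["update"]
+}
+rule {
+path = "auth/token/revoke-accessor"
+capabilities = ["update"]
+}
+rule {
+path = "sys/capabilities-self"
+capabilities = ["update"]
+}
+rule {
+path = "auth/token/renew-self"
+capabilities = ["update"]
+}
+}
+resource "vault_policy" "nomad-server-policy" {
+name = "nomad-server-policy"
+policy = data.vault_policy_document.nomad_server_policy.hcl
+}
+data "vault_policy_document" "access-tables" {
+rule {
+path = "secrets/*"
+capabilities= ["read","list"]
+}
+rule {
+path = "secrets/ansible"
+capabilities = ["deny"]
+}
+}
+resource "vault_policy" "access-tables" {
+name = "access-tables"
+policy = data.vault_policy_document.access-tables.hcl
+}
+data "vault_policy_document" "ansible" {
+rule {
+path = "secrets/data/ansible/*"
+capabilities = ["read", "list"]
+}
+rule {
+path = "secrets/data/ansible"
+capabilities = ["read", "list"]
+}
+}
+resource "vault_policy" "ansible" {
+name = "ansible"
+policy= data.vault_policy_document.ansible.hcl
+}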
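Review bot: The `deny` rule on `secrets/ansible` in the access-tables document does not cover what the mount actually serves: vault/main.tf creates `secrets` as a KV version 2 mount, whose reads and lists go to `secrets/data/ansible…` and `secrets/metadata/ansible…`, and those request paths match the `secrets/*` read/list rule rather than the exact-path deny, so tokens issued from the nomad-cluster role (which gets access-tables) can read the ansible secrets this rule is meant to exclude. The deny rules have to name the `data/` and `metadata/` paths, as the ansible document already does for its allow rules; the rewritten document is below. In nomad_server_policy the `sys/capabilities-self` rule appears twice (the fourth and sixth rule); the deleted policy file had `auth/token/lookup-self` with `read` in that position, and its comment said the default policy provides it, so confirm the drop was intentional rather than a copy error. The ansible document grants `list` on `secrets/data/ansible/*`, but KV v2 list operations go through `secrets/metadata/ansible/*`, so listing will fail until that path is added. `terraform fmt` would also normalise `capabilities= ["read","list"]` and `policy= data…`.

```hcl
data "vault_policy_document" "access-tables" {
  # … unchanged: secrets/* read,list rule …
  # "secrets" is a KV v2 mount (see vault/main.tf): requests are served under
  # data/ and metadata/, so the exclusion must name those paths to take
  # precedence over the secrets/* glob above.
  rule {
    path         = "secrets/data/ansible"
    capabilities = ["deny"]
  }
  rule {
    path         = "secrets/data/ansible/*"
    capabilities = ["deny"]
  }
  rule {
    path         = "secrets/metadata/ansible"
    capabilities = ["deny"]
  }
  rule {
    path         = "secrets/metadata/ansible/*"
    capabilities = ["deny"]
  }
}
```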

3
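--- a/vault/variable.tf
+++ b/vault/variable.tf
@@ -0,0 +1,3 @@
+variable vault_token {
+}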
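Review bot: `vault_token` is declared without a type or a `sensitive` flag, so the Vault token passed to the provider in vault/main.tf can be echoed in `terraform plan`/`apply` output and in any logs that capture it; declare it as `variable "vault_token" {`, `type = string`, `sensitive = true` (the checked-in `.terraform.lock.hcl` files indicate a Terraform version recent enough to support `sensitive`). A `description` stating that this is the token used to apply the Vault configuration would also help. Since the vault provider reads `VAULT_TOKEN` from the environment when `token` is not set, the variable may not be needed at all, which would keep the token out of the configuration entirely.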