switch vault config in terraform
This commit is contained in:
vincent
parent
4e5168d2b0
commit
5100e95930
37
.gitignore
vendored
37
.gitignore
vendored
@ -1 +1,38 @@
|
||||
nohup.out
|
||||
|
||||
# terraform gitignore
|
||||
# Local .terraform directories
|
||||
**/.terraform/*
|
||||
|
||||
# .tfstate files
|
||||
*.tfstate
|
||||
*.tfstate.*
|
||||
|
||||
# Crash log files
|
||||
crash.log
|
||||
crash.*.log
|
||||
|
||||
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
|
||||
# password, private keys, and other secrets. These should not be part of version
|
||||
# control as they are data points which are potentially sensitive and subject
|
||||
# to change depending on the environment.
|
||||
*.tfvars
|
||||
*.tfvars.json
|
||||
|
||||
# Ignore override files as they are usually used to override resources locally and so
|
||||
# are not checked in
|
||||
override.tf
|
||||
override.tf.json
|
||||
*_override.tf
|
||||
*_override.tf.json
|
||||
|
||||
# Include override files you do wish to add to version control using negated pattern
|
||||
# !example_override.tf
|
||||
|
||||
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
|
||||
# example: *tfplan*
|
||||
|
||||
# Ignore CLI configuration files
|
||||
.terraformrc
|
||||
terraform.rc
|
||||
|
||||
|
||||
36
infra/.gitignore
vendored
36
infra/.gitignore
vendored
@ -1,36 +0,0 @@
|
||||
# Local .terraform directories
|
||||
**/.terraform/*
|
||||
|
||||
# .tfstate files
|
||||
*.tfstate
|
||||
*.tfstate.*
|
||||
|
||||
# Crash log files
|
||||
crash.log
|
||||
crash.*.log
|
||||
|
||||
# Exclude all .tfvars files, which are likely to contain sensitive data, such as
|
||||
# password, private keys, and other secrets. These should not be part of version
|
||||
# control as they are data points which are potentially sensitive and subject
|
||||
# to change depending on the environment.
|
||||
*.tfvars
|
||||
*.tfvars.json
|
||||
|
||||
# Ignore override files as they are usually used to override resources locally and so
|
||||
# are not checked in
|
||||
override.tf
|
||||
override.tf.json
|
||||
*_override.tf
|
||||
*_override.tf.json
|
||||
|
||||
# Include override files you do wish to add to version control using negated pattern
|
||||
# !example_override.tf
|
||||
|
||||
# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
|
||||
# example: *tfplan*
|
||||
|
||||
# Ignore CLI configuration files
|
||||
.terraformrc
|
||||
.terraform.lock.hcl
|
||||
|
||||
terraform.rc
|
||||
23
infra/.terraform.lock.hcl
Normal file
23
infra/.terraform.lock.hcl
Normal file
@ -0,0 +1,23 @@
|
||||
# This file is maintained automatically by "terraform init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hetznercloud/hcloud" {
|
||||
version = "1.33.2"
|
||||
hashes = [
|
||||
"h1:3Hx8p9LbcnHfBhy3nT7+unlc5rwkiSZjLt9SVQOSpB8=",
|
||||
"zh:0a5d0f332d7dfe77fa27301094af98a185aabfb9f56d71b81936e03211e4d66f",
|
||||
"zh:0e047859ee7296f335881933ccf8ce8c07aa47bef56d5449a81b85a2d9dac93a",
|
||||
"zh:1d3d0896f518df9e245c3207ed231e528f5dcfe628508e7c3ceba4a2bfefaa7a",
|
||||
"zh:1d7a31c8c490512896ce327ab220e950f1a2e30ee83cc2e58e69bbbfbbb87e72",
|
||||
"zh:67cbb2492683cb22f6c54f26bee72aec140c8dd2d0881b2815d2ef80959fc751",
|
||||
"zh:771062815e662979204ac2dc91c34c893f27670d67e02370e48124483d3c9838",
|
||||
"zh:957ebb146898cd059c0cc8b4c32e574b61041d8b6a11cd854b3cc1d3baaeb3a9",
|
||||
"zh:95dbd8634000b979213cb97b5d869cad78299ac994d0665d150c8dafc1390429",
|
||||
"zh:a21b22b2e9d835e1b8b3b7e0b41a4d199171d62e9e9be78c444c700e96b31316",
|
||||
"zh:aead1ba50640a51f20d574374f2c6065d9bfa4eea5ef044d1475873c33e58239",
|
||||
"zh:cefabd0a78af40ea5cd08e1ca436c753df9b1c6496eb27281b755a2de1f167ab",
|
||||
"zh:d98cffc5206b9a7550a23e13031a6f53566bd1ed3bf65314bc55ef12404d49ce",
|
||||
"zh:dddaaf95b6aba701153659feff12c7bce6acc78362cb5ff8321a1a1cbf780cd9",
|
||||
"zh:fd662b483250326a1bfbe5684c22c5083955a43e0773347eea35cd4c2cfe700e",
|
||||
]
|
||||
}
|
||||
21
vault/.terraform.lock.hcl
Normal file
21
vault/.terraform.lock.hcl
Normal file
@ -0,0 +1,21 @@
|
||||
# This file is maintained automatically by "terraform init".
|
||||
# Manual edits may be lost in future updates.
|
||||
|
||||
provider "registry.terraform.io/hashicorp/vault" {
|
||||
version = "3.7.0"
|
||||
hashes = [
|
||||
"h1:idawLPCbZgHIb+NRLJs4YdIcQgACqYiT5VwQfChkn+w=",
|
||||
"zh:256b82692c560c76ad51414a2c003cadfa10338a9df333dbe22dd14a9ed16f95",
|
||||
"zh:329ed8135a98bd6a000d014e40bc5981c6868cf50eedf454f1a1f72ac463bdf0",
|
||||
"zh:3b32c18b492a6ac8e1ccac40d28cd42a88892ef8f3515291676136e3faac351c",
|
||||
"zh:4c5ea8e80543b36b1999257a41c8b9cde852542251de82a94cff2f9d280ac2ec",
|
||||
"zh:5d968ed305cde7aa3567a943cb2f5f8def54b40a2292b66027b1405a1cf28585",
|
||||
"zh:60226d1a0a496a9a6c1d646800dd7e1bd1c4f5527e7307ff0bca9f4d0b5395e2",
|
||||
"zh:71b11def501c994ee5305f24bd47ebfcca2314c5acca3efcdd209373d0068ac0",
|
||||
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
|
||||
"zh:89be6b5db3be473bfd14422a9abf83245c4b22ce47a8fe463bbebf8e20958ab1",
|
||||
"zh:8f91051d43ae309bb8f3f6a9659f0fd26b1b239faf671c139b4e9ad0d208db05",
|
||||
"zh:b5114983273d3170878f657b92738b2c40953aedeef2e1840588ecaf1bc0827e",
|
||||
"zh:fd56db01c5444dc8ca2e0ad2f13fc4c17735d0fdeb5960e23176fb3f5a5114d3",
|
||||
]
|
||||
}
|
||||
33
vault/main.tf
Normal file
33
vault/main.tf
Normal file
@ -0,0 +1,33 @@
|
||||
terraform {
|
||||
backend "consul" {
|
||||
path = "terraform/vault"
|
||||
}
|
||||
}
|
||||
provider vault {
|
||||
token = var.vault_token
|
||||
}
|
||||
|
||||
locals {
|
||||
allowed_policies= [
|
||||
"access-tables"
|
||||
]
|
||||
|
||||
}
|
||||
resource "vault_token_auth_backend_role" "nomad-cluster" {
|
||||
role_name = "nomad-cluster"
|
||||
orphan = true
|
||||
renewable = true
|
||||
token_explicit_max_ttl = "0"
|
||||
token_period = "259200"
|
||||
allowed_policies = local.allowed_policies
|
||||
}
|
||||
|
||||
|
||||
|
||||
resource "vault_mount" "kvv2-secret" {
|
||||
path = "secrets"
|
||||
type = "kv"
|
||||
options = {
|
||||
version = "2"
|
||||
}
|
||||
}
|
||||
@ -1,9 +0,0 @@
|
||||
{
|
||||
"allowed_policies": "access-tables",
|
||||
"disallowed_policies": "",
|
||||
"token_explicit_max_ttl": 0,
|
||||
"name": "nomad-cluster",
|
||||
"orphan": true,
|
||||
"token_period": 259200,
|
||||
"renewable": true
|
||||
}
|
||||
@ -1,41 +0,0 @@
|
||||
# Allow creating tokens under "nomad-cluster" token role. The token role name
|
||||
# should be updated if "nomad-cluster" is not used.
|
||||
path "auth/token/create/nomad-cluster" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow looking up "nomad-cluster" token role. The token role name should be
|
||||
# updated if "nomad-cluster" is not used.
|
||||
path "auth/token/roles/nomad-cluster" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up the token passed to Nomad to validate # the token has the
|
||||
# proper capabilities. This is provided by the "default" policy.
|
||||
path "auth/token/lookup-self" {
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
# Allow looking up incoming tokens to validate they have permissions to access
|
||||
# the tokens they are requesting. This is only required if
|
||||
# `allow_unauthenticated` is set to false.
|
||||
path "auth/token/lookup" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow revoking tokens that should no longer exist. This allows revoking
|
||||
# tokens for dead tasks.
|
||||
path "auth/token/revoke-accessor" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow checking the capabilities of our own token. This is used to validate the
|
||||
# token upon startup.
|
||||
path "sys/capabilities-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
# Allow our own token to be renewed.
|
||||
path "auth/token/renew-self" {
|
||||
capabilities = ["update"]
|
||||
}
|
||||
73
vault/policy.tf
Normal file
73
vault/policy.tf
Normal file
@ -0,0 +1,73 @@
|
||||
|
||||
data "vault_policy_document" "nomad_server_policy" {
|
||||
rule {
|
||||
path = "auth/token/create/nomad-cluster"
|
||||
capabilities = ["update"]
|
||||
}
|
||||
rule {
|
||||
path = "auth/token/roles/nomad-cluster"
|
||||
capabilities = ["read"]
|
||||
}
|
||||
|
||||
rule {
|
||||
path = "auth/token/lookup"
|
||||
capabilities = ["update"]
|
||||
}
|
||||
rule {
|
||||
path = "sys/capabilities-self"
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
rule {
|
||||
path = "auth/token/revoke-accessor"
|
||||
capabilities = ["update"]
|
||||
}
|
||||
|
||||
rule {
|
||||
path = "sys/capabilities-self"
|
||||
capabilities = ["update"]
|
||||
}
|
||||
rule {
|
||||
path = "auth/token/renew-self"
|
||||
capabilities = ["update"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_policy" "nomad-server-policy" {
|
||||
name = "nomad-server-policy"
|
||||
policy = data.vault_policy_document.nomad_server_policy.hcl
|
||||
}
|
||||
|
||||
|
||||
data "vault_policy_document" "access-tables" {
|
||||
|
||||
rule {
|
||||
path = "secrets/*"
|
||||
capabilities= ["read","list"]
|
||||
}
|
||||
|
||||
rule {
|
||||
path = "secrets/ansible"
|
||||
capabilities = ["deny"]
|
||||
}
|
||||
}
|
||||
|
||||
resource "vault_policy" "access-tables" {
|
||||
name = "access-tables"
|
||||
policy = data.vault_policy_document.access-tables.hcl
|
||||
}
|
||||
|
||||
data "vault_policy_document" "ansible" {
|
||||
rule {
|
||||
path = "secrets/data/ansible/*"
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
rule {
|
||||
path = "secrets/data/ansible"
|
||||
capabilities = ["read", "list"]
|
||||
}
|
||||
}
|
||||
resource "vault_policy" "ansible" {
|
||||
name = "ansible"
|
||||
policy= data.vault_policy_document.ansible.hcl
|
||||
}
|
||||
3
vault/variable.tf
Normal file
3
vault/variable.tf
Normal file
@ -0,0 +1,3 @@
|
||||
variable vault_token {
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user