refactor vault: dedicated teraform file

2022-11-29 19:02:29 +01:00 · 2022-11-29 19:02:29 +01:00 · d9719a0077
commit d9719a0077
parent 0ecb686bfc
3 changed files with 63 additions and 58 deletions
--- a/vault/drone-vault.tf
+++ b/vault/drone-vault.tf
@ -22,6 +22,10 @@ data "vault_policy_document" "drone-vault" {
      path = "secrets/data/droneCI/*"
      capabilities = ["read", "list"]
   }
+  rule {
+      path = "secrets/data/droneCI"
+      capabilities = ["read", "list"]
+   }

 }

--- a/vault/main.tf
+++ b/vault/main.tf
@ -6,64 +6,6 @@ terraform {
 provider vault {
 }

-locals {
-  allowed_policies= concat(local.nomad_policy, [
-  ])
- 
-  nomad_policy=[
-    "crowdsec",
-    "dump",
-    "dentrite",
-    "droneCI",
-    "gandi",
-    "gitea",
-    "nextcloud",
-    "paperless",
-    "pihole",
-    "prometheus",
-    "rsyncd",
-    "seedbox",
-    "supysonic",
-    "ttrss",
-    "vaultwarden",
-    "wikijs",
-    "vikunja",
-  ]
-
-}
-resource "vault_token_auth_backend_role" "nomad-cluster" {
-  role_name              = "nomad-cluster"
-  orphan                 = true
-  renewable              = true
-  token_explicit_max_ttl = "0"
-  token_period           = "259200"
-  allowed_policies       = local.allowed_policies
-}
-
-data "vault_policy_document" "nomad_jobs" {
-  for_each = toset(local.nomad_policy)
-
-  rule {
-    path         = "secrets/data/nomad/${each.key}"
-    capabilities = ["read"]
-  }
-  rule {
-    path         = "secrets/data/nomad/${each.key}/*"
-    capabilities = ["read"]
-  }
-  rule {
-    path = "secrets/data/database/${each.key}"
-    capabilities = ["read"]
-  }
-}
-resource "vault_policy" "nomad_jobs" {
-    for_each = toset(local.nomad_policy)
-
-    name   = each.key
-    policy = data.vault_policy_document.nomad_jobs[each.key].hcl
-}
-
-
 resource "vault_mount" "kvv2-secret" {
  path = "secrets"
  type = "kv"
--- a/vault/nomad.tf
+++ b/vault/nomad.tf
@ -0,0 +1,59 @@
+locals {
+  allowed_policies= concat(local.nomad_policy, [
+  ])
+ 
+  nomad_policy=[
+    "crowdsec",
+    "dump",
+    "dentrite",
+    "droneCI",
+    "gandi",
+    "gitea",
+    "nextcloud",
+    "paperless",
+    "pihole",
+    "prometheus",
+    "rsyncd",
+    "seedbox",
+    "supysonic",
+    "ttrss",
+    "vaultwarden",
+    "wikijs",
+    "vikunja",
+  ]
+
+}
+resource "vault_token_auth_backend_role" "nomad-cluster" {
+  role_name              = "nomad-cluster"
+  orphan                 = true
+  renewable              = true
+  token_explicit_max_ttl = "0"
+  token_period           = "259200"
+  allowed_policies       = local.allowed_policies
+}
+
+data "vault_policy_document" "nomad_jobs" {
+  for_each = toset(local.nomad_policy)
+
+  rule {
+    path         = "secrets/data/nomad/${each.key}"
+    capabilities = ["read"]
+  }
+  rule {
+    path         = "secrets/data/nomad/${each.key}/*"
+    capabilities = ["read"]
+  }
+  rule {
+    path = "secrets/data/database/${each.key}"
+    capabilities = ["read"]
+  }
+}
+resource "vault_policy" "nomad_jobs" {
+    for_each = toset(local.nomad_policy)
+
+    name   = each.key
+    policy = data.vault_policy_document.nomad_jobs[each.key].hcl
+}
+
+
+