refactor vault: dedicated teraform file

This commit is contained in:
vincent 2022-11-29 19:02:29 +01:00
parent 0ecb686bfc
commit d9719a0077
3 changed files with 63 additions and 58 deletions


@ -22,6 +22,10 @@ data "vault_policy_document" "drone-vault" {
path = "secrets/data/droneCI/*" path = "secrets/data/droneCI/*"
capabilities = ["read", "list"] capabilities = ["read", "list"]
} }
rule {
path = "secrets/data/droneCI"
capabilities = ["read", "list"]
}
} }
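Review bot: The new rule grants `list` on `secrets/data/droneCI`, but on a KV v2 mount (the `data/` prefix and the mount name `kvv2-secret` elsewhere in this commit indicate one) listing is served from the `metadata/` path, so `list` on a `data/` path grants nothing usable; the same applies to the existing `secrets/data/droneCI/*` rule above it. If Drone only reads known keys, the added rule should be `capabilities = ["read"]`. If it genuinely needs to enumerate secrets, add a separate rule on `secrets/metadata/droneCI` and `secrets/metadata/droneCI/*` with `["list"]` only, so enumeration is not bundled with read on the data path. The `data "vault_policy_document" "drone-vault"` block starts before this hunk.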


@ -6,64 +6,6 @@ terraform {
provider vault { provider vault {
} }
locals {
allowed_policies= concat(local.nomad_policy, [
])
nomad_policy=[
"crowdsec",
"dump",
"dentrite",
"droneCI",
"gandi",
"gitea",
"nextcloud",
"paperless",
"pihole",
"prometheus",
"rsyncd",
"seedbox",
"supysonic",
"ttrss",
"vaultwarden",
"wikijs",
"vikunja",
]
}
resource "vault_token_auth_backend_role" "nomad-cluster" {
role_name = "nomad-cluster"
orphan = true
renewable = true
token_explicit_max_ttl = "0"
token_period = "259200"
allowed_policies = local.allowed_policies
}
data "vault_policy_document" "nomad_jobs" {
for_each = toset(local.nomad_policy)
rule {
path = "secrets/data/nomad/${each.key}"
capabilities = ["read"]
}
rule {
path = "secrets/data/nomad/${each.key}/*"
capabilities = ["read"]
}
rule {
path = "secrets/data/database/${each.key}"
capabilities = ["read"]
}
}
resource "vault_policy" "nomad_jobs" {
for_each = toset(local.nomad_policy)
name = each.key
policy = data.vault_policy_document.nomad_jobs[each.key].hcl
}
resource "vault_mount" "kvv2-secret" { resource "vault_mount" "kvv2-secret" {
path = "secrets" path = "secrets"
type = "kv" type = "kv"

59
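--- /dev/null
+++ b/vault/nomad.tf
+locals {
+allowed_policies= concat(local.nomad_policy, [
+])
+nomad_policy=[
+"crowdsec",
+"dump",
+"dentrite",
+"droneCI",
+"gandi",
+"gitea",
+"nextcloud",
+"paperless",
+"pihole",
+"prometheus",
+"rsyncd",
+"seedbox",
+"supysonic",
+"ttrss",
+"vaultwarden",
+"wikijs",
+"vikunja",
+]
+}
+resource "vault_token_auth_backend_role" "nomad-cluster" {
+role_name = "nomad-cluster"
+orphan = true
+renewable = true
+token_explicit_max_ttl = "0"
+token_period = "259200"
+allowed_policies = local.allowed_policies
+}
+data "vault_policy_document" "nomad_jobs" {
+for_each = toset(local.nomad_policy)
+rule {
+path = "secrets/data/nomad/${each.key}"
+capabilities = ["read"]
+}
+rule {
+path = "secrets/data/nomad/${each.key}/*"
+capabilities = ["read"]
+}
+rule {
+path = "secrets/data/database/${each.key}"
+capabilities = ["read"]
+}
+}
+resource "vault_policy" "nomad_jobs" {
+for_each = toset(local.nomad_policy)
+name = each.key
+policy = data.vault_policy_document.nomad_jobs[each.key].hcl
+}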