From 3597adb2fb39bf279f8142b85f1bcac6cbf8ed84 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 12:59:54 +0200
Subject: [PATCH] feat: add default admin policy

---
 README.md | 10 ++++++++--
 extra_policies.tf | 14 +++++++-------
 policies/tenant-admins.policy.hcl | 7 +++++++
 variables.tf | 1 +
 4 files changed, 23 insertions(+), 9 deletions(-)
 create mode 100644 policies/tenant-admins.policy.hcl

diff --git a/README.md b/README.md
index cab2b10..f3f72ae 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,12 @@
 # terraform-vault-tenant
-Terraform module to deploy tenant in Hashicorp Vault community version.
+This module aims to provide a way for companies and individuals running the community version of vault, to segregate accesses between teams.
+
+This "tenant" module requires that you have at least one approle auth method mounted prior to deploying it. It will create a tenant admin approle role on these mount, and apply the policy you define. It can also create an additional tenant-scoped approle auth mount, and create roles based on policies that you define.
+
+The idea behind this is that outside of access control, a tenant is free to create whatever secret engine, secrets, etc... As long as those are prefixed with their tenant prefix.
+
+
 
 ### Requirements
 
 | Name | Version |
@@ -42,7 +48,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
 | [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} |
map(object({
policy_file = string
}))
| `{}` | no |
-| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `"./policies/tenant-admins.policy.hcl"` | no |
 | [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
 | [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
 
diff --git a/extra_policies.tf b/extra_policies.tf
index 634f8c1..4695fdb 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
@@ -1,10 +1,3 @@
-resource "vault_policy" "extra_policies" {
- for_each = var.tenant_additional_roles
-
- name = "${var.tenant_prefix}-${each.key}"
- policy = file(each.value.policy_file)
-}
-
 resource "vault_auth_backend" "approle" {
 type = "approle"
 path = "${var.tenant_prefix}-approle"
@@ -41,3 +34,10 @@ resource "vault_identity_entity" "extra_roles" {
 prefix = var.tenant_prefix
 }
 }
+
+resource "vault_policy" "extra_policies" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ policy = file(each.value.policy_file)
+}
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
new file mode 100644
index 0000000..a0b93de
--- /dev/null
+++ b/policies/tenant-admins.policy.hcl
@@ -0,0 +1,7 @@
+path "{{identity.entity.metadata.prefix}}/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
+
+path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
diff --git a/variables.tf b/variables.tf
index 90cd9cb..3d060c9 100644
--- a/variables.tf
+++ b/variables.tf
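Review bot: Both templated paths in the new policy scope the tenant admin solely on the entity's `prefix` metadata, which `extra_policies.tf` fills from `var.tenant_prefix`, and nothing in this patch validates that value; a prefix equal to a reserved Vault mount (`sys`, `auth`, `identity`, `cubbyhole`) or containing glob characters (`*`, `+`) would make `{{identity.entity.metadata.prefix}}/*` cover far more than the tenant. Unless such a check already exists outside the hunk, `variable "tenant_prefix"` should carry a `validation` block along the lines of `condition = can(regex("^[A-Za-z0-9_-]+$", var.tenant_prefix)) && !contains(["sys", "auth", "identity", "cubbyhole"], var.tenant_prefix)` with a matching `error_message`. The file also has no header saying what it grants; I would open it with `# Default tenant-admin policy: full CRUD+list on every path under the tenant prefix, plus management of secrets-engine mounts under that prefix. The prefix is resolved from the requester's entity metadata, so a token whose entity lacks it matches neither path (verify against the Vault templating docs).` Note that neither path grants `sudo`, so any `sys/` operation that requires it will still be denied for the tenant admin; if that is intended it belongs in the README next to the new default.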
@@ -20,6 +20,7 @@ variable "tenant_prefix" {
 
 variable "tenant_admin_policy_file" {
 type = string
+ default = "./policies/tenant-admins.policy.hcl"
 description = "The path to the admin policy file for this tenant"
 }
 
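Review bot: The new default `./policies/tenant-admins.policy.hcl` is a path relative to the root module's working directory, not to this module, so a consumer calling the module from another directory will get a file-not-found error from `file()` unless it overrides the variable; the policy is presumably read with `file()` like the tenant policies in `extra_policies.tf`, though that call site is outside the hunk. Variable defaults cannot reference `path.module`, so the usual pattern is `default = null` here and, at the call site, `policy = file(coalesce(var.tenant_admin_policy_file, "${path.module}/policies/tenant-admins.policy.hcl"))`. The README row for this input should then describe the default as module-relative rather than `./policies/...`.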