From 70c53fbef767fd78fe5d30fb3d3f47946b7efa03 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sun, 26 May 2024 16:22:18 +0200
Subject: [PATCH] feat: move every approle role to dedicated backend, and add group to pass metadata along

---
 README.md | 3 +++
 admin_approle.tf => admin_role.tf | 9 +++++++--
 approle_auth.tf | 23 +++++++++++++++++++++++
 extra_policies.tf | 9 ---------
 4 files changed, 33 insertions(+), 11 deletions(-)
 rename admin_approle.tf => admin_role.tf (81%)
 create mode 100644 approle_auth.tf

diff --git a/README.md b/README.md
index 27e8f99..74ce42c 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,9 @@ No modules.
 | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
 | [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
 | [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_group.tenant_group](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
+| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
+| [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource |
 | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
 | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
diff --git a/admin_approle.tf b/admin_role.tf
similarity index 81%
rename from admin_approle.tf
rename to admin_role.tf
index 3c866d3..cbbd489 100644
--- a/admin_approle.tf
+++ b/admin_role.tf
@@ -1,5 +1,5 @@
 resource "vault_approle_auth_backend_role" "tenant_admin" {
- backend = var.global_approle_mount
+ backend = vault_auth_backend.approle.path
 role_name = "${var.tenant_name}-admin"
 token_policies = ["default", vault_policy.tenant_admin.name]
 }
@@ -7,11 +7,16 @@ resource "vault_approle_auth_backend_role" "tenant_admin" {
 resource "random_uuid" "tenant_admin_secret_id" {}
 
 resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
- backend = var.global_approle_mount
+ backend = vault_auth_backend.approle.path
 role_name = vault_approle_auth_backend_role.tenant_admin.role_name
 secret_id = random_uuid.tenant_admin_secret_id.result
 }
 
+resource "vault_identity_group" "tenant_group" {
+ name = var.tenant_name
+ type = "internal"
+}
+
 resource "vault_identity_entity" "tenant_admin" {
 name = "${var.tenant_prefix}-admin"
 metadata = {
diff --git a/approle_auth.tf b/approle_auth.tf
new file mode 100644
index 0000000..cb28e2b
--- /dev/null
+++ b/approle_auth.tf
@@ -0,0 +1,23 @@
+resource "vault_auth_backend" "approle" {
+ type = "approle"
+ path = "${var.tenant_prefix}-approle"
+ tune {
+ default_lease_ttl = "3600s"
+ max_lease_ttl = "14400s"
+ }
+}
+
+resource "vault_identity_group" "this" {
+ name = var.tenant_name
+ type = "internal"
+ metadata = {
+ tenant = var.tenant_name
+ prefix = var.tenant_prefix
+ }
+}
+
+resource "vault_identity_group_alias" "this" {
+ name = var.tenant_name
+ mount_accessor = vault_auth_backend.approle.accessor
+ canonical_id = vault_identity_group.this.id
+}
diff --git a/extra_policies.tf b/extra_policies.tf
index 4695fdb..4ed68d0 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
@@ -1,12 +1,3 @@
-resource "vault_auth_backend" "approle" {
- type = "approle"
- path = "${var.tenant_prefix}-approle"
- tune {
- default_lease_ttl = "3600s"
- max_lease_ttl = "14400s"
- }
-}
-
 resource "vault_approle_auth_backend_role" "extra_roles" {
 for_each = var.tenant_additional_roles
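Review bot: The `vault_identity_group.tenant_group` added in the second admin_role.tf hunk uses the same `name = var.tenant_name` as `vault_identity_group.this` created in approle_auth.tf by this same commit; Vault requires identity group names to be unique, so applying both will most likely fail on whichever group is created second. The `tenant_group` block also carries no `metadata` and no `member_entity_ids`, so it contributes nothing to the stated goal of passing metadata along. Drop this block (and its README row) and keep the single group in approle_auth.tf, or, if a separate group is really wanted, give it a distinct name and attach the admin entity with `member_entity_ids = [vault_identity_entity.tenant_admin.id]`. The `vault_identity_entity.tenant_admin` block continues outside the hunk, so I cannot see whether an entity alias on the new mount is created there; if `var.global_approle_mount` is no longer referenced anywhere after this change, it should be removed from the variables as well.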
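Review bot: `vault_identity_group_alias.this` is attached to a group declared with `type = "internal"`, and as far as I can tell from the Vault identity API group aliases are only accepted on external groups, so this resource should fail to create; even on an external group, AppRole logins do not report group memberships, so the alias would not attach the group's metadata to tokens issued through this mount. The way to carry the tenant metadata onto AppRole-issued tokens is to make the admin entity a member of the group and give that entity an alias on the new mount keyed by the role's `role_id`, so that a login under `${var.tenant_name}-admin` resolves to the entity and, through its membership, to the group. The rewrite below replaces the group alias with a `vault_identity_entity_alias` and adds `member_entity_ids` to the group; the README row for `vault_identity_group_alias.this` would change accordingly. `vault_identity_entity.tenant_admin` is defined in admin_role.tf, whose body is only partly inside this patch, so check that no second alias for that entity on this mount accessor already exists there.
```hcl
# … unchanged: vault_auth_backend.approle …

resource "vault_identity_group" "this" {
  # … unchanged: name, type, metadata …
  # Membership is what lets AppRole-issued tokens resolve to this group and its metadata.
  member_entity_ids = [vault_identity_entity.tenant_admin.id]
}

# Replaces vault_identity_group_alias.this: binds logins under the admin role
# to the admin entity, and through its membership to the group above.
resource "vault_identity_entity_alias" "tenant_admin" {
  name           = vault_approle_auth_backend_role.tenant_admin.role_id
  mount_accessor = vault_auth_backend.approle.accessor
  canonical_id   = vault_identity_entity.tenant_admin.id
}
```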