-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} | map(object({
policy_file = string
}))
| `{}` | no |
-| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
-| [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
-| [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
+| [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} | map(object({
policy_file = string
}))
| `{}` | no |
+| [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes |
+| [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
+| [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
### Outputs
| Name | Description |
|------|-------------|
+| [approle_mount](#output_approle_mount) | The approle mount for the tenant |
| [extra_role_policies](#output_extra_role_policies) | The tenant extra role policy names |
| [extra_roles](#output_extra_roles) | The tenant extra approle roles |
-| [tenant_admin_policy](#output_tenant_admin_policy) | The tenant admin policy name |
-| [tenant_admin_role](#output_tenant_admin_role) | The tenant admin approle role |
+| [root_policy](#output_root_policy) | The tenant root policy name |
+| [root_role](#output_root_role) | The tenant root approle role |
diff --git a/admin_role.tf b/admin_role.tf
deleted file mode 100644
index b71aab1..0000000
--- a/admin_role.tf
+++ /dev/null
@@ -1,28 +0,0 @@
-resource "vault_approle_auth_backend_role" "tenant_admin" {
- backend = vault_auth_backend.approle.path
- role_name = "${var.tenant_name}-admin"
- token_policies = ["default", vault_policy.tenant_admin.name]
-}
-
-resource "random_uuid" "tenant_admin_secret_id" {}
-
-resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
- backend = vault_auth_backend.approle.path
- role_name = vault_approle_auth_backend_role.tenant_admin.role_name
- secret_id = random_uuid.tenant_admin_secret_id.result
-}
-
-resource "vault_policy" "tenant_admin" {
- name = "${var.tenant_name}-admin"
- policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file)
-}
-
-resource "vault_identity_entity" "admin" {
- name = "${var.tenant_prefix}-admin"
-}
-
-resource "vault_identity_entity_alias" "admin" {
- name = vault_approle_auth_backend_role.tenant_admin.role_id
- mount_accessor = vault_auth_backend.approle.accessor
- canonical_id = vault_identity_entity.admin.id
-}
diff --git a/approle_auth.tf b/auth.tf
similarity index 64%
rename from approle_auth.tf
rename to auth.tf
index 66e33a8..f554194 100644
--- a/approle_auth.tf
+++ b/auth.tf
@@ -1,6 +1,6 @@
resource "vault_auth_backend" "approle" {
type = "approle"
- path = "${var.tenant_prefix}/approle"
+ path = "${var.prefix}/approle"
tune {
default_lease_ttl = "3600s"
max_lease_ttl = "14400s"
@@ -8,10 +8,10 @@ resource "vault_auth_backend" "approle" {
}
resource "vault_identity_group" "this" {
- name = var.tenant_name
+ name = var.name
type = "internal"
metadata = {
- tenant = var.tenant_name
- prefix = var.tenant_prefix
+ tenant = var.name
+ prefix = var.prefix
}
}
diff --git a/extra_policies.tf b/extra_policies.tf
index 7f1be1b..4d9535c 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
@@ -1,38 +1,38 @@
-resource "vault_approle_auth_backend_role" "extra_roles" {
- for_each = var.tenant_additional_roles
+resource "vault_approle_auth_backend_role" "extra" {
+ for_each = var.additional_roles
backend = vault_auth_backend.approle.path
role_name = each.key
- token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"]
+ token_policies = ["default", "${vault_policy.extra[each.key].name}"]
}
-resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles }
+resource "random_uuid" "extra_secret_id" { for_each = var.additional_roles }
-resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
- for_each = var.tenant_additional_roles
+resource "vault_approle_auth_backend_role_secret_id" "extra" {
+ for_each = var.additional_roles
backend = vault_auth_backend.approle.path
- role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name
- secret_id = random_uuid.extra_roles_secret_id[each.key].result
+ role_name = vault_approle_auth_backend_role.extra[each.key].role_name
+ secret_id = random_uuid.extra_secret_id[each.key].result
}
-resource "vault_policy" "extra_policies" {
- for_each = var.tenant_additional_roles
+resource "vault_policy" "extra" {
+ for_each = var.additional_roles
- name = "${var.tenant_prefix}-${each.key}"
+ name = "${var.prefix}-${each.key}"
policy = file(each.value.policy_file)
}
resource "vault_identity_entity" "extra" {
- for_each = var.tenant_additional_roles
+ for_each = var.additional_roles
- name = "${var.tenant_prefix}-${each.key}"
+ name = "${var.prefix}-${each.key}"
}
resource "vault_identity_entity_alias" "extra" {
- for_each = var.tenant_additional_roles
+ for_each = var.additional_roles
- name = vault_approle_auth_backend_role.extra_roles[each.key].role_id
+ name = vault_approle_auth_backend_role.extra[each.key].role_id
mount_accessor = vault_auth_backend.approle.accessor
canonical_id = vault_identity_entity.extra[each.key].id
}
diff --git a/outputs.tf b/outputs.tf
index d7cb775..89d5969 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -1,21 +1,28 @@
-output "tenant_admin_role" {
+output "approle_mount" {
+ value = vault_auth_backend.approle
+ sensitive = true
+ description = "The approle mount for the tenant"
+}
+
+
+output "root_role" {
value = {
- role_id = vault_approle_auth_backend_role.tenant_admin.role_name
- secret_id = vault_approle_auth_backend_role_secret_id.tenant_admin.secret_id
+ role_id = vault_approle_auth_backend_role.root.role_name
+ secret_id = vault_approle_auth_backend_role_secret_id.root.secret_id
}
sensitive = true
- description = "The tenant admin approle role"
+ description = "The tenant root approle role"
depends_on = [
- vault_approle_auth_backend_role.tenant_admin,
- vault_approle_auth_backend_role_secret_id.tenant_admin
+ vault_approle_auth_backend_role.root,
+ vault_approle_auth_backend_role_secret_id.root
]
}
-output "tenant_admin_policy" {
- value = vault_policy.tenant_admin.name
+output "root_policy" {
+ value = vault_policy.root.name
sensitive = false
- description = "The tenant admin policy name"
- depends_on = [vault_policy.tenant_admin]
+ description = "The tenant root policy name"
+ depends_on = [vault_policy.root]
}
output "extra_roles" {
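Review bot: The `role_id` field of the new `root_role` output is filled from `vault_approle_auth_backend_role.root.role_name`, so callers get the role's name rather than the RoleID that an AppRole login actually needs; the resource exposes the real attribute, which root.tf already reads for the entity alias, so this line should be `role_id = vault_approle_auth_backend_role.root.role_id`. The same mix-up existed in the removed `tenant_admin_role` output, so the rename carried it over rather than introducing it. The hunk ends on the opening line of `output "extra_roles"`, so that block was not reviewed here.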
diff --git a/policies/tenant-admins.policy.hcl b/policies/root.policy.hcl
similarity index 100%
rename from policies/tenant-admins.policy.hcl
rename to policies/root.policy.hcl
diff --git a/root.tf b/root.tf
new file mode 100644
index 0000000..245c02d
--- /dev/null
+++ b/root.tf
@@ -0,0 +1,28 @@
+resource "vault_approle_auth_backend_role" "root" {
+ backend = vault_auth_backend.approle.path
+ role_name = "${var.name}-admin"
+ token_policies = ["default", vault_policy.tenant_admin.name]
+}
+
+resource "random_uuid" "root_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "root" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.root.role_name
+ secret_id = random_uuid.root_secret_id.result
+}
+
+resource "vault_policy" "root" {
+ name = "${var.name}-root"
+ policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
+}
+
+resource "vault_identity_entity" "root" {
+ name = "${var.prefix}-root"
+}
+
+resource "vault_identity_entity_alias" "root" {
+ name = vault_approle_auth_backend_role.root.role_id
+ mount_accessor = vault_auth_backend.approle.accessor
+ canonical_id = vault_identity_entity.root.id
+}
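Review bot: `token_policies` on the fourth line of the new file still references `vault_policy.tenant_admin`, a resource this same commit deletes in admin_role.tf, so the module no longer validates; it should read `token_policies = ["default", vault_policy.root.name]`. Naming within the file is also mixed: the role is `"${var.name}-admin"` while the policy is `"${var.name}-root"` and the identity entity `"${var.prefix}-root"`, and the extra policies in extra_policies.tf use `"${var.prefix}-…"`. If the rename to root is intended, `role_name = "${var.name}-root"` keeps the role aligned with its policy, and settling on one of `var.name`/`var.prefix` for all tenant-scoped objects makes the resulting Vault names easier to audit against the tenant they belong to.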
diff --git a/variables.tf b/variables.tf
index 92a4ebc..65d9375 100644
--- a/variables.tf
+++ b/variables.tf
@@ -1,10 +1,4 @@
-variable "global_approle_mount" {
- type = string
- default = "approle"
- description = "The mount path for the global AppRole authentication method"
-}
-
-variable "tenant_name" {
+variable "name" {
type = string
description = "The name of the tenant you want to create"
validation {
@@ -13,18 +7,18 @@ variable "tenant_name" {
}
}
-variable "tenant_prefix" {
+variable "prefix" {
type = string
description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
}
-variable "tenant_admin_policy_file" {
+variable "root_policy_file" {
type = string
default = null
description = "The path to the admin policy file for this tenant"
}
-variable "tenant_additional_roles" {
+variable "additional_roles" {
type = map(object({
policy_file = string
}))
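Review bot: The renamed `root_policy_file` variable keeps the description "The path to the admin policy file for this tenant", which no longer matches the variable name or the `root` policy it feeds in root.tf; suggest `description = "The path to the root policy file for this tenant (defaults to policies/root.policy.hcl when null)"`. The README row for `root_policy_file` added by this commit repeats the stale wording and presumably should be regenerated once the description is fixed.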
@@ -33,7 +27,7 @@ variable "tenant_additional_roles" {
A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/-approle) including all the roles declared in this variable.
The variable should look like:
- tenant_additional_roles = {
+ additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
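Review bot: The `additional_roles` description states the auth method is "mounted at auth/-approle", which does not match auth.tf in this commit where the mount path is `"${var.prefix}/approle"`; the `-approle` text may be a rendering artifact of a stripped placeholder, but as written it would mislead operators looking for the mount. Suggest `A separate approle auth method is created for this tenant (mounted at auth/<prefix>/approle) including all the roles declared in this variable.` The heredoc this text lives in opens before the hunk.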