feat: refactor module, simplify naming and create additional entities for extra roles

README.md

@@ -30,37 +30,37 @@ No modules.
 
 | Name | Type |
 |------|------|
-| [random_uuid.extra_roles_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [random_uuid.extra_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
-| [random_uuid.tenant_admin_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [random_uuid.root_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
-| [vault_approle_auth_backend_role.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
+| [vault_approle_auth_backend_role.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
-| [vault_approle_auth_backend_role.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
+| [vault_approle_auth_backend_role.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
-| [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
+| [vault_approle_auth_backend_role_secret_id.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
-| [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
+| [vault_approle_auth_backend_role_secret_id.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
 | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
-| [vault_identity_entity.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
 | [vault_identity_entity.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
-| [vault_identity_entity_alias.admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
+| [vault_identity_entity.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
 | [vault_identity_entity_alias.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
+| [vault_identity_entity_alias.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity_alias) | resource |
 | [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
-| [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
+| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
-| [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
+| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_global_approle_mount"></a> [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
+| <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br>    A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br>    The variable should look like:<br>    additional_roles = {<br>      devs = {<br>        policy_file = "/some/path/to/policy.hcl"<br>      }<br>      admins = {...}<br>    } | <pre>map(object({<br>    policy_file = string<br>  }))</pre> | `{}` | no |
-| <a name="input_tenant_additional_roles"></a> [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br>    A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br>    The variable should look like:<br>    tenant_additional_roles = {<br>      devs = {<br>        policy_file = "/some/path/to/policy.hcl"<br>      }<br>      admins = {...}<br>    } | <pre>map(object({<br>    policy_file = string<br>  }))</pre> | `{}` | no |
+| <a name="input_name"></a> [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes |
-| <a name="input_tenant_admin_policy_file"></a> [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
+| <a name="input_prefix"></a> [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
-| <a name="input_tenant_name"></a> [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
+| <a name="input_root_policy_file"></a> [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
-| <a name="input_tenant_prefix"></a> [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
 
 ### Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_approle_mount"></a> [approle_mount](#output_approle_mount) | The approle mount for the tenant |
 | <a name="output_extra_role_policies"></a> [extra_role_policies](#output_extra_role_policies) | The tenant extra role policy names |
 | <a name="output_extra_roles"></a> [extra_roles](#output_extra_roles) | The tenant extra approle roles |
-| <a name="output_tenant_admin_policy"></a> [tenant_admin_policy](#output_tenant_admin_policy) | The tenant admin policy name |
+| <a name="output_root_policy"></a> [root_policy](#output_root_policy) | The tenant root policy name |
-| <a name="output_tenant_admin_role"></a> [tenant_admin_role](#output_tenant_admin_role) | The tenant admin approle role |
+| <a name="output_root_role"></a> [root_role](#output_root_role) | The tenant root approle role |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

admin_role.tf

@@ -1,28 +0,0 @@
-resource "vault_approle_auth_backend_role" "tenant_admin" {
-  backend        = vault_auth_backend.approle.path
-  role_name      = "${var.tenant_name}-admin"
-  token_policies = ["default", vault_policy.tenant_admin.name]
-}
-
-resource "random_uuid" "tenant_admin_secret_id" {}
-
-resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
-  backend   = vault_auth_backend.approle.path
-  role_name = vault_approle_auth_backend_role.tenant_admin.role_name
-  secret_id = random_uuid.tenant_admin_secret_id.result
-}
-
-resource "vault_policy" "tenant_admin" {
-  name   = "${var.tenant_name}-admin"
-  policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_prefix = var.tenant_prefix }) : file(var.tenant_admin_policy_file)
-}
-
-resource "vault_identity_entity" "admin" {
-  name = "${var.tenant_prefix}-admin"
-}
-
-resource "vault_identity_entity_alias" "admin" {
-  name           = vault_approle_auth_backend_role.tenant_admin.role_id
-  mount_accessor = vault_auth_backend.approle.accessor
-  canonical_id   = vault_identity_entity.admin.id
-}

auth.tf

@@ -1,6 +1,6 @@
 resource "vault_auth_backend" "approle" {
   type = "approle"
-  path = "${var.tenant_prefix}/approle"
+  path = "${var.prefix}/approle"
   tune {
     default_lease_ttl = "3600s"
     max_lease_ttl     = "14400s"
@@ -8,10 +8,10 @@ resource "vault_auth_backend" "approle" {
 }
 
 resource "vault_identity_group" "this" {
-  name = var.tenant_name
+  name = var.name
   type = "internal"
   metadata = {
-    tenant = var.tenant_name
+    tenant = var.name
-    prefix = var.tenant_prefix
+    prefix = var.prefix
   }
 }

extra_policies.tf

@@ -1,38 +1,38 @@
-resource "vault_approle_auth_backend_role" "extra_roles" {
+resource "vault_approle_auth_backend_role" "extra" {
-  for_each = var.tenant_additional_roles
+  for_each = var.additional_roles
 
   backend        = vault_auth_backend.approle.path
   role_name      = each.key
-  token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"]
+  token_policies = ["default", "${vault_policy.extra[each.key].name}"]
 }
 
-resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles }
+resource "random_uuid" "extra_secret_id" { for_each = var.additional_roles }
 
-resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
+resource "vault_approle_auth_backend_role_secret_id" "extra" {
-  for_each = var.tenant_additional_roles
+  for_each = var.additional_roles
 
   backend   = vault_auth_backend.approle.path
-  role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name
+  role_name = vault_approle_auth_backend_role.extra[each.key].role_name
-  secret_id = random_uuid.extra_roles_secret_id[each.key].result
+  secret_id = random_uuid.extra_secret_id[each.key].result
 }
 
-resource "vault_policy" "extra_policies" {
+resource "vault_policy" "extra" {
-  for_each = var.tenant_additional_roles
+  for_each = var.additional_roles
 
-  name   = "${var.tenant_prefix}-${each.key}"
+  name   = "${var.prefix}-${each.key}"
   policy = file(each.value.policy_file)
 }
 
 resource "vault_identity_entity" "extra" {
-  for_each = var.tenant_additional_roles
+  for_each = var.additional_roles
 
-  name = "${var.tenant_prefix}-${each.key}"
+  name = "${var.prefix}-${each.key}"
 }
 
 resource "vault_identity_entity_alias" "extra" {
-  for_each = var.tenant_additional_roles
+  for_each = var.additional_roles
 
-  name           = vault_approle_auth_backend_role.extra_roles[each.key].role_id
+  name           = vault_approle_auth_backend_role.extra[each.key].role_id
   mount_accessor = vault_auth_backend.approle.accessor
   canonical_id   = vault_identity_entity.extra[each.key].id
 }

outputs.tf

@@ -1,21 +1,28 @@
-output "tenant_admin_role" {
+output "approle_mount" {
+  value       = vault_auth_backend.approle
+  sensitive   = true
+  description = "The approle mount for the tenant"
+}
+
+
+output "root_role" {
   value = {
-    role_id   = vault_approle_auth_backend_role.tenant_admin.role_name
+    role_id   = vault_approle_auth_backend_role.root.role_name
-    secret_id = vault_approle_auth_backend_role_secret_id.tenant_admin.secret_id
+    secret_id = vault_approle_auth_backend_role_secret_id.root.secret_id
   }
   sensitive   = true
-  description = "The tenant admin approle role"
+  description = "The tenant root approle role"
   depends_on = [
-    vault_approle_auth_backend_role.tenant_admin,
+    vault_approle_auth_backend_role.root,
-    vault_approle_auth_backend_role_secret_id.tenant_admin
+    vault_approle_auth_backend_role_secret_id.root
   ]
 }
 
-output "tenant_admin_policy" {
+output "root_policy" {
-  value       = vault_policy.tenant_admin.name
+  value       = vault_policy.root.name
   sensitive   = false
-  description = "The tenant admin policy name"
+  description = "The tenant root policy name"
-  depends_on  = [vault_policy.tenant_admin]
+  depends_on  = [vault_policy.root]
 }
 
 output "extra_roles" {

root.tf

@@ -0,0 +1,28 @@
+resource "vault_approle_auth_backend_role" "root" {
+  backend        = vault_auth_backend.approle.path
+  role_name      = "${var.name}-admin"
+  token_policies = ["default", vault_policy.tenant_admin.name]
+}
+
+resource "random_uuid" "root_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "root" {
+  backend   = vault_auth_backend.approle.path
+  role_name = vault_approle_auth_backend_role.root.role_name
+  secret_id = random_uuid.root_secret_id.result
+}
+
+resource "vault_policy" "root" {
+  name   = "${var.name}-root"
+  policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
+}
+
+resource "vault_identity_entity" "root" {
+  name = "${var.prefix}-root"
+}
+
+resource "vault_identity_entity_alias" "root" {
+  name           = vault_approle_auth_backend_role.root.role_id
+  mount_accessor = vault_auth_backend.approle.accessor
+  canonical_id   = vault_identity_entity.root.id
+}

variables.tf

@@ -1,10 +1,4 @@
-variable "global_approle_mount" {
+variable "name" {
-  type        = string
-  default     = "approle"
-  description = "The mount path for the global AppRole authentication method"
-}
-
-variable "tenant_name" {
   type        = string
   description = "The name of the tenant you want to create"
   validation {
@@ -13,18 +7,18 @@ variable "tenant_name" {
   }
 }
 
-variable "tenant_prefix" {
+variable "prefix" {
   type        = string
   description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
 }
 
-variable "tenant_admin_policy_file" {
+variable "root_policy_file" {
   type        = string
   default     = null
   description = "The path to the admin policy file for this tenant"
 }
 
-variable "tenant_additional_roles" {
+variable "additional_roles" {
   type = map(object({
     policy_file = string
   }))
@@ -33,7 +27,7 @@ variable "tenant_additional_roles" {
     A map of additional role names, with the path to the associated policy file to add for this tenant.
     A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
     The variable should look like:
-    tenant_additional_roles = {
+    additional_roles = {
       devs = {
         policy_file = "/some/path/to/policy.hcl"
       }