From e0af30a2f58fac01b179921adf5354afc2959e4a Mon Sep 17 00:00:00 2001 From: Bertrand Lanson Date: Wed, 29 May 2024 20:21:47 +0200 Subject: [PATCH] feat: allow passing extra policies to the tenant root role, start migrating away from old 'extra roles' approach --- root.tf | 52 +++++++++++++++++++++++++++++++++++++++++++++++----- variables.tf | 33 ++++++++++++++++++++------------- 2 files changed, 67 insertions(+), 18 deletions(-) diff --git a/root.tf b/root.tf index 6a756cb..529fc6f 100644 --- a/root.tf +++ b/root.tf @@ -1,3 +1,50 @@ +locals { + root_policy_default_rules = { + tenant_prefix_rw = { + path = "${var.prefix}/*" + capabilities = ["create", "update", "read", "delete", "list"] + } + tenant_prefix_mount = { + path = "sys/mounts/${var.prefix}/*" + capabilities = ["create", "update", "read", "delete", "list"] + } + tenant_prefix_remount = { + path = "sys/remount" + capabilities = ["update", "sudo"] + allowed_parameters = { + "from" = ["${var.prefix}/*"] + "to" = ["${var.prefix}/*"] + } + } + tenant_prefix_remount_status = { + path = "sys/remount/status/*" + capabilities = ["read"] + } + } + root_policy_rules = merge(local.root_policy_default_rules, var.root_policy_extra_rules) +} + +data "vault_policy_document" "root" { + dynamic "rule" { + for_each = local.root_policy_rules + content { + path = each.value.path + capabilities = each.value.capabilities + description = try(each.value.description, null) + required_parameters = try(each.value.required_parameters, null) + allowed_parameter = try(each.value.allowed_parameter, null) + denied_parameter = try(each.value.denied_parameter, null) + min_wrapping_ttl = try(each.value.min_wrapping_ttl, null) + max_wrapping_ttl = try(each.value.max_wrapping_ttl, null) + } + } +} + +resource "vault_policy" "root" { + name = "${var.name}-root" + policy = data.vault_policy_document.root.hcl +} + resource "vault_approle_auth_backend_role" "root" { backend = vault_auth_backend.approle.path role_name = "${var.name}-root" @@ -12,11 +59,6 @@ resource "vault_approle_auth_backend_role_secret_id" "root" { secret_id = random_uuid.root_secret_id.result } -resource "vault_policy" "root" { - name = "${var.name}-root" - policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file) -} - resource "vault_identity_entity" "root" { name = "${var.prefix}-root" } diff --git a/variables.tf b/variables.tf index 89cc6a1..2461365 100644 --- a/variables.tf +++ b/variables.tf @@ -12,26 +12,33 @@ variable "prefix" { description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)" } -variable "root_policy_file" { - type = string - default = null - description = "The path to the admin policy file for this tenant" -} - variable "additional_roles" { - type = map(object({ - policy_file = string - })) + type = map(string) default = {} description = <-approle) including all the roles declared in this variable. The variable should look like: additional_roles = { - devs = { - policy_file = "/some/path/to/policy.hcl" - } - admins = {...} + devs = file("path/to/policy.hcl") + admins = data.vault_policy_document.admins.hcl } EOT } + +variable "root_policy_extra_rules" { + type = map( + object({ + path = string + capabilities = list(string) + description = optional(string) + required_parameters = optional(map(list(any))) + allowed_parameter = optional(map(list(any))) + denied_parameter = optional(map(list(any))) + min_wrapping_ttl = optional(number) + max_wrapping_ttl = optional(number) + }) + ) + description = "A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that oyu can customize it to your needs" + default = {} +}