feat: allow passing extra policies to the tenant root role, start migrating away from old 'extra roles' approach

This commit is contained in:
Bertrand Lanson 2024-05-29 20:21:47 +02:00
parent db88c3773b
commit e0af30a2f5
Signed by: lanson
SSH Key Fingerprint: SHA256:/nqc6HGqld/PS208F6FUOvZlUzTS0rGpNNwR5O2bQBw
2 changed files with 67 additions and 18 deletions

52
root.tf
View File

@ -1,3 +1,50 @@
locals {
root_policy_default_rules = {
tenant_prefix_rw = {
path = "${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_mount = {
path = "sys/mounts/${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_remount = {
path = "sys/remount"
capabilities = ["update", "sudo"]
allowed_parameters = {
"from" = ["${var.prefix}/*"]
"to" = ["${var.prefix}/*"]
}
}
tenant_prefix_remount_status = {
path = "sys/remount/status/*"
capabilities = ["read"]
}
}
root_policy_rules = merge(local.root_policy_default_rules, var.root_policy_extra_rules)
}
data "vault_policy_document" "root" {
dynamic "rule" {
for_each = local.root_policy_rules
content {
path = each.value.path
capabilities = each.value.capabilities
description = try(each.value.description, null)
required_parameters = try(each.value.required_parameters, null)
allowed_parameter = try(each.value.allowed_parameter, null)
denied_parameter = try(each.value.denied_parameter, null)
min_wrapping_ttl = try(each.value.min_wrapping_ttl, null)
max_wrapping_ttl = try(each.value.max_wrapping_ttl, null)
}
}
}
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = data.vault_policy_document.root.hcl
}
resource "vault_approle_auth_backend_role" "root" { resource "vault_approle_auth_backend_role" "root" {
backend = vault_auth_backend.approle.path backend = vault_auth_backend.approle.path
role_name = "${var.name}-root" role_name = "${var.name}-root"
@ -12,11 +59,6 @@ resource "vault_approle_auth_backend_role_secret_id" "root" {
secret_id = random_uuid.root_secret_id.result secret_id = random_uuid.root_secret_id.result
} }
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
}
resource "vault_identity_entity" "root" { resource "vault_identity_entity" "root" {
name = "${var.prefix}-root" name = "${var.prefix}-root"
} }

View File

@ -12,26 +12,33 @@ variable "prefix" {
description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)" description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
} }
variable "root_policy_file" {
type = string
default = null
description = "The path to the admin policy file for this tenant"
}
variable "additional_roles" { variable "additional_roles" {
type = map(object({ type = map(string)
policy_file = string
}))
default = {} default = {}
description = <<EOT description = <<EOT
A map of additional role names, with the path to the associated policy file to add for this tenant. A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable. A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
The variable should look like: The variable should look like:
additional_roles = { additional_roles = {
devs = { devs = file("path/to/policy.hcl")
policy_file = "/some/path/to/policy.hcl" admins = data.vault_policy_document.admins.hcl
}
admins = {...}
} }
EOT EOT
} }
variable "root_policy_extra_rules" {
type = map(
object({
path = string
capabilities = list(string)
description = optional(string)
required_parameters = optional(map(list(any)))
allowed_parameter = optional(map(list(any)))
denied_parameter = optional(map(list(any)))
min_wrapping_ttl = optional(number)
max_wrapping_ttl = optional(number)
})
)
description = "A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that oyu can customize it to your needs"
default = {}
}