feat: add first roles and approle auth method for tenant

.cz.toml

@@ -0,0 +1,6 @@
+[tool.commitizen]
+name = "cz_conventional_commits"
+version_provider = "scm"
+# version_files = ["galaxy.yml:^version"]
+update_changelog_on_bump = true
+major_version_zero = true

.gitea/workflows/development.yml

@@ -0,0 +1,26 @@
+---
+name: development
+on:
+  push:
+    branches-ignore:
+      - main
+
+jobs:
+  commit-check:
+    name: Check commit compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install commitizen
+        run: pip3 install commitizen
+        shell: bash
+        working-directory: ./
+
+      - name: Verify commit message compliance
+        run: |
+          echo "cz check --message '${{ github.event.head_commit.message }}'"
+          cz check --message "${{ github.event.head_commit.message }}"
+        shell: bash
+        working-directory: ./

.gitea/workflows/pull-request-open.yml

@@ -0,0 +1,35 @@
+---
+name: pull-requests-open
+on:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - synchronize
+    branches:
+      - main
+
+jobs:
+  commit-history-check:
+    name: Check commit compliance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Install commitizen
+        run: pip3 install commitizen
+        shell: bash
+        working-directory: ./
+
+      - run: git log origin/${{ github.event.pull_request.base.ref }}..
+
+      - name: Verify commit message compliance
+        run: |
+          echo "cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.."
+          cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}..
+        shell: bash
+        working-directory: ./

.gitea/workflows/release.yml

@@ -0,0 +1,54 @@
+---
+name: release
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  do-release:
+    if: "!startsWith(github.event.head_commit.message, 'bump:')"
+    runs-on: ubuntu-latest
+    name: Bump version and create changelog with commitizen
+    steps:
+      - name: Get secrets from vault
+        id: import-secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: "https://vault.ednz.fr"
+          method: approle
+          roleId: ${{ secrets.VAULT_APPROLE_ID }}
+          secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
+          secrets: |
+            kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
+            kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+
+      - name: Install commitizen
+        run: pip3 install commitizen
+        shell: bash
+        working-directory: ./
+
+      - name: Configure git credentials
+        uses: oleksiyrudenko/gha-git-credentials@v2
+        with:
+          global: true
+          name: "Gitea-Actions Bot"
+          email: "gitea-actions@ednz.fr"
+          actor: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
+          token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
+
+      - name: Do release
+        run: cz -nr 21 bump --yes
+        shell: bash
+        working-directory: ./
+
+      - name: Push release
+        run: git push && git push --tags
+        shell: bash
+        working-directory: ./

.pre-commit-config.yaml

@@ -0,0 +1,27 @@
+repos:
+  - repo: https://github.com/antonbabenko/pre-commit-terraform
+    rev: v1.86.0
+    hooks:
+      - id: terraform_fmt
+      - id: terraform_docs
+        args:
+          - "--hook-config=--path-to-file=README.md"
+          - "--hook-config=--add-to-existing-file=true"
+          - "--hook-config=--create-file-if-not-exist=true"
+          - "--args=--escape=false"
+          - "--args=--lockfile=false"
+          - "--args=--indent 3"
+          - "--args=--show all"
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.5.0
+    hooks:
+      - id: trailing-whitespace
+      - id: end-of-file-fixer
+  - repo: https://github.com/commitizen-tools/commitizen
+    rev: v3.24.0
+    hooks:
+      - id: commitizen
+      - id: commitizen-branch
+        stages:
+          - post-commit
+          - push

README.md

@@ -1,3 +1,50 @@
 # terraform-vault-tenant
 
-Terraform module to deploy tenant in Hashicorp Vault community version.
+Terraform module to deploy tenant in Hashicorp Vault community version.<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.0.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider_random) | n/a |
+| <a name="provider_vault"></a> [vault](#provider_vault) | n/a |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [random_uuid.extra_roles_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [random_uuid.tenant_admin_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
+| [vault_approle_auth_backend_role.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
+| [vault_approle_auth_backend_role.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
+| [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
+| [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
+| [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
+| [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
+| [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_global_approle_mount"></a> [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
+| <a name="input_tenant_additional_roles"></a> [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br>    A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br>    The variable should look like:<br>    tenant_additional_roles = {<br>      devs = {<br>        policy_file = "/some/path/to/policy.hcl"<br>      }<br>      admins = {...}<br>    } | <pre>map(object({<br>    policy_file = string<br>  }))</pre> | `{}` | no |
+| <a name="input_tenant_admin_policy_file"></a> [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
+| <a name="input_tenant_name"></a> [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
+| <a name="input_tenant_prefix"></a> [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
+
+### Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

admin_approle.tf

@@ -0,0 +1,26 @@
+resource "vault_approle_auth_backend_role" "tenant_admin" {
+  backend        = var.global_approle_mount
+  role_name      = "${var.tenant_name}-admin"
+  token_policies = ["default", "${vault_policy.tenant_admin.name}"]
+}
+
+resource "random_uuid" "tenant_admin_secret_id" {}
+
+resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
+  backend   = var.global_approle_mount
+  role_name = vault_approle_auth_backend_role.tenant_admin.role_name
+  secret_id = random_uuid.tenant_admin_secret_id.result
+}
+
+resource "vault_identity_entity" "tenant_admin" {
+  name = "${each.value.prefix}-admin"
+  metadata = {
+    tenant = var.tenant_name
+    prefix = var.tenant_prefix
+  }
+}
+
+resource "vault_policy" "tenant_admin" {
+  name   = "${var.tenant_name}-admin"
+  policy = file(var.tenant_admin_policy_file)
+}

extra_policies.tf

@@ -0,0 +1,43 @@
+resource "vault_policy" "extra_policies" {
+  for_each = var.tenant_additional_roles
+
+  name   = "${var.tenant_prefix}-${each.key}"
+  policy = file(each.value.policy_file)
+}
+
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+  path = "${var.tenant_prefix}-approle"
+  tune {
+    default_lease_ttl = "3600s"
+    max_lease_ttl     = "14400s"
+  }
+}
+
+resource "vault_approle_auth_backend_role" "extra_roles" {
+  for_each = var.tenant_additional_roles
+
+  backend        = vault_auth_backend.approle.path
+  role_name      = each.key
+  token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"]
+}
+
+resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles }
+
+resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
+  for_each = var.tenant_additional_roles
+
+  backend   = vault_auth_backend.approle.path
+  role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name
+  secret_id = random_uuid.extra_roles_secret_id[each.key].result
+}
+
+resource "vault_identity_entity" "extra_roles" {
+  for_each = var.tenant_additional_roles
+
+  name = "${var.tenant_prefix}-${each.key}"
+  metadata = {
+    tenant = var.tenant_name
+    prefix = var.tenant_prefix
+  }
+}

main.tf

@@ -0,0 +1,11 @@
+terraform {
+  required_version = ">= 1.0.0"
+  required_providers {
+    vault = {
+      source = "hashicorp/vault"
+    }
+    random = {
+      source = "hashicorp/random"
+    }
+  }
+}

variables.tf

@@ -0,0 +1,42 @@
+variable "global_approle_mount" {
+  type        = string
+  default     = "approle"
+  description = "The mount path for the global AppRole authentication method"
+}
+
+variable "tenant_name" {
+  type        = string
+  description = "The name of the tenant you want to create"
+  validation {
+    condition     = can(regex("^[-a-zA-Z0-9_]*$", var.tenant_name))
+    error_message = "The tenant name must only contain alphanumeric characters, dashes, and underscores."
+  }
+}
+
+variable "tenant_prefix" {
+  type        = string
+  description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
+}
+
+variable "tenant_admin_policy_file" {
+  type        = string
+  description = "The path to the admin policy file for this tenant"
+}
+
+variable "tenant_additional_roles" {
+  type = map(object({
+    policy_file = string
+  }))
+  default     = {}
+  description = <<EOT
+    A map of additional role names, with the path to the associated policy file to add for this tenant.
+    A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
+    The variable should look like:
+    tenant_additional_roles = {
+      devs = {
+        policy_file = "/some/path/to/policy.hcl"
+      }
+      admins = {...}
+    }
+  EOT
+}