feat: add first roles and approle auth method for tenant

This commit is contained in:
Bertrand Lanson 2024-05-24 23:50:51 +02:00
parent 462b679996
commit f51a8bf1f1
Signed by: lanson
SSH Key Fingerprint: SHA256:/nqc6HGqld/PS208F6FUOvZlUzTS0rGpNNwR5O2bQBw
11 changed files with 318 additions and 1 deletions

6
.cz.toml Normal file
View File

@ -0,0 +1,6 @@
[tool.commitizen]
name = "cz_conventional_commits"
version_provider = "scm"
# version_files = ["galaxy.yml:^version"]
update_changelog_on_bump = true
major_version_zero = true

View File

@ -0,0 +1,26 @@
---
name: development
on:
push:
branches-ignore:
- main
jobs:
commit-check:
name: Check commit compliance
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install commitizen
run: pip3 install commitizen
shell: bash
working-directory: ./
- name: Verify commit message compliance
run: |
echo "cz check --message '${{ github.event.head_commit.message }}'"
cz check --message "${{ github.event.head_commit.message }}"
shell: bash
working-directory: ./

View File

@ -0,0 +1,35 @@
---
name: pull-requests-open
on:
pull_request:
types:
- opened
- edited
- synchronize
branches:
- main
jobs:
commit-history-check:
name: Check commit compliance
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
- name: Install commitizen
run: pip3 install commitizen
shell: bash
working-directory: ./
- run: git log origin/${{ github.event.pull_request.base.ref }}..
- name: Verify commit message compliance
run: |
echo "cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}.."
cz check --rev-range origin/${{ gitea.event.pull_request.base.ref }}..
shell: bash
working-directory: ./

View File

@ -0,0 +1,54 @@
---
name: release
on:
push:
branches:
- main
jobs:
do-release:
if: "!startsWith(github.event.head_commit.message, 'bump:')"
runs-on: ubuntu-latest
name: Bump version and create changelog with commitizen
steps:
- name: Get secrets from vault
id: import-secrets
uses: hashicorp/vault-action@v3
with:
url: "https://vault.ednz.fr"
method: approle
roleId: ${{ secrets.VAULT_APPROLE_ID }}
secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
secrets: |
kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
- name: Install commitizen
run: pip3 install commitizen
shell: bash
working-directory: ./
- name: Configure git credentials
uses: oleksiyrudenko/gha-git-credentials@v2
with:
global: true
name: "Gitea-Actions Bot"
email: "gitea-actions@ednz.fr"
actor: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
- name: Do release
run: cz -nr 21 bump --yes
shell: bash
working-directory: ./
- name: Push release
run: git push && git push --tags
shell: bash
working-directory: ./

27
.pre-commit-config.yaml Normal file
View File

@ -0,0 +1,27 @@
repos:
- repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.86.0
hooks:
- id: terraform_fmt
- id: terraform_docs
args:
- "--hook-config=--path-to-file=README.md"
- "--hook-config=--add-to-existing-file=true"
- "--hook-config=--create-file-if-not-exist=true"
- "--args=--escape=false"
- "--args=--lockfile=false"
- "--args=--indent 3"
- "--args=--show all"
- repo: https://github.com/pre-commit/pre-commit-hooks
rev: v4.5.0
hooks:
- id: trailing-whitespace
- id: end-of-file-fixer
- repo: https://github.com/commitizen-tools/commitizen
rev: v3.24.0
hooks:
- id: commitizen
- id: commitizen-branch
stages:
- post-commit
- push

View File

@ -1,3 +1,50 @@
# terraform-vault-tenant # terraform-vault-tenant
Terraform module to deploy tenant in Hashicorp Vault community version. Terraform module to deploy tenant in Hashicorp Vault community version.<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
### Requirements
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement_terraform) | >= 1.0.0 |
### Providers
| Name | Version |
|------|---------|
| <a name="provider_random"></a> [random](#provider_random) | n/a |
| <a name="provider_vault"></a> [vault](#provider_vault) | n/a |
### Modules
No modules.
### Resources
| Name | Type |
|------|------|
| [random_uuid.extra_roles_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [random_uuid.tenant_admin_secret_id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/uuid) | resource |
| [vault_approle_auth_backend_role.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
| [vault_approle_auth_backend_role.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role) | resource |
| [vault_approle_auth_backend_role_secret_id.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
| [vault_approle_auth_backend_role_secret_id.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/approle_auth_backend_role_secret_id) | resource |
| [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
| [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
| [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
| [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_global_approle_mount"></a> [global_approle_mount](#input_global_approle_mount) | The mount path for the global AppRole authentication method | `string` | `"approle"` | no |
| <a name="input_tenant_additional_roles"></a> [tenant_additional_roles](#input_tenant_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> tenant_additional_roles = {<br> devs = {<br> policy_file = "/some/path/to/policy.hcl"<br> }<br> admins = {...}<br> } | <pre>map(object({<br> policy_file = string<br> }))</pre> | `{}` | no |
| <a name="input_tenant_admin_policy_file"></a> [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
| <a name="input_tenant_name"></a> [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
| <a name="input_tenant_prefix"></a> [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
### Outputs
No outputs.
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

26
admin_approle.tf Normal file
View File

@ -0,0 +1,26 @@
resource "vault_approle_auth_backend_role" "tenant_admin" {
backend = var.global_approle_mount
role_name = "${var.tenant_name}-admin"
token_policies = ["default", "${vault_policy.tenant_admin.name}"]
}
resource "random_uuid" "tenant_admin_secret_id" {}
resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
backend = var.global_approle_mount
role_name = vault_approle_auth_backend_role.tenant_admin.role_name
secret_id = random_uuid.tenant_admin_secret_id.result
}
resource "vault_identity_entity" "tenant_admin" {
name = "${each.value.prefix}-admin"
metadata = {
tenant = var.tenant_name
prefix = var.tenant_prefix
}
}
resource "vault_policy" "tenant_admin" {
name = "${var.tenant_name}-admin"
policy = file(var.tenant_admin_policy_file)
}

43
extra_policies.tf Normal file
View File

@ -0,0 +1,43 @@
resource "vault_policy" "extra_policies" {
for_each = var.tenant_additional_roles
name = "${var.tenant_prefix}-${each.key}"
policy = file(each.value.policy_file)
}
resource "vault_auth_backend" "approle" {
type = "approle"
path = "${var.tenant_prefix}-approle"
tune {
default_lease_ttl = "3600s"
max_lease_ttl = "14400s"
}
}
resource "vault_approle_auth_backend_role" "extra_roles" {
for_each = var.tenant_additional_roles
backend = vault_auth_backend.approle.path
role_name = each.key
token_policies = ["default", "${vault_policy.extra_policies[each.key].name}"]
}
resource "random_uuid" "extra_roles_secret_id" { for_each = var.tenant_additional_roles }
resource "vault_approle_auth_backend_role_secret_id" "extra_roles" {
for_each = var.tenant_additional_roles
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.extra_roles[each.key].role_name
secret_id = random_uuid.extra_roles_secret_id[each.key].result
}
resource "vault_identity_entity" "extra_roles" {
for_each = var.tenant_additional_roles
name = "${var.tenant_prefix}-${each.key}"
metadata = {
tenant = var.tenant_name
prefix = var.tenant_prefix
}
}

11
main.tf Normal file
View File

@ -0,0 +1,11 @@
terraform {
required_version = ">= 1.0.0"
required_providers {
vault = {
source = "hashicorp/vault"
}
random = {
source = "hashicorp/random"
}
}
}

0
outputs.tf Normal file
View File

42
variables.tf Normal file
View File

@ -0,0 +1,42 @@
variable "global_approle_mount" {
type = string
default = "approle"
description = "The mount path for the global AppRole authentication method"
}
variable "tenant_name" {
type = string
description = "The name of the tenant you want to create"
validation {
condition = can(regex("^[-a-zA-Z0-9_]*$", var.tenant_name))
error_message = "The tenant name must only contain alphanumeric characters, dashes, and underscores."
}
}
variable "tenant_prefix" {
type = string
description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
}
variable "tenant_admin_policy_file" {
type = string
description = "The path to the admin policy file for this tenant"
}
variable "tenant_additional_roles" {
type = map(object({
policy_file = string
}))
default = {}
description = <<EOT
A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
}
EOT
}