Compare commits

..

No commits in common. "2a98c0b2955e4a1027d292103908e005e44838a3" and "db88c3773b4284ce064f74b7229a5561e110e018" have entirely different histories.

4 changed files with 21 additions and 85 deletions

View File

@ -44,16 +44,15 @@ No modules.
| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy_document.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/policy_document) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> additional_roles = {<br> devs = file("path/to/policy.hcl")<br> admins = data.vault_policy_document.admins.hcl<br> } | `map(string)` | `{}` | no |
| <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> additional_roles = {<br> devs = {<br> policy_file = "/some/path/to/policy.hcl"<br> }<br> admins = {...}<br> } | <pre>map(object({<br> policy_file = string<br> }))</pre> | `{}` | no |
| <a name="input_name"></a> [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes |
| <a name="input_prefix"></a> [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
| <a name="input_root_policy_extra_rules"></a> [root_policy_extra_rules](#input_root_policy_extra_rules) | A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that you can customize it to your needs | <pre>map(<br> object({<br> path = string<br> capabilities = list(string)<br> description = optional(string)<br> required_parameters = optional(list(string))<br> allowed_parameter = optional(map(list(any)))<br> denied_parameter = optional(map(list(any)))<br> min_wrapping_ttl = optional(number)<br> max_wrapping_ttl = optional(number)<br> })<br> )</pre> | `{}` | no |
| <a name="input_root_policy_file"></a> [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
### Outputs

View File

@ -20,7 +20,7 @@ resource "vault_policy" "extra" {
for_each = var.additional_roles
name = "${var.prefix}-${each.key}"
policy = each.value
policy = file(each.value.policy_file)
}
resource "vault_identity_entity" "extra" {

66
root.tf
View File

@ -1,64 +1,3 @@
locals {
root_policy_default_rules = {
tenant_prefix_rw = {
path = "${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_mount = {
path = "sys/mounts/${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_remount = {
path = "sys/remount"
capabilities = ["update", "sudo"]
allowed_parameter = {
"from" = ["${var.prefix}/*"]
"to" = ["${var.prefix}/*"]
}
}
tenant_prefix_remount_status = {
path = "sys/remount/status/*"
capabilities = ["read"]
}
}
root_policy_rules = merge(local.root_policy_default_rules, var.root_policy_extra_rules)
}
data "vault_policy_document" "root" {
dynamic "rule" {
for_each = local.root_policy_rules
content {
path = rule.value.path
capabilities = rule.value.capabilities
description = try(rule.value.description, null)
min_wrapping_ttl = try(rule.value.min_wrapping_ttl, null)
max_wrapping_ttl = try(rule.value.max_wrapping_ttl, null)
required_parameters = try(rule.value.required_parameters, [])
dynamic "allowed_parameter" {
for_each = try(rule.value.allowed_parameter, null) != null ? rule.value.allowed_parameter : {}
content {
key = allowed_parameter.key
value = allowed_parameter.value
}
}
dynamic "denied_parameter" {
for_each = try(rule.value.denied_parameter, null) != null ? rule.value.denied_parameter : {}
content {
key = denied_parameter.key
value = denied_parameter.value
}
}
}
}
}
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = data.vault_policy_document.root.hcl
}
resource "vault_approle_auth_backend_role" "root" {
backend = vault_auth_backend.approle.path
role_name = "${var.name}-root"
@ -73,6 +12,11 @@ resource "vault_approle_auth_backend_role_secret_id" "root" {
secret_id = random_uuid.root_secret_id.result
}
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
}
resource "vault_identity_entity" "root" {
name = "${var.prefix}-root"
}

View File

@ -12,33 +12,26 @@ variable "prefix" {
description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
}
variable "root_policy_file" {
type = string
default = null
description = "The path to the admin policy file for this tenant"
}
variable "additional_roles" {
type = map(string)
type = map(object({
policy_file = string
}))
default = {}
description = <<EOT
A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
The variable should look like:
additional_roles = {
devs = file("path/to/policy.hcl")
admins = data.vault_policy_document.admins.hcl
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
}
EOT
}
variable "root_policy_extra_rules" {
type = map(
object({
path = string
capabilities = list(string)
description = optional(string)
required_parameters = optional(list(string))
allowed_parameter = optional(map(list(any)))
denied_parameter = optional(map(list(any)))
min_wrapping_ttl = optional(number)
max_wrapping_ttl = optional(number)
})
)
description = "A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that you can customize it to your needs"
default = {}
}