terraform-registry/terraform-vault-tenant
terraform-registry/terraform-vault-tenant
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: terraform-registry:db88c3773b4284ce064f74b7229a5561e110e018
Branches Tags
terraform-registry:main
terraform-registry:v0.2.0
terraform-registry:v0.1.0
...
compare: terraform-registry:d28fe5c0994351a02af0def1a4e608d54d2e7583
Branches Tags
terraform-registry:main
terraform-registry:v0.2.0
terraform-registry:v0.1.0

2 Commits
db88c3773b ... d28fe5c099

Author SHA1 Message Date
Bertrand Lanson
d28fe5c099
feat: pass extra roles as key value pairs, required the full policy as value
All checks were successful
development / Check commit compliance (push) Successful in 29s
Details
pull-requests-open / Check commit compliance (pull_request) Successful in 31s
Details
2024-05-29 20:22:24 +02:00
Bertrand Lanson
e0af30a2f5
feat: allow passing extra policies to the tenant root role, start migrating away from old 'extra roles' approach 2024-05-29 20:21:47 +02:00
4 changed files with 71 additions and 21 deletions
Show Stats Expand all files Collapse all files

5
README.md
View File

@ -44,15 +44,16 @@ No modules.
| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy_document.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/policy_document) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> additional_roles = {<br> devs = {<br> policy_file = "/some/path/to/policy.hcl"<br> }<br> admins = {...}<br> } | <pre>map(object({<br> policy_file = string<br> }))</pre> | `{}` | no |
| <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> additional_roles = {<br> devs = file("path/to/policy.hcl")<br> admins = data.vault_policy_document.admins.hcl<br> } | `map(string)` | `{}` | no |
| <a name="input_name"></a> [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes |
| <a name="input_prefix"></a> [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
| <a name="input_root_policy_file"></a> [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no |
| <a name="input_root_policy_extra_rules"></a> [root_policy_extra_rules](#input_root_policy_extra_rules) | A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that oyu can customize it to your needs | <pre>map(<br> object({<br> path = string<br> capabilities = list(string)<br> description = optional(string)<br> required_parameters = optional(map(list(any)))<br> allowed_parameter = optional(map(list(any)))<br> denied_parameter = optional(map(list(any)))<br> min_wrapping_ttl = optional(number)<br> max_wrapping_ttl = optional(number)<br> })<br> )</pre> | `{}` | no |
### Outputs

2
extra_policies.tf
View File

@ -20,7 +20,7 @@ resource "vault_policy" "extra" {
for_each = var.additional_roles
name = "${var.prefix}-${each.key}"
policy = file(each.value.policy_file)
policy = each.value
}
resource "vault_identity_entity" "extra" {

52
root.tf
View File

@ -1,3 +1,50 @@
locals {
root_policy_default_rules = {
tenant_prefix_rw = {
path = "${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_mount = {
path = "sys/mounts/${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_remount = {
path = "sys/remount"
capabilities = ["update", "sudo"]
allowed_parameters = {
"from" = ["${var.prefix}/*"]
"to" = ["${var.prefix}/*"]
}
}
tenant_prefix_remount_status = {
path = "sys/remount/status/*"
capabilities = ["read"]
}
}
root_policy_rules = merge(local.root_policy_default_rules, var.root_policy_extra_rules)
}
data "vault_policy_document" "root" {
dynamic "rule" {
for_each = local.root_policy_rules
content {
path = each.value.path
capabilities = each.value.capabilities
description = try(each.value.description, null)
required_parameters = try(each.value.required_parameters, null)
allowed_parameter = try(each.value.allowed_parameter, null)
denied_parameter = try(each.value.denied_parameter, null)
min_wrapping_ttl = try(each.value.min_wrapping_ttl, null)
max_wrapping_ttl = try(each.value.max_wrapping_ttl, null)
}
}
}
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = data.vault_policy_document.root.hcl
}
resource "vault_approle_auth_backend_role" "root" {
backend = vault_auth_backend.approle.path
role_name = "${var.name}-root"
@ -12,11 +59,6 @@ resource "vault_approle_auth_backend_role_secret_id" "root" {
secret_id = random_uuid.root_secret_id.result
}
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
}
resource "vault_identity_entity" "root" {
name = "${var.prefix}-root"
}

33
variables.tf
View File

@ -12,26 +12,33 @@ variable "prefix" {
description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
}
variable "root_policy_file" {
type = string
default = null
description = "The path to the admin policy file for this tenant"
}
variable "additional_roles" {
type = map(object({
policy_file = string
}))
type = map(string)
default = {}
description = <<EOT
A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
The variable should look like:
additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
devs = file("path/to/policy.hcl")
admins = data.vault_policy_document.admins.hcl
}
EOT
}
variable "root_policy_extra_rules" {
type = map(
object({
path = string
capabilities = list(string)
description = optional(string)
required_parameters = optional(map(list(any)))
allowed_parameter = optional(map(list(any)))
denied_parameter = optional(map(list(any)))
min_wrapping_ttl = optional(number)
max_wrapping_ttl = optional(number)
})
)
description = "A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that oyu can customize it to your needs"
default = {}
}