Compare commits


11 Commits

Author SHA1 Message Date
2a98c0b295 Merge pull request 'feat/allow-extra-root-policies' (#3) from feat/allow-extra-root-policies into main
Some checks failed
release / Bump version and create changelog with commitizen (push) Has been cancelled
Reviewed-on: #3
2024-05-29 22:33:04 +00:00
ecd09aa07d
fix: required_parameters type in root_policy_extra_rules
All checks were successful
development / Check commit compliance (push) Successful in 4s
pull-requests-open / Check commit compliance (pull_request) Successful in 5s
2024-05-30 00:15:16 +02:00
f9acfc4675
fix: required_parameters type in root_policy_extra_rules
All checks were successful
pull-requests-open / Check commit compliance (pull_request) Successful in 6s
development / Check commit compliance (push) Successful in 24s
2024-05-30 00:12:41 +02:00
e91376012e
fix: evaluate parameters against null to avoid failing when null values are injected in place of optionals
All checks were successful
development / Check commit compliance (push) Successful in 36s
pull-requests-open / Check commit compliance (pull_request) Successful in 34s
2024-05-30 00:11:39 +02:00
71eef0590e
chore: removed old code comments
All checks were successful
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 6s
2024-05-29 23:45:12 +02:00
3a5ce135ea
fix: typo in default root permissions
All checks were successful
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 4s
2024-05-29 23:24:22 +02:00
670b0f2480
fix: use try on dynamic block to not raise errors on non-existent attributes
All checks were successful
development / Check commit compliance (push) Successful in 5s
pull-requests-open / Check commit compliance (pull_request) Successful in 4s
2024-05-29 23:21:09 +02:00
c9a7ea7908
fix: use rule context for block scoped values
All checks were successful
development / Check commit compliance (push) Successful in 4s
pull-requests-open / Check commit compliance (pull_request) Successful in 4s
2024-05-29 23:13:30 +02:00
7b337f47f5
fix: adjust code for root policy document to generate blocks instead of map of lists
All checks were successful
development / Check commit compliance (push) Successful in 6s
pull-requests-open / Check commit compliance (pull_request) Successful in 30s
2024-05-29 23:09:53 +02:00
d28fe5c099
feat: pass extra roles as key value pairs, requiring the full policy as value
All checks were successful
development / Check commit compliance (push) Successful in 29s
pull-requests-open / Check commit compliance (pull_request) Successful in 31s
2024-05-29 20:22:24 +02:00
e0af30a2f5
feat: allow passing extra policies to the tenant root role, start migrating away from old 'extra roles' approach
2024-05-29 20:21:47 +02:00
4 changed files with 85 additions and 21 deletions


@ -44,15 +44,16 @@ No modules.
| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource | | [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
| [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | | [vault_policy.extra](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource | | [vault_policy.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
| [vault_policy_document.root](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/data-sources/policy_document) | data source |
### Inputs ### Inputs
| Name | Description | Type | Default | Required | | Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:| |------|-------------|------|---------|:--------:|
| <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> additional_roles = {<br> devs = {<br> policy_file = "/some/path/to/policy.hcl"<br> }<br> admins = {...}<br> } | <pre>map(object({<br> policy_file = string<br> }))</pre> | `{}` | no | | <a name="input_additional_roles"></a> [additional_roles](#input_additional_roles) | A map of additional role names, with the path to the associated policy file to add for this tenant.<br> A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.<br> The variable should look like:<br> additional_roles = {<br> devs = file("path/to/policy.hcl")<br> admins = data.vault_policy_document.admins.hcl<br> } | `map(string)` | `{}` | no |
| <a name="input_name"></a> [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes | | <a name="input_name"></a> [name](#input_name) | The name of the tenant you want to create | `string` | n/a | yes |
| <a name="input_prefix"></a> [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes | | <a name="input_prefix"></a> [prefix](#input_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
| <a name="input_root_policy_file"></a> [root_policy_file](#input_root_policy_file) | The path to the admin policy file for this tenant | `string` | `null` | no | | <a name="input_root_policy_extra_rules"></a> [root_policy_extra_rules](#input_root_policy_extra_rules) | A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that you can customize it to your needs | <pre>map(<br> object({<br> path = string<br> capabilities = list(string)<br> description = optional(string)<br> required_parameters = optional(list(string))<br> allowed_parameter = optional(map(list(any)))<br> denied_parameter = optional(map(list(any)))<br> min_wrapping_ttl = optional(number)<br> max_wrapping_ttl = optional(number)<br> })<br> )</pre> | `{}` | no |
### Outputs ### Outputs
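Review bot: the `additional_roles` row in the Inputs table keeps the old wording ("with the path to the associated policy file") while its type is now `map(string)` and the example shows the value is the policy document itself (`file("path/to/policy.hcl")` or `data.vault_policy_document.admins.hcl`); reword the description to say each value is the policy HCL. The `root_policy_extra_rules` row should also state that the map is merged over the module's built-in rules by key (see `root_policy_rules` in root.tf), so an extra rule keyed like a default, e.g. `tenant_prefix_rw`, replaces that default instead of adding to it.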


@ -20,7 +20,7 @@ resource "vault_policy" "extra" {
for_each = var.additional_roles for_each = var.additional_roles
name = "${var.prefix}-${each.key}" name = "${var.prefix}-${each.key}"
policy = file(each.value.policy_file) policy = each.value
} }
resource "vault_identity_entity" "extra" { resource "vault_identity_entity" "extra" {
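Review bot: `policy = each.value` now takes the full policy document rather than a path, so a caller still passing `{ policy_file = "..." }` objects is rejected by the variable's type check, which is fine; but an empty or non-HCL string is accepted here and only fails at apply time when Vault rejects the policy. A `validation` block on `additional_roles` (for example `alltrue([for v in var.additional_roles : length(trimspace(v)) > 0])`) would surface the mistake at plan.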

root.tf

@ -1,3 +1,64 @@
locals {
root_policy_default_rules = {
tenant_prefix_rw = {
path = "${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_mount = {
path = "sys/mounts/${var.prefix}/*"
capabilities = ["create", "update", "read", "delete", "list"]
}
tenant_prefix_remount = {
path = "sys/remount"
capabilities = ["update", "sudo"]
allowed_parameter = {
"from" = ["${var.prefix}/*"]
"to" = ["${var.prefix}/*"]
}
}
tenant_prefix_remount_status = {
path = "sys/remount/status/*"
capabilities = ["read"]
}
}
root_policy_rules = merge(local.root_policy_default_rules, var.root_policy_extra_rules)
}
data "vault_policy_document" "root" {
dynamic "rule" {
for_each = local.root_policy_rules
content {
path = rule.value.path
capabilities = rule.value.capabilities
description = try(rule.value.description, null)
min_wrapping_ttl = try(rule.value.min_wrapping_ttl, null)
max_wrapping_ttl = try(rule.value.max_wrapping_ttl, null)
required_parameters = try(rule.value.required_parameters, [])
dynamic "allowed_parameter" {
for_each = try(rule.value.allowed_parameter, null) != null ? rule.value.allowed_parameter : {}
content {
key = allowed_parameter.key
value = allowed_parameter.value
}
}
dynamic "denied_parameter" {
for_each = try(rule.value.denied_parameter, null) != null ? rule.value.denied_parameter : {}
content {
key = denied_parameter.key
value = denied_parameter.value
}
}
}
}
}
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = data.vault_policy_document.root.hcl
}
resource "vault_approle_auth_backend_role" "root" { resource "vault_approle_auth_backend_role" "root" {
backend = vault_auth_backend.approle.path backend = vault_auth_backend.approle.path
role_name = "${var.name}-root" role_name = "${var.name}-root"
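Review bot: `merge(local.root_policy_default_rules, var.root_policy_extra_rules)` gives the caller's rules precedence, so an extra rule keyed `tenant_prefix_remount` silently replaces the default that confines `sys/remount` (`update` + `sudo`) to `from`/`to` values under `${var.prefix}/*`, rather than adding a rule beside it. Either document that colliding keys override defaults, or add a `precondition` on the data source that `setintersection(keys(local.root_policy_default_rules), keys(var.root_policy_extra_rules))` is empty. Smaller points: the `try(rule.value.x, null)` fallbacks and the `!= null ? ... : {}` ternaries are only needed because the default rules omit the optional attributes (the variable's `optional()` already yields `null` for the caller's rules), so declaring those keys as `null` in the defaults would let the `try()` calls go; and `vault_policy.root` is named `${var.name}-root` while `vault_policy.extra` and `vault_identity_entity.root` are prefixed with `var.prefix`, an inconsistency already present in `role_name` that this move is a chance to align.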
@ -12,11 +73,6 @@ resource "vault_approle_auth_backend_role_secret_id" "root" {
secret_id = random_uuid.root_secret_id.result secret_id = random_uuid.root_secret_id.result
} }
resource "vault_policy" "root" {
name = "${var.name}-root"
policy = var.root_policy_file == null ? templatefile("${path.module}/policies/root.policy.hcl", { tenant_prefix = var.prefix }) : file(var.root_policy_file)
}
resource "vault_identity_entity" "root" { resource "vault_identity_entity" "root" {
name = "${var.prefix}-root" name = "${var.prefix}-root"
} }
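Review bot: with this block gone the `${path.module}/policies/root.policy.hcl` template is no longer referenced by the module, so if that file still exists it should be removed in the same change so its content cannot drift from `root_policy_default_rules` in `locals`. The resource address `vault_policy.root` is unchanged, so no `moved` block is needed, but the policy body switches from the rendered template to the generated `vault_policy_document`, which will show as an in-place update of every tenant's root policy on the next plan; worth a line in the changelog.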


@ -12,26 +12,33 @@ variable "prefix" {
description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)" description = "The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..)"
} }
variable "root_policy_file" {
type = string
default = null
description = "The path to the admin policy file for this tenant"
}
variable "additional_roles" { variable "additional_roles" {
type = map(object({ type = map(string)
policy_file = string
}))
default = {} default = {}
description = <<EOT description = <<EOT
A map of additional role names, with the path to the associated policy file to add for this tenant. A map of additional role names, with the path to the associated policy file to add for this tenant.
A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable. A separate approle auth method is created for this tenant (mounted at auth/<prefix>-approle) including all the roles declared in this variable.
The variable should look like: The variable should look like:
additional_roles = { additional_roles = {
devs = { devs = file("path/to/policy.hcl")
policy_file = "/some/path/to/policy.hcl" admins = data.vault_policy_document.admins.hcl
}
admins = {...}
} }
EOT EOT
} }
variable "root_policy_extra_rules" {
type = map(
object({
path = string
capabilities = list(string)
description = optional(string)
required_parameters = optional(list(string))
allowed_parameter = optional(map(list(any)))
denied_parameter = optional(map(list(any)))
min_wrapping_ttl = optional(number)
max_wrapping_ttl = optional(number)
})
)
description = "A map of additional policies to attach to the root policy. These are merged with the default policies for the root role so that you can customize it to your needs"
default = {}
}
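Review bot: removing `root_policy_file` and changing `additional_roles` from `map(object({ policy_file = string }))` to `map(string)` both break existing callers, yet the commits are typed `feat:`/`fix:` with no `BREAKING CHANGE` footer, so the commitizen `release` job on the merge commit will bump a minor version rather than a major one. The `additional_roles` description also still says each value is "the path to the associated policy file" although the example passes the policy content; update the text. For `root_policy_extra_rules`, consider a `validation` block limiting `capabilities` to the values Vault accepts, for example `alltrue([for r in var.root_policy_extra_rules : length(setsubtract(r.capabilities, ["create", "read", "update", "patch", "delete", "list", "sudo", "deny"])) == 0])`, so a typo like the one fixed in 3a5ce135ea is caught at plan, and use `list(string)` instead of `list(any)` for `allowed_parameter`/`denied_parameter` since the provider's `value` argument is a list of strings.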