diff --git a/.editorconfig b/.editorconfig
--- a/.editorconfig
+++ b/.editorconfig
@@ -8,7 +8,7 @@
charset = utf-8
# 4 space indentation
-[*.{conf, php, py, sh}]
+[*.{conf,php,py,sh,hcl,tf}]
indent_style = space
indent_size = 4
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -46,6 +46,8 @@
# - through _modules/credentials.py for policies to apply
# to Salt nodes, like e.g., vault_secrets_by_role
#
+# App policies can also be defined in terraform/openbao/
+#
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
vault_policies:
diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
--- /dev/null
+++ b/terraform/README.md
@@ -0,0 +1,21 @@
+# Terraform configurations
+
+## Providers
+
+### OpenBao / Vault
+
+Use this provider to interact with Vault.
+
+The following modules are available:
+
+ - **app_credentials:** create new AppRole credentials, save them in kv
+
+Policies can be found in the `policies/` directory.
+They supplement the policies defined in roles/vault/policies/ with Salt.
+
+When you read a policy through `vault policy read`, look at the `Source file:` field
+in headers block. That will tell you the exact path where the policy is defined.
+
+To run this provider, Terraform will automatically authenticate to Vault using
+the token defined in your `$HOME/.vault-token` file. Ensure it doesn't end with a
+newline. If so, you can use `tr -d '\n'` to remove it.
diff --git a/terraform/openbao/main.tf b/terraform/openbao/main.tf
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/main.tf
@@ -0,0 +1,10 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: Root Terraform configuration
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: BSD-2-Clause
+# Provider: Vault / OpenBao
+# Target: completor.nasqueron.drake
+# -------------------------------------------------------------
+
+# This file is intentionally left blank.
diff --git a/terraform/openbao/modules/app_credentials/main.tf b/terraform/openbao/modules/app_credentials/main.tf
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/modules/app_credentials/main.tf
@@ -0,0 +1,51 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: Modules :: App Credentials
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# Description: Module to create an AppRole and store its
+# credentials in KV v2.
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Create AppRole, fetch role_id and secret_id
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+resource "vault_approle_auth_backend_role" "this" {
+ backend = "approle"
+
+ role_name = var.role_name
+ secret_id_bound_cidrs = var.secret_id_bound_cidrs
+ token_policies = var.policies
+ token_ttl = var.token_ttl
+}
+
+data "vault_approle_auth_backend_role_id" "this" {
+ backend = "approle"
+ role_name = vault_approle_auth_backend_role.this.role_name
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "this" {
+ backend = "approle"
+ role_name = vault_approle_auth_backend_role.this.role_name
+
+ lifecycle {
+ ignore_changes = [
+ secret_id,
+ ]
+ }
+}
+
+# -------------------------------------------------------------
+# Store AppRole credentials in KV v2
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+resource "vault_kv_secret_v2" "this" {
+ mount = var.kv_mount
+ name = var.kv_path
+
+ data_json = jsonencode({
+ role_id = data.vault_approle_auth_backend_role_id.this.role_id
+ secret_id = vault_approle_auth_backend_role_secret_id.this.secret_id
+ })
+}
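Review bot: `secret_id_bound_cidrs` on `vault_approle_auth_backend_role.this` restricts only the login call; the tokens it issues carry no network binding, so a token that leaks from the client host stays usable from any address until `token_ttl` expires. Consider also setting `token_bound_cidrs = var.secret_id_bound_cidrs` on the role so the same restriction applies to the issued tokens. Note as well that the secret_id generated by `vault_approle_auth_backend_role_secret_id.this` and repeated inside `data_json` is recorded in plaintext in the Terraform state, so the state backend needs the same protection as the KV secret; a line in the header comment saying so would help. The `lifecycle { ignore_changes = [secret_id] }` block presumably exists to avoid rotating the secret on every apply, and a one-line comment stating that intent would save the next reader guessing.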
diff --git a/terraform/openbao/modules/app_credentials/variables.tf b/terraform/openbao/modules/app_credentials/variables.tf
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/modules/app_credentials/variables.tf
@@ -0,0 +1,39 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: Modules :: App Credentials
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+variable "role_name" {
+ description = "Name of the AppRole"
+ type = string
+}
+
+variable "kv_mount" {
+ description = "Mount path of KV v2 engine where to save the approle credentials"
+ type = string
+ default = "kv"
+}
+
+variable "kv_path" {
+ description = "KV v2 secret path where to save the approle credentials"
+ type = string
+}
+
+variable "policies" {
+ description = "List of policies attached to this AppRole"
+ type = list(string)
+}
+
+variable "secret_id_bound_cidrs" {
+ description = "List of CIDR blocks of IP addresses allowed to login."
+ type = list(string)
+ default = []
+}
+
+variable "token_ttl" {
+ description = "Default token TTL for the AppRole"
+ type = string
+ default = "300"
+}
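Review bot: `secret_id_bound_cidrs` defaults to `[]`, so a caller who omits it gets an AppRole whose secret_id can be used from any source address; for a module whose purpose is issuing credentials, dropping the `default` (making it required) or at least stating in the description that an empty list means no restriction would be safer. `token_ttl` is declared `type = string` with default `"300"` although the provider attribute it feeds is a number of seconds; `type = number` with `default = 300` rejects non-numeric input at plan time, and the unit should be in the description, e.g. `description = "Default token TTL for the AppRole, in seconds"`.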
diff --git a/terraform/openbao/policies/rhyne-wyse.hcl b/terraform/openbao/policies/rhyne-wyse.hcl
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/policies/rhyne-wyse.hcl
@@ -0,0 +1,22 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: Policies :: Rhyne-Wyse
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: Trivial work, not eligible to copyright
+# Source file: terraform/openbao/policies/rhyne-wyse.hcl
+# -------------------------------------------------------------
+#
+# <auto-generated>
+# This file is managed by our rOPS SaltStack repository.
+#
+# Changes to this file may cause incorrect behavior
+# and will be lost if the state is redeployed.
+# </auto-generated>
+
+path "apps/data/rhyne-wyse/agora" {
+ capabilities = [ "read" ]
+}
+
+path "ops/data/secrets/dbserver/cluster-B/users/rhyne-wyse" {
+ capabilities = [ "read" ]
+}
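Review bot: The `<auto-generated>` block says changes "will be lost if the state is redeployed", wording that refers to a Salt state, yet within this change the file is the hand-written source that `rhyne_wyse.tf` loads with `file()` and the README describes these policies as supplementing the Salt-managed ones. If this repository is rOPS itself (the `pillar/credentials/vault.sls` path suggests so), the "managed by our rOPS SaltStack repository" line is not wrong, but the redeploy sentence should describe the actual flow, e.g. `# Changes made directly in Vault will be overwritten on the next terraform apply.` The two `read`-only paths are appropriately narrow.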
diff --git a/terraform/openbao/providers.tf b/terraform/openbao/providers.tf
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/providers.tf
@@ -0,0 +1,19 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: Providers
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: BSD-2-Clause
+# -------------------------------------------------------------
+
+terraform {
+ required_providers {
+ vault = {
+ source = "hashicorp/vault"
+ version = "5.3.0"
+ }
+ }
+}
+
+provider "vault" {
+ token = file("~/.vault-token")
+}
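Review bot: `token = file("~/.vault-token")` passes the file content verbatim, which is why the README has to warn about a trailing newline; `token = trimspace(file("~/.vault-token"))` removes the manual `tr -d '\n'` step. If I read the provider documentation correctly, it already falls back to `~/.vault-token` when no token is configured, in which case the `token` line could be dropped entirely. No `address` is set, so the target server comes from `VAULT_ADDR` in the environment; a comment stating that next to the `Target:` header used in the other files would make the assumption explicit.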
diff --git a/terraform/openbao/rhyne_wyse.tf b/terraform/openbao/rhyne_wyse.tf
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/rhyne_wyse.tf
@@ -0,0 +1,37 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: Rhyne-Wyse
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: BSD-2-Clause
+# Provider: Vault / OpenBao
+# Target: completor.nasqueron.drake
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Policy
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+resource "vault_policy" "rhyne_wyse" {
+ name = "rhyne-wyse"
+ policy = file("${path.module}/policies/rhyne-wyse.hcl")
+}
+
+# -------------------------------------------------------------
+# AppRole
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+module "rhyne_wyse_approle" {
+ source = "./modules/app_credentials"
+
+ role_name = "rhyne-wyse"
+ policies = ["rhyne-wyse"]
+
+ secret_id_bound_cidrs = [
+ # Windriver
+ "172.27.27.35/32"
+ ]
+
+ # Save credentials to
+ kv_mount = "ops"
+ kv_path = "secrets/nasqueron/rhyne-wyse/salt"
+}
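Review bot: `policies = ["rhyne-wyse"]` repeats the policy name as a literal instead of referencing the resource declared above it, so Terraform records no dependency between the module and `vault_policy.rhyne_wyse`; on a fresh apply the role can be created before the policy exists, and a later rename of the policy would silently detach it. Use `policies = [vault_policy.rhyne_wyse.name]`. The `# Save credentials to` comment above `kv_mount` is cut off; completing it with the destination path and who is expected to read it (the `/salt` suffix hints at the Salt side, but that is not visible here) would document the contract.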
