D3926.diff
diff --git a/roles/reports/rhyne-wyse/config.sls b/roles/reports/rhyne-wyse/config.sls
--- a/roles/reports/rhyne-wyse/config.sls
+++ b/roles/reports/rhyne-wyse/config.sls
@@ -9,12 +9,14 @@
# Configuration
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# This sls_id is declared in terraform/openbao/Makefile for secrets' rotation.
/usr/local/etc/secrets/rhyne-wyse.yaml:
file.managed:
- source: salt://roles/reports/rhyne-wyse/files/secrets.conf
- user: rhyne-wyse
- mode: 400
- makedirs: True
+ - show_changes: False
- template: jinja
- context:
vault:
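Review bot: The new `- show_changes: False` line carries no explanation of why it is there, and the comment added above the state only documents the Makefile coupling; the same applies to the identical hunk in roles/viperserv/eggdrop/config.sls. This state renders Vault-sourced values into a mode-400 file, so the reason for the option — keeping the rendered diff of the secret contents out of the state return and anything that stores that output — should be stated rather than left for the reader to infer. I would add `# show_changes: False keeps the rendered secret contents out of the state output.` directly above `- show_changes: False` in both files. The state's `context:` block continues past the end of this hunk.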
diff --git a/roles/viperserv/eggdrop/config.sls b/roles/viperserv/eggdrop/config.sls
--- a/roles/viperserv/eggdrop/config.sls
+++ b/roles/viperserv/eggdrop/config.sls
@@ -52,12 +52,14 @@
- user: viperserv
- group: nasqueron-irc
+# This sls_id is declared in terraform/openbao/Makefile for secrets' rotation.
/srv/viperserv/.credentials:
file.managed:
- source: salt://roles/viperserv/eggdrop/files/dot.credentials
- user: viperserv
- group: nasqueron-irc
- mode: 400
+ - show_changes: False
- template: jinja
- context:
# Database is on cluster B
diff --git a/terraform/README.md b/terraform/README.md
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -17,5 +17,12 @@
in headers block. That will tell you the exact path where the policy is defined.
To run this provider, Terraform will automatically authenticate to Vault using
-the token defined in your `$HOME/.vault-token` file. Ensure it doesn't end with a
-newline. If so, you can use `tr -d '\n'` to remove it.
+the token defined in your `$HOME/.vault-token` file.
+
+#### AppRole credentials
+
+Run the provider through `make rotate` so you can regenerate, rotate and deploy
+all the secrets.
+
+If you add a new AppRole, remember to also add the Salt instructions in
+`openbao/Makefile`.
diff --git a/terraform/openbao/Makefile b/terraform/openbao/Makefile
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/Makefile
@@ -0,0 +1,27 @@
+TERRAFORM_STATES=terraform.tfstate terraform.tfstate.backup
+
+SALT=sudo -u salt salt
+RM=rm -f
+
+AUDIT_DATE != date -u +%Y-%m-%dT%H:%M:%SZ
+AUDIT_LOG=/var/log/deploy.log
+
+.PHONY: all rotate provision deploy clean
+
+all:
+ @echo "There is no default target. Use 'make rotate' to rotate all secrets."
+
+rotate: provision deploy clean
+ @echo "[$(AUDIT_DATE)] <$(USER)> Terraform :: Vault :: Full secrets rotation" >> $(AUDIT_LOG)
+
+provision:
+ terraform init
+ terraform plan
+ terraform apply -auto-approve
+
+deploy:
+ $(SALT) windriver state.sls_id /usr/local/etc/secrets/rhyne-wyse.yaml roles/reports/rhyne-wyse/config
+ $(SALT) windriver state.sls_id /srv/viperserv/.credentials roles/viperserv/eggdrop/config
+
+clean:
+ $(RM) $(TERRAFORM_STATES)
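Review bot: `rotate: provision deploy clean` relies on prerequisite order, which GNU Make does not guarantee under `-j`: `clean` could delete `terraform.tfstate` while `terraform apply` is still writing it, and `deploy` could push the secrets files before the new SecretID exists. Make the chain explicit with `deploy: provision` and `clean: deploy` (or add `.NOTPARALLEL:` next to the `.PHONY` line), so the order holds regardless of how make is invoked. In `provision`, the `terraform plan` output is only displayed and `terraform apply -auto-approve` re-plans on its own, so what gets applied can differ from what was shown; `terraform plan -out=tfplan` followed by `terraform apply tfplan` pins them together, with `tfplan` added to `TERRAFORM_STATES` since a plan file can also hold sensitive values. Note also that `AUDIT_DATE != date ...` is evaluated at parse time, so the audit line records when make started rather than when the rotation completed; `$$(date -u +%Y-%m-%dT%H:%M:%SZ)` inside the `rotate` recipe would log the completion time.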
diff --git a/terraform/openbao/modules/app_credentials/main.tf b/terraform/openbao/modules/app_credentials/main.tf
--- a/terraform/openbao/modules/app_credentials/main.tf
+++ b/terraform/openbao/modules/app_credentials/main.tf
@@ -29,12 +29,6 @@
resource "vault_approle_auth_backend_role_secret_id" "this" {
backend = "approle"
role_name = vault_approle_auth_backend_role.this.role_name
-
- lifecycle {
- ignore_changes = [
- secret_id,
- ]
- }
}
# -------------------------------------------------------------
