
D3923.id10168.diff


diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -57,7 +57,6 @@
- salt-primary
- sentry
- vault_bootstrap
- - viperserv
# -------------------------------------------------------------
# Vault policies for Salt itself
diff --git a/roles/viperserv/eggdrop/files/dot.credentials b/roles/viperserv/eggdrop/files/dot.credentials
--- a/roles/viperserv/eggdrop/files/dot.credentials
+++ b/roles/viperserv/eggdrop/files/dot.credentials
@@ -26,6 +26,6 @@
set sql(host) {{ db.host }}
set sql(database) {{ db.database }}
-set vault(roleID) {{ vault.approle.roleID }}
-set vault(secretID) {{ vault.approle.secretID }}
+set vault(roleID) {{ vault.approle.role_id }}
+set vault(secretID) {{ vault.approle.secret_id }}
set vault(host) {{ vault.addr }}
diff --git a/terraform/openbao/modules/app_credentials/main.tf b/terraform/openbao/modules/app_credentials/main.tf
--- a/terraform/openbao/modules/app_credentials/main.tf
+++ b/terraform/openbao/modules/app_credentials/main.tf
@@ -18,6 +18,7 @@
secret_id_bound_cidrs = var.secret_id_bound_cidrs
token_policies = var.policies
token_ttl = var.token_ttl
+ token_max_ttl = var.token_max_ttl
}
data "vault_approle_auth_backend_role_id" "this" {
diff --git a/terraform/openbao/modules/app_credentials/variables.tf b/terraform/openbao/modules/app_credentials/variables.tf
--- a/terraform/openbao/modules/app_credentials/variables.tf
+++ b/terraform/openbao/modules/app_credentials/variables.tf
@@ -37,3 +37,9 @@
type = string
default = "300"
}
+
+variable "token_max_ttl" {
+ description = "Maximum token TTL for the AppRole in seconds (0 means use system default)"
+ type = number
+ default = 0
+}
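Review bot: The new `token_max_ttl` variable is declared `type = number` with `default = 0`, while the variable closing just above it in the hunk is `type = string` with `default = "300"` — presumably `token_ttl`, since `var.token_ttl` feeds the same AppRole resource in main.tf. Two TTLs set side by side by the caller (viperserv.tf passes `token_ttl = 3600` and `token_max_ttl = 14400`) now have different types, which only works because Terraform coerces the number to a string and makes a caller typo surface late. Aligning the existing variable to `type = number` and `default = 300` would keep the module's TTL inputs consistent; that `variable` block begins outside the hunk.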
diff --git a/roles/vault/policies/files/viperserv.hcl b/terraform/openbao/policies/viperserv.hcl
rename from roles/vault/policies/files/viperserv.hcl
rename to terraform/openbao/policies/viperserv.hcl
--- a/roles/vault/policies/files/viperserv.hcl
+++ b/terraform/openbao/policies/viperserv.hcl
@@ -3,7 +3,7 @@
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Project: Nasqueron
# License: Trivial work, not eligible to copyright
-# Source file: roles/vault/policies/files/viperserv.hcl
+# Source file: terraform/openbao/policies/viperserv.hcl
# -------------------------------------------------------------
#
# <auto-generated>
diff --git a/terraform/openbao/viperserv.tf b/terraform/openbao/viperserv.tf
new file mode 100644
--- /dev/null
+++ b/terraform/openbao/viperserv.tf
@@ -0,0 +1,40 @@
+# -------------------------------------------------------------
+# Terraform :: OpenBao :: ViperServ
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+# Project: Nasqueron
+# License: BSD-2-Clause
+# Provider: Vault / OpenBao
+# Target: completor.nasqueron.drake
+# -------------------------------------------------------------
+
+# -------------------------------------------------------------
+# Policy
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+resource "vault_policy" "viperserv" {
+ name = "viperserv"
+ policy = file("${path.module}/policies/viperserv.hcl")
+}
+
+# -------------------------------------------------------------
+# AppRole
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+module "viperserv_approle" {
+ source = "./modules/app_credentials"
+
+ role_name = "viperserv"
+ policies = ["viperserv"]
+
+ secret_id_bound_cidrs = [
+ # Windriver
+ "172.27.27.35/32"
+ ]
+
+ token_ttl = 3600 # 1h
+ token_max_ttl = 14400 # 4h
+
+ # Save credentials to
+ kv_mount = "ops"
+ kv_path = "secrets/nasqueron/viperserv/vault"
+}
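Review bot: `policies = ["viperserv"]` in `module "viperserv_approle"` repeats the policy name as a literal, so Terraform records no dependency between the module and `vault_policy.viperserv`; on a fresh apply the AppRole may be processed before the policy exists, and a later rename of the policy would leave the role bound to a stale name with no plan diff. Referencing the resource, `policies = [vault_policy.viperserv.name]`, gives the implicit ordering and keeps the two in step. The comment `# Save credentials to` is also terse; something like `# KV location where the module presumably stores the generated role ID / secret ID` would tell a reader why `kv_mount`/`kv_path` are inputs here, hedged because the module body that consumes them is outside this diff.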
