Chore: Refactor Authen (#7)

guyzsarun · web-flow · commit 35155d5741e7 · 2025-06-21T13:49:21.000+07:00
* Update template

* migrate policy

* update template

* add example

* update ci

* remove validate
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -11,16 +11,14 @@ jobs:
       - uses: actions/checkout@v3
         name: Checkout source code
 
+      - uses: hashicorp/setup-terraform@v3
+
       - name: init
         run: terraform init
 
       - name: fmt
         run: terraform fmt -recursive -check
 
-      - name: validate
-        run: terraform validate
-        env:
-          VAULT_ADDR: https://example.com
   tflint:
     runs-on: ubuntu-latest
     steps:
diff --git a/authentication/policy.tf b/authentication/policy.tf
@@ -0,0 +1,5 @@
+resource "vault_policy" "policies" {
+  name     = split(".", each.value)[0]
+  policy   = file("${path.module}/templates/policy/${each.value}")
+  for_each = fileset("${path.module}/templates/policy/", "*.hcl")
+}
diff --git a/authentication/templates/default_template.tftpl b/authentication/templates/default_template.tftpl
@@ -1,4 +1,4 @@
 {
     "policies": [%{ for i,policy in policies ~}"${policy}"%{if i < length(policies) -1 }, %{ endif }%{~ endfor ~}],
-    "password": "password"
+    "password": "${password}"
 }
diff --git a/authentication/templates/policy/admin_policy.hcl b/authentication/templates/policy/admin_policy.hcl
@@ -74,4 +74,11 @@ path "kv-v2/*"
 path "sys/health"
 {
   capabilities = ["read", "sudo"]
-}
+}
+
+# Update Certs
+path "certs_int/*"
+{
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
diff --git a/authentication/templates/policy/root_policy.hcl b/authentication/templates/policy/root_policy.hcl
diff --git a/authentication/templates/policy/view_policy.hcl b/authentication/templates/policy/view_policy.hcl
diff --git a/authentication/templates/users.json.example b/authentication/templates/users.json.example
@@ -0,0 +1,7 @@
+[
+    {
+        "username": "viewer",
+        "password": "password123",
+        "policies": ["view_policy"]
+    }
+]
diff --git a/authentication/userpass.tf b/authentication/userpass.tf
@@ -1,29 +1,18 @@
+locals {
+  users = jsondecode(file("${path.module}/templates/users.json"))
+}
+
 resource "vault_auth_backend" "userpass" {
   type        = "userpass"
   path        = var.path
   description = "Main userpass authentication"
 }
 
-resource "vault_generic_endpoint" "devops_user" {
+resource "vault_generic_endpoint" "users" {
+  for_each             = { for user in local.users : user.username => user }
   depends_on           = [vault_auth_backend.userpass]
-  path                 = "auth/userpass/users/devops_user"
+  path                 = "auth/userpass/users/${each.value.username}"
   ignore_absent_fields = true
 
-  data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(["default", "admin_policy"]) })
+  data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(each.value.policies), password = each.value.password })
 }
-
-resource "vault_generic_endpoint" "root_user" {
-  depends_on           = [vault_auth_backend.userpass]
-  path                 = "auth/userpass/users/root"
-  ignore_absent_fields = true
-
-  data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(["default", "root_policy"]) })
-}
-
-resource "vault_generic_endpoint" "view_user" {
-  depends_on           = [vault_auth_backend.userpass]
-  path                 = "auth/userpass/users/viewer"
-  ignore_absent_fields = true
-
-  data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(["default", "view_policy"]) })
-}
diff --git a/main.tf b/main.tf
@@ -1,7 +1,3 @@
-module "policy" {
-  source = "./policy"
-}
-
 module "authentication" {
   source = "./authentication"
   path   = "userpass"
diff --git a/policy/main.tf b/policy/main.tf

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`	`1`	`{`
`2`	`2`	`"policies": [%{ for i,policy in policies ~}"${policy}"%{if i < length(policies) -1 }, %{ endif }%{~ endfor ~}],`
`3`		`- "password": "password"`
	`3`	`+ "password": "${password}"`
`4`	`4`	`}`