From e55dc0d43b22875ffec6099a20f7c20afd39b708 Mon Sep 17 00:00:00 2001
From: guyzsarun
Date: Thu, 19 Jun 2025 10:33:30 +0700
Subject: [PATCH 1/6] Update template

---
 authentication/templates/default_template.tftpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authentication/templates/default_template.tftpl b/authentication/templates/default_template.tftpl
index 63811e4..36ccbb8 100644
--- a/authentication/templates/default_template.tftpl
+++ b/authentication/templates/default_template.tftpl
@@ -1,4 +1,4 @@
 {
 "policies": [%{ for i,policy in policies ~}"${policy}"%{if i < length(policies) -1 }, %{ endif }%{~ endfor ~}],
- "password": "password"
+ "password": "${password}"
 }
\ No newline at end of file

From 21f53f2a8d5f3b842d0f197f53470452d98bc042 Mon Sep 17 00:00:00 2001
From: guyzsarun
Date: Thu, 19 Jun 2025 12:54:06 +0700
Subject: [PATCH 2/6] migrate policy

---
 authentication/policy.tf | 5 +++++
 .../templates/policy}/admin_policy.hcl | 9 ++++++++-
 .../templates/policy}/root_policy.hcl | 0
 .../templates/policy}/view_policy.hcl | 0
 policy/main.tf | 5 -----
 5 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 authentication/policy.tf
 rename {policy/templates => authentication/templates/policy}/admin_policy.hcl (93%)
 rename {policy/templates => authentication/templates/policy}/root_policy.hcl (100%)
 rename {policy/templates => authentication/templates/policy}/view_policy.hcl (100%)
 delete mode 100644 policy/main.tf

diff --git a/authentication/policy.tf b/authentication/policy.tf
new file mode 100644
index 0000000..5d0ef7f
--- /dev/null
+++ b/authentication/policy.tf
@@ -0,0 +1,5 @@
+resource "vault_policy" "policies" {
+ name = split(".", each.value)[0]
+ policy = file("${path.module}/templates/policy/${each.value}")
+ for_each = fileset("${path.module}/templates/policy/", "*.hcl")
+}
\ No newline at end of file
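Review bot: The added `"password": "${password}"` line interpolates the value into a hand-built JSON document with no escaping, so a password containing `"` or `\` produces invalid `data_json` (or alters the JSON structure) and the userpass write fails in a way that is hard to diagnose. Rendering the whole body with `jsonencode` fixes the escaping and also replaces the manual comma loop on the `"policies"` line: the entire template can become `${jsonencode({ policies = policies, password = password })}`. Whatever is passed as `password` is part of the rendered `data_json` and therefore of the Terraform state; whether plan output redacts it depends on the provider marking that attribute sensitive, which is worth confirming before real credentials are fed through this template.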
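Review bot: `vault_policy.policies` changes address from `module.policy` to `module.authentication` in the new policy.tf without a `moved` block, so a plan against existing state destroys the Vault policies under the old address and recreates them under the new one, and any token or userpass user bound to those policy names loses them for the duration of that replace. A root-module `moved` block with `from = module.policy.vault_policy.policies` and `to = module.authentication.vault_policy.policies` turns this into a pure state rename. At this commit main.tf still references `module "policy"` while policy/main.tf and its templates are gone, so the series is presumably not initialisable at this point until the next patch removes that module; folding the main.tf edit into this commit would keep every commit applyable on its own.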
diff --git a/policy/templates/admin_policy.hcl b/authentication/templates/policy/admin_policy.hcl
similarity index 93%
rename from policy/templates/admin_policy.hcl
rename to authentication/templates/policy/admin_policy.hcl
index a375d3c..a297186 100644
--- a/policy/templates/admin_policy.hcl
+++ b/authentication/templates/policy/admin_policy.hcl
@@ -74,4 +74,11 @@ path "kv-v2/*"
 path "sys/health"
 {
 capabilities = ["read", "sudo"]
-}
\ No newline at end of file
+}
+
+# Update Certs
+path "certs_int/*"
+{
+ capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
diff --git a/policy/templates/root_policy.hcl b/authentication/templates/policy/root_policy.hcl
similarity index 100%
rename from policy/templates/root_policy.hcl
rename to authentication/templates/policy/root_policy.hcl
diff --git a/policy/templates/view_policy.hcl b/authentication/templates/policy/view_policy.hcl
similarity index 100%
rename from policy/templates/view_policy.hcl
rename to authentication/templates/policy/view_policy.hcl
diff --git a/policy/main.tf b/policy/main.tf
deleted file mode 100644
index 2653b4f..0000000
--- a/policy/main.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-resource "vault_policy" "policies" {
- name = split(".", each.value)[0]
- policy = file("${path.module}/templates/${each.value}")
- for_each = fileset("${path.module}/templates/", "*.hcl")
-}
\ No newline at end of file

From 3c743e36ebb5b486202104f453a7b9d77d2fc307 Mon Sep 17 00:00:00 2001
From: guyzsarun
Date: Thu, 19 Jun 2025 14:35:41 +0700
Subject: [PATCH 3/6] update template

---
 authentication/userpass.tf | 27 ++++++++-------------------
 main.tf | 4 ----
 2 files changed, 8 insertions(+), 23 deletions(-)

diff --git a/authentication/userpass.tf b/authentication/userpass.tf
index 072aeef..1530a7b 100644
--- a/authentication/userpass.tf
+++ b/authentication/userpass.tf
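Review bot: The new `certs_int/*` rule grants every capability including `delete` and `sudo` on the whole mount, which is considerably broader than the `# Update Certs` comment describes; the earlier part of admin_policy.hcl is outside this hunk, but the only other `sudo` visible here is the narrowly scoped `sys/health` read. If `certs_int` is a PKI mount and the intent is issuing or renewing certificates, restrict the rule to the sub-paths those operations use and drop `sudo` unless a specific root-protected endpoint under that mount is needed, naming that endpoint in the comment; `delete` on the full mount also covers role and configuration removal, which is usually an operator-only action. At minimum, expand the comment to record why `sudo` and `delete` are required, e.g. `# certs_int: <reason sudo/delete are needed>`, so the grant can be reviewed later.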
@@ -1,29 +1,18 @@
+locals {
+ users = jsondecode(file("${path.module}/templates/users.json"))
+}
+
 resource "vault_auth_backend" "userpass" {
 type = "userpass"
 path = var.path
 description = "Main userpass authentication"
 }
 
-resource "vault_generic_endpoint" "devops_user" {
+resource "vault_generic_endpoint" "users" {
+ for_each = { for user in local.users : user.username => user }
 depends_on = [vault_auth_backend.userpass]
- path = "auth/userpass/users/devops_user"
+ path = "auth/userpass/users/${each.value.username}"
 ignore_absent_fields = true
 
- data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(["default", "admin_policy"]) })
+ data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(each.value.policies), password = each.value.password })
 }
-
-resource "vault_generic_endpoint" "root_user" {
- depends_on = [vault_auth_backend.userpass]
- path = "auth/userpass/users/root"
- ignore_absent_fields = true
-
- data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(["default", "root_policy"]) })
-}
-
-resource "vault_generic_endpoint" "view_user" {
- depends_on = [vault_auth_backend.userpass]
- path = "auth/userpass/users/viewer"
- ignore_absent_fields = true
-
- data_json = templatefile("${path.module}/templates/default_template.tftpl", { policies = sort(["default", "view_policy"]) })
-}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 2c9bff1..6a4a3e2 100644
--- a/main.tf
+++ b/main.tf
@@ -1,7 +1,3 @@
-module "policy" {
- source = "./policy"
-}
-
 module "authentication" {
 source = "./authentication"
 path = "userpass"

From fb707ac34fedb29cb7ce5e90d1d7f3078e2583d5 Mon Sep 17 00:00:00 2001
From: guyzsarun
Date: Thu, 19 Jun 2025 14:42:05 +0700
Subject: [PATCH 4/6] add example

---
 authentication/templates/users.json.example | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 authentication/templates/users.json.example
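Review bot: The new `locals` block makes `templates/users.json`, a file of plaintext passwords, a hard requirement at plan time through `file()`, and nothing in this series shows it being git-ignored; its absence also breaks `terraform validate`, which is presumably why the last patch removes that CI step. Accepting the list through a `variable "users"` marked `sensitive = true` (the root module can still do the `jsondecode(file(...))`) keeps credentials out of the module directory and lets validate run without the file. The removed `devops_user`, `root_user` and `view_user` resources are not mapped onto the new `users` instances, so an apply destroys those endpoints while creating `vault_generic_endpoint.users["viewer"]` at the same Vault path, and the relative order of that destroy and create is not guaranteed; a `moved` block per retained user, `from = vault_generic_endpoint.view_user` / `to = vault_generic_endpoint.users["viewer"]`, avoids the churn. Finally, `sort(each.value.policies)` no longer prepends `"default"` as the removed literals did; Vault normally attaches `default` on its own, but if the explicit listing was intentional use `sort(concat(["default"], each.value.policies))`.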
diff --git a/authentication/templates/users.json.example b/authentication/templates/users.json.example
new file mode 100644
index 0000000..378fae3
--- /dev/null
+++ b/authentication/templates/users.json.example
@@ -0,0 +1,7 @@
+[
+ {
+ "username": "viewer",
+ "password": "password123",
+ "policies": ["view_policy"]
+ }
+]
\ No newline at end of file

From d882ac820c249c2381edab552e9df86f46fe858b Mon Sep 17 00:00:00 2001
From: guyzsarun
Date: Sat, 21 Jun 2025 13:44:16 +0700
Subject: [PATCH 5/6] update ci

---
 .github/workflows/lint.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index da400ba..edcc2c4 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -11,6 +11,8 @@ jobs:
 - uses: actions/checkout@v3
 name: Checkout source code
 
+ - uses: hashicorp/setup-terraform@v3
+
 - name: init
 run: terraform init
 

From 94bfdb7b5e72c4df54fc5313a4e66e316aca380e Mon Sep 17 00:00:00 2001
From: guyzsarun
Date: Sat, 21 Jun 2025 13:48:58 +0700
Subject: [PATCH 6/6] remove validate

---
 .github/workflows/lint.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index edcc2c4..9ad0af1 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -19,10 +19,6 @@ jobs:
 - name: fmt
 run: terraform fmt -recursive -check
 
- - name: validate run: terraform validate
- env:
- VAULT_ADDR: https://example.com
 tflint:
 runs-on: ubuntu-latest
 steps:
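Review bot: The added `- uses: hashicorp/setup-terraform@v3` references the action by a mutable tag, like the existing `actions/checkout@v3` above it, so the job runs whatever those tags resolve to at run time; pinning third-party actions to a full commit SHA with the tag kept as a trailing comment (`- uses: hashicorp/setup-terraform@<commit-sha> # v3`) is the standard supply-chain hardening here. The step also sets no `terraform_version`, so `init` and `fmt -check` below run against whatever version the action selects by default, which can make formatting results drift between runs; pin it to the version the module is written for. The enclosing job definition starts before this hunk.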
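Review bot: Removing the `validate` step leaves this job with only `init`, `fmt -check` and whatever the `tflint` job below covers, so a configuration error in the new `vault_generic_endpoint.users` block is no longer caught before merge. If the step was dropped because `file(".../users.json")` fails without that file present, the cheaper fix is to materialise it from the committed example before validating, `run: cp authentication/templates/users.json.example authentication/templates/users.json`, and keep `run: terraform validate`. `terraform validate` does not configure providers, so the removed `VAULT_ADDR` env is unlikely to have been required in either case; the enclosing job starts before this hunk.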