49 lines
1.2 KiB
HCL
49 lines
1.2 KiB
HCL
# WARNING: Auto-generated by create-host tool
|
|
# Manual edits will be overwritten when create-host is run
|
|
|
|
# Generated host policies
|
|
# Each host gets access to its own secrets under hosts/<hostname>/*
|
|
locals {
|
|
generated_host_policies = {
|
|
"vaulttest01" = {
|
|
paths = [
|
|
"secret/data/hosts/vaulttest01/*",
|
|
]
|
|
}
|
|
|
|
}
|
|
|
|
# Placeholder secrets - user should add actual secrets manually or via tofu
|
|
generated_secrets = {
|
|
}
|
|
}
|
|
|
|
# Create policies for generated hosts
|
|
resource "vault_policy" "generated_host_policies" {
|
|
for_each = local.generated_host_policies
|
|
|
|
name = "host-${each.key}"
|
|
|
|
policy = <<-EOT
|
|
# Allow host to read its own secrets
|
|
%{for path in each.value.paths~}
|
|
path "${path}" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
%{endfor~}
|
|
EOT
|
|
}
|
|
|
|
# Create AppRoles for generated hosts
|
|
resource "vault_approle_auth_backend_role" "generated_hosts" {
|
|
for_each = local.generated_host_policies
|
|
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = each.key
|
|
token_policies = ["host-${each.key}"]
|
|
secret_id_ttl = 0 # Never expire (wrapped tokens provide time limit)
|
|
token_ttl = 3600
|
|
token_max_ttl = 3600
|
|
secret_id_num_uses = 0 # Unlimited uses
|
|
}
|