75 lines
1.5 KiB
HCL
75 lines
1.5 KiB
HCL
# Enable AppRole auth backend
|
|
resource "vault_auth_backend" "approle" {
|
|
type = "approle"
|
|
path = "approle"
|
|
}
|
|
|
|
# Define host access policies
|
|
locals {
|
|
host_policies = {
|
|
# Example: monitoring01 host
|
|
# "monitoring01" = {
|
|
# paths = [
|
|
# "secret/data/hosts/monitoring01/*",
|
|
# "secret/data/services/prometheus/*",
|
|
# "secret/data/services/grafana/*",
|
|
# "secret/data/shared/smtp/*"
|
|
# ]
|
|
# }
|
|
|
|
# Example: ha1 host
|
|
# "ha1" = {
|
|
# paths = [
|
|
# "secret/data/hosts/ha1/*",
|
|
# "secret/data/shared/mqtt/*"
|
|
# ]
|
|
# }
|
|
|
|
# TODO: actually use this policy
|
|
"ha1" = {
|
|
paths = [
|
|
"secret/data/hosts/ha1/*",
|
|
]
|
|
}
|
|
|
|
# TODO: actually use this policy
|
|
"monitoring01" = {
|
|
paths = [
|
|
"secret/data/hosts/monitoring01/*",
|
|
]
|
|
}
|
|
}
|
|
}
|
|
|
|
# Generate policies for each host
|
|
resource "vault_policy" "host_policies" {
|
|
for_each = local.host_policies
|
|
|
|
name = "${each.key}-policy"
|
|
|
|
policy = <<EOT
|
|
%{~for path in each.value.paths~}
|
|
path "${path}" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
%{~endfor~}
|
|
EOT
|
|
}
|
|
|
|
# Generate AppRoles for each host
|
|
resource "vault_approle_auth_backend_role" "hosts" {
|
|
for_each = local.host_policies
|
|
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = each.key
|
|
token_policies = ["${each.key}-policy"]
|
|
|
|
# Token configuration
|
|
token_ttl = 3600 # 1 hour
|
|
token_max_ttl = 86400 # 24 hours
|
|
|
|
# Security settings
|
|
bind_secret_id = true
|
|
secret_id_ttl = 0 # Never expire (we'll rotate manually)
|
|
}
|