torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
b6c41aa910ef724a3d53fd544b14a197c7f10285
nixos-servers/terraform/vault/policies.tf
Torjus Håkestad e9857afc11
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m12s
Details
Run nix flake check / flake-check (pull_request) Successful in 2m19s
Details
monitoring: use AppRole token for OpenBao metrics scraping 
Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:
- Add prometheus-metrics policy to monitoring01's AppRole
- Remove vault_token.prometheus_metrics resource from Terraform
- Remove openbao-token KV secret from Terraform
- Add systemd service to fetch AppRole token on boot
- Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 23:51:11 +01:00

11 lines
204 B
HCL
Raw Blame History

# Generic policies for services (not host-specific)
resource "vault_policy" "prometheus_metrics" {
name = "prometheus-metrics"
policy = <<EOT
path "sys/metrics" {
capabilities = ["read"]
}
EOT
}
Reference in New Issue View Git Blame Copy Permalink