A collection of Terraform (TF) configs that together make up part of a platform foundations build.
# Boundary: one organisation-level scope directly under "global". Boundary
# creates the scope's admin and default roles itself.
resource "boundary_scope" "default" {
  scope_id                 = "global"
  name                     = "organization_one"
  description              = "My first scope!"
  auto_create_admin_role   = true
  auto_create_default_role = true
}

# OIDC auth method attached to that scope. Only the scope is set here; the
# issuer, client id/secret and callback URLs that make the method usable are
# presumably supplied elsewhere — confirm before relying on it.
resource "boundary_auth_method_oidc" "default" {
  scope_id = boundary_scope.default.id
}
# Enterprise that will own the organisation; the slug is derived from the
# domain by turning dots into hyphens.
data "github_enterprise" "default" {
  slug = replace(var.domain, ".", "-")
}

# Tokens are read from Vault rather than written into the config. They still
# end up in Terraform state once assigned to the secrets below.
data "vault_generic_secret" "github_org_secret" {
  path = "secret/github_org_secret"
}

data "vault_generic_secret" "github_dependabot" {
  path = "secret/github_dependabot"
}

# Layout of the `sub` claim in Actions OIDC tokens for every repo in the org;
# the trust policies on the cloud side must match this layout.
resource "github_actions_organization_oidc_subject_claim_customization_template" "default" {
  include_claim_keys = ["actor", "context", "repository_owner"]
}

# Organisation-level Actions secret, exposed to private repositories only.
resource "github_actions_organization_secret" "default" {
  visibility      = "private"
  secret_name     = var.org_secret
  plaintext_value = data.vault_generic_secret.github_org_secret.data["token"]
}

# Example variable. Variables are not secret and show up in workflow logs.
resource "github_actions_organization_variable" "default" {
  visibility    = "private"
  variable_name = "example_variable_name"
  value         = "example_variable_value"
}

# Same secret name as the Actions secret, but scoped to Dependabot and backed
# by a separate Vault entry.
resource "github_dependabot_organization_secret" "default" {
  visibility      = "private"
  secret_name     = var.org_secret
  plaintext_value = data.vault_generic_secret.github_dependabot.data["token"]
}

# The organisation itself, created under the enterprise. admin_logins holds a
# placeholder handle.
resource "github_enterprise_organization" "default" {
  enterprise_id = data.github_enterprise.default.id
  name          = var.org
  billing_email = var.org_admin
  admin_logins  = ["jon-snow"]
}

resource "github_organization_settings" "default" {
  name          = "Test Name"
  company       = "Test Company"
  location      = "Test Location"
  email         = var.org_admin
  billing_email = var.org_admin

  has_organization_projects = true
  has_repository_projects   = true

  # Member permissions: members may create repositories of every visibility,
  # publish public and private pages and fork private repositories; their
  # base access to any repository is read. Commits via the web UI must carry
  # a sign-off.
  default_repository_permission            = "read"
  members_can_create_repositories          = true
  members_can_create_public_repositories   = true
  members_can_create_private_repositories  = true
  members_can_create_internal_repositories = true
  members_can_create_pages                 = true
  members_can_create_public_pages          = true
  members_can_create_private_pages         = true
  members_can_fork_private_repositories    = true
  web_commit_signoff_required              = true

  # Code-security defaults for new repositories are all off here, so the
  # dependency graph, Dependabot alerts/updates, secret scanning and push
  # protection have to be switched on per repository if they are wanted.
  advanced_security_enabled_for_new_repositories               = false
  dependabot_alerts_enabled_for_new_repositories               = false
  dependabot_security_updates_enabled_for_new_repositories     = false
  dependency_graph_enabled_for_new_repositories                = false
  secret_scanning_enabled_for_new_repositories                 = false
  secret_scanning_push_protection_enabled_for_new_repositories = false
}

# Organisation webhook, created inactive, for issue events only. No `secret`
# is configured in the configuration block, so the receiver has nothing to
# verify delivery signatures against; set one before activating it.
resource "github_organization_webhook" "default" {
  name   = "web"
  active = false
  events = ["issues"]

  configuration {
    url          = "https://google.de/"
    content_type = "form"
    insecure_ssl = false
  }
}
# Billing account looked up by display name; only open accounts match.
data "google_billing_account" "default" {
  display_name = "My Billing Account"
  open         = true
}

data "google_organization" "default" {
  domain = var.domain
}

# One top-level folder per environment, all directly under the organisation.
resource "google_folder" "prod" {
  parent       = data.google_organization.default.name
  display_name = "prod"
}

resource "google_folder" "uat" {
  parent       = data.google_organization.default.name
  display_name = "uat"
}

resource "google_folder" "dev" {
  parent       = data.google_organization.default.name
  display_name = "dev"
}

# Organisation-wide policy: serial-port access to Compute VMs is disabled
# everywhere beneath the organisation.
resource "google_organization_policy" "default" {
  org_id     = data.google_organization.default.id
  constraint = "compute.disableSerialPortAccess"

  boolean_policy {
    enforced = true
  }
}
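# New Relic account under the organisation.
resource "newrelic_account_management" "default" {
  name   = var.organisation
  region = var.default_region
}

# Ingest (license) key used by CI/CD. The account id was hard-coded to a
# sample number while the GCP link below already used
# var.new_relic_account_id; both now use the variable. The generated key is
# exported as an attribute and therefore stored in Terraform state.
resource "newrelic_api_access_key" "default" {
  account_id  = var.new_relic_account_id
  key_type    = "INGEST"
  ingest_type = "LICENSE"
  name        = "APM Ingest License Key"
  notes       = "CICD Integration"
}

# Links a GCP project to the account. google_project.default is not declared
# anywhere in this collection, and the link is named after the billing
# account's resource name — presumably placeholders; confirm both.
resource "newrelic_cloud_gcp_link_account" "default" {
  account_id = var.new_relic_account_id
  project_id = google_project.default.id
  name       = data.google_billing_account.default.name
}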
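# Neither data source is referenced by anything in this collection; they are
# kept for consumers that need the TFC egress ranges (allow-lists) or the
# GitHub App installation id.
data "tfe_ip_ranges" "default" {}

data "tfe_github_app_installation" "default" {
  name = "installation_name"
}

resource "tfe_organization" "default" {
  name  = var.org
  email = var.org_admin
}

# Organisation token: grants full API access to the organisation. Its value
# lives in Terraform state as well as in the Vault secret below.
resource "tfe_organization_token" "default" {
  organization = tfe_organization.default.name
}

locals {
  # Payload written to Vault. Built with jsonencode(); the original spelled it
  # json_encode, which is not a Terraform function and fails at plan time.
  data_json = jsonencode({
    org_token = tfe_organization_token.default.token
  })
}

resource "vault_generic_secret" "default" {
  path      = "secret/tfe_org_token"
  data_json = local.data_json
}

# Admin-only settings, applied through the admin-aliased provider.
resource "tfe_admin_organization_settings" "default" {
  provider = tfe.admin

  organization                          = tfe_organization.default.name
  module_sharing_consumer_organizations = [tfe_organization.default.name]
  workspace_limit                       = 15
  access_beta_tools                     = false
  global_module_sharing                 = false
}

resource "tfe_agent_pool" "default" {
  organization = tfe_organization.default.name
  name         = "my-agent-pool-name"
}

data "vault_generic_secret" "oauth_token" {
  path = "secret/github_oauth_token"
}

# VCS connection to github.com; the OAuth token comes from Vault.
resource "tfe_oauth_client" "default" {
  organization     = tfe_organization.default.name
  name             = "my-github-oauth-client"
  service_provider = "github"
  api_url          = "https://api.github.com"
  http_url         = "https://github.com"
  oauth_token      = data.vault_generic_secret.oauth_token.data["token"]
}

# Run task endpoint. No hmac_key is set, so the external service has no way
# to verify that a request really came from TFC; supply one (from Vault, as
# the OAuth token is) before pointing this at a real endpoint.
resource "tfe_organization_run_task" "default" {
  organization = tfe_organization.default.name
  name         = "task-name"
  url          = "https://external.service.com"
  enabled      = true
}

resource "tfe_variable_set" "default" {
  organization = tfe_organization.default.name
  name         = "Test Varset"
  description  = "Some description."
}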
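# --- Vault server IAM policy: KMS auto-unseal + raft auto-join --------------

data "aws_kms_key" "auto_unseal" {
  key_id = "alias/my-key"
}

# Permissions Vault needs on the unseal key. kms:EnableKeyRotation is not
# needed for unsealing itself; keep it only if this identity is also meant to
# manage the key's rotation setting.
data "aws_iam_policy_document" "auto_unseal" {
  version = "2012-10-17"
  statement {
    effect    = "Allow"
    resources = [data.aws_kms_key.auto_unseal.arn]
    actions = [
      "kms:DescribeKey",
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:EnableKeyRotation"
    ]
  }
}

# Raft auto-join discovers peers with ec2:DescribeInstances. That call is not
# resource-scoped and does not carry ec2:ResourceTag in its request context,
# so the original StringEquals condition on ec2:ResourceTag/app could never be
# satisfied and the Allow never took effect. Which instances are actually
# joined is decided by the tag filter Vault applies when discovering peers.
data "aws_iam_policy_document" "raft_auto_join" {
  version = "2012-10-17"
  statement {
    sid       = "ListInstancesWithTags"
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"]
  }
}

# Combined document attached to the Vault server identity. The original
# "default" document only sourced raft_auto_join and left auto_unseal
# unreferenced; both are merged here, and the name no longer collides with
# the snapshot-bucket document further down.
data "aws_iam_policy_document" "vault_server" {
  source_policy_documents = [
    data.aws_iam_policy_document.auto_unseal.json,
    data.aws_iam_policy_document.raft_auto_join.json
  ]
}

resource "aws_iam_policy" "default" {
  name   = "vault_server_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.vault_server.json
}

# --- Snapshot bucket policy -------------------------------------------------

data "aws_s3_bucket" "default" {
  bucket = var.bucket_name
}

data "aws_iam_policy_document" "raft_snapshot" {
  version = "2012-10-17"
  statement {
    sid       = "ListObjectsInBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.default.arn]
  }
  # Object-level actions are evaluated against object ARNs (<bucket arn>/*),
  # not the bucket ARN, so the original resource list would never have
  # matched a Put/Get/Delete on a snapshot object.
  statement {
    sid       = "AllObjectActions"
    effect    = "Allow"
    actions   = ["s3:*Object"]
    resources = ["${data.aws_s3_bucket.default.arn}/*"]
  }
}

# Bucket (resource-based) policy for the snapshot bucket. A bucket policy must
# name the principal it grants to, and the document above has no principals
# block, so S3 rejects it as written.
# TODO(review): add `principals { type = "AWS" identifiers = [<vault server
# role ARN>] }` to both statements, or attach the document to the server's
# IAM role as an identity policy instead of using a bucket policy.
resource "aws_s3_bucket_policy" "default" {
  bucket = data.aws_s3_bucket.default.id
  policy = data.aws_iam_policy_document.raft_snapshot.json
}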
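data "azuread_application_published_app_ids" "default" {}

data "azuread_client_config" "default" {}

# Microsoft Graph's service principal in this tenant; used only to resolve
# permission ids by name.
resource "azuread_service_principal" "graph" {
  application_id = data.azuread_application_published_app_ids.default.result.MicrosoftGraph
  use_existing   = true
}

# App registration that Vault's OIDC auth method logs users in against.
resource "azuread_application" "default" {
  display_name            = "hashicorp-vault-app"
  prevent_duplicate_names = true
  owners                  = [data.azuread_client_config.default.object_id]
  group_membership_claims = ["SecurityGroup"]

  web {
    # First entry is the Vault UI callback (placeholder host); the second is
    # the default `vault login` CLI callback on the operator's machine.
    redirect_uris = [
      "https://vault.com:8200/ui/vault/auth/oidc/oidc/callback",
      "http://localhost:8250/oidc/callback"
    ]
    implicit_grant {
      id_token_issuance_enabled = true
    }
  }

  # Put security-group membership into the id token; the Vault role reads it
  # as its groups claim.
  optional_claims {
    id_token {
      name                  = "groups"
      additional_properties = []
    }
  }

  # Delegated Graph permission GroupMember.Read.All. type = "Scope" denotes a
  # delegated permission, whose id comes from oauth2_permission_scope_ids;
  # app_role_ids holds application-permission (type = "Role") ids, so the
  # original lookup paired a Role id with a Scope type.
  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.default.result.MicrosoftGraph
    resource_access {
      id   = azuread_service_principal.graph.oauth2_permission_scope_ids["GroupMember.Read.All"]
      type = "Scope"
    }
  }
}

resource "azuread_service_principal" "vault" {
  application_id = azuread_application.default.application_id
  owners         = [data.azuread_client_config.default.object_id]
}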
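data "aws_region" "default" {}

locals {
  # Name shared by the DR-failover token role and the token minted from it.
  role_name = "failover-handler"
}

# Raft snapshot agent (Vault Enterprise): one snapshot a day kept on local
# disk, seven copies retained. local_max_space is presumably bytes (~10 MB
# total) — confirm that is enough for seven snapshots of this cluster.
resource "vault_raft_snapshot_agent_config" "local" {
  name             = "local"
  storage_type     = "local"
  interval_seconds = 86400
  retain           = 7
  path_prefix      = "/opt/vault/snapshots/"
  local_max_space  = 10000000
}

# Off-box copy of the same snapshot in S3. The original declared
# storage_type "gcp-gcs" while passing only aws_s3_* settings (and was
# labelled "gcs" but named "s3"), which cannot be applied; the AWS settings
# are kept because they are what the block actually configures. S3 bucket
# names cannot contain underscores, so "vault_snapshots" was never a valid
# bucket; the name must match the bucket whose policy grants Vault access.
resource "vault_raft_snapshot_agent_config" "s3" {
  name             = "s3"
  storage_type     = "aws-s3"
  interval_seconds = 86400
  retain           = 7
  path_prefix      = "/vault/snapshots/"
  aws_s3_bucket    = "vault-snapshots"
  aws_s3_region    = data.aws_region.default.name
}

# Autopilot: dead servers are removed automatically after 10s without
# contact. That is presumably far shorter than Vault's default, so a node
# that is briefly unreachable is evicted from the cluster — confirm this is
# intended. min_quorum = 3 keeps cleanup from shrinking below quorum.
resource "vault_raft_autopilot" "default" {
  cleanup_dead_servers               = true
  dead_server_last_contact_threshold = "10s"
  last_contact_threshold             = "10s"
  max_trailing_logs                  = 1000
  min_quorum                         = 3
  server_stabilization_time          = "10s"
}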
# File audit device. mode "0000" tells Vault not to manage the log file's
# permissions, so whatever creates and rotates the file is responsible for
# keeping it unreadable to other users — confirm against the Vault file
# audit device docs.
resource "vault_audit" "file" {
  type        = "file"
  description = "Vault Audit to File"

  options = {
    format    = "json"
    file_path = "/var/log/vault_audit.log"
    prefix    = "vault"
    mode      = "0000"
  }
}

# Second device to syslog (facility AUTH) so audit records still land
# somewhere if the local file becomes unwritable.
resource "vault_audit" "syslog" {
  type        = "syslog"
  description = "Vault Audit to syslog"

  options = {
    format   = "json"
    tag      = "vault"
    facility = "AUTH"
    prefix   = "vault"
  }
}
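# Policy for the DR-failover handler: promote this DR secondary, repoint it at
# a new primary, and inspect autopilot state.
data "vault_policy_document" "default" {
  rule {
    path         = "sys/replication/dr/secondary/promote"
    capabilities = ["update"]
    description  = "Promote this DR secondary to primary"
  }
  rule {
    path         = "sys/replication/dr/secondary/update-primary"
    capabilities = ["update"]
    description  = "To update the primary to connect"
  }
  # Autopilot state is read-only, so "update" granted nothing the
  # description asked for; trimmed to "read".
  rule {
    path         = "sys/storage/raft/autopilot/state"
    capabilities = ["read"]
    description  = "To read the current autopilot status"
  }
}

resource "vault_policy" "default" {
  name   = "dr-secondary-promotion"
  policy = data.vault_policy_document.default.hcl
}

# Token role the handler token is minted from: orphan, non-renewable batch
# tokens carrying only the policy above.
resource "vault_token_auth_backend_role" "default" {
  role_name        = local.role_name
  allowed_policies = [vault_policy.default.name]
  orphan           = true
  renewable        = false
  token_type       = "batch"
}

# The role resource exposes its name as role_name; the original referenced
# .name, which this resource does not export. The minted client_token is
# written to Terraform state.
resource "vault_token" "default" {
  role_name    = vault_token_auth_backend_role.default.role_name
  display_name = local.role_name
  ttl          = "8h"
}

# Marked sensitive so the token is redacted from plan/apply output; it is
# still present in state and in the output value itself.
output "batch_token" {
  description = "create batch token"
  value       = vault_token.default.client_token
  sensitive   = true
}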
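locals {
  # Tenant-specific v2.0 issuer; Vault discovers the OIDC endpoints from it.
  oidc_url = format(
    "https://login.microsoftonline.com/%s/v2.0",
    data.azuread_client_config.default.tenant_id
  )
}

# Also declared in the Azure app-registration config of this collection; if
# the two end up in one module, keep a single declaration.
data "azuread_client_config" "default" {}

data "azuread_application" "default" {
  display_name = var.application_name
}

# Client secret for the app, valid for 17250h (about two years). Rotating it
# means replacing this resource; the secret value is stored in Terraform
# state and handed to Vault below.
resource "azuread_application_password" "default" {
  display_name          = var.application_name
  application_object_id = data.azuread_application.default.object_id
  end_date_relative     = "17250h"
}

# OIDC auth method mounted at "oidc", backed by the Azure app above. Tokens
# issued through it default to a 768h (32-day) lease and cannot exceed it.
resource "vault_jwt_auth_backend" "default" {
  description        = "Vault OIDC Auth Method"
  path               = "oidc"
  type               = "oidc"
  default_role       = var.application_name
  provider_config    = { provider = "azure" }
  oidc_discovery_url = local.oidc_url
  oidc_client_id     = data.azuread_application.default.application_id
  oidc_client_secret = azuread_application_password.default.client_secret

  tune {
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
    token_type        = "default-service"
  }
}

resource "vault_jwt_auth_backend_role" "default" {
  backend = vault_jwt_auth_backend.default.path
  # role_type must be the method type ("oidc"). The original read .path,
  # which only worked because the mount path happened to equal the type.
  role_type = vault_jwt_auth_backend.default.type
  role_name = var.application_name

  oidc_scopes           = ["profile", "https://graph.microsoft.com/.default"]
  allowed_redirect_uris = element(data.azuread_application.default.web[*].redirect_uris, 0)

  # NOTE(review): an email claim is not guaranteed in Azure id tokens unless
  # the app requests it; confirm the registration emits it, or logins will
  # fail to resolve an alias. groups comes from the app's optional claim.
  user_claim   = "email"
  groups_claim = "groups"
}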