Basic pattern for Vault ACL policy templating: the policy path is parameterised on entity metadata, and the entity is bound to a JWT auth method/role.
# Mount paths that the templated policies below are generated for.
# NOTE(review): these read like secret-engine mount paths ("secret" = KV, the
# others presumably database mounts) — confirm they match the real mounts; a
# rule on a path that is not mounted grants nothing.
locals {
  engine = ["secret", "oracle", "postgres", "mysql"]
}
# Read-only rules, one per mount in local.engine.  The middle path segment is a
# Vault policy template resolved at request time to the calling entity's
# "lockbox" metadata, so a single policy serves every entity and each entity
# only reaches its own sub-tree.
data "vault_policy_document" "read" {
  dynamic "rule" {
    for_each = local.engine
    content {
      # NOTE(review): "<mount>/<lockbox>/*" is a KV v1-style layout; a KV v2
      # mount needs separate data/ and metadata/ prefixes — confirm.
      path         = "${rule.value}/{{identity.entity.metadata.lockbox}}/*"
      capabilities = ["read", "list"]
      description  = "allow read access to ${rule.value} secrets"
    }
  }
}
# Publishes the templated read rules as the Vault policy "read_access"; the
# identity entity references it by this name via var.capability.
resource "vault_policy" "read" {
  policy = data.vault_policy_document.read.hcl
  name   = "read_access"
}
# Read/write rules, one per mount in local.engine, on the same templated path
# as the read policy.  Note this also grants "delete" — callers holding
# write_access can destroy their lockbox contents, not just add to them.
data "vault_policy_document" "write" {
  dynamic "rule" {
    for_each = local.engine
    content {
      # NOTE(review): KV v1-style path; KV v2 needs data/ and metadata/ prefixes.
      path         = "${rule.value}/{{identity.entity.metadata.lockbox}}/*"
      capabilities = ["create", "read", "update", "delete", "list"]
      description  = "allow write access to ${rule.value} secrets"
    }
  }
}
# Publishes the templated write rules as the Vault policy "write_access"; the
# identity entity references it by this name via var.capability.
resource "vault_policy" "write" {
  policy = data.vault_policy_document.write.hcl
  name   = "write_access"
}
# The identity entity a successful JWT login is mapped onto.  Two things hang
# off it:
#   * policies: "<capability>_access" selects read_access or write_access above.
#     NOTE(review): Vault does not appear to reject an unknown policy name here,
#     so a typo in var.capability yields an entity with no effective rights
#     rather than an apply-time error — validate the variable.
#   * metadata.lockbox: the value {{identity.entity.metadata.lockbox}} resolves
#     to in the policies.  It becomes a segment of the ACL path, so it must be a
#     single clean segment — "/", "*" or "+" in it would widen the match.
resource "vault_identity_entity" "default" {
  name = var.service_principal

  metadata = {
    lockbox = var.lockbox_id
  }

  policies = ["${var.capability}_access"]
}
# Links logins on the "jwt" mount to the entity above.  Vault matches an alias
# by name against the value of the role's user_claim in the presented token, so
# the login only lands on this entity when that claim equals
# var.service_principal; otherwise Vault auto-creates a separate entity that
# carries none of the policies above.
# NOTE(review): the role below sets no user_claim — confirm which claim is
# meant to carry the service principal id.
resource "vault_identity_entity_alias" "default" {
  canonical_id   = vault_identity_entity.default.id
  mount_accessor = vault_jwt_auth_backend.default.accessor
  name           = var.service_principal
}
# The "jwt" auth mount the alias above references.
# NOTE(review): no token-verification source is configured.  A jwt-type mount
# needs exactly one of jwt_validation_pubkeys, jwks_url or oidc_discovery_url
# (plus bound_issuer where the issuer is known), and Vault rejects the config
# write without one — as written nothing can verify a signature, so this must
# be filled in before use.
# 768h (32 days) service tokens are long for a machine identity that can simply
# log in again; consider shortening the TTLs.
resource "vault_jwt_auth_backend" "default" {
  type         = "jwt"
  path         = "jwt"
  default_role = "default"

  tune {
    token_type        = "default-service"
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
  }
}
# The single role every login on the mount falls back to (default_role above).
# NOTE(review): as written it carries no user_claim and no bound constraint.
# Vault requires a user_claim on a jwt role and at least one of
# bound_audiences / bound_claims / bound_subject, so expect the create to be
# rejected — and without a bound constraint any token the trusted issuer signs
# could log in.  The user_claim also decides the alias name Vault looks up,
# which must equal vault_identity_entity_alias.default.name
# (var.service_principal) for the entity mapping to take effect.
resource "vault_jwt_auth_backend_role" "default" {
  role_name = "default"
  role_type = vault_jwt_auth_backend.default.type
  backend   = vault_jwt_auth_backend.default.path
}
# Identity of the workload.  Used both as the entity name and as the alias
# name, i.e. the value Vault expects to find in the role's user_claim.
variable "service_principal" {
  type        = string
  description = "Service principal id"
}
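# Selects which policy the entity gets: "read" -> read_access, "write" ->
# write_access.  Only those two policies exist in this module, and Vault does
# not appear to reject an unknown policy name on an entity, so anything else
# would silently produce an entity with no effective rights — fail early
# instead.  (The validation block needs Terraform >= 0.13.)
variable "capability" {
  description = "permissions against secret"
  type        = string
  default     = "read"

  validation {
    condition     = contains(["read", "write"], var.capability)
    error_message = "The capability must be \"read\" or \"write\"; it selects the read_access or write_access policy."
  }
}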
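# Stored as entity metadata and interpolated into the ACL path
# "<mount>/<lockbox>/*" by the policy templates.  Because it becomes a path
# segment, it must not contain "/" (extra segments), "*" or "+" (Vault path
# wildcards) or whitespace — any of those would widen what the policy matches.
# Restrict it to a single plain segment.  (Validation needs Terraform >= 0.13.)
variable "lockbox_id" {
  description = "lockbox id to render as metadata/path"
  type        = string

  validation {
    condition     = can(regex("^[A-Za-z0-9_-]+$", var.lockbox_id))
    error_message = "The lockbox_id must be a single path segment of letters, digits, '_' or '-' (no '/', '*', '+' or whitespace)."
  }
}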