Quick gist on letting Okta users request SSH key signing from Vault.
# Okta group whose members are allowed to request SSH certificate signing.
data "okta_group" "default" {
  name = var.group_name
}
# External identity group mirroring the Okta group. Policies are attached
# separately through vault_identity_group_policies, which is why
# external_policies stays true here.
resource "vault_identity_group" "default" {
  type              = "external"
  name              = data.okta_group.default.name
  external_policies = true
}
# Alias that ties the external group to the value Okta sends in the groups
# claim; presumably the alias name has to equal that claim value exactly.
resource "vault_identity_group_alias" "default" {
  canonical_id   = vault_identity_group.default.id
  name           = data.okta_group.default.name
  # NOTE(review): local.mount_accessor is not defined anywhere on this page;
  # the SSH locals use vault_jwt_auth_backend.default.accessor directly —
  # confirm both resolve to the same accessor.
  mount_accessor = local.mount_accessor
}
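# Attach the SSH policy to the external group. exclusive = false leaves any
# policies attached to the group elsewhere untouched.
resource "vault_identity_group_policies" "default" {
  group_id  = vault_identity_group.default.id
  exclusive = false
  # Reference the policy resource rather than repeating the literal "ssh" so
  # the two cannot drift and Terraform creates the policy before binding it.
  policies = [vault_policy.default.name]
}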
# Custom Okta authorization server that issues the tokens Vault validates.
data "okta_auth_server" "default" {
  name = var.application
}
# OIDC application Vault logs in through; supplies client id/secret and the
# registered redirect URIs.
data "okta_app_oauth" "default" {
  label = var.application
}
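locals {
  # Audiences Vault accepts in the ID token: everything configured on the
  # Okta auth server plus the app's client_id (per OIDC, the ID token's aud
  # contains the client_id). client_id is a single string, so it is wrapped
  # in a list literal — tolist() of a string is not valid HCL.
  audiences = concat(
    data.okta_auth_server.default.audiences,
    [data.okta_app_oauth.default.client_id]
  )
}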
# OIDC auth method backed by the Okta authorization server. Discovery and
# issuer binding both point at the same issuer URL.
resource "vault_jwt_auth_backend" "default" {
  path        = "oidc"
  type        = "oidc"
  description = "Okta OIDC Auth Method"

  # NOTE(review): the role below is created with role_name =
  # var.application_name; logins without an explicit role only resolve if
  # that evaluates to the same string as var.application.
  default_role = var.application

  bound_issuer       = data.okta_auth_server.default.issuer
  oidc_discovery_url = data.okta_auth_server.default.issuer
  oidc_client_id     = data.okta_app_oauth.default.client_id
  # The client secret is written to Terraform state; keep the state backend
  # encrypted and access-controlled.
  oidc_client_secret = data.okta_app_oauth.default.client_secret

  tune {
    # 768h is 32 days: every token issued by this method lives that long by
    # default. A shorter default (the SSH certs themselves last 30m) limits
    # the blast radius of a leaked Vault token.
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
    token_type        = "default-service"
  }
}
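# Role Okta users log in with. Claims listed in claim_mappings are copied
# onto the entity alias metadata, which the SSH role's templated principal
# (identity.entity.aliases.<accessor>.metadata.*) reads.
resource "vault_jwt_auth_backend_role" "default" {
  backend = vault_jwt_auth_backend.default.path
  # Take the role type from the backend's type, not its path; the original
  # only worked because the path happens to be "oidc".
  role_type = vault_jwt_auth_backend.default.type
  # Must equal the backend's default_role (var.application) for logins that
  # do not name a role to resolve; the original used var.application_name.
  role_name = var.application

  user_claim        = "sub"
  bound_audiences   = local.audiences
  bound_claims_type = "glob"

  allowed_redirect_uris = data.okta_app_oauth.default.redirect_uris
  # NOTE(review): the Okta auth server on this page defines only a "profile"
  # scope and attaches the groups claim to it; requesting "groups" may be
  # rejected with invalid_scope unless that scope exists on the server.
  oidc_scopes = ["profile", "groups"]

  # groups_claim is a single claim name (string), not a list.
  groups_claim = "groups"

  # token claim (key) -> entity alias metadata field (value)
  claim_mappings = {
    email       = "email"
    name        = "name"
    given_name  = "first_name"
    middle_name = "middle_name"
    family_name = "last_name"
    # The token claims are "aud" and "iss"; the original had key and value
    # swapped for these two, so no such claims would have been found.
    aud = "okta_app_id"
    iss = "issuer"
  }
}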
locals {
  # Base URL of the Vault server; placeholder value, replace before use.
  # The UI callback below appends ":8200/ui/..." to it.
  vault_url = "https://vault.com"
}
# Sample Okta user used to exercise the flow; values are placeholders.
resource "okta_user" "default" {
  login      = "example@example.com"
  email      = "example@example.com"
  first_name = "John"
  last_name  = "Smith"
}
# Group gating access to the Vault app; its name starts with "vault-", which
# is what the groups claim filter below matches on.
resource "okta_group" "default" {
  name = "vault-admin"
}
# Put the sample user into the Vault group.
resource "okta_group_membership" "default" {
  user_id  = okta_user.default.id
  group_id = okta_group.default.id
}
# Custom authorization server whose tokens Vault trusts. The audience here is
# one of the values Vault's role binds to (local.audiences).
resource "okta_auth_server" "default" {
  name      = "vault"
  status    = "ACTIVE"
  audiences = ["api://vault"]
  # CUSTOM_URL requires a custom domain on the Okta org — confirm one is
  # configured, otherwise the issuer Vault binds to will not resolve.
  issuer_mode = "CUSTOM_URL"
}
# Scope the groups claim is attached to.
# NOTE(review): "profile" is a built-in scope on Okta custom authorization
# servers; declaring it again may conflict with the default — confirm.
resource "okta_auth_server_scope" "default" {
  auth_server_id = okta_auth_server.default.id
  name           = "profile"
}
# Identity claim "groups": the user's Okta groups whose names start with
# "vault-", attached to the profile scope and always written into the token.
resource "okta_auth_server_claim" "default" {
  auth_server_id = okta_auth_server.default.id
  name           = "groups"
  claim_type     = "IDENTITY"

  value_type        = "GROUPS"
  group_filter_type = "STARTS_WITH"
  value             = "vault-"

  scopes                  = [okta_auth_server_scope.default.name]
  always_include_in_token = true
}
# Access policy on the auth server, restricted to the Vault OIDC client.
resource "okta_auth_server_policy" "default" {
  auth_server_id   = okta_auth_server.default.id
  name             = "vault"
  priority         = 1
  status           = "ACTIVE"
  client_whitelist = [okta_app_oauth.default.client_id]
}
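# Policy rule: only members of the Vault group may obtain tokens carrying the
# profile scope from this authorization server.
resource "okta_auth_server_policy_rule" "default" {
  name           = "vault"
  auth_server_id = okta_auth_server.default.id
  # Reference the resource instance; the bare resource type has no "id"
  # attribute, so the original expression would fail to plan.
  policy_id = okta_auth_server_policy.default.id
  priority  = 1

  group_whitelist = [okta_group.default.id]
  scope_whitelist = [okta_auth_server_scope.default.name]

  # NOTE(review): Vault's OIDC login presumably uses the authorization code
  # flow only; "implicit" is deprecated and "client_credentials" is not an
  # interactive grant — consider allowing authorization_code alone.
  grant_type_whitelist = [
    "client_credentials",
    "authorization_code",
    "implicit"
  ]
}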
# OIDC web application Vault authenticates against. The UI callback is built
# from local.vault_url; the CLI callback is registered as a separate resource.
resource "okta_app_oauth" "default" {
  label = "hashicorp-vault-app"
  type  = "web"

  # NOTE(review): "implicit" and the id_token response type only serve the
  # implicit flow; authorization_code + refresh_token with response_types
  # ["code"] should be enough for Vault — mirror whatever the policy rule's
  # grant_type_whitelist ends up allowing.
  grant_types    = ["authorization_code", "implicit", "refresh_token"]
  response_types = ["id_token", "code"]

  redirect_uris = [
    format("%s:8200/ui/vault/auth/oidc/oidc/callback", local.vault_url)
  ]
}
# Extra redirect URI for CLI logins; presumably the loopback listener the
# vault CLI opens on port 8250, which is why plain http is acceptable here.
resource "okta_app_oauth_redirect_uri" "default" {
  app_id = okta_app_oauth.default.id
  uri    = "http://localhost:8250/oidc/callback"
}
# Assign the Vault group to the app so its members can sign in to it.
resource "okta_app_group_assignment" "default" {
  group_id = okta_group.default.id
  app_id   = okta_app_oauth.default.id
}
# Okta API scopes granted to the app: read groups and the caller's own user
# record. Kept to the minimum the groups claim and profile need.
resource "okta_app_oauth_api_scope" "default" {
  app_id = okta_app_oauth.default.id
  issuer = okta_auth_server.default.issuer
  scopes = ["okta.groups.read", "okta.users.read.self"]
}
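locals {
  # Vault API path the SSH policy grants: sign requests against the SSH
  # role. Derived from the mount so the policy follows the mount path
  # instead of assuming "ssh/".
  ssh_path = format(
    "%s/sign/%s",
    vault_mount.default.path,
    vault_ssh_secret_backend_role.default.name
  )

  # Templated SSH principal, resolved per caller from the entity alias
  # metadata that the OIDC role's claim_mappings populate
  # (given_name -> first_name).
  # NOTE(review): a first name is neither unique nor immutable, so two Okta
  # users sharing a given name would be issued certificates for the same
  # principal; a unique claim such as the login/email is a safer basis for
  # allowed_users.
  ssh_user = format(
    "{{identity.entity.aliases.%s.metadata.first_name}}",
    vault_jwt_auth_backend.default.accessor
  )
}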
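# SSH secrets engine acting as the user CA.
resource "vault_mount" "default" {
  # path is required by the provider; "ssh" matches the "ssh/sign/…" path
  # the policy document grants via local.ssh_path.
  path        = "ssh"
  type        = "ssh"
  description = "SSH secrets engine"

  default_lease_ttl_seconds = 3600 # 1h
  # 24h ceiling for leases from this mount; the SSH role's max_ttl of
  # 604800 (7 days) is presumably capped by this value in practice.
  max_lease_ttl_seconds = 86400
}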
# CA key pair for the SSH mount. Letting Vault generate it means the private
# key is never present in Terraform configuration or state.
resource "vault_ssh_secret_backend_ca" "default" {
  backend              = vault_mount.default.path
  generate_signing_key = true
}
# Signing role for user certificates. Principals are templated from the
# caller's entity metadata, so a login can presumably only obtain a
# certificate for the principal its own metadata resolves to.
resource "vault_ssh_secret_backend_role" "default" {
  name     = var.role
  backend  = vault_mount.default.path
  key_type = "ca"
  # rsa-sha2-512 signatures rather than legacy SHA-1 ssh-rsa.
  algorithm_signer = "rsa-sha2-512"

  allow_user_certificates = true
  allowed_users_template  = true
  allowed_users           = [local.ssh_user]
  default_user            = local.ssh_user

  # Only a PTY may be requested; no agent/port/X11 forwarding extensions.
  allowed_extensions = ["permit-pty"]
  default_extensions = {
    permit-pty = ""
  }

  # 30-minute certificates by default; callers may request up to max_ttl
  # (604800 s = 7 days), though the mount's max_lease_ttl_seconds of 86400
  # presumably caps that at one day.
  ttl     = "30m0s"
  max_ttl = "604800"
}
# Policy granting exactly one thing: signing a key with the SSH role.
# No read on config/ca or other mount paths is included.
data "vault_policy_document" "default" {
  rule {
    path         = local.ssh_path
    capabilities = ["create", "update"]
  }
}
# The "ssh" policy attached to the external identity group.
resource "vault_policy" "default" {
  policy = data.vault_policy_document.default.hcl
  name   = "ssh"
}
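{{/* Render the SSH CA public key for sshd's TrustedUserCAKeys file.
     `secret` returns the raw API response, whose .Data.public_key field
     holds the key; pkiCert is for PKI certificates and exposes no .Data
     field, so the original template would not render.
     NOTE(review): the Terraform on this page assumes the SSH mount at
     "ssh/" (local.ssh_path) rather than "ssh-client-signer/" — confirm the
     mount path, and that the agent's token has read on <mount>/config/ca
     (the "ssh" policy above grants only the sign path). */}}
{{- with secret "ssh-client-signer/config/ca" -}}
{{ .Data.public_key }}
{{- end -}}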
# Vault Agent template settings: abort instead of serving stale output when
# rendering keeps failing, and re-read static secrets every 10 minutes so a
# rotated CA key reaches sshd without a restart.
template_config {
  static_secret_render_interval = "10m"
  exit_on_retry_failure         = true
}
# Write the CA public key where sshd's TrustedUserCAKeys points. Failing on
# a missing key avoids silently writing an empty trust file.
template {
  destination          = "/etc/ssh/trusted-user-ca-keys.pem"
  source               = "/tmp/agent/trusted-user-ca-key.pem.ctmpl"
  error_on_missing_key = true
}