Adeel Ahmad devops-adeel

🎯
Focusing
View GitHub Profile
@devops-adeel
devops-adeel / gcp_config.tf
Created April 28, 2022 13:54
Vault-Terraform-GCP integration
variable "approle_id" {}
variable "approle_secret" {}

provider "vault" {
  auth_login {
    namespace = "admin/terraform-vault-secrets-gcp"
    path      = "auth/approle/login"
    parameters = {
      role_id = var.approle_id

locals {
  role_name = "failover-handler"
}

data "vault_policy_document" "default" {
  rule {
    path         = "sys/replication/dr/secondary/promote"
    capabilities = ["update"]
    description  = "Create and manage ACL policies"
  }
devops-adeel / auth0_app.tf
Created April 20, 2022 17:38
Create a Web App in Auth0 for Vault
locals {
  oidc_app = "hashicorp-vault-app"
}

data "auth0_tenant" "default" {}

resource "auth0_connection" "default" {
  name     = local.oidc_app
  strategy = "auth0"
}
devops-adeel / vault_aws_auth.tf
Created April 20, 2022 11:59
Setting AWS Auth Method
resource "aws_iam_access_key" "default" {
  user = var.user
}

resource "vault_auth_backend" "default" {
  type = "aws"
}

resource "vault_aws_auth_backend_client" "default" {
  backend = vault_auth_backend.default.path
devops-adeel / cicd_admin.tf
Last active April 20, 2022 09:30
Lean Vault CICD Admin Policy to begin with.
locals {
  member_entity_ids = var.entity_ids
}

data "vault_policy_document" "default" {
  rule {
    path         = "sys/namespaces/"
    capabilities = ["list"]
    description  = "List namespaces in root"
  }
devops-adeel / aws_kms_auto_unseal.tf
Last active April 20, 2022 18:00
Minimal AWS IAM permissions on S3 for raft auto-snapshot
data "aws_kms_key" "auto_unseal" {
  key_id = "alias/my-key"
}

data "aws_iam_policy_document" "auto_unseal" {
  version = "2012-10-17"
  statement {
    effect = "Allow"
    actions = [
      "kms:DescribeKey",
devops-adeel / github_actions_snippet.yaml
Last active April 20, 2022 17:51
GitHub Actions OIDC Auth Method for Vault.
jobs:
  build:
    permissions:
      contents: read
      id-token: write
    steps:
      - name: Retrieve secret from Vault
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: https://vault-cluster-private-url.aws.hashicorp.cloud:8200
devops-adeel / aad_oidc_grp.tf
Last active October 11, 2023 15:30
Terraform snippet to set up the Azure AD Auth Method.
locals {
  aad_group      = var.aad_group
  application    = var.application_name
  mount_accessor = var.mount_accessor
}

data "azuread_group" "default" {
  display_name = local.aad_group
}
devops-adeel / kubernetes.tf
Last active March 21, 2022 14:21
Vault Auth for Kubernetes
locals {
  namespace = format(
    "{{identity.entity.aliases.%s.metadata.service_account_namespace}}",
    vault_auth_backend.default.accessor
  )
}

data "kubernetes_service_account_v1" "default" {
  metadata {
    name = "vault-auth"
devops-adeel / ldap.tf
Created February 24, 2022 14:25
Vault LDAP configuration
resource "vault_ldap_auth_backend" "default" {
  path        = "ldap"
  url         = "ldaps://dc-01.example.org"
  userdn      = "OU=Users,OU=Accounts,DC=example,DC=org"
  userattr    = "sAMAccountName"
  upndomain   = "EXAMPLE.ORG"
  discoverdn  = false
  groupdn     = "OU=Groups,DC=example,DC=org"
  groupfilter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))"
}