# Step 1: Fetch Kubernetes' service ClusterIP
# The "kubernetes" service fronts the API server. A ClusterIP is only routable
# from inside the cluster, so this assumes Vault itself runs in-cluster.
data "kubernetes_service" "kubernetes" {
  metadata {
    name = "kubernetes"
  }
}
# Step 2: Mount Vault Kubernetes authentication backend
# No explicit path is set, so the mount lands at the provider default
# (the type name); later resources reference it via .path instead of
# hard-coding the string.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}
# Step 3: Create Vault Kubernetes authentication backend configuration
# Tells Vault where the API server is, which CA to trust for it, and which
# JWT to present when calling the TokenReview API to validate workload tokens.
resource "vault_kubernetes_auth_backend_config" "vault-tokenreview-config" {
  # HTTPS to the API server's ClusterIP. The server certificate must list
  # that IP in its SANs or validation against kubernetes_ca_cert will fail.
  kubernetes_host = "https://${data.kubernetes_service.kubernetes.spec.0.cluster_ip}:443"

  # Both values are read from local files at plan time and stored in Terraform
  # state in clear text. The reviewer JWT is presumably a service account token
  # with TokenReview rights, so treat the state file as a secret (encrypted
  # backend, restricted access) and rotate the token if the state leaks.
  kubernetes_ca_cert = "${trimspace(file("vault/kubernetes_ca_cert"))}"
  token_reviewer_jwt = "${trimspace(file("vault/token_reviewer_jwt"))}"
}
# Step 4: Mount Vault secrets database backend
# Dynamic database credentials are served from this mount; the connection and
# role below attach to it through .path.
resource "vault_mount" "database" {
  type = "database"
  path = "database"
}
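# Step 5: Create a policy that can read, renew and revoke credentials
# Least-privilege policy for the workload token: obtain a credential lease for
# a single database role and manage the lifetime of leases, nothing else.
resource "vault_policy" "postgres-policy" {
  name = "postgres-policy"

  policy = <<EOT
# Each read issues a fresh dynamic PostgreSQL credential (one lease per read).
path "database/creds/postgres-role" {
  capabilities = ["read"]
}

# Both lease endpoints are POST operations that Vault authorizes with the
# "update" capability. The previous "create" on renew would be denied at
# renewal time: Vault only downgrades an update to a create for paths that
# implement an existence check, which these system paths do not.
#
# Note these paths accept any lease_id in the request body, so the token can
# renew/revoke any lease whose ID it knows. If clients put the lease ID in the
# URL instead, the paths can be narrowed to
# sys/leases/{renew,revoke}/database/creds/postgres-role/*.
path "sys/leases/renew" {
  capabilities = ["update"]
}

path "sys/leases/revoke" {
  capabilities = ["update"]
}
EOT
}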
# Step 6: Attach the policy to backend authentication role
# Maps a Kubernetes service account to the postgres-policy above.
resource "vault_kubernetes_auth_backend_role" "postgres-role" {
  backend   = "${vault_auth_backend.kubernetes.path}"
  role_name = "postgres-role"

  # Only pods running as this service account in the "default" namespace may
  # log in as this role. NOTE(review): the bound account is the
  # vault-tokenreview service account (defined outside this file); if that
  # account is also the one carrying the TokenReview (auth-delegator) binding
  # used by Step 3, the application consuming database credentials runs with
  # reviewer privileges. Confirm, and prefer a dedicated application account.
  bound_service_account_names      = ["${kubernetes_service_account.vault-tokenreview.metadata.0.name}"]
  bound_service_account_namespaces = ["default"]

  # Token TTL in seconds (one hour).
  ttl = 3600

  policies = ["${vault_policy.postgres-policy.name}"]
}
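# Step 7: Create a backend connection and backend role and bind it to the former authentication role
# The connection holds the admin credentials Vault uses to create and drop
# per-lease database roles.
resource "vault_database_secret_backend_connection" "postgres" {
  backend = "${vault_mount.database.path}"
  name    = "postgres"

  # Only this role may issue credentials from this connection.
  allowed_roles = ["${vault_kubernetes_auth_backend_role.postgres-role.role_name}"]

  postgresql {
    # Vault connects to "sqlproxy-postgres" (presumably a Cloud SQL proxy).
    # sslmode=disable means the Vault -> proxy hop inside the cluster is
    # plaintext; only whatever the proxy does onward is encrypted. Left as-is
    # because the proxy's local listener may not speak TLS - verify before
    # switching to sslmode=require.
    #
    # User name and password are URL-encoded so a generated password holding
    # '@', '/', '#' or '%' cannot be misparsed as host, path or escape.
    #
    # The admin password is stored in Terraform state and in Vault's backend
    # config. Consider `vault write -f database/rotate-root/postgres` after
    # apply so the Terraform-known value stops working; check that a later
    # apply does not push the old password back.
    connection_url = "postgres://${urlencode(google_sql_user.postgres-user.name)}:${urlencode(google_sql_user.postgres-user.password)}@sqlproxy-postgres:5432/${google_sql_database.postgres-database.name}?sslmode=disable"
  }
}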
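# Defines what a credential issued under database/creds/postgres-role looks
# like: a fresh, time-boxed, read-only PostgreSQL role per lease.
resource "vault_database_secret_backend_role" "postgres" {
  backend = "${vault_mount.database.path}"
  name    = "${vault_kubernetes_auth_backend_role.postgres-role.role_name}"
  db_name = "${vault_database_secret_backend_connection.postgres.name}"

  # VALID UNTIL is a second line of defence if Vault fails to run its
  # revocation. GRANT ... ON ALL TABLES covers only tables that exist when the
  # role is created; tables added later need ALTER DEFAULT PRIVILEGES or a
  # re-issued credential. No revocation_statements are set, so Vault's
  # built-in PostgreSQL revocation applies.
  creation_statements = "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

  # The provider expresses these TTLs in seconds. The previous value of 24
  # would have expired every credential after 24 seconds; 86400 is the 24
  # hours evidently intended (the auth role already uses seconds: ttl = 3600).
  default_ttl = 86400
  max_ttl     = 86400
}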