# Step 1: Fetch Kubernetes' service ClusterIP
# Reads the cluster's built-in "kubernetes" Service so that its ClusterIP
# (spec.0.cluster_ip) can be used as the API-server host in Step 3.
# Namespace is not set, so the provider's default namespace is assumed —
# the "kubernetes" Service normally lives in "default"; confirm if a
# non-default provider namespace is configured.
data "kubernetes_service" "kubernetes" {
  metadata {
    name = "kubernetes"
  }
}
# Step 2: Mount Vault Kubernetes authentication backend
# No explicit path is given, so the mount lands at the provider default
# (which is the auth type, i.e. "kubernetes"); downstream resources should
# reference vault_auth_backend.kubernetes.path rather than hard-coding it.
resource "vault_auth_backend" "kubernetes" {
  type = "kubernetes"
}
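# Step 3: Create Vault Kubernetes authentication backend configuration
# Points the auth mount from Step 2 at the API server discovered in Step 1.
# `backend` is set from the mount's path so Terraform sees a dependency on
# Step 2 and applies this after the mount exists (the default path is the
# same string, so existing deployments are unaffected).
# The CA bundle and the token-reviewer service-account JWT are read from
# local files; both end up in Terraform state in plaintext, so the state
# backend needs the same protection as the JWT itself.
resource "vault_kubernetes_auth_backend_config" "vault-tokenreview-config" {
  backend            = "${vault_auth_backend.kubernetes.path}"
  kubernetes_host    = "https://${data.kubernetes_service.kubernetes.spec.0.cluster_ip}:443"
  kubernetes_ca_cert = "${trimspace(file("vault/kubernetes_ca_cert"))}"
  token_reviewer_jwt = "${trimspace(file("vault/token_reviewer_jwt"))}"
}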
# Step 4: Mount Vault secrets database backend
# Mounts the database secrets engine at "database"; Steps 5, 7 and the
# database role reference this mount via vault_mount.database.path.
resource "vault_mount" "database" {
  type = "database"
  path = "database"
}
# Step 5: Create a policy that can read, renew and revoke credentials
# Grants exactly three things to whoever logs in with this policy:
#   - read  database/creds/postgres-role  (obtain a dynamic DB credential)
#   - create sys/leases/renew             (extend a lease it holds)
#   - update sys/leases/revoke            (give a credential back early)
# Renew/revoke are not scoped to a lease prefix, so the holder can act on
# any lease ID it knows; restrict with sys/leases/renew/<prefix> style
# paths if tighter scoping is wanted.
resource "vault_policy" "postgres-policy" {
  name = "postgres-policy"

  policy = <<EOT
path "database/creds/postgres-role" {
  capabilities = ["read"]
}
path "sys/leases/renew" {
  capabilities = ["create"]
}
path "sys/leases/revoke" {
  capabilities = ["update"]
}
EOT
}
# Step 6: Attach the policy to backend authentication role
# Only the service account named by kubernetes_service_account.vault-tokenreview
# (declared outside this file), and only from the "default" namespace, may log
# in as this role; the resulting Vault token carries postgres-policy and is
# valid for 3600 seconds. Note: the pod that logs in here is bound to the same
# service account that Vault itself uses for token review — confirm that is
# intended rather than a dedicated application service account.
resource "vault_kubernetes_auth_backend_role" "postgres-role" {
  role_name = "postgres-role"
  backend   = "${vault_auth_backend.kubernetes.path}"

  bound_service_account_names      = ["${kubernetes_service_account.vault-tokenreview.metadata.0.name}"]
  bound_service_account_namespaces = ["default"]

  policies = ["${vault_policy.postgres-policy.name}"]
  ttl      = 3600
}
# Step 7: Create a backend connection and backend role and bind it to the former authentication role
# Registers the PostgreSQL connection Vault uses to mint dynamic users.
# The URL embeds the google_sql_user password (declared outside this file),
# so it is present in plan output and state; consider rotating that
# credential via Vault's rotate-root endpoint once the connection exists.
# `sslmode=disable` means the hop from Vault to the host "sqlproxy-postgres"
# is plaintext; that is only acceptable if the proxy is local to the Vault
# pod or the cluster network between them is otherwise protected — confirm.
resource "vault_database_secret_backend_connection" "postgres" {
  name    = "postgres"
  backend = "${vault_mount.database.path}"

  allowed_roles = ["${vault_kubernetes_auth_backend_role.postgres-role.role_name}"]

  postgresql {
    connection_url = "postgres://${google_sql_user.postgres-user.name}:${google_sql_user.postgres-user.password}@sqlproxy-postgres:5432/${google_sql_database.postgres-database.name}?sslmode=disable"
  }
}
# Defines the dynamic role behind database/creds/postgres-role: each read
# creates a fresh PostgreSQL login with SELECT on all tables in "public",
# expiring at the lease's expiration time.
# default_ttl / max_ttl are expressed in seconds by this provider, so 24
# gives a 24-second lease — far shorter than the 3600-second auth token in
# Step 6. If a 24-hour lease was intended the value should be 86400; confirm
# before changing.
resource "vault_database_secret_backend_role" "postgres" {
  name    = "${vault_kubernetes_auth_backend_role.postgres-role.role_name}"
  backend = "${vault_mount.database.path}"
  db_name = "${vault_database_secret_backend_connection.postgres.name}"

  creation_statements = "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"

  default_ttl = 24
  max_ttl     = 24
}