lightcode/main.tf

## main.tf
variable gitlab_url {
  type        = string
  description = "URL to Gitlab (example: https://gitlab.example.com)"
}
variable vault_url {
  type        = string
  description = "URL to Vault (example: https://vault.example.com)"
}
variable oidc_client_id {
  type = string
}
variable oidc_client_secret {
  type = string
}
variable gitlab_group_name {
  type = string
}

resource "vault_jwt_auth_backend" "gitlab_oidc" {
  path               = "oidc"
  type               = "oidc"
  oidc_discovery_url = var.gitlab_url
  oidc_client_id     = var.oidc_client_id
  oidc_client_secret = var.oidc_client_secret
  bound_issuer       = "localhost"
  default_role       = "demo"
}

resource "vault_jwt_auth_backend_role" "gitlab_oidc_demo" {
  backend   = vault_jwt_auth_backend.gitlab_oidc.path
  role_type = vault_jwt_auth_backend.gitlab_oidc.type
  role_name = "demo"

  user_claim   = "nickname"
  groups_claim = "groups"
  oidc_scopes  = ["openid"]
  allowed_redirect_uris = [
    "http://localhost:8250/oidc/callback",
    "${var.vault_url}/ui/vault/auth/oidc/oidc/callback"
  ]

  token_policies = ["default"]
  token_ttl      = 3600
}

resource "vault_identity_group" "group" {
  name     = var.gitlab_group_name
  type     = "external"
  policies = ["default", "gitlab-${var.gitlab_group_name}"]
}

resource "vault_identity_group_alias" "alias" {
  name           = vault_identity_group.group.name
  mount_accessor = vault_jwt_auth_backend.gitlab_oidc.accessor
  canonical_id   = vault_identity_group.group.id
}

resource "vault_policy" "demo" {
  name = "gitlab-${var.gitlab_group_name}"

  policy = <<EOT
path "kv" {
  capabilities = ["list"]
}

path "kv/demo/*" {
  capabilities = ["list", "read", "create", "update", "delete"]
}
EOT
}
	variable gitlab_url {
	type = string
	description = "URL to Gitlab (example: https://gitlab.example.com)"
	}
	variable vault_url {
	type = string
	description = "URL to Vault (example: https://vault.example.com)"
	}
	variable oidc_client_id {
	type = string
	}
	variable oidc_client_secret {
	type = string
	}
	variable gitlab_group_name {
	type = string
	}

	resource "vault_jwt_auth_backend" "gitlab_oidc" {
	path = "oidc"
	type = "oidc"
	oidc_discovery_url = var.gitlab_url
	oidc_client_id = var.oidc_client_id
	oidc_client_secret = var.oidc_client_secret
	bound_issuer = "localhost"
	default_role = "demo"
	}

	resource "vault_jwt_auth_backend_role" "gitlab_oidc_demo" {
	backend = vault_jwt_auth_backend.gitlab_oidc.path
	role_type = vault_jwt_auth_backend.gitlab_oidc.type
	role_name = "demo"

	user_claim = "nickname"
	groups_claim = "groups"
	oidc_scopes = ["openid"]
	allowed_redirect_uris = [
	"http://localhost:8250/oidc/callback",
	"${var.vault_url}/ui/vault/auth/oidc/oidc/callback"
	]

	token_policies = ["default"]
	token_ttl = 3600
	}

	resource "vault_identity_group" "group" {
	name = var.gitlab_group_name
	type = "external"
	policies = ["default", "gitlab-${var.gitlab_group_name}"]
	}

	resource "vault_identity_group_alias" "alias" {
	name = vault_identity_group.group.name
	mount_accessor = vault_jwt_auth_backend.gitlab_oidc.accessor
	canonical_id = vault_identity_group.group.id
	}

	resource "vault_policy" "demo" {
	name = "gitlab-${var.gitlab_group_name}"

	policy = <<EOT
	path "kv" {
	capabilities = ["list"]
	}

	path "kv/demo/*" {
	capabilities = ["list", "read", "create", "update", "delete"]
	}
	EOT
	}