# Version requirements for the AppRole root module.
terraform {
  # variable "sensitive" and the newer lock-file behaviour both need 0.14+.
  required_version = ">= 0.14"

  required_providers {
    # "~> 2.18.0" permits only patch releases of 2.18.
    vault = {
      source  = "hashicorp/vault"
      version = "~> 2.18.0"
    }
  }
}
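# Inputs of the AppRole root module. Types follow the values shown in
# terraform.tfvars below (strings, booleans for the two toggles, numbers for
# the TTL/usage settings); adding them only tightens validation, existing
# callers keep working.

variable "vault_address" {
  type        = string
  description = "Address of the Vault server."
}

variable "vault_token" {
  type        = string
  description = "Token for the vault provider. Prefer passing it through the TF_VAR_vault_token environment variable instead of a committed tfvars file."
  # Redacts the value from plan/apply output; requires Terraform >= 0.14,
  # which required_version already enforces.
  sensitive = true
}

variable "vault_base_namespace" {
  type        = string
  description = "Namespace the base vault provider operates in."
}

variable "role_name" {
  type        = string
  description = "Name of the AppRole role to create."
}

variable "policy_name" {
  type        = string
  description = "Name of the policy attached to the role."
}

variable "backend_path" {
  type        = string
  description = "Mount path of the AppRole auth backend."
}

variable "create_secret_id" {
  type        = bool
  description = "Whether the module should create a secret ID for the role."
}

variable "enable_login" {
  type        = bool
  description = "Whether the module should perform a test login with the role."
}

variable "secret_id_ttl" {
  type        = number
  description = "Secret ID TTL in seconds, passed through to the module."
}

variable "token_max_ttl" {
  type        = number
  description = "Maximum token TTL in seconds, passed through to the module."
}

variable "secret_id_num_uses" {
  type        = number
  description = "Number of uses allowed per secret ID, passed through to the module."
}

variable "token_explicit_max_ttl" {
  type        = number
  description = "Explicit maximum token TTL in seconds, passed through to the module."
}

variable "token_num_uses" {
  type        = number
  description = "Number of uses allowed per issued token, passed through to the module."
}

variable "token_period" {
  type        = number
  description = "Token period in seconds, passed through to the module."
}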
# Vault provider scoped to the base namespace; handed to the module through
# its providers map under the same alias.
provider "vault" {
  alias     = "base_namespace"
  namespace = var.vault_base_namespace
  address   = var.vault_address
  token     = var.vault_token
}
# Creates the AppRole role, its policy and (optionally) a secret ID via the
# local vault-approle module. All TTL/usage knobs are passed straight through.
module "vault-approle" {
source = "./../modules/vault-approle"
role_name = var.role_name
policy_name = var.policy_name
backend_path = var.backend_path
secret_id_ttl = var.secret_id_ttl
token_max_ttl = var.token_max_ttl
secret_id_num_uses = var.secret_id_num_uses
token_explicit_max_ttl = var.token_explicit_max_ttl
token_num_uses = var.token_num_uses
token_period = var.token_period
create_secret_id = var.create_secret_id
enable_login = var.enable_login
# Policy document attached to the role. Review notes:
# - "sudo" on sys/namespaces/*, sys/policies/* and +/sys/mounts/* lets the
#   role create namespaces, rewrite any policy and manage mounts in every
#   child namespace, i.e. it is effectively administrative within this
#   namespace tree. Acceptable for a provisioning role, but keep the
#   secret ID tightly held.
# - "+" matches exactly one path segment; "*" at the end matches the rest.
# - "boostrapcredentials" (three paths) must match the real namespace name
#   exactly; the namespace created elsewhere takes its name from a variable,
#   so confirm the spelling is intentional rather than a typo of "bootstrap".
policy = <<EOT
path "sys/namespaces/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "sys/policies/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "+/sys/mounts/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
# List available secrets engines
path "+/sys/mounts" {
capabilities = [ "read" ]
}
#Terraform tries to create a subtoken
path "auth/token/create" {
capabilities = [ "create", "update"]
}
# Terraform looks up the token used. Vault CLI does
# not require this capability
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "+/boostrapcredentials/auth/token/create" {
capabilities = [ "create", "update"]
}
path "+/boostrapcredentials/auth/token/lookup-self" {
capabilities = ["read"]
}
path "boostrapcredentials/+/+/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
path "global/*" {
capabilities = ["read", "list"]
}
path "development/*" {
capabilities = ["read", "list"]
}
EOT
# The module receives the namespaced provider under the alias it expects.
providers = {
vault.base_namespace = vault.base_namespace
}
}
cat terraform.tfvars
# Sample terraform.tfvars for the AppRole root module.
vault_address = "vault-server"
# Placeholder only. Do not commit a real token; it can be supplied at run time
# through the TF_VAR_vault_token environment variable instead.
vault_token = "xxxxx"
vault_base_namespace = "i503158"
# Role, policy and auth-backend mount all share one name here.
role_name = "jenkins_app"
policy_name = "jenkins_app"
backend_path = "jenkins_app"
create_secret_id = true
enable_login = true
# Zero is passed through unchanged; in Vault's AppRole settings 0 generally
# means "no expiry" / "unlimited" / "use the system default" — confirm that
# is the intended lifetime for this role's secret IDs and tokens.
secret_id_ttl = 0
token_max_ttl = 0
secret_id_num_uses = 0
token_explicit_max_ttl = 0
token_num_uses = 0
token_period = 0
# Version requirements for the bootstrap root module.
terraform {
  required_version = ">= 0.14"

  required_providers {
    # Note: the AppRole root module above pins "~> 2.18.0"; the two root
    # modules resolve different vault provider series.
    vault = {
      source  = "hashicorp/vault"
      version = "~> 2.12"
    }

    # ">=" constraints have no upper bound, so a new major release of these
    # two providers is accepted automatically; the .terraform.lock.hcl file
    # is what actually pins the selected versions between runs.
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = ">= 1.10.0"
    }

    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.0.1"
    }

    github = {
      source  = "hashicorp/github"
      version = "~> 2.9.2"
    }
  }
}
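# Inputs of the bootstrap root module. Only the Vault connection variables
# are typed here (they feed provider arguments, which are strings); the
# remaining inputs are forwarded to modules whose variable types are not
# visible in this listing, so they stay untyped.

variable "vault_address" {
  type        = string
  description = "Address of the Vault server."
}

variable "vault_token" {
  type        = string
  description = "Token for both vault providers. Prefer TF_VAR_vault_token over a committed tfvars file."
  # Redacts the token from plan/apply output (Terraform >= 0.14).
  sensitive = true
}

variable "vault_bootstrap_namespace" {
  type        = string
  description = "Namespace that holds the bootstrap credentials; created by the vault-bootstrap module."
}

variable "vault_base_namespace" {
  type        = string
  description = "Parent namespace under which the bootstrap namespace is created."
}

variable "robot_k8s_credentials_file_path" {
  description = "Local path of the robot kubeconfig file handed to the vault-bootstrap module."
}

variable "robot_k8s_secret_path" {
  description = "KV path the robot kubeconfig is read back from."
}

variable "robot_k8s_secret_key" {}
variable "robot_creds_secret_path" {}
variable "global_creds_secret_path" {}
variable "github_secret_path" {}
variable "github_secret_key" {}
variable "region" {}
variable "azure_secret_path" {}
variable "azure_secret_key" {}
variable "aws_secret_path" {}
variable "aws_secret_key" {}
variable "cloud_provider_aws" {}
variable "cloud_provider_azure" {}
variable "gardener_dashboard_secret_aws" {}
variable "gardener_dashboard_secret_azure" {}
variable "gardener_project_name" {}
variable "gardener_shoot_cluster_name" {}
variable "repository_name" {}
variable "branch" {}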
# Vault provider for the parent ("base") namespace; used by the module to
# create the bootstrap namespace underneath it.
provider "vault" {
  alias     = "base"
  namespace = var.vault_base_namespace
  address   = var.vault_address
  token     = var.vault_token
}
# Vault provider for the bootstrap namespace itself. Same address and token
# as the base provider; only the namespace differs.
provider "vault" {
  alias     = "bootstrap"
  namespace = var.vault_bootstrap_namespace
  address   = var.vault_address
  token     = var.vault_token
}
# GitHub provider configured entirely from secrets the vault-bootstrap module
# reads back out of Vault. Those values are only known once the module's data
# sources have been read, so this provider cannot be configured until then.
# The module also exports `github_owner`, which is not used here.
provider "github" {
  alias = "gitops"

  base_url     = module.vault-bootstrap.github_api_url
  organization = module.vault-bootstrap.github_organization
  token        = module.vault-bootstrap.github_token
}
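# kubectl provider for the robot cluster, configured from the kubeconfig the
# vault-bootstrap module stores in Vault.
provider "kubectl" {
  alias = "robot"

  host  = module.vault-bootstrap.robot_host
  token = module.vault-bootstrap.robot_token

  # The module's `robot_client_key` output is, despite its name, the
  # kubeconfig's base64-encoded `certificate-authority-data`, not a client
  # key. Feeding it to `client_key` did nothing useful, and `insecure = true`
  # then switched server-certificate verification off altogether. Decoding it
  # into cluster_ca_certificate verifies the API server against the CA the
  # kubeconfig itself names.
  cluster_ca_certificate = base64decode(module.vault-bootstrap.robot_client_key)
  insecure               = false

  # Context selectors only apply when a kubeconfig file is loaded; kept as in
  # the original configuration.
  config_context_cluster   = module.vault-bootstrap.robot_context_cluster
  config_context_auth_info = module.vault-bootstrap.robot_context_auth_info
}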
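# kubernetes provider for the robot cluster; same connection data as the
# kubectl provider above.
provider "kubernetes" {
  alias = "robot"

  host  = module.vault-bootstrap.robot_host
  token = module.vault-bootstrap.robot_token

  # `robot_client_key` carries the kubeconfig's `certificate-authority-data`
  # (base64 PEM), so it belongs in cluster_ca_certificate; with the CA in
  # place there is no reason to disable TLS verification via insecure = true.
  cluster_ca_certificate = base64decode(module.vault-bootstrap.robot_client_key)
  insecure               = false

  # Only consulted when a kubeconfig file is loaded; kept for parity with
  # the original configuration.
  config_context_cluster   = module.vault-bootstrap.robot_context_cluster
  config_context_auth_info = module.vault-bootstrap.robot_context_auth_info
}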
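# Creates the bootstrap namespace, its KV mounts and the seed secrets, then
# reads the credentials back so the other providers can be configured.
module "vault-bootstrap" {
  source = "./../modules/vault-bootstrap"

  vault_address             = var.vault_address
  vault_token               = var.vault_token
  vault_bootstrap_namespace = var.vault_bootstrap_namespace

  github_secret_path = var.github_secret_path
  github_secret_key  = var.github_secret_key
  azure_secret_path  = var.azure_secret_path
  azure_secret_key   = var.azure_secret_key
  aws_secret_path    = var.aws_secret_path
  aws_secret_key     = var.aws_secret_key

  robot_creds_secret_path         = var.robot_creds_secret_path
  robot_k8s_credentials_file_path = var.robot_k8s_credentials_file_path
  robot_k8s_secret_key            = var.robot_k8s_secret_key
  # Was never forwarded although the root declares it and the module's
  # robot_k8s_config_creds_read data source reads var.robot_k8s_secret_path;
  # without it the module fell back to whatever default it declares.
  robot_k8s_secret_path = var.robot_k8s_secret_path

  global_creds_secret_path = var.global_creds_secret_path

  # NOTE(review): the module's main.tf also references var.github_credentials,
  # var.azure_credentials and var.aws_credentials, none of which are passed
  # here — confirm they carry defaults or are sourced another way.

  providers = {
    vault.bootstrap = vault.bootstrap
    vault.base      = vault.base
  }
}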
# GitOps repository, created with the GitHub provider that was configured
# from the secrets the bootstrap module read back from Vault.
module "github-repo" {
  source = "./../modules/github-repo"

  branch          = var.branch
  repository_name = var.repository_name

  providers = {
    github.gitops = github.gitops
  }
}
# Azure credentials for the Gardener dashboard, written into the robot cluster.
# The four azure_* values come from the bootstrap module's Vault read-back.
module "gardener-dashboard-credentials-azure" {
  source = "./../modules/gardener-dashboard-credentials-azure"

  cloud_provider            = var.cloud_provider_azure
  region                    = var.region
  gardener_project_name     = var.gardener_project_name
  gardener_dashboard_secret = var.gardener_dashboard_secret_azure

  azure_tenantid       = module.vault-bootstrap.azure_tenantid
  azure_subscriptionid = module.vault-bootstrap.azure_subscriptionid
  azure_clientid       = module.vault-bootstrap.azure_clientid
  azure_clientsecret   = module.vault-bootstrap.azure_clientsecret

  providers = {
    kubectl.robot    = kubectl.robot
    kubernetes.robot = kubernetes.robot
  }
}
# AWS counterpart of the Azure dashboard-credentials module above.
module "gardener-dashboard-credentials-aws" {
  source = "./../modules/gardener-dashboard-credentials-aws"

  cloud_provider            = var.cloud_provider_aws
  region                    = var.region
  gardener_project_name     = var.gardener_project_name
  gardener_dashboard_secret = var.gardener_dashboard_secret_aws

  # Static AWS keys read back from Vault by the bootstrap module.
  access_key = module.vault-bootstrap.aws_accesskeyid
  secret_key = module.vault-bootstrap.aws_secretaccesskey

  providers = {
    kubectl.robot    = kubectl.robot
    kubernetes.robot = kubernetes.robot
  }
}
# Root-module outputs: names of the created dashboard secrets, the repository
# URL and the (local) kubeconfig path. None of these carry secret material.

output "aws_gardener_dashboard_secret" {
  description = "Gardener Dashboard AWS Secret Name"
  value       = module.gardener-dashboard-credentials-aws.gardener_dashboard_credentials_name
}

output "azure_gardener_dashboard_secret" {
  description = "Gardener Dashboard Azure Secret Name"
  value       = module.gardener-dashboard-credentials-azure.gardener_dashboard_credentials_name
}

output "github_repository_url" {
  description = "Github Repo Url"
  value       = module.github-repo.github_repo_url
}

output "robot_k8s_credentials_path" {
  description = "Robot Creds file path"
  value       = var.robot_k8s_credentials_file_path
}

module/vault-bootstrap/main.tf

# Alias-only ("proxy") provider block: the actual configuration for
# vault.base is supplied by the calling module through its providers map.
provider "vault" {
  alias = "base"
}

# Provider for the bootstrap namespace, configured inside the module so that
# its namespace can be derived from the vault_namespace resource below (this
# is what orders every vault.bootstrap resource after the namespace exists).
# NOTE(review): the calling module also passes `vault.bootstrap` in its
# providers map while this block is a full configuration rather than an
# alias-only proxy; Terraform may refuse that combination — confirm against
# the version in use.
provider "vault" {
  alias = "bootstrap"
  address = var.vault_address
  token   = var.vault_token
  # The namespace id carries a trailing slash; Vault wants it without one.
  namespace = trimsuffix(vault_namespace.bootstrap_namespace.id, "/")
}

# Child namespace that holds every bootstrap credential; created through the
# base (parent-namespace) provider.
resource "vault_namespace" "bootstrap_namespace" {
  path     = var.vault_bootstrap_namespace
  provider = vault.base
}

# One KV version-2 mount per credential family, all inside the bootstrap
# namespace. The explicit depends_on is belt-and-braces: the bootstrap
# provider's namespace argument already references the namespace resource.

resource "vault_mount" "github_secret_kvv2" {
  provider = vault.bootstrap
  type     = "kv"
  path     = var.github_secret_path
  options  = { version = "2" }

  depends_on = [vault_namespace.bootstrap_namespace]
}

resource "vault_mount" "azure_secret_kvv2" {
  provider = vault.bootstrap
  type     = "kv"
  path     = var.azure_secret_path
  options  = { version = "2" }

  depends_on = [vault_namespace.bootstrap_namespace]
}

resource "vault_mount" "aws_secret_kvv2" {
  provider = vault.bootstrap
  type     = "kv"
  path     = var.aws_secret_path
  options  = { version = "2" }

  depends_on = [vault_namespace.bootstrap_namespace]
}

resource "vault_mount" "robot_creds_secret_kvv2" {
  provider = vault.bootstrap
  type     = "kv"
  path     = var.robot_creds_secret_path
  options  = { version = "2" }

  depends_on = [vault_namespace.bootstrap_namespace]
}

resource "vault_mount" "global_creds_secret_kvv2" {
  provider = vault.bootstrap
  type     = "kv"
  path     = var.global_creds_secret_path
  options  = { version = "2" }

  depends_on = [vault_namespace.bootstrap_namespace]
}

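# Seed secrets, one per KV mount above. The payloads are built with
# jsonencode() — as robot_k8config_secret already did — instead of hand-written
# JSON heredocs, so a credential containing a quote, backslash or newline can
# no longer produce an invalid document. Key names are unchanged.
#
# NOTE(review): var.github_credentials, var.azure_credentials,
# var.aws_credentials and data.local_file.robot_k8s_credentials_file_path are
# not declared in this listing — confirm they exist elsewhere in the module.
# Every value written here is also recorded in Terraform state in clear text;
# the state backend needs the same protection as Vault itself.

resource "vault_generic_secret" "github_secret" {
  provider = vault.bootstrap
  path     = join("/", [var.github_secret_path, "credentials"])

  data_json = jsonencode({
    org     = var.github_credentials.org
    api_url = var.github_credentials.api_url
    token   = var.github_credentials.token
    owner   = var.github_credentials.owner
  })

  depends_on = [vault_mount.github_secret_kvv2]
}

resource "vault_generic_secret" "azure_secret" {
  provider = vault.bootstrap
  path     = join("/", [var.azure_secret_path, "credentials"])

  data_json = jsonencode({
    clientid       = var.azure_credentials.clientid
    clientsecret   = var.azure_credentials.clientsecret
    subscriptionid = var.azure_credentials.subscriptionid
    tenantid       = var.azure_credentials.tenantid
  })

  depends_on = [vault_mount.azure_secret_kvv2]
}

resource "vault_generic_secret" "aws_secret" {
  provider = vault.bootstrap
  path     = join("/", [var.aws_secret_path, "credentials"])

  data_json = jsonencode({
    accesskeyid     = var.aws_credentials.accesskeyid
    secretaccesskey = var.aws_credentials.secretaccesskey
  })

  depends_on = [vault_mount.aws_secret_kvv2]
}

# Placeholder content; nothing in the root module reads it back yet.
resource "vault_generic_secret" "global_secret" {
  provider = vault.bootstrap
  path     = join("/", [var.global_creds_secret_path, "credentials"])

  data_json = jsonencode({
    foo = "bar"
  })

  depends_on = [vault_mount.global_creds_secret_kvv2]
}

# Whole robot kubeconfig stored under a single "config" key. Note it is
# written below var.robot_creds_secret_path but read back (data source
# robot_k8s_config_creds_read) from var.robot_k8s_secret_path — the two
# variables must resolve to the same mount.
resource "vault_generic_secret" "robot_k8config_secret" {
  provider = vault.bootstrap
  path     = join("/", [var.robot_creds_secret_path, "credentials"])

  data_json = jsonencode({
    config = data.local_file.robot_k8s_credentials_file_path.content
  })

  depends_on = [vault_mount.robot_creds_secret_kvv2]
}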

# Read-back of the seed secrets. depends_on is what ties each read to the
# matching write; a data source that carries depends_on is not read until
# apply, which is why every value derived from these reads is unknown at plan
# time. The values land in Terraform state like the writes above.

data "vault_generic_secret" "robot_k8s_config_creds_read" {
  provider = vault.bootstrap
  path     = join("/", [var.robot_k8s_secret_path, var.robot_k8s_secret_key])

  depends_on = [vault_generic_secret.robot_k8config_secret]
}

data "vault_generic_secret" "github_creds_read" {
  provider = vault.bootstrap
  path     = join("/", [var.github_secret_path, var.github_secret_key])

  depends_on = [vault_generic_secret.github_secret]
}

data "vault_generic_secret" "azure_creds_read" {
  provider = vault.bootstrap
  path     = join("/", [var.azure_secret_path, var.azure_secret_key])

  depends_on = [vault_generic_secret.azure_secret]
}

data "vault_generic_secret" "aws_creds_read" {
  provider = vault.bootstrap
  path     = join("/", [var.aws_secret_path, var.aws_secret_key])

  depends_on = [vault_generic_secret.aws_secret]
}


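# Module outputs. All credential-bearing outputs are marked sensitive so they
# are redacted from CLI output; they are still stored in state.

# Decode the stored kubeconfig once instead of in each robot_* output.
locals {
  robot_kubeconfig = yamldecode(data.vault_generic_secret.robot_k8s_config_creds_read.data.config)
}

output "github_token" {
  value       = data.vault_generic_secret.github_creds_read.data.token
  sensitive   = true
  description = "GitHub Token"
}

output "github_organization" {
  value       = data.vault_generic_secret.github_creds_read.data.org
  sensitive   = true
  description = "GitHub Org"
}

output "github_api_url" {
  value       = data.vault_generic_secret.github_creds_read.data.api_url
  sensitive   = true
  description = "GitHub API URL"
}

output "github_owner" {
  value       = data.vault_generic_secret.github_creds_read.data.owner
  sensitive   = true
  description = "GitHub Owner"
}

output "azure_clientid" {
  value       = data.vault_generic_secret.azure_creds_read.data.clientid
  sensitive   = true
  description = "Azure Clientid"
}

output "azure_clientsecret" {
  value       = data.vault_generic_secret.azure_creds_read.data.clientsecret
  sensitive   = true
  description = "Azure Client Secret"
}

output "azure_subscriptionid" {
  value       = data.vault_generic_secret.azure_creds_read.data.subscriptionid
  sensitive   = true
  description = "Azure Subscription ID"
}

output "azure_tenantid" {
  value       = data.vault_generic_secret.azure_creds_read.data.tenantid
  sensitive   = true
  description = "Azure Tenant ID"
}

output "aws_accesskeyid" {
  value       = data.vault_generic_secret.aws_creds_read.data.accesskeyid
  sensitive   = true
  description = "AWS AccessKey ID"
}

output "aws_secretaccesskey" {
  value       = data.vault_generic_secret.aws_creds_read.data.secretaccesskey
  sensitive   = true
  description = "AWS SecretAccess Key"
}

# The robot_* outputs all read the first cluster/user/context entry of the
# stored kubeconfig; a kubeconfig with several entries would need an index.
output "robot_host" {
  value       = local.robot_kubeconfig.clusters[0].cluster.server
  sensitive   = true
  description = "Robot Host"
}

output "robot_token" {
  value       = local.robot_kubeconfig.users[0].user.token
  sensitive   = true
  description = "Robot Token"
}

# Correctly named form of the value below: the cluster CA bundle, still
# base64-encoded as it appears in the kubeconfig. Callers that verify the
# API server certificate should use this (base64decode() it first).
output "robot_cluster_ca_certificate" {
  value       = local.robot_kubeconfig.clusters[0].cluster["certificate-authority-data"]
  sensitive   = true
  description = "Robot cluster certificate-authority-data (base64 PEM)"
}

# Kept for existing callers. Despite the name this is NOT a client key; it is
# the same certificate-authority-data as robot_cluster_ca_certificate.
output "robot_client_key" {
  value       = local.robot_kubeconfig.clusters[0].cluster["certificate-authority-data"]
  sensitive   = true
  description = "Deprecated alias of robot_cluster_ca_certificate (misnamed; holds CA data, not a client key)"
}

output "robot_context_cluster" {
  value       = local.robot_kubeconfig.contexts[0].context.cluster
  sensitive   = true
  description = "Robot Context Cluster"
}

output "robot_context_auth_info" {
  value       = local.robot_kubeconfig.contexts[0].context.user
  sensitive   = true
  description = "Robot Context Auth Info"
}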
