# Version constraints for this root module: Terraform 0.14 or newer and the
# Vault provider pinned to the 2.18.x patch series ("~> 2.18.0" allows
# 2.18.x but not 2.19).
terraform {
  required_version = ">= 0.14"

  required_providers {
    vault = {
      version = "~> 2.18.0"
      source  = "hashicorp/vault"
    }
  }
}
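# Root-module inputs. Values come from terraform.tfvars (shown further down)
# or from -var / TF_VAR_* at run time.

# --- Vault connection (consumed by the "base_namespace" provider) ----------

variable "vault_address" {
  description = "Origin URL of the Vault server the vault provider connects to."
}

# Marked sensitive so the token is redacted from plan/apply output; this
# attribute needs Terraform 0.14, which required_version already demands.
variable "vault_token" {
  description = "Vault token the provider authenticates with."
  sensitive   = true
}

variable "vault_base_namespace" {
  description = "Vault namespace the provider operates in."
}

# --- Pass-through inputs for module \"vault-approle\" -----------------------
# Semantics (units, defaults) are defined by ./../modules/vault-approle and
# are not visible in this file.

variable "role_name" {
  description = "AppRole role name, passed to module vault-approle."
}

variable "policy_name" {
  description = "Vault policy name, passed to module vault-approle together with the inline policy document."
}

variable "backend_path" {
  description = "AppRole auth backend path, passed to module vault-approle."
}

variable "create_secret_id" {
  description = "Module toggle, passed to module vault-approle (true/false in terraform.tfvars)."
}

variable "enable_login" {
  description = "Module toggle, passed to module vault-approle (true/false in terraform.tfvars)."
}

variable "secret_id_ttl" {
  description = "SecretID TTL, passed to module vault-approle."
}

variable "token_max_ttl" {
  description = "Token max TTL, passed to module vault-approle."
}

variable "secret_id_num_uses" {
  description = "SecretID use count, passed to module vault-approle."
}

variable "token_explicit_max_ttl" {
  description = "Token explicit max TTL, passed to module vault-approle."
}

variable "token_num_uses" {
  description = "Token use count, passed to module vault-approle."
}

variable "token_period" {
  description = "Token period, passed to module vault-approle."
}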
# Vault provider bound to the base namespace. It is only ever used through its
# alias: module "vault-approle" receives it via the providers map below.
provider "vault" {
  alias = "base_namespace"

  namespace = var.vault_base_namespace
  address   = var.vault_address
  token     = var.vault_token
}
# Creates the AppRole and its policy through the local vault-approle module.
# All knobs are forwarded one-to-one from the root variables; the policy
# document itself is the inline heredoc below.
module "vault-approle" {
  source = "./../modules/vault-approle"

  providers = {
    vault.base_namespace = vault.base_namespace
  }

  # Identity of the role and the policy it is bound to.
  role_name    = var.role_name
  policy_name  = var.policy_name
  backend_path = var.backend_path

  # Module behaviour toggles.
  create_secret_id = var.create_secret_id
  enable_login     = var.enable_login

  # SecretID / token lifetime settings, forwarded unchanged.
  secret_id_ttl          = var.secret_id_ttl
  secret_id_num_uses     = var.secret_id_num_uses
  token_max_ttl          = var.token_max_ttl
  token_explicit_max_ttl = var.token_explicit_max_ttl
  token_num_uses         = var.token_num_uses
  token_period           = var.token_period

  # Policy document handed to the module as a string.
  #
  # Review note: the three sys/* stanzas grant every capability including
  # "sudo" on sys/namespaces/*, sys/policies/* and +/sys/mounts/*, so a holder
  # of this AppRole can create namespaces, mount engines and -- through
  # sys/policies/* -- rewrite policies, including this one. The narrower
  # read/list grants on global/* and development/* therefore add little
  # containment; if that is not intended, drop "sudo" and restrict the
  # sys/policies path. The "+" segment wildcard matches exactly one path
  # element (presumably a child namespace here). "boostrapcredentials" is
  # spelled this way in all three paths -- confirm it matches the real
  # namespace/mount name. The # comments inside the heredoc are stored with
  # the policy; Vault's HCL parser ignores them.
  policy = <<-EOT
    path "sys/namespaces/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    path "sys/policies/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    path "+/sys/mounts/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    # List available secrets engines
    path "+/sys/mounts" {
      capabilities = [ "read" ]
    }
    #Terraform tries to create a subtoken
    path "auth/token/create" {
      capabilities = [ "create", "update"]
    }
    # Terraform looks up the token used. Vault CLI does
    # not require this capability
    path "auth/token/lookup-self" {
      capabilities = ["read"]
    }
    path "+/boostrapcredentials/auth/token/create" {
      capabilities = [ "create", "update"]
    }
    path "+/boostrapcredentials/auth/token/lookup-self" {
      capabilities = ["read"]
    }
    path "boostrapcredentials/+/+/*" {
      capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    }
    path "global/*" {
      capabilities = ["read", "list"]
    }
    path "development/*" {
      capabilities = ["read", "list"]
    }
  EOT
}
cat terraform.tfvars | |
# terraform.tfvars for the AppRole root module above.

# Vault connection.
# NOTE(review): the provider expects an origin URL; confirm "vault-server"
# resolves with the scheme the provider needs (e.g. https://...).
vault_address        = "vault-server"
vault_base_namespace = "i503158"
# "xxxxx" is a placeholder. Prefer supplying the real token through the
# VAULT_TOKEN environment variable (which the vault provider reads) instead of
# committing it to a .tfvars file.
vault_token          = "xxxxx"

# AppRole identity.
role_name    = "jenkins_app"
policy_name  = "jenkins_app"
backend_path = "jenkins_app"

# Module toggles.
create_secret_id = true
enable_login     = true

# Lifetime settings. NOTE(review): 0 is forwarded unchanged to the module;
# for Vault AppRole parameters a zero TTL/use-count normally means "no limit",
# so confirm these are the intended values for a CI credential.
secret_id_ttl          = 0
secret_id_num_uses     = 0
token_max_ttl          = 0
token_explicit_max_ttl = 0
token_num_uses         = 0
token_period           = 0
# Version constraints for the bootstrap root module. Note the Vault provider
# is pinned to a different series here ("~> 2.12") than in the AppRole module
# ("~> 2.18.0"); both constraints are exact as written by the author.
terraform {
  required_version = ">= 0.14"

  required_providers {
    github = {
      source  = "hashicorp/github"
      version = "~> 2.9.2"
    }
    kubectl = {
      source  = "gavinbunney/kubectl"
      version = ">= 1.10.0"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.0.1"
    }
    vault = {
      source  = "hashicorp/vault"
      version = "~> 2.12"
    }
  }
}
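# Root-module inputs for the bootstrap configuration.

# --- Vault connection (shared by the "base" and "bootstrap" providers) -----

variable "vault_address" {
  description = "Origin URL of the Vault server."
}

# Marked sensitive so the token is redacted from plan/apply output
# (supported since Terraform 0.14, which required_version demands).
variable "vault_token" {
  description = "Vault token used by both vault providers and forwarded to module vault-bootstrap."
  sensitive   = true
}

variable "vault_bootstrap_namespace" {
  description = "Namespace for the \"bootstrap\" vault provider; also forwarded to module vault-bootstrap."
}

variable "vault_base_namespace" {
  description = "Namespace for the \"base\" vault provider."
}

# --- Locations of secrets inside Vault (paths/keys, not secret values) -----
# These name where module vault-bootstrap reads credentials from; the
# credentials themselves are exposed as module outputs.

variable "robot_k8s_credentials_file_path" {
  description = "Path to the robot kubeconfig/credentials file; forwarded to module vault-bootstrap and echoed by output robot_k8s_credentials_path."
}

variable "robot_k8s_secret_path" {
  description = "Vault path holding the robot Kubernetes credentials (declared but not referenced in this file)."
}

variable "robot_k8s_secret_key" {
  description = "Key within the robot Kubernetes secret; forwarded to module vault-bootstrap."
}

variable "robot_creds_secret_path" {
  description = "Vault path of the robot credentials; forwarded to module vault-bootstrap."
}

variable "global_creds_secret_path" {
  description = "Vault path of the global credentials; forwarded to module vault-bootstrap."
}

variable "github_secret_path" {
  description = "Vault path holding the GitHub token; forwarded to module vault-bootstrap."
}

variable "github_secret_key" {
  description = "Key within the GitHub secret; forwarded to module vault-bootstrap."
}

variable "azure_secret_path" {
  description = "Vault path holding the Azure credentials; forwarded to module vault-bootstrap."
}

variable "azure_secret_key" {
  description = "Key within the Azure secret; forwarded to module vault-bootstrap."
}

variable "aws_secret_path" {
  description = "Vault path holding the AWS credentials; forwarded to module vault-bootstrap."
}

variable "aws_secret_key" {
  description = "Key within the AWS secret; forwarded to module vault-bootstrap."
}

# --- Gardener / cloud settings --------------------------------------------

variable "region" {
  description = "Region passed to both gardener-dashboard-credentials modules."
}

variable "cloud_provider_aws" {
  description = "cloud_provider value for module gardener-dashboard-credentials-aws."
}

variable "cloud_provider_azure" {
  description = "cloud_provider value for module gardener-dashboard-credentials-azure."
}

# NOTE(review): by name these look like Kubernetes Secret names (the matching
# outputs are described as secret *names*), not secret values; if they ever
# carry secret material, add sensitive = true.
variable "gardener_dashboard_secret_aws" {
  description = "gardener_dashboard_secret value for the AWS dashboard-credentials module."
}

variable "gardener_dashboard_secret_azure" {
  description = "gardener_dashboard_secret value for the Azure dashboard-credentials module."
}

variable "gardener_project_name" {
  description = "Gardener project name passed to both dashboard-credentials modules."
}

variable "gardener_shoot_cluster_name" {
  description = "Gardener shoot cluster name (declared but not referenced in this file)."
}

# --- GitOps repository -----------------------------------------------------

variable "repository_name" {
  description = "Repository name passed to module github-repo."
}

variable "branch" {
  description = "Branch name passed to module github-repo."
}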
# Two Vault providers against the same server and token, differing only in
# namespace. Both are handed to module "vault-bootstrap" through its
# providers map under the aliases "base" and "bootstrap".
provider "vault" {
  alias = "base"

  namespace = var.vault_base_namespace
  address   = var.vault_address
  token     = var.vault_token
}

provider "vault" {
  alias = "bootstrap"

  namespace = var.vault_bootstrap_namespace
  address   = var.vault_address
  token     = var.vault_token
}
# GitHub provider configured entirely from vault-bootstrap module outputs, so
# the token is fetched from Vault at plan/apply time rather than stored in
# this configuration. Because the provider configuration depends on a module
# output, it can only be evaluated once that module has been read.
# base_url is set explicitly, which presumably targets a GitHub Enterprise
# instance -- confirm against module vault-bootstrap.
provider "github" {
  alias = "gitops"

  base_url     = module.vault-bootstrap.github_api_url
  organization = module.vault-bootstrap.github_organization
  token        = module.vault-bootstrap.github_token
}
# kubectl and kubernetes providers for the "robot" cluster, both configured
# from the same vault-bootstrap outputs.
#
# Review note: `insecure = true` turns off TLS verification of the API
# server, so the robot token is presented to whatever answers at robot_host.
# If module vault-bootstrap can export the cluster CA, passing it as
# `cluster_ca_certificate` and dropping `insecure` is the safer setup for both
# providers. Also, `client_key` is set without a matching client certificate;
# confirm that token authentication is what is actually intended.
provider "kubectl" {
  alias = "robot"

  host  = module.vault-bootstrap.robot_host
  token = module.vault-bootstrap.robot_token

  client_key               = module.vault-bootstrap.robot_client_key
  config_context_cluster   = module.vault-bootstrap.robot_context_cluster
  config_context_auth_info = module.vault-bootstrap.robot_context_auth_info

  insecure = true
}

provider "kubernetes" {
  alias = "robot"

  host  = module.vault-bootstrap.robot_host
  token = module.vault-bootstrap.robot_token

  client_key               = module.vault-bootstrap.robot_client_key
  config_context_cluster   = module.vault-bootstrap.robot_context_cluster
  config_context_auth_info = module.vault-bootstrap.robot_context_auth_info

  insecure = true
}
# Reads the bootstrap credentials out of Vault. Its outputs feed the github,
# kubectl and kubernetes providers and the two gardener modules below.
# The module receives the Vault address/token both as plain inputs and via
# the two provider aliases -- presumably the module needs both; confirm.
# Anything the module exports (tokens, cloud keys) is recorded in the
# Terraform state, so the state backend must be treated as holding secrets.
module "vault-bootstrap" {
  source = "./../modules/vault-bootstrap"

  providers = {
    vault.base      = vault.base
    vault.bootstrap = vault.bootstrap
  }

  # Vault connection and namespace.
  vault_address             = var.vault_address
  vault_token               = var.vault_token
  vault_bootstrap_namespace = var.vault_bootstrap_namespace

  # Where each credential lives in Vault.
  github_secret_path              = var.github_secret_path
  github_secret_key               = var.github_secret_key
  azure_secret_path               = var.azure_secret_path
  azure_secret_key                = var.azure_secret_key
  aws_secret_path                 = var.aws_secret_path
  aws_secret_key                  = var.aws_secret_key
  robot_creds_secret_path         = var.robot_creds_secret_path
  robot_k8s_secret_key            = var.robot_k8s_secret_key
  robot_k8s_credentials_file_path = var.robot_k8s_credentials_file_path
  global_creds_secret_path        = var.global_creds_secret_path
}
# GitOps repository, managed with the Vault-backed GitHub provider.
module "github-repo" {
  source = "./../modules/github-repo"

  providers = {
    github.gitops = github.gitops
  }

  branch          = var.branch
  repository_name = var.repository_name
}
# Gardener dashboard credentials for Azure. The service-principal values come
# from vault-bootstrap outputs, i.e. they pass through Terraform state on
# their way into the robot cluster.
module "gardener-dashboard-credentials-azure" {
  source = "./../modules/gardener-dashboard-credentials-azure"

  providers = {
    kubectl.robot    = kubectl.robot
    kubernetes.robot = kubernetes.robot
  }

  # Gardener target.
  gardener_project_name     = var.gardener_project_name
  gardener_dashboard_secret = var.gardener_dashboard_secret_azure
  cloud_provider            = var.cloud_provider_azure
  region                    = var.region

  # Azure credentials read from Vault.
  azure_tenantid       = module.vault-bootstrap.azure_tenantid
  azure_subscriptionid = module.vault-bootstrap.azure_subscriptionid
  azure_clientid       = module.vault-bootstrap.azure_clientid
  azure_clientsecret   = module.vault-bootstrap.azure_clientsecret
}
# Gardener dashboard credentials for AWS; same shape as the Azure module
# above, with the access key pair coming from vault-bootstrap outputs.
module "gardener-dashboard-credentials-aws" {
  source = "./../modules/gardener-dashboard-credentials-aws"

  providers = {
    kubectl.robot    = kubectl.robot
    kubernetes.robot = kubernetes.robot
  }

  # Gardener target.
  gardener_project_name     = var.gardener_project_name
  gardener_dashboard_secret = var.gardener_dashboard_secret_aws
  cloud_provider            = var.cloud_provider_aws
  region                    = var.region

  # AWS credentials read from Vault.
  access_key = module.vault-bootstrap.aws_accesskeyid
  secret_key = module.vault-bootstrap.aws_secretaccesskey
}
# Root outputs. Per their descriptions none of these carry secret material:
# the two gardener values are Kubernetes Secret *names*, the others are a
# repository URL and a local file path.

output "aws_gardener_dashboard_secret" {
  description = "Gardener Dashboard AWS Secret Name"
  value       = module.gardener-dashboard-credentials-aws.gardener_dashboard_credentials_name
}

output "azure_gardener_dashboard_secret" {
  description = "Gardener Dashboard Azure Secret Name"
  value       = module.gardener-dashboard-credentials-azure.gardener_dashboard_credentials_name
}

output "github_repository_url" {
  description = "Github Repo Url"
  value       = module.github-repo.github_repo_url
}

# Echoes the input variable unchanged.
output "robot_k8s_credentials_path" {
  description = "Robot Creds file path"
  value       = var.robot_k8s_credentials_file_path
}
module/vault-bootstrap/main.tf