Wire Forge-native release infrastructure
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s

This commit is contained in:
Conrad Kramer 2026-06-07 05:51:12 -07:00
parent 97c569fb35
commit 002bd382e9
199 changed files with 14268 additions and 185 deletions

137
infra/openbao/variables.tf Normal file
View file

@ -0,0 +1,137 @@
variable "openbao_address" {
description = "OpenBao API address. The Vault provider reads the token from VAULT_TOKEN."
type = string
default = "https://vault.burrow.net"
}
variable "openbao_skip_tls_verify" {
description = "Skip TLS verification for local bootstrap only."
type = bool
default = false
}
variable "age_mount_path" {
description = "KV v2 mount path for migrated age-managed runtime secrets."
type = string
default = "age"
}
variable "manage_openbao_config" {
description = "Manage OpenBao mounts, policies, and Authentik OIDC auth. Requires VAULT_TOKEN."
type = bool
default = false
}
variable "authentik_issuer" {
description = "Authentik OpenBao OIDC issuer."
type = string
default = "https://auth.burrow.net/application/o/openbao/"
}
variable "authentik_client_id" {
description = "Public Authentik OpenBao OIDC client id."
type = string
default = "vault.burrow.net"
}
variable "authentik_admin_group" {
description = "Authentik group allowed to administer OpenBao."
type = string
default = "burrow-admins"
}
variable "authentik_runtime_group" {
description = "Authentik group allowed to read runtime secrets."
type = string
default = "burrow-automation"
}
variable "approle_auth_path" {
description = "OpenBao AppRole auth mount path for machine consumers."
type = string
default = "approle"
}
variable "runtime_approle_role_name" {
description = "AppRole role name used by Burrow runtime secret consumers."
type = string
default = "burrow-runtime"
}
variable "runtime_approle_token_ttl_seconds" {
description = "Token TTL for runtime AppRole login."
type = number
default = 3600
}
variable "runtime_approle_token_max_ttl_seconds" {
description = "Maximum token TTL for runtime AppRole login."
type = number
default = 7200
}
variable "runtime_approle_secret_id_ttl_seconds" {
description = "SecretID TTL for runtime AppRole. Zero means no expiry; rotate manually."
type = number
default = 0
}
variable "runtime_approle_secret_id_num_uses" {
description = "SecretID use limit for runtime AppRole. Zero means unlimited uses; rotate manually."
type = number
default = 0
}
variable "manage_google" {
description = "Manage Google Cloud KMS resources for OpenBao seal wrapping."
type = bool
default = false
}
variable "google_project_id" {
description = "Google Cloud project id for OpenBao seal wrapping."
type = string
default = "project-88c23ce9-918a-470a-b33"
}
variable "manage_google_kms_key_ring" {
description = "Create/manage the Google KMS key ring. Existing rings should be imported before enabling this."
type = bool
default = false
}
variable "google_kms_key_ring_name" {
description = "Google KMS key ring for OpenBao seal wrapping."
type = string
default = "burrow-identity"
}
variable "google_kms_key_ring_location" {
description = "Google KMS key ring location."
type = string
default = "global"
}
variable "google_kms_key_ring_id" {
description = "Existing Google KMS key ring id."
type = string
default = ""
}
variable "google_openbao_seal_key_name" {
description = "Google KMS symmetric key used for OpenBao seal wrapping."
type = string
default = "openbao-seal"
}
variable "google_openbao_seal_members" {
description = "IAM members allowed to encrypt/decrypt with the OpenBao seal key."
type = set(string)
default = []
}
variable "tags" {
description = "Additional labels applied to supported Google resources."
type = map(string)
default = {}
}