resource "vault_mount" "age" { count = var.manage_openbao_config ? 1 : 0 path = var.age_mount_path type = "kv-v2" description = "Migrated Burrow age-managed runtime secrets." options = { version = "2" } } resource "vault_policy" "admin" { count = var.manage_openbao_config ? 1 : 0 name = "burrow-openbao-admin" policy = <<-EOT path "*" { capabilities = ["create", "read", "update", "delete", "list", "sudo"] } EOT } resource "vault_policy" "runtime_read" { count = var.manage_openbao_config ? 1 : 0 name = "burrow-runtime-read" policy = <<-EOT path "${var.age_mount_path}/data/*" { capabilities = ["read"] } path "${var.age_mount_path}/metadata/*" { capabilities = ["list", "read"] } EOT } resource "vault_auth_backend" "approle" { count = var.manage_openbao_config ? 1 : 0 path = var.approle_auth_path type = "approle" description = "Machine auth for Burrow runtime secret consumers." tune { token_type = "default-service" } } resource "vault_approle_auth_backend_role" "runtime" { count = var.manage_openbao_config ? 1 : 0 backend = vault_auth_backend.approle[0].path role_name = var.runtime_approle_role_name bind_secret_id = true token_policies = [vault_policy.runtime_read[0].name] token_ttl = var.runtime_approle_token_ttl_seconds token_max_ttl = var.runtime_approle_token_max_ttl_seconds token_num_uses = 0 secret_id_ttl = var.runtime_approle_secret_id_ttl_seconds secret_id_num_uses = var.runtime_approle_secret_id_num_uses } resource "vault_jwt_auth_backend" "authentik" { count = var.manage_openbao_config ? 1 : 0 path = "oidc" type = "oidc" oidc_discovery_url = var.authentik_issuer bound_issuer = var.authentik_issuer oidc_client_id = var.authentik_client_id default_role = "burrow-admin" tune { listing_visibility = "unauth" token_type = "default-service" } } resource "vault_jwt_auth_backend_role" "admin" { count = var.manage_openbao_config ? 1 : 0 backend = vault_jwt_auth_backend.authentik[0].path role_name = "burrow-admin" role_type = "oidc" user_claim = "email" allowed_redirect_uris = [ "https://vault.burrow.net/ui/vault/auth/oidc/oidc/callback", "http://localhost:8250/oidc/callback", ] bound_audiences = [var.authentik_client_id] bound_claims = { groups = var.authentik_admin_group } oidc_scopes = ["openid", "profile", "email", "groups"] token_policies = [vault_policy.admin[0].name] } resource "vault_jwt_auth_backend_role" "runtime" { count = var.manage_openbao_config ? 1 : 0 backend = vault_jwt_auth_backend.authentik[0].path role_name = "burrow-runtime-read" role_type = "oidc" user_claim = "email" allowed_redirect_uris = [ "https://vault.burrow.net/ui/vault/auth/oidc/oidc/callback", "http://localhost:8250/oidc/callback", ] bound_audiences = [var.authentik_client_id] bound_claims = { groups = var.authentik_runtime_group } oidc_scopes = ["openid", "profile", "email", "groups"] token_policies = [vault_policy.runtime_read[0].name] }