burrow/infra/openbao/openbao.tf
Conrad Kramer 002bd382e9
Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
Wire Forge-native release infrastructure
2026-06-07 05:51:12 -07:00

125 lines
3.1 KiB
HCL

resource "vault_mount" "age" {
count = var.manage_openbao_config ? 1 : 0
path = var.age_mount_path
type = "kv-v2"
description = "Migrated Burrow age-managed runtime secrets."
options = {
version = "2"
}
}
resource "vault_policy" "admin" {
count = var.manage_openbao_config ? 1 : 0
name = "burrow-openbao-admin"
policy = <<-EOT
path "*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOT
}
resource "vault_policy" "runtime_read" {
count = var.manage_openbao_config ? 1 : 0
name = "burrow-runtime-read"
policy = <<-EOT
path "${var.age_mount_path}/data/*" {
capabilities = ["read"]
}
path "${var.age_mount_path}/metadata/*" {
capabilities = ["list", "read"]
}
EOT
}
resource "vault_auth_backend" "approle" {
count = var.manage_openbao_config ? 1 : 0
path = var.approle_auth_path
type = "approle"
description = "Machine auth for Burrow runtime secret consumers."
tune {
token_type = "default-service"
}
}
resource "vault_approle_auth_backend_role" "runtime" {
count = var.manage_openbao_config ? 1 : 0
backend = vault_auth_backend.approle[0].path
role_name = var.runtime_approle_role_name
bind_secret_id = true
token_policies = [vault_policy.runtime_read[0].name]
token_ttl = var.runtime_approle_token_ttl_seconds
token_max_ttl = var.runtime_approle_token_max_ttl_seconds
token_num_uses = 0
secret_id_ttl = var.runtime_approle_secret_id_ttl_seconds
secret_id_num_uses = var.runtime_approle_secret_id_num_uses
}
resource "vault_jwt_auth_backend" "authentik" {
count = var.manage_openbao_config ? 1 : 0
path = "oidc"
type = "oidc"
oidc_discovery_url = var.authentik_issuer
bound_issuer = var.authentik_issuer
oidc_client_id = var.authentik_client_id
default_role = "burrow-admin"
tune {
listing_visibility = "unauth"
token_type = "default-service"
}
}
resource "vault_jwt_auth_backend_role" "admin" {
count = var.manage_openbao_config ? 1 : 0
backend = vault_jwt_auth_backend.authentik[0].path
role_name = "burrow-admin"
role_type = "oidc"
user_claim = "email"
allowed_redirect_uris = [
"https://vault.burrow.net/ui/vault/auth/oidc/oidc/callback",
"http://localhost:8250/oidc/callback",
]
bound_audiences = [var.authentik_client_id]
bound_claims = {
groups = var.authentik_admin_group
}
oidc_scopes = ["openid", "profile", "email", "groups"]
token_policies = [vault_policy.admin[0].name]
}
resource "vault_jwt_auth_backend_role" "runtime" {
count = var.manage_openbao_config ? 1 : 0
backend = vault_jwt_auth_backend.authentik[0].path
role_name = "burrow-runtime-read"
role_type = "oidc"
user_claim = "email"
allowed_redirect_uris = [
"https://vault.burrow.net/ui/vault/auth/oidc/oidc/callback",
"http://localhost:8250/oidc/callback",
]
bound_audiences = [var.authentik_client_id]
bound_claims = {
groups = var.authentik_runtime_group
}
oidc_scopes = ["openid", "profile", "email", "groups"]
token_policies = [vault_policy.runtime_read[0].name]
}