Some checks failed
Cache: Publish Nix / Publish Nix Cache (push) Waiting to run
Build Rust / Cargo Test (push) Successful in 4m14s
Build Site / Next.js Build (push) Failing after 6s
Infra: OpenTofu / OpenTofu (grafana) (push) Successful in 5s
Lint Governance / BEP Metadata (push) Successful in 0s
Build: Android / Android Rust Core Stub (push) Failing after 23s
125 lines
3.1 KiB
HCL
125 lines
3.1 KiB
HCL
resource "vault_mount" "age" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
path = var.age_mount_path
|
|
type = "kv-v2"
|
|
description = "Migrated Burrow age-managed runtime secrets."
|
|
|
|
options = {
|
|
version = "2"
|
|
}
|
|
}
|
|
|
|
resource "vault_policy" "admin" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
name = "burrow-openbao-admin"
|
|
|
|
policy = <<-EOT
|
|
path "*" {
|
|
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
resource "vault_policy" "runtime_read" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
name = "burrow-runtime-read"
|
|
|
|
policy = <<-EOT
|
|
path "${var.age_mount_path}/data/*" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "${var.age_mount_path}/metadata/*" {
|
|
capabilities = ["list", "read"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
resource "vault_auth_backend" "approle" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
path = var.approle_auth_path
|
|
type = "approle"
|
|
description = "Machine auth for Burrow runtime secret consumers."
|
|
|
|
tune {
|
|
token_type = "default-service"
|
|
}
|
|
}
|
|
|
|
resource "vault_approle_auth_backend_role" "runtime" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
backend = vault_auth_backend.approle[0].path
|
|
role_name = var.runtime_approle_role_name
|
|
bind_secret_id = true
|
|
|
|
token_policies = [vault_policy.runtime_read[0].name]
|
|
token_ttl = var.runtime_approle_token_ttl_seconds
|
|
token_max_ttl = var.runtime_approle_token_max_ttl_seconds
|
|
token_num_uses = 0
|
|
|
|
secret_id_ttl = var.runtime_approle_secret_id_ttl_seconds
|
|
secret_id_num_uses = var.runtime_approle_secret_id_num_uses
|
|
}
|
|
|
|
resource "vault_jwt_auth_backend" "authentik" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
path = "oidc"
|
|
type = "oidc"
|
|
oidc_discovery_url = var.authentik_issuer
|
|
bound_issuer = var.authentik_issuer
|
|
oidc_client_id = var.authentik_client_id
|
|
default_role = "burrow-admin"
|
|
|
|
tune {
|
|
listing_visibility = "unauth"
|
|
token_type = "default-service"
|
|
}
|
|
}
|
|
|
|
resource "vault_jwt_auth_backend_role" "admin" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
backend = vault_jwt_auth_backend.authentik[0].path
|
|
role_name = "burrow-admin"
|
|
role_type = "oidc"
|
|
user_claim = "email"
|
|
|
|
allowed_redirect_uris = [
|
|
"https://vault.burrow.net/ui/vault/auth/oidc/oidc/callback",
|
|
"http://localhost:8250/oidc/callback",
|
|
]
|
|
|
|
bound_audiences = [var.authentik_client_id]
|
|
bound_claims = {
|
|
groups = var.authentik_admin_group
|
|
}
|
|
oidc_scopes = ["openid", "profile", "email", "groups"]
|
|
token_policies = [vault_policy.admin[0].name]
|
|
}
|
|
|
|
resource "vault_jwt_auth_backend_role" "runtime" {
|
|
count = var.manage_openbao_config ? 1 : 0
|
|
|
|
backend = vault_jwt_auth_backend.authentik[0].path
|
|
role_name = "burrow-runtime-read"
|
|
role_type = "oidc"
|
|
user_claim = "email"
|
|
|
|
allowed_redirect_uris = [
|
|
"https://vault.burrow.net/ui/vault/auth/oidc/oidc/callback",
|
|
"http://localhost:8250/oidc/callback",
|
|
]
|
|
|
|
bound_audiences = [var.authentik_client_id]
|
|
bound_claims = {
|
|
groups = var.authentik_runtime_group
|
|
}
|
|
oidc_scopes = ["openid", "profile", "email", "groups"]
|
|
token_policies = [vault_policy.runtime_read[0].name]
|
|
}
|