-
Notifications
You must be signed in to change notification settings - Fork 0
/
vault.tf
126 lines (111 loc) · 4.41 KB
/
vault.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
resource "vault_mount" "pki_root" {
path = "${var.namespace}_idam_root"
type = "pki"
description = "This is an pki_root mount"
default_lease_ttl_seconds = "315360000"
max_lease_ttl_seconds = "315360000"
}
resource "vault_mount" "pki_intermediate" {
path = "${var.namespace}_idam_intermediate"
type = "pki"
description = "This is an pki_intermediate mount"
default_lease_ttl_seconds = "31536000"
max_lease_ttl_seconds = "31536000"
}
resource "vault_pki_secret_backend_config_urls" "idam_root_config_urls" {
backend = vault_mount.pki_root.path
crl_distribution_points = ["${var.vaulturl}/v1/${vault_mount.pki_root.path}/crl"]
issuing_certificates = ["${var.vaulturl}/v1/${vault_mount.pki_root.path}/ca"]
}
resource "vault_pki_secret_backend_config_urls" "idam_intermediate_config_urls" {
backend = vault_mount.pki_intermediate.path
crl_distribution_points = ["${var.vaulturl}/v1/${vault_mount.pki_intermediate.path}/crl"]
issuing_certificates = ["${var.vaulturl}/v1/${vault_mount.pki_intermediate.path}/ca"]
}
resource "vault_pki_secret_backend_root_cert" "root" {
depends_on = [vault_mount.pki_root]
backend = vault_mount.pki_root.path
type = "internal"
common_name = "${var.organisation} ${var.ou} Root"
ttl = "315360000"
format = "pem"
private_key_format = "der"
key_type = "rsa"
key_bits = 4096
exclude_cn_from_sans = true
ou = var.ou
organization = var.organisation
country = var.country
locality = var.locality
}
resource "vault_pki_secret_backend_intermediate_cert_request" "intermediate" {
depends_on = [vault_mount.pki_intermediate]
backend = vault_mount.pki_intermediate.path
type = "internal"
common_name = "${var.organisation} Intermediate"
}
resource "vault_pki_secret_backend_root_sign_intermediate" "intermediate" {
depends_on = [vault_pki_secret_backend_intermediate_cert_request.intermediate]
backend = vault_mount.pki_root.path
csr = vault_pki_secret_backend_intermediate_cert_request.intermediate.csr
common_name = "${var.organisation} ${var.ou} Intermediate"
exclude_cn_from_sans = true
ou = var.ou
organization = var.organisation
}
resource "vault_pki_secret_backend_intermediate_set_signed" "intermediate" {
backend = vault_mount.pki_intermediate.path
certificate = "${vault_pki_secret_backend_root_sign_intermediate.intermediate.certificate}\n${vault_pki_secret_backend_root_sign_intermediate.intermediate.issuing_ca}"
}
resource "vault_pki_secret_backend_role" "backend_role_admin" {
backend = vault_mount.pki_intermediate.path
name = "admin"
allowed_domains = var.allowed_domains
allow_subdomains = true
max_ttl = "28296000"
key_usage = ["DigitalSignature", "KeyAgreement", "KeyEncipherment"]
}
resource "vault_pki_secret_backend_role" "backend_role_idam" {
backend = vault_mount.pki_intermediate.path
name = "${var.namespace}_idam"
allowed_domains = var.allowed_domains
allow_subdomains = true
allow_glob_domains = true
use_csr_common_name = true
require_cn = false
allow_any_name = true
}
resource "vault_policy" "cert-policy" {
name = "cert-policy"
policy = <<EOT
path "qhcv_idam_intermediate/issue*" {
capabilities = ["create","update"]
}
path "auth/token/renew" {
capabilities = ["update"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
EOT
}
resource "vault_auth_backend" "approle" {
type = "approle"
}
resource "vault_approle_auth_backend_role" "example" {
backend = vault_auth_backend.approle.path
role_name = "test-role"
token_policies = ["cert-policy"]
}
resource "local_file" "roleid" {
content = vault_approle_auth_backend_role.example.role_id
filename = "/vault/agent/certs/role_id"
}
resource "vault_approle_auth_backend_role_secret_id" "id" {
backend = vault_auth_backend.approle.path
role_name = vault_approle_auth_backend_role.example.role_name
}
resource "local_file" "secretid" {
content = vault_approle_auth_backend_role_secret_id.id.secret_id
filename = "/vault/agent/certs/secret_id"
}