// Vault provider. Only the server address is an input; the provider reads its
// token from the VAULT_TOKEN environment variable, so no credential is stored
// in variables, tfvars or state.
provider "vault" {
  address = var.vault_address
}
// GitHub Actions -> Vault trust via OIDC. The module provisions the auth backend
// and one role per entry in oidc_bindings (module internals not visible here).
module "github_oidc" {
  source  = "digitalocean/github-oidc/vault"
  version = "~> 2.1.0"

  // Issuer of the workflow tokens. The "fakeexample" host reads as a placeholder
  // for a GitHub Enterprise Server instance; workflows on github.com are issued
  // tokens by https://token.actions.githubusercontent.com instead — confirm which
  // issuer the bound repositories actually use.
  github_identity_provider = "https://github.fakeexample.digitalocean.com/_services/token"

  // Each binding pins an exact subject (no wildcards). Both roles receive the
  // same policy; the prod/nonprod split lives only in the subject claim.
  oidc_bindings = [
    // Jobs running inside the repository's "nonprod" environment.
    {
      vault_role_name = "oidc-test"
      audience        = "https://github.com/artis3n"
      bound_subject   = "repo:artis3n/github-oidc-vault-example:environment:nonprod"
      vault_policies  = [vault_policy.example.name]
    },
    // Jobs triggered from the main branch (no environment in the subject).
    {
      vault_role_name = "oidc-prod-test"
      audience        = "https://github.com/artis3n"
      bound_subject   = "repo:artis3n/github-oidc-vault-example:ref:refs/heads/main"
      vault_policies  = [vault_policy.example.name]
    },
  ]
}
// The single policy granted to every OIDC role above; its rules are rendered
// from the vault_policy_document data source.
resource "vault_policy" "example" {
  name   = "oidc-example"
  policy = data.vault_policy_document.example.hcl
}
// Read-only access to one exact secret path; no wildcards, no write/delete.
data "vault_policy_document" "example" {
  rule {
    path         = "secret/data/foo/bar"
    capabilities = ["list", "read"]
    // NOTE(review): the "secret/data/" prefix suggests a KV v2 mount, where
    // listing is served from "secret/metadata/..."; "list" on this path is then
    // likely inert — confirm against the mount type.
  }
}
// Looks up the auth backend the module mounted, keyed by the path it reports.
// Nothing else in this file references the result.
data "vault_auth_backend" "generated_backend" {
  path = module.github_oidc.auth_backend_path
}