
@fin09pcap

Notes for your reviewers

  • Introduce the sudo permissions as a potential option when defining an operation for a path.
  • Add the policy subcommand to the harp-terraformer command to support the generation of a policy without an approle.

…cy creation

Signed-off-by: Ben Stickel <ben.stickel@elastic.co>
@fin09pcap fin09pcap self-assigned this May 29, 2025
@fin09pcap fin09pcap requested a review from Copilot May 29, 2025 22:46

Copilot AI left a comment

Pull Request Overview

This PR introduces a new policy subcommand to generate Vault policies without using an AppRole backend, and adds support for a sudo capability in policy rules.

  • Add sudo to the list of allowed Vault capabilities.
  • Define a new PolicyTemplate to render policies via Terraform.
  • Register and implement the policy subcommand in the CLI.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| pkg/terraformer/templates.go | Updated template comments; added PolicyTemplate. |
| pkg/terraformer/compiler.go | Added "sudo" to allowedCapabilities. |
| cmd/harp-terraformer/internal/cmd/root.go | Registered terraformerPolicyCmd in the root command. |
| cmd/harp-terraformer/internal/cmd/policy.go | Implemented the policy subcommand logic. |

Comments suppressed due to low confidence (1)

terraformer/pkg/terraformer/templates.go:22

  • The comment reads TF +0.12 which is misleading—consider reverting to TF 0.12 or clarifying if you mean >=0.12.
// ServiceTemplate is the TF +0.12 Service template.

Signed-off-by: Ben Stickel <ben.stickel@elastic.co>
@fin09pcap fin09pcap merged commit a54c836 into elastic:main Jun 2, 2025
3 checks passed
@fin09pcap fin09pcap deleted the terraformer/policy_definition branch June 2, 2025 19:59