# Enable the userpass auth method. No explicit path is given, so the provider
# mounts it at its default (the method type, i.e. "userpass").
# NOTE(review): no users are defined in this file, so this mount alone grants
# nothing; whoever manages the users also owns their password/token policy.
resource "vault_auth_backend" "userpass" {
  type = "userpass"
}
# Enable the approle auth method at its default mount path ("approle").
# The two role resources below attach to this mount via its exported `path`.
resource "vault_auth_backend" "approle" {
  type = "approle"
}
# AppRole used by Ansible; tokens it logs in with carry only the "ansible"
# policy (which is not defined in this file — presumably managed elsewhere).
# NOTE(review): no token_ttl / token_max_ttl, secret_id_ttl, secret_id_num_uses
# or *_bound_cidrs are set, so SecretIDs and tokens fall back to the mount's
# defaults and can be used from any network. Worth tightening if this role
# holds anything sensitive.
resource "vault_approle_auth_backend_role" "ansible" {
  backend        = vault_auth_backend.approle.path
  role_name      = "ansible"
  token_policies = ["ansible"]
}
# AppRole used by Argo CD; tokens carry only the "argocd" policy (defined
# outside this file).
# NOTE(review): same gap as the ansible role — no token or SecretID TTLs,
# use counts, or bound CIDRs, so mount defaults apply. Argo CD normally runs
# from a fixed set of cluster addresses, which would make token_bound_cidrs /
# secret_id_bound_cidrs a low-cost restriction.
resource "vault_approle_auth_backend_role" "argocd" {
  backend        = vault_auth_backend.approle.path
  role_name      = "argocd"
  token_policies = ["argocd"]
}
# Mount the ssh secrets engine at "ssh-client-signer"; this is the CA that
# signs client user certificates.
# Lease TTLs are not set here (default_lease_ttl_seconds / max_lease_ttl_seconds),
# so Vault's system defaults bound certificate lifetimes unless a role sets its own.
resource "vault_mount" "ssh" {
  type = "ssh"
  path = "ssh-client-signer"
}
# Configure the SSH CA on the mount above and have Vault generate its own
# signing key pair. Only the public half is exported (`public_key`), so no
# private key material passes through Terraform config or state.
# NOTE(review): key type and size are left to Vault's defaults here — confirm
# they meet policy, since the role below pins an RSA signature algorithm.
resource "vault_ssh_secret_backend_ca" "ssh" {
  backend              = vault_mount.ssh.path
  generate_signing_key = true
}
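# SSH role "clientrole": defines what client certificates the CA on
# vault_mount.ssh may sign. Written through the generic endpoint; the payload
# is built with jsonencode so a malformed literal fails at plan time rather
# than at the Vault API, and the role path is derived from the mount instead
# of repeating the mount name by hand.
resource "vault_generic_endpoint" "clientrole" {
  # The role can only be written once the CA key exists on the mount.
  depends_on = [vault_ssh_secret_backend_ca.ssh]

  # Follows vault_mount.ssh.path so a rename of the mount cannot leave this
  # role pointing at a stale, hard-coded mount name.
  path                 = "${vault_mount.ssh.path}/roles/clientrole"
  ignore_absent_fields = true

  data_json = jsonencode({
    key_type                = "ca"
    allow_user_certificates = true

    # NOTE(review): "*" lets a requester ask for a certificate for any
    # principal, including privileged accounts; the Vault policy attached to
    # the requesting role is then the only remaining control. Prefer an
    # explicit principal list (or allowed_users_template with identity
    # metadata) where the set of target users is known.
    allowed_users = "*"
    default_user  = "ansible"

    # Extensions a requester may ask for; only permit-pty is granted by
    # default. permit-port-forwarding is wider than the default set and worth
    # confirming against actual need.
    allowed_extensions = "permit-pty,permit-port-forwarding"
    default_extensions = [
      { "permit-pty" = "" }
    ]

    # Use a SHA-2 signature rather than legacy ssh-rsa (SHA-1); only relevant
    # while the CA key generated on the mount is RSA.
    algorithm_signer = "rsa-sha2-512"

    # Certificate lifetime. No max_ttl is set, so requesters may ask for
    # longer-lived certificates up to the mount's maximum lease TTL.
    ttl = "30m0s"
  })
}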