From c21ed2fa3ff623b9bf8fa863a52bcd3b23fc4fa1 Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Tue, 26 Jul 2022 20:09:52 -0700
Subject: [PATCH] Add userpass login to Vault

---
 acls/vault_login.tf                  | 8 ++++++++
 acls/vault_policies.tf               | 9 +++++++++
 bootstrap-values.yml                 | 8 ++++++++
 vault_hashi_vault_values.example.yml | 5 +++++
 4 files changed, 30 insertions(+)
 create mode 100644 acls/vault_login.tf
 create mode 100644 acls/vault_policies.tf

diff --git a/acls/vault_login.tf b/acls/vault_login.tf
new file mode 100644
index 0000000..149bf4e
--- /dev/null
+++ b/acls/vault_login.tf
@@ -0,0 +1,8 @@
+resource "vault_auth_backend" "userpass" {
+  type = "userpass"
+
+  tune {
+    max_lease_ttl      = "1h"
+    listing_visibility = "unauth"
+  }
+}
diff --git a/acls/vault_policies.tf b/acls/vault_policies.tf
new file mode 100644
index 0000000..77ff7f4
--- /dev/null
+++ b/acls/vault_policies.tf
@@ -0,0 +1,9 @@
+resource "vault_policy" "admin" {
+  name = "admin"
+
+  policy = <<EOF
+path "*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+  EOF
+}
diff --git a/bootstrap-values.yml b/bootstrap-values.yml
index 60604c4..135ef41 100644
--- a/bootstrap-values.yml
+++ b/bootstrap-values.yml
@@ -57,3 +57,11 @@
               data:
                 "{{ item.value }}"
           loop: "{{ hashi_vault_values | default({}) | dict2items }}"
+
+        - name: Write userpass
+          community.hashi_vault.vault_write:
+            url: "http://{{ inventory_hostname }}:8200"
+            token: "{{ root_token }}"
+            path: "auth/userpass/users/{{ item.name }}"
+            data: '{"password": "{{ item.password }}", "policies": "{{ item.policies }}"}'
+          loop: "{{ vault_userpass }}"
diff --git a/vault_hashi_vault_values.example.yml b/vault_hashi_vault_values.example.yml
index df367f3..2d3dbe9 100644
--- a/vault_hashi_vault_values.example.yml
+++ b/vault_hashi_vault_values.example.yml
@@ -16,3 +16,8 @@ hashi_vault_values:
     alert_email_addresses: email@example.com
   backups:
     backup_passphrase: tellnoone
+
+vault_userpass:
+  - name: admin
+    password: foo
+    policies: default