From 40b0776ce973bd6d649e6152bd51b9734a130a01 Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Tue, 26 Jul 2022 20:14:48 -0700
Subject: [PATCH] WIP: Enable vault oidc provider

---
 nomad/acls/acls.tf                |  6 ++++
 nomad/acls/vars.tf                |  5 +++
 nomad/acls/vault_login.tf         | 16 +++++++++
 nomad/acls/vault_oidc_provider.tf | 60 +++++++++++++++++++++++++++++++
 4 files changed, 87 insertions(+)
 create mode 100644 nomad/acls/vault_oidc_provider.tf

diff --git a/nomad/acls/acls.tf b/nomad/acls/acls.tf
index 4631b7c..b4071d1 100644
--- a/nomad/acls/acls.tf
+++ b/nomad/acls/acls.tf
@@ -4,3 +4,9 @@ resource "nomad_acl_policy" "create_post_bootstrap_policy" {
   description = "Anon RW"
   rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")
 }
+
+resource "nomad_acl_policy" "admin" {
+  name        = "admin"
+  description = "admin policy with access to everything"
+  rules_hcl   = file("${path.module}/nomad-anon-bootstrap.hcl")
+}
diff --git a/nomad/acls/vars.tf b/nomad/acls/vars.tf
index 4c6fcca..d619625 100644
--- a/nomad/acls/vars.tf
+++ b/nomad/acls/vars.tf
@@ -15,3 +15,8 @@ variable "vault_token" {
   sensitive = true
   default   = ""
 }
+
+variable "vault_admin_password" {
+  type      = string
+  sensitive = true
+}
diff --git a/nomad/acls/vault_login.tf b/nomad/acls/vault_login.tf
index 149bf4e..d6664b2 100644
--- a/nomad/acls/vault_login.tf
+++ b/nomad/acls/vault_login.tf
@@ -6,3 +6,19 @@ resource "vault_auth_backend" "userpass" {
     listing_visibility = "unauth"
   }
 }
+
+resource "vault_generic_secret" "admin_user" {
+  path = "auth/userpass/users/admin"
+
+  data_json = <<EOT
+{
+  "password": "${var.vault_admin_password}",
+  "policies": "admin"
+}
+EOT
+
+  depends_on = [
+    vault_auth_backend.userpass,
+    vault_policy.admin,
+  ]
+}
diff --git a/nomad/acls/vault_oidc_provider.tf b/nomad/acls/vault_oidc_provider.tf
new file mode 100644
index 0000000..ac87530
--- /dev/null
+++ b/nomad/acls/vault_oidc_provider.tf
@@ -0,0 +1,60 @@
+# Create an identity for the admin user
+resource "vault_identity_entity" "admin" {
+  name     = "admin"
+  policies = ["admin"]
+  metadata = {
+    email = "admin@example.com"
+  }
+
+  depends_on = [
+    vault_policy.admin,
+    vault_generic_secret.admin_user,
+  ]
+}
+
+# Tie the identity to the userpass
+resource "vault_identity_entity_alias" "admin" {
+  name           = "admin"
+  mount_accessor = vault_auth_backend.userpass.accessor
+  canonical_id   = vault_identity_entity.admin.id
+}
+
+# Tie the identity to a group
+resource "vault_identity_group" "admins" {
+  name              = "admins"
+  member_entity_ids = [vault_identity_entity.admin.id]
+}
+
+# Create an oidc client
+resource "vault_identity_oidc_assignment" "everyone" {
+  name = "everyone"
+  entity_ids = [
+    vault_identity_entity.admin.id,
+  ]
+  group_ids = [
+    vault_identity_group.admins.id,
+  ]
+}
+
+resource "vault_identity_oidc_key" "key" {
+  name               = "key"
+  algorithm          = "RS256"
+  rotation_period    = 3600
+  verification_ttl   = 7200
+  allowed_client_ids = ["*"]
+}
+
+resource "vault_identity_oidc_client" "consul" {
+  name = "consul"
+  redirect_uris = [
+    "http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
+    "http://127.0.0.1:8251/callback",
+    "http://127.0.0.1:8080/callback"
+  ]
+  assignments = [
+    vault_identity_oidc_assignment.everyone.name
+  ]
+  key              = vault_identity_oidc_key.key.name
+  id_token_ttl     = 2400
+  access_token_ttl = 7200
+}