iamthefij/orchestration-tests
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

WIP: Enable vault oidc provider

Browse Source
This commit is contained in:
IamTheFij 2022-07-26 20:14:48 -07:00
parent 3033c581f3
commit 40b0776ce9
4 changed files with 87 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
nomad/acls/acls.tf
View File

@ -4,3 +4,9 @@ resource "nomad_acl_policy" "create_post_bootstrap_policy" {
description = "Anon RW" description = "Anon RW"
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl") rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
} }
resource "nomad_acl_policy" "admin" {
name = "admin"
description = "admin policy with access to everything"
rules_hcl = file("${path.module}/nomad-anon-bootstrap.hcl")
}

5
nomad/acls/vars.tf
View File

@ -15,3 +15,8 @@ variable "vault_token" {
sensitive = true sensitive = true
default = "" default = ""
} }
variable "vault_admin_password" {
type = string
sensitive = true
}

16
nomad/acls/vault_login.tf
View File

@ -6,3 +6,19 @@ resource "vault_auth_backend" "userpass" {
listing_visibility = "unauth" listing_visibility = "unauth"
} }
} }
resource "vault_generic_secret" "admin_user" {
path = "auth/userpass/users/admin"
data_json = <<EOT
{
"password": "${var.vault_admin_password}",
"policies": "admin"
}
EOT
depends_on = [
vault_auth_backend.userpass,
vault_policy.admin,
]
}

60
nomad/acls/vault_oidc_provider.tf Normal file
View File

@ -0,0 +1,60 @@
# Create an identity for the admin user
resource "vault_identity_entity" "admin" {
name = "admin"
policies = ["admin"]
metadata = {
email = "admin@example.com"
}
depends_on = [
vault_policy.admin,
vault_generic_secret.admin_user,
]
}
# Tie the identity to the userpass
resource "vault_identity_entity_alias" "admin" {
name = "admin"
mount_accessor = vault_auth_backend.userpass.accessor
canonical_id = vault_identity_entity.admin.id
}
# Tie the identity to a group
resource "vault_identity_group" "admins" {
name = "admins"
member_entity_ids = [vault_identity_entity.admin.id]
}
# Create an oidc client
resource "vault_identity_oidc_assignment" "everyone" {
name = "everyone"
entity_ids = [
vault_identity_entity.admin.id,
]
group_ids = [
vault_identity_group.admins.id,
]
}
resource "vault_identity_oidc_key" "key" {
name = "key"
algorithm = "RS256"
rotation_period = 3600
verification_ttl = 7200
allowed_client_ids = ["*"]
}
resource "vault_identity_oidc_client" "consul" {
name = "consul"
redirect_uris = [
"http://127.0.0.1:9200/v1/auth-methods/oidc:authenticate:callback",
"http://127.0.0.1:8251/callback",
"http://127.0.0.1:8080/callback"
]
assignments = [
vault_identity_oidc_assignment.everyone.name
]
key = vault_identity_oidc_key.key.name
id_token_ttl = 2400
access_token_ttl = 7200
}