locals {
  # Discover every YAML file under identity_groups/ whose name starts with
  # "identity_group_" and decode each one into a native Terraform value.
  # The committed contents of that directory are therefore the source of
  # truth for Vault group definitions and policy attachments; changes to it
  # deserve the same review as a change to this .tf file.
  inputidentitygroupvars = [
    for yaml_path in fileset(path.module, "identity_groups/{identity_group_}*.yaml") :
    yamldecode(file(yaml_path))
  ]

  # Key the decoded objects by their "name" attribute so the resources in this
  # module can iterate them with for_each. toset() requires every decoded object
  # to have the same type, and the map comprehension rejects duplicate keys, so a
  # second file declaring an already-used name fails the plan instead of silently
  # overwriting the first definition.
  inputidentitygroupmap = {
    for group_def in toset(local.inputidentitygroupvars) : group_def.name => group_def
  }
}
resource "vault_identity_group" "identity_group" {
  for_each = local.inputidentitygroupmap

  name = each.key
  type = "internal"

  # Policies come straight from the group's YAML definition
  # (identity_group_policies). NOTE(review): external_policies is not set on
  # this resource, so the provider treats the policy list as Terraform-owned
  # and out-of-band additions should show up as drift on the next plan — confirm
  # against the provider version in use.
  policies = [for policy_name in each.value.identity_group_policies : policy_name]

  # Membership is attached by the separate *_member_entity_ids /
  # *_member_group_ids resources and may also be changed outside Terraform,
  # so the member id lists read back from Vault are ignored for diffing rather
  # than reported as changes to this resource.
  external_member_entity_ids = true
  external_member_group_ids  = true
}
resource "vault_identity_group_member_entity_ids" "human_group" {
  for_each = local.inputidentitygroupmap

  group_id = vault_identity_group.identity_group[each.key].id

  # Resolve each name listed under human_identities in the YAML to the id of
  # the matching vault_identity_entity.human instance (declared elsewhere in
  # this module; a name with no matching entity fails the plan).
  member_entity_ids = [
    for entity_name in each.value.human_identities : vault_identity_entity.human[entity_name].id
  ]

  # Non-exclusive: only the ids listed above are added, and ids this resource
  # does not manage are left in place. This is what lets the human and
  # application member resources coexist on one group, but it also means a
  # member added directly in Vault is not removed by Terraform — membership
  # audit has to happen on the Vault side.
  exclusive = false
}
resource "vault_identity_group_member_entity_ids" "application_group" {
  for_each = local.inputidentitygroupmap

  group_id = vault_identity_group.identity_group[each.key].id

  # Resolve each name listed under application_identities in the YAML to the
  # id of the matching vault_identity_entity.application instance (declared
  # elsewhere in this module; a name with no matching entity fails the plan).
  member_entity_ids = [
    for entity_name in each.value.application_identities : vault_identity_entity.application[entity_name].id
  ]

  # Non-exclusive, mirroring human_group: the two member resources each add
  # their own ids to the same group without clearing the other's. Ids added to
  # the group outside Terraform are likewise left in place.
  exclusive = false
}
resource "vault_identity_group_member_group_ids" "group_group" {
  for_each = local.inputidentitygroupmap

  group_id = vault_identity_group.identity_group[each.key].id

  # Nest groups: every name under sub_groups in the YAML must itself be one of
  # the groups defined in this module, since it is looked up in the same
  # vault_identity_group.identity_group map. Note that nesting a group grants
  # its members the parent's policies, so a sub_groups edit is a policy change.
  member_group_ids = [
    for child_group in each.value.sub_groups : vault_identity_group.identity_group[child_group].id
  ]

  # Non-exclusive: child groups attached outside Terraform are not detached.
  exclusive = false
}