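locals {
  # Discover the per-role YAML documents shipped with this module. The glob
  # `{pki-auth-role}*.yaml` has a single alternative, so it matches files named
  # `pki-auth-role*.yaml` under `pki-auth-roles/`.
  #
  # fileset() returns paths relative to path.module, whereas file() resolves
  # relative to the working directory, so the module path is prefixed back on.
  # Without that the read fails when this is used as a child module or applied
  # from another directory.
  inputpki-auth-role-vars = [
    for f in fileset(path.module, "pki-auth-roles/{pki-auth-role}*.yaml") :
    yamldecode(file("${path.module}/${f}"))
  ]

  # Re-key the decoded documents by their `name` field so they can drive
  # for_each. toset() drops byte-identical duplicates first; two distinct files
  # sharing a `name` still fail the plan with a duplicate-key error, which is
  # the right outcome for access-control input (one name, one set of
  # policies/TTLs/allowed names).
  inputpki-auth-role-map = {
    for pki-auth-role in toset(local.inputpki-auth-role-vars) :
    pki-auth-role.name => pki-auth-role
  }
}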
# TLS client-certificate auth method, mounted at `cert/`.
resource "vault_auth_backend" "cert" {
  path = "cert"
  type = "cert"

  tune {
    # "unauth" lets unauthenticated callers see this mount in the UI/mount
    # listing so login flows can discover it; it also advertises that cert
    # auth exists. "hidden" is the alternative if discoverability is not needed.
    listing_visibility = "unauth"
  }
}
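resource "vault_cert_auth_backend_role" "authrole" {
  # One TLS-certificate auth role per YAML document, keyed by its `name`.
  for_each = local.inputpki-auth-role-map

  # `backend` is a plain string from the YAML rather than a reference to
  # vault_auth_backend.cert, so Terraform infers no ordering between the two.
  # Make it explicit so the mount exists before roles are written into it on a
  # fresh apply.
  depends_on = [vault_auth_backend.cert]

  # CA that presented client certificates must chain to: the intermediate
  # signed elsewhere in this configuration (resource not shown in this file).
  certificate = vault_pki_secret_backend_root_sign_intermediate.intermediate.certificate

  backend = each.value.backend
  name    = each.value.name

  # Token lifetime and the policies granted on login come straight from the
  # YAML; edits to those files change who can do what, so review them as
  # access-control configuration rather than as data.
  token_ttl      = each.value.ttl
  token_max_ttl  = each.value.maxttl
  token_policies = each.value.policies

  # Patterns Vault matches against the names in the presented certificate to
  # decide whether it may log in to this role. A broad glob here widens who
  # can authenticate, so keep these as specific as the fleet allows.
  allowed_names = each.value.allowed_machine_ids
}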
# Grants a machine the ability to issue/renew its own certificate through the
# `machine-id` role of the `pki_intermediate` mount (mount configured elsewhere;
# keep the path in sync with it).
resource "vault_policy" "pki-self-renewal" {
  name = "pki-self-renewal"

  # NOTE(review): `issue/` endpoints in Vault's PKI engine are update-only, so
  # "list" appears to grant nothing here; dropping it would keep the policy
  # minimal.
  policy = <<EOF
path "pki_intermediate/issue/machine-id" {
capabilities = ["update","list"]
}
EOF
}
# Allows issuing server certificates via the `server_pki` role of the
# `pki_intermediate` mount (mount and role configured elsewhere; keep the path
# in sync with them).
resource "vault_policy" "server-pki" {
  name = "server-pki"

  # NOTE(review): the `issue/` endpoint is update-only, so "list" appears to be
  # a no-op capability on this path; consider removing it to stay minimal.
  policy = <<EOF
path "pki_intermediate/issue/server_pki" {
capabilities = ["update","list"]
}
EOF
}
# Allows issuing client certificates via the `client_pki` role of the
# `pki_intermediate` mount (mount and role configured elsewhere; keep the path
# in sync with them).
resource "vault_policy" "client-pki" {
  name = "client-pki"

  # NOTE(review): the `issue/` endpoint is update-only, so "list" appears to be
  # a no-op capability on this path; consider removing it to stay minimal.
  policy = <<EOF
path "pki_intermediate/issue/client_pki" {
capabilities = ["update","list"]
}
EOF
}