Remove backend.tf from child module

- backend.tf should only exist in root modules, not child modules
- Removes warning: Backend configuration ignored
- This module is only used as a child module via git source

.gitea/workflows/pipeline.yaml

@@ -20,7 +20,7 @@ jobs:
     - name: Setup TFLint
       uses: terraform-linters/setup-tflint@v4
       with:
-        tflint_version: latest
+        tflint_version: v0.50.3
 
     - name: Initialize TFLint
       working-directory: terraform

ansible/roles/consul_template-legacy

@@ -1 +0,0 @@
-Subproject commit 011db9074813e45da783f410592c31a0f31c482e

ansible/roles/consul_template-legacy/README.md

@@ -0,0 +1,49 @@
+#consul_template
+
+An Ansible role to install and configure HashiCorp’s consul-template, securely fetching TLS certificates and private keys\
+from HashiCorp Vault using AppRole authentication, rendering them to disk, and reloading services when certificates change.
+
+### Requirements
+	•	consul-template binary downloaded from HashiCorp releases.
+	•	Network connectivity from the target host to the Vault instance (vault_address).
+	•	Appropriate Vault AppRole credentials (vault_approle_role_id, vault_approle_secret_id) provisioned by Terraform or other automation.
+
+### Role Variables
+
+The following variables are required and should be set either through inventory or as role parameters:
+
+ | Variable	               | Description                                                | Default |
+ | vault_address           | URL of your HashiCorp Vault instance                       | None (required) |
+ | vault_approle_role_id   | Vault AppRole Role ID for consul-template authentication   | None (required) |
+ | vault_approle_secret_id | Vault AppRole Secret ID for consul-template authentication | None (required) |
+ | environment             | Environment identifier (e.g., prod, nonprod)               | None (required) |
+ | short_hostname          | Short hostname of the target server (used in file naming)  | None (required) |
+
+### Dependencies
+
+No direct Ansible Galaxy role dependencies. However, it relies on Terraform to provision AppRole credentials and Vault secrets.
+
+### Example Playbook
+
+Example playbook demonstrating basic role usage:
+
+```yml
+- hosts: webservers
+  become: true
+  roles:
+    - role: consul_template
+      vars:
+        vault_address: "https://vault.example.com:8200"
+        vault_approle_role_id: "{{ vault_approle_role_id }}"
+        vault_approle_secret_id: "{{ vault_approle_secret_id }}"
+        environment: "prod"
+        short_hostname: "web01"
+```
+
+### License
+
+BSD
+
+### Author Information
+
+Created by Patrick De Ruiter.

ansible/roles/consul_template-legacy/defaults/main.yml

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# defaults file for consul_template

ansible/roles/consul_template-legacy/files/certificate.ctmpl

@@ -0,0 +1,5 @@
+{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
+{{ .Data.data.certificate }}
+{{ .Data.data.chain_pem }}
+{{ end }}
+

ansible/roles/consul_template-legacy/files/chain_pem.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
+{{ .Data.data.chain_pem }}
+{{ end }}

ansible/roles/consul_template-legacy/files/private_key.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
+{{ .Data.data.private_key }}
+{{ end }}

ansible/roles/consul_template-legacy/handlers/main.yml

@@ -0,0 +1,9 @@
+#SPDX-License-Identifier: MIT-0
+---
+# handlers file for consul_template
+
+- name: restart consul-template
+  systemd:
+    name: consul-template
+    state: restarted
+    daemon_reload: yes

ansible/roles/consul_template-legacy/meta/main.yml

@@ -0,0 +1,20 @@
+#SPDX-License-Identifier: BSD-3-Clause
+galaxy_info:
+author: Patrick De Ruiter
+description: An Ansible role to install and configure consul-template, fetching TLS certificates from HashiCorp Vault using AppRole authentication.
+company: “Benerail N.V.”
+
+license: BSD-3-Clause
+
+min_ansible_version: 2.10
+
+galaxy_tags:
+- vault
+- consul
+- consultemplate
+- tls
+- certificates
+- security
+- automation
+
+dependencies: []

ansible/roles/consul_template-legacy/tasks/main.yml

@@ -0,0 +1,86 @@
+- name: Determine architecture
+  set_fact:
+    consul_template_arch: "{{ arch_mapping[ansible_architecture] | default('amd64') }}"
+
+- name: Download consul-template checksum file
+  get_url:
+    url: "https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_SHA256SUMS"
+    dest: "/tmp/consul-template_{{ consul_template.version }}_SHA256SUMS"
+    mode: '0644'
+
+- name: Extract expected checksum
+  shell: |
+    grep "consul-template_{{ consul_template.version }}_linux_{{ consul_template_arch }}.zip" \
+      /tmp/consul-template_{{ consul_template.version }}_SHA256SUMS | cut -d' ' -f1
+  register: expected_checksum
+  changed_when: false
+
+- name: Install consul-template
+  unarchive:
+    src: "https://releases.hashicorp.com/consul-template/{{ consul_template.version }}/consul-template_{{ consul_template.version }}_linux_{{ consul_template_arch }}.zip"
+    dest: "{{ consul_template.install_dir }}"
+    remote_src: yes
+    owner: root
+    group: root
+    mode: '0755'
+    checksum: "sha256:{{ expected_checksum.stdout }}"
+
+- name: Create consul-template user
+  user:
+    name: "{{ consul_template.user }}"
+    group: "{{ consul_template.group }}"
+    system: yes
+    shell: /bin/false
+    home: "{{ consul_template.config_dir }}"
+    create_home: no
+
+- name: Create consul-template group
+  group:
+    name: "{{ consul_template.group }}"
+    system: yes
+
+- name: Create consul-template directories
+  file:
+    path: "{{ item.path }}"
+    state: directory
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+  loop:
+    - { path: "{{ consul_template.config_dir }}", mode: '0755', owner: "{{ consul_template.user }}", group: "{{ consul_template.group }}" }
+    - { path: "{{ certificate_paths.cert_dir }}", mode: '0755' }
+    - { path: "{{ certificate_paths.private_dir }}", mode: '0700' }
+
+- name: Deploy consul-template template files
+  copy:
+    src: "{{ item }}"
+    dest: "{{ consul_template.config_dir }}/{{ item }}"
+    mode: '0644'
+    owner: "{{ consul_template.user }}"
+    group: "{{ consul_template.group }}"
+  loop:
+    - certificate.ctmpl
+    - private_key.ctmpl
+    - chain_pem.ctmpl
+  notify: restart consul-template
+
+- name: Deploy consul-template config
+  template:
+    src: consul-template-config.hcl.j2
+    dest: "{{ consul_template.config_dir }}/config.hcl"
+    mode: '0600'
+    owner: "{{ consul_template.user }}"
+    group: "{{ consul_template.group }}"
+  notify: restart consul-template
+
+- name: Deploy consul-template systemd unit
+  template:
+    src: consul-template.service.j2
+    dest: /etc/systemd/system/consul-template.service
+
+- name: Enable and start consul-template
+  systemd:
+    name: consul-template
+    enabled: true
+    state: started
+    daemon_reload: yes

ansible/roles/consul_template-legacy/templates/consul-template-config.hcl.j2

@@ -0,0 +1,35 @@
+vault {
+  address      = "{{ vault_address }}"
+  auth {
+    method "approle" {
+      config = {
+        role_id   = "{{ vault_approle_role_id }}"
+        secret_id = "{{ vault_approle_secret_id }}"
+      }
+    }
+  }
+  renew_token = true
+}
+
+log_level = "{{ consul_template.log_level | default('INFO') }}"
+
+template {
+  source      = "{{ consul_template.config_dir }}/certificate.ctmpl"
+  destination = "{{ certificate_paths.cert_dir }}/{{ certificate_paths.cert_file }}"
+  command     = "{{ service_reload_commands[certificate_service | default('default')] }}"
+  perms       = 0644
+}
+
+template {
+  source      = "{{ consul_template.config_dir }}/private_key.ctmpl"
+  destination = "{{ certificate_paths.private_dir }}/{{ certificate_paths.private_key_file }}"
+  command     = "chmod 600 {{ certificate_paths.private_dir }}/{{ certificate_paths.private_key_file }}"
+  perms       = 0600
+}
+
+template {
+  source      = "{{ consul_template.config_dir }}/chain_pem.ctmpl"
+  destination = "{{ certificate_paths.private_dir }}/{{ certificate_paths.chain_file }}"
+  command     = "chmod 600 {{ certificate_paths.private_dir }}/{{ certificate_paths.chain_file }}"
+  perms       = 0600
+}

ansible/roles/consul_template-legacy/templates/consul-template.service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description=consul-template TLS Certificate
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User={{ consul_template.user }}
+Group={{ consul_template.group }}
+ExecStart={{ consul_template.install_dir }}/consul-template \
+  -config={{ consul_template.config_dir }}/config.hcl
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/consul_template-legacy/tests/inventory

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+localhost
+

ansible/roles/consul_template-legacy/tests/test.yml

@@ -0,0 +1,6 @@
+#SPDX-License-Identifier: MIT-0
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - consul_template

ansible/roles/consul_template-legacy/vars/main.yml

@@ -0,0 +1,3 @@
+#SPDX-License-Identifier: MIT-0
+---
+# vars file for consul_template

ansible/roles/consul_template-org

@@ -1 +0,0 @@
-Subproject commit 7c00f1e5e059869c33291948282e7772e5427562

ansible/roles/consul_template-org/files/certificate.ctmpl

@@ -0,0 +1,5 @@
+{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
+{{ .Data.data.certificate }}
+{{ .Data.data.chain_pem }}
+{{ end }}
+

ansible/roles/consul_template-org/files/chain_pem.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
+{{ .Data.data.chain_pem }}
+{{ end }}

ansible/roles/consul_template-org/files/private_key.ctmpl

@@ -0,0 +1,3 @@
+{{ with secret "secret/data/{{ environment }}/{{ short_hostname }}/certificate" }}
+{{ .Data.data.private_key }}
+{{ end }}

ansible/roles/consul_template-org/tasks/main.yml

@@ -0,0 +1,33 @@
+- name: Install consul-template
+  unarchive:
+    src: "https://releases.hashicorp.com/consul-template/0.37.4/consul-template_0.37.4_linux_amd64.zip"
+    dest: /usr/local/bin
+    remote_src: yes
+
+- name: Create consul-template directories
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - /etc/consul-template
+    - /etc/ssl/certs
+    - /etc/ssl/private
+
+- name: Deploy consul-template config
+  template:
+    src: consul-template-config.hcl.j2
+    dest: /etc/consul-template/config.hcl
+    mode: '0600'
+
+- name: Deploy consul-template systemd unit
+  template:
+    src: consul-template.service.j2
+    dest: /etc/systemd/system/consul-template.service
+
+- name: Enable and start consul-template
+  systemd:
+    name: consul-template
+    enabled: true
+    state: restarted
+    daemon_reload: yes

ansible/roles/consul_template-org/templates/consul-template-config.hcl.j2

@@ -0,0 +1,30 @@
+vault {
+  address      = "{{ vault_address }}"
+  auth {
+    method "approle" {
+      config = {
+        role_id   = "{{ vault_approle_role_id }}"
+        secret_id = "{{ vault_approle_secret_id }}"
+      }
+    }
+  }
+  renew_token = true
+}
+
+template {
+  source      = "/etc/consul-template/certificate.ctmpl"
+  destination = "/etc/ssl/certs/{{ short_hostname }}.pem"
+  command     = "systemctl reload nginx"
+}
+
+template {
+  source      = "/etc/consul-template/private_key.ctmpl"
+  destination = "/etc/ssl/private/{{ short_hostname }}.key"
+  command     = "chmod 600 /etc/ssl/private/{{ short_hostname }}.key"
+}
+
+template {
+  source      = "/etc/consul-template/chain_pem.ctmpl"
+  destination = "/etc/ssl/private/le-chaincert.pem"
+  command     = "chmod 600 /etc/ssl/private/le-chaincert.pem"
+}

ansible/roles/consul_template-org/templates/consul-template.service.j2

@@ -0,0 +1,11 @@
+[Unit]
+Description=consul-template TLS Certificate
+After=network-online.target
+
+[Service]
+ExecStart=/usr/local/bin/consul-template \
+  -config=/etc/consul-template/config.hcl
+Restart=always
+
+[Install]
+WantedBy=multi-user.target

terraform/backend.tf

@@ -1,21 +0,0 @@
-terraform {
-  backend "s3" {
-    endpoints = {
-      s3 = "https://minio.bsdserver.nl:443"
-    }
-
-    bucket = "home-terraform"
-    key    = "home/security/encryption/certificate-automation.tfstate"
-
-    # Configure credentials via environment variables:
-    # export AWS_ACCESS_KEY_ID="your-access-key"
-    # export AWS_SECRET_ACCESS_KEY="your-secret-key"
-
-    region                      = "main"
-    skip_credentials_validation = true
-    skip_metadata_api_check     = true
-    skip_requesting_account_id  = true
-    skip_region_validation      = true
-    use_path_style              = true
-  }
-}

terraform/provider.tf

@@ -8,23 +8,7 @@ terraform {
     }
     vault = {
       source  = "hashicorp/vault"
-      version = "~> 4.0"
+      version = "~> 5.3"
     }
   }
 }
-
-# Configure the Vault provider
-provider "vault" {
-  address = var.vault_address
-  auth_login {
-    path = "auth/approle/login"
-    parameters = {
-      role_id   = var.role_id
-      secret_id = var.secret_id
-    }
-  }
-}
-
-# Ansible Provider
-provider "ansible" {
-}