wbyc/terraform-certificate-automation
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
terraform-certificate-autom.../terraform/main.tf
Patrick de Ruiter 1f82d5bec7
Some checks failed
Code Quality & Security Scan / TFLint (push) Successful in 19s
Details
Code Quality & Security Scan / Tfsec Security Scan (push) Successful in 35s
Details
Code Quality & Security Scan / Checkov Security Scan (push) Successful in 32s
Details
Code Quality & Security Scan / Terraform Validate (push) Failing after 21s
Details
Code Quality & Security Scan / SonarQube Trigger (push) Has been skipped
Details
Fix TTL values: convert from string to seconds (numbers) 
- token_ttl: 1h -> 3600 seconds
- token_max_ttl: 4h -> 14400 seconds
- secret_id_ttl: 24h -> 86400 seconds
2025-11-10 12:25:22 +01:00

48 lines
1.6 KiB
HCL
Executable File
Raw Blame History

locals {
secret_path = "secret/data/${var.environment}/${var.short_hostname}/certificate"
policy_name = "${var.environment}-${var.short_hostname}-cert-policy"
approle_name = "${var.environment}-${var.short_hostname}-approle"
}
resource "vault_policy" "cert_access" {
name = local.policy_name
policy = <<EOT
path "${local.secret_path}" {
capabilities = ["read"]
}
EOT
}
resource "vault_approle_auth_backend_role" "cert_role" {
backend = "approle"
role_name = local.approle_name
token_policies = [vault_policy.cert_access.name]
token_ttl = 3600 # 1 hour in seconds
token_max_ttl = 14400 # 4 hours in seconds
secret_id_ttl = 86400 # 24 hours in seconds
}
resource "vault_approle_auth_backend_role_secret_id" "cert_role_secret" {
backend = "approle"
role_name = vault_approle_auth_backend_role.cert_role.role_name
}
resource "ansible_host" "vault_agent_node" {
name = var.short_hostname
groups = ["vault_agent"]
variables = {
ansible_user = "ansible"
ansible_ssh_private_key_file = "~/.ssh/id_ed25519"
ansible_python_interpreter = "/usr/bin/python3"
vault_approle_role_id = vault_approle_auth_backend_role.cert_role.role_id
vault_approle_secret_id = vault_approle_auth_backend_role_secret_id.cert_role_secret.secret_id
vault_address = var.vault_address
vault_secret_path = local.secret_path
environment = var.environment
short_hostname = var.short_hostname
ssl_certs_dir = "/etc/ssl/certs"
ssl_private_dir = "/etc/ssl/private"
}
}
Reference in New Issue View Git Blame Copy Permalink