Patrick de Ruiter 9c0d389dd3
Migrate certificate-automation from consul-template to vault-agent
- Migrated Ansible integration from consul_template to vault_agent
  - Copied vault_agent role from terraform-vsphere-infra module
  - Created vault_agent-playbook.yml for deployment
  - Archived consul_template role as consul_template-legacy

- Updated Terraform configuration:
  - Changed Ansible inventory group from consul_template to vault_agent
  - Added vault_secret_path variable for vault-agent
  - Added ssl_certs_dir and ssl_private_dir variables
  - Formatted all Terraform files

- Implemented CI/CD pipeline:
  - Created .gitea/workflows/pipeline.yaml
  - Added TFLint, Tfsec, and Checkov security scans
  - Added Terraform validate step
  - Added SonarQube integration
  - Created sonar-project.properties

- Documentation updates:
  - Updated README.md with vault-agent information
  - Added migration section comparing consul-template vs vault-agent
  - Updated CLAUDE.md with vault-agent architecture
  - Added vault-agent configuration examples

Why vault-agent over consul-template:
  - Full AppRole support with role_id/secret_id files
  - Advanced token auto-renewal with auto_auth
  - Better credential security (separate files vs config)
  - Actively developed by HashiCorp

Note: The ansible/ directory changes (vault_agent role and playbook) are
not committed as the directory is in .gitignore. These files exist locally
and will be deployed during Ansible runs.
2025-11-10 11:32:35 +01:00
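As an added example (not this repository's own configuration), the following vault-agent config has the shape the commit message describes: AppRole auto_auth reading role_id and secret_id from separate files, a file token sink, and template stanzas that render a certificate and private key into the ssl_certs_dir and ssl_private_dir locations. The file paths, the KV v2 secret path, the field names and the reload command are all assumptions chosen for illustration.

```hcl
# Added example of a vault-agent configuration; all paths and the
# secret path below are assumed, not taken from the repository.
vault {
  address = "https://vault.example.com:8200" # would come from var.vault_address
}

exit_after_auth = false

auto_auth {
  # AppRole credentials live in two separate files rather than in this
  # config, so the config itself can be world-readable and versioned.
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path                   = "/etc/vault-agent/role_id"   # assumed
      secret_id_file_path                 = "/etc/vault-agent/secret_id" # assumed
      remove_secret_id_file_after_reading = true                         # one-shot secret_id
    }
  }

  # The agent renews the token it obtains and writes it here for tools
  # that still need a raw token (0640, owner/group only).
  sink "file" {
    config = {
      path = "/run/vault-agent/token" # assumed
      mode = 0640
    }
  }
}

template_config {
  exit_on_retry_failure         = true
  static_secret_render_interval = "5m"
}

# Certificate: public, so it goes to ssl_certs_dir with 0644.
template {
  contents    = "{{ with secret \"secret/data/certificate-automation/web01\" }}{{ .Data.data.certificate }}{{ end }}"
  destination = "/etc/ssl/certs/web01.crt" # assumed ssl_certs_dir
  perms       = "0644"
  command     = "systemctl reload nginx" # assumed consumer of the cert
}

# Private key: ssl_private_dir, owner-only permissions.
template {
  contents    = "{{ with secret \"secret/data/certificate-automation/web01\" }}{{ .Data.data.private_key }}{{ end }}"
  destination = "/etc/ssl/private/web01.key" # assumed ssl_private_dir
  perms       = "0600"
}
```

Both templates read the same KV v2 secret so the rendered certificate and key always come from one stored pair; with a PKI issue endpoint instead, each template call would request a separate certificate, so cert and key would have to be rendered from a single template.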


variable "environment" {
  type        = string
  description = "Environment name (e.g., dev, staging, prod)"

  validation {
    condition     = can(regex("^[a-zA-Z0-9-_]+$", var.environment))
    error_message = "Environment must contain only alphanumeric characters, hyphens, and underscores."
  }
}

variable "short_hostname" {
  type        = string
  description = "Short hostname for the target server"

  validation {
    condition     = can(regex("^[a-zA-Z0-9-]+$", var.short_hostname))
    error_message = "Hostname must contain only alphanumeric characters and hyphens."
  }
}

variable "vault_address" {
  type        = string
  description = "Vault server address (e.g., https://vault.example.com:8200)"

  validation {
    condition     = can(regex("^https?://", var.vault_address))
    error_message = "Vault address must be a valid HTTP or HTTPS URL."
  }
}