
0.1.0
Canux Cheng committed Jul 18, 2022
0 parents commit 7c4fe9a
Showing 6 changed files with 290 additions and 0 deletions.
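--- /dev/null
+++ b/README.md
@@ -0,0 +1,34 @@
+
+# terraform bank vaults
+
+provision vault-secrets-webhook to EKS.
+
+## HowTo
+
+module "secrets_webhook" {
+source = "crazy-canux/vaults/bank"
+version = "0.1.0"
+cluster_name = local.cluster_name
+project = local.vault_project
+helm_chart_version = local.helm_chart_version
+
+vault_policies = [
+{
+name = "${local.vault_project}/${local.vault_role_name}"
+hcl = <<-EOT
+path "${local.vault_project}/*" {
+capabilities = ["read", "list"]
+}
+EOT
+}
+]
+extra_sa_mappings = [
+{
+name = local.vault_role_name
+namespaces = [local.namespace]
+service_accounts = [local.service_account]
+policies = ["${local.vault_project}/${local.vault_role_name}"]
+ttl = 7200
+}
+]
+}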
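--- /dev/null
+++ b/auth-backend.tf
@@ -0,0 +1,30 @@
+resource "vault_auth_backend" "kubernetes" {
+type = "kubernetes"
+path = "${var.project}/${var.cluster_name}"
+}
+
+data "kubernetes_service_account" "webhook_admin" {
+metadata {
+name = var.service_account
+namespace = var.namespace
+}
+
+depends_on = [
+helm_release.vault_secrets_webhook
+]
+}
+
+data "kubernetes_secret" "webhook_admin_token" {
+metadata {
+name = data.kubernetes_service_account.webhook_admin.default_secret_name
+namespace = var.namespace
+}
+}
+
+resource "vault_kubernetes_auth_backend_config" "default" {
+backend = vault_auth_backend.kubernetes.path
+kubernetes_host = data.aws_eks_cluster.default.endpoint
+kubernetes_ca_cert = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data)
+token_reviewer_jwt = data.kubernetes_secret.webhook_admin_token.data.token
+disable_iss_validation = "true"
+}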
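Review bot: `disable_iss_validation = "true"` on the last line of `vault_kubernetes_auth_backend_config` turns off issuer validation of every JWT presented to this Kubernetes auth mount, for every consumer of the module, with no comment saying why, and it writes a boolean attribute as a string. If the intent is to cope with the EKS projected-token issuer, prefer setting `issuer` to the cluster's OIDC issuer URL (the `aws_eks_cluster` data source exposes it) or expose the flag as a variable with a comment such as `# issuer validation disabled: <reason> — TODO confirm`. Separately, `token_reviewer_jwt` is read from the service account's `default_secret_name` secret, so a long-lived reviewer token ends up in plaintext in Terraform state, which therefore has to be protected like a Vault credential; this is worth a comment on the `data "kubernetes_secret"` block. On Kubernetes versions that no longer auto-create service-account token secrets, `default_secret_name` is likely to be empty and this lookup fails at plan time — the README should state the supported cluster versions.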
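--- /dev/null
+++ b/auth-roles.tf
@@ -0,0 +1,15 @@
+resource "vault_policy" "k8s_policies" {
+for_each = { for policy in local.policies : policy.name => policy }
+name = each.key
+policy = each.value.hcl
+}
+
+resource "vault_kubernetes_auth_backend_role" "webhook_admin" {
+for_each = { for mapping in local.mappings : mapping.name => mapping }
+backend = vault_auth_backend.kubernetes.path
+role_name = each.value.name
+bound_service_account_names = each.value.service_accounts
+bound_service_account_namespaces = each.value.namespaces
+token_ttl = each.value.ttl
+token_policies = each.value.policies
+}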
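Review bot: Both `for_each` comprehensions key on `policy.name` / `mapping.name`, and `local.policies` and `local.mappings` (defined in main.tf, outside this file) are built by concatenating caller-supplied entries with the module's own default entry, so a caller who passes an entry with the same name as the generated `local.vault_role_name` — the README example is close to doing exactly that — gets a duplicate-object-key error at plan time instead of an override. Consider building each map with `merge()` so the caller's entry wins, or adding a `validation` block on the two variables, and documenting which one takes precedence. Also worth noting that `vault_kubernetes_auth_backend_role` does not set `audience`; if the webhook presents projected service-account tokens, binding the role to the expected audience narrows which tokens the role accepts — a one-line comment recording the decision would help.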
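--- /dev/null
+++ b/main.tf
@@ -0,0 +1,98 @@
+locals {
+vault_role_name = "${var.cluster_name}_${var.namespace}_${var.service_account}"
+
+mappings = concat(var.extra_sa_mappings, [{
+name = local.vault_role_name
+namespaces = [var.namespace]
+service_accounts = [var.service_account]
+policies = ["${var.project}/${local.vault_role_name}"]
+ttl = 3600 }])
+
+policies = concat(var.vault_policies, [{
+name = "${var.project}/${local.vault_role_name}"
+hcl = length(var.webhook_vault_base_policy) > 0 ? var.webhook_vault_base_policy : <<-EOT
+path "${var.project}/*" {
+capabilities = ["read", "list"]
+}
+EOT
+}])
+}
+
+# Data resources to retrieve data for providers
+data "aws_eks_cluster" "default" {
+name = var.cluster_name
+}
+
+####################
+# resource/module
+####################
+
+# Create namespace
+resource "kubernetes_namespace" "webhook_namespace" {
+metadata {
+name = var.namespace
+}
+}
+
+# Deploy helm chart
+resource "helm_release" "vault_secrets_webhook" {
+name = var.helm_deployment_name
+repository = var.chart_repo_url
+chart = "vault-secrets-webhook"
+version = var.helm_chart_version
+namespace = var.namespace
+values = length(var.helm_values) > 0 ? var.helm_values : ["${file("${path.module}/helm-values.yaml")}"]
+set {
+name = "env.VAULT_ADDR"
+value = var.vault_address
+}
+set {
+name = "env.VAULT_PATH"
+value = "${var.project}/${var.cluster_name}"
+}
+set {
+name = "env.VAULT_ENV_PASSTHROUGH"
+value = "VAULT_ADDR,VAULT_PATH,VAULT_ROLE"
+}
+set {
+name = "securityContext.runAsUser"
+value = 1000570001
+}
+set {
+name = "configMapMutation"
+value = true
+}
+set {
+name = "serviceAccount.name"
+value = var.service_account
+}
+dynamic "set" {
+for_each = var.extra_set_values
+content {
+name = set.value.name
+value = set.value.value
+type = set.value.type
+}
+}
+depends_on = [
+kubernetes_namespace.webhook_namespace
+]
+}
+
+resource "kubernetes_cluster_role_binding_v1" "vault_auth_delegator" {
+metadata {
+name = "vault-auth:${var.namespace}:${var.service_account}"
+}
+role_ref {
+api_group = "rbac.authorization.k8s.io"
+kind = "ClusterRole"
+name = "system:auth-delegator"
+}
+subject {
+kind = "ServiceAccount"
+name = var.service_account
+namespace = var.namespace
+}
+}
+
+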
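Review bot: The `values` line of `helm_release.vault_secrets_webhook` falls back to `file("${path.module}/helm-values.yaml")`, but no `helm-values.yaml` is among the six files in this commit, so with the default empty `helm_values` every plan fails inside `file()`; either add that file to the module or guard the fallback with `fileexists()`. The `"${file(...)}"` wrapping is also a redundant interpolation — `file("${path.module}/helm-values.yaml")` alone is enough. Separately, `configMapMutation` is set to `true` unconditionally, which lets the webhook resolve `vault:` references inside ConfigMaps, placing secret values in objects that are not protected the way Secrets are; expose it as a variable or at least comment the choice, e.g. `# configMapMutation: webhook may write Vault values into ConfigMaps (not Secrets) — enabled deliberately`. The default mapping uses `ttl = 3600` while the README example uses `ttl = 7200`; a comment on the `locals` entry stating the intended default would avoid confusion.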
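--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,91 @@
+variable "chart_repo_url" {
+description = "URL to repository containing the vault-secrets-webhook helm chart"
+type = string
+default = "https://kubernetes-charts.banzaicloud.com"
+}
+
+variable "helm_deployment_name" {
+description = "Name for helm deployment"
+type = string
+default = "banzai-vault-webhook"
+}
+
+variable "helm_chart_version" {
+description = "Version of the vault-secrets-webhook chart"
+type = string
+default = "1.11.1"
+}
+
+var "vault_address" {
+type = string
+description = "vault server"
+}
+
+variable "namespace" {
+description = "Name for vault-secrets-webhook namespace"
+type = string
+default = "vault-secrets-webhook"
+}
+
+variable "service_account" {
+description = "Name for vault-secrets-webhook namespace"
+type = string
+default = "vault-webhook-admin"
+}
+
+variable "webhook_vault_base_policy" {
+description = "Default policy for the webhook's service acccount in vault"
+type = string
+default = ""
+}
+
+
+variable "helm_values" {
+description = "Values for vault-secrets-webhook Helm chart in raw YAML. If none specified, module will add its own set of default values"
+type = list(string)
+default = []
+}
+
+variable "extra_set_values" {
+description = "Specific values to override in the vault-secrets-webhook Helm chart (overrides corresponding values in the helm-value.yaml file within the module)"
+type = list(object({
+name = string
+value = any
+type = string
+})
+)
+default = []
+}
+
+variable "project" {
+description = "Name top level project in vault"
+type = string
+}
+
+variable "cluster_name" {
+description = "EKS cluster name"
+type = string
+}
+
+variable "vault_policies" {
+description = "Specific values to override in the vault-secrets-webhook Helm chart (overrides corresponding values in the helm-value.yaml file within the module)"
+type = list(object({
+name = string
+hcl = string
+})
+)
+default = []
+}
+
+variable "extra_sa_mappings" {
+description = "Specific values to override in the vault-secrets-webhook Helm chart (overrides corresponding values in the helm-value.yaml file within the module)"
+type = list(object({
+name = string
+namespaces = list(string)
+service_accounts = list(string)
+policies = list(string)
+ttl = number
+})
+)
+default = []
+}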
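Review bot: `var "vault_address" {` is not valid HCL — the block type must be `variable`, so `terraform init`/`terraform validate` rejects the module as committed; change it to `variable "vault_address" {`. Several descriptions are copy-paste errors: `service_account` is described as "Name for vault-secrets-webhook namespace", and `vault_policies` and `extra_sa_mappings` repeat the `extra_set_values` text about overriding Helm values, which misleads anyone reading the module's generated docs. Suggested replacements: `description = "Name of the webhook service account"`, `description = "Additional Vault policies (name and HCL) to create alongside the module's default policy"`, and `description = "Additional Kubernetes auth role mappings: service accounts and namespaces bound to Vault policies, with token TTL"`. `acccount` in `webhook_vault_base_policy` is a typo, and `vault_address` could use a fuller description such as `"Vault server address (URL) the webhook should talk to"`.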
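--- /dev/null
+++ b/versions.tf
@@ -0,0 +1,22 @@
+terraform {
+required_version = ">= 1.1.7"
+
+required_providers {
+aws = {
+source = "hashicorp/aws"
+version = ">= 3.75.2"
+}
+helm = {
+source = "hashicorp/helm"
+version = ">= 1.3.2"
+}
+kubernetes = {
+source = "hashicorp/kubernetes"
+version = ">= 2.6.1"
+}
+vault = {
+source = "hashicorp/vault"
+version = ">= 3.3.0"
+}
+}
+}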
