vault: deployment manifest, some docs, backup script - expected to run

on docker host
2026-01-14 14:48:09 +01:00
parent b5e1f4b737
commit 90a44bd59f
9 changed files with 214 additions and 0 deletions
--- a/docker-30/vault/terraform/main.tf
+++ b/docker-30/vault/terraform/main.tf
@@ -0,0 +1,49 @@
+resource "vault_mount" "kv" {
+  path        = "secret"
+  type        = "kv-v2"
+  description = "KV v2 secrets engine"
+}
+
+resource "vault_policy" "eso_read" {
+  name   = "external-secrets-read"
+  policy = <<-EOT
+    path "${vault_mount.kv.path}/data/*" {
+      capabilities = ["read"]
+    }
+    path "${vault_mount.kv.path}/metadata/*" {
+      capabilities = ["read", "list"]
+    }
+  EOT
+}
+
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+}
+
+resource "vault_approle_auth_backend_role" "eso" {
+  backend        = vault_auth_backend.approle.path
+  role_name      = "external-secrets"
+  token_policies = [vault_policy.eso_read.name]
+  token_ttl      = 3600
+  token_max_ttl  = 14400
+}
+
+data "vault_approle_auth_backend_role_id" "eso" {
+  backend   = vault_auth_backend.approle.path
+  role_name = vault_approle_auth_backend_role.eso.role_name
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "eso" {
+  backend   = vault_auth_backend.approle.path
+  role_name = vault_approle_auth_backend_role.eso.role_name
+}
+
+output "role_id" {
+  value     = data.vault_approle_auth_backend_role_id.eso.role_id
+  sensitive = true
+}
+
+output "secret_id" {
+  value     = vault_approle_auth_backend_role_secret_id.eso.secret_id
+  sensitive = true
+}