49 lines
1.2 KiB
HCL
49 lines
1.2 KiB
HCL
resource "vault_mount" "kv" {
|
|
path = "secret"
|
|
type = "kv-v2"
|
|
description = "KV v2 secrets engine"
|
|
}
|
|
|
|
resource "vault_policy" "eso_read" {
|
|
name = "external-secrets-read"
|
|
policy = <<-EOT
|
|
path "${vault_mount.kv.path}/data/*" {
|
|
capabilities = ["read"]
|
|
}
|
|
path "${vault_mount.kv.path}/metadata/*" {
|
|
capabilities = ["read", "list"]
|
|
}
|
|
EOT
|
|
}
|
|
|
|
resource "vault_auth_backend" "approle" {
|
|
type = "approle"
|
|
}
|
|
|
|
resource "vault_approle_auth_backend_role" "eso" {
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = "external-secrets"
|
|
token_policies = [vault_policy.eso_read.name]
|
|
token_ttl = 3600
|
|
token_max_ttl = 14400
|
|
}
|
|
|
|
data "vault_approle_auth_backend_role_id" "eso" {
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = vault_approle_auth_backend_role.eso.role_name
|
|
}
|
|
|
|
resource "vault_approle_auth_backend_role_secret_id" "eso" {
|
|
backend = vault_auth_backend.approle.path
|
|
role_name = vault_approle_auth_backend_role.eso.role_name
|
|
}
|
|
|
|
output "role_id" {
|
|
value = data.vault_approle_auth_backend_role_id.eso.role_id
|
|
sensitive = true
|
|
}
|
|
|
|
output "secret_id" {
|
|
value = vault_approle_auth_backend_role_secret_id.eso.secret_id
|
|
sensitive = true
|
|
} |