M terraform_vault/auth.tf => terraform_vault/auth.tf +33 -0
@@ 67,3 67,36 @@ resource "vault_identity_group_alias" "admin_group_alias" {
mount_accessor = vault_jwt_auth_backend.keycloak.accessor
canonical_id = vault_identity_group.admin_group.id
}
+
+# Approle
+
+resource "vault_auth_backend" "approle" {
+ type = "approle"
+ description = "Approle auth for CI/CD"
+}
+
+resource "vault_approle_auth_backend_role" "ansible" {
+ backend = vault_auth_backend.approle.path
+ role_name = "ansible"
+ token_policies = ["ansible"]
+ # NOTE: docker bip
+ secret_id_bound_cidrs = ["172.17.0.0/16"]
+ token_bound_cidrs = ["172.17.0.0/16"]
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "ansible_secret" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.ansible.role_name
+}
+
+output "role_id" {
+ description = "RoleID for ansible CI/CD"
+ sensitive = true
+ value = vault_approle_auth_backend_role.ansible.role_id
+}
+
+output "secret_id" {
+ description = "SecretID for ansible CI/CD"
+ value = vault_approle_auth_backend_role_secret_id.ansible_secret.secret_id
+ sensitive = true
+}
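Review bot: The `ansible` role sets no lifetime limits, so the SecretID minted by `ansible_secret` and the tokens it yields never expire (the provider defaults for `secret_id_ttl`, `secret_id_num_uses`, `token_ttl` and `token_max_ttl` are all unlimited), and that SecretID is persisted in plaintext in the Terraform state — `sensitive = true` on the outputs only redacts CLI display, it does not protect the state file. A CI credential bounded only by `172.17.0.0/16`, which the `docker bip` note suggests is the shared docker bridge reachable by any container on the host, deserves at least `token_ttl = "1h"`, `token_max_ttl = "4h"` and `secret_id_ttl = "720h"` on the role (values to be tuned to the pipeline). If the pipeline can fetch its own SecretID at run time, consider dropping the `ansible_secret` resource and the `secret_id` output in favour of `secret_id_num_uses = 1` plus response wrapping (`wrapping_ttl`) so the raw secret is never written to state.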