~xenrox/ansible: vault: Enable approle auth backend

47e253f9ac7f4cb9b107800c5ff7173ecd0dcead — Thorben Günther 2 years ago f275e51

vault: Enable approle auth backend

Can be used in my sourcehut CI/CD pipeline. Access restricted to docker
bip.

patch browse .tar.gz

1 files changed, 33 insertions(+), 0 deletions(-)

M terraform_vault/auth.tf

M terraform_vault/auth.tf => terraform_vault/auth.tf +33 -0

@@ 67,3 67,36 @@ resource "vault_identity_group_alias" "admin_group_alias" {
   mount_accessor = vault_jwt_auth_backend.keycloak.accessor
   canonical_id   = vault_identity_group.admin_group.id
 }
+
+# Approle
+
+resource "vault_auth_backend" "approle" {
+  type        = "approle"
+  description = "Approle auth for CI/CD"
+}
+
+resource "vault_approle_auth_backend_role" "ansible" {
+  backend        = vault_auth_backend.approle.path
+  role_name      = "ansible"
+  token_policies = ["ansible"]
+  # NOTE: docker bip
+  secret_id_bound_cidrs = ["172.17.0.0/16"]
+  token_bound_cidrs     = ["172.17.0.0/16"]
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "ansible_secret" {
+  backend   = vault_auth_backend.approle.path
+  role_name = vault_approle_auth_backend_role.ansible.role_name
+}
+
+output "role_id" {
+  description = "RoleID for ansible CI/CD"
+  sensitive   = true
+  value       = vault_approle_auth_backend_role.ansible.role_id
+}
+
+output "secret_id" {
+  description = "SecretID for ansible CI/CD"
+  value       = vault_approle_auth_backend_role_secret_id.ansible_secret.secret_id
+  sensitive   = true
+}