From 47e253f9ac7f4cb9b107800c5ff7173ecd0dcead Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Fri, 3 Sep 2021 11:07:36 +0200
Subject: [PATCH] vault: Enable approle auth backend

Can be used in my sourcehut CI/CD pipeline. Access restricted to docker bip.
---
 terraform_vault/auth.tf | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/terraform_vault/auth.tf b/terraform_vault/auth.tf
index 86bf04c..2e31ed8 100644
--- a/terraform_vault/auth.tf
+++ b/terraform_vault/auth.tf
@@ -67,3 +67,36 @@ resource "vault_identity_group_alias" "admin_group_alias" {
 mount_accessor = vault_jwt_auth_backend.keycloak.accessor
 canonical_id = vault_identity_group.admin_group.id
 }
+
+# Approle
+
+resource "vault_auth_backend" "approle" {
+ type = "approle"
+ description = "Approle auth for CI/CD"
+}
+
+resource "vault_approle_auth_backend_role" "ansible" {
+ backend = vault_auth_backend.approle.path
+ role_name = "ansible"
+ token_policies = ["ansible"]
+ # NOTE: docker bip
+ secret_id_bound_cidrs = ["172.17.0.0/16"]
+ token_bound_cidrs = ["172.17.0.0/16"]
+}
+
+resource "vault_approle_auth_backend_role_secret_id" "ansible_secret" {
+ backend = vault_auth_backend.approle.path
+ role_name = vault_approle_auth_backend_role.ansible.role_name
+}
+
+output "role_id" {
+ description = "RoleID for ansible CI/CD"
+ sensitive = true
+ value = vault_approle_auth_backend_role.ansible.role_id
+}
+
+output "secret_id" {
+ description = "SecretID for ansible CI/CD"
+ value = vault_approle_auth_backend_role_secret_id.ansible_secret.secret_id
+ sensitive = true
+}
-- 
2.44.0
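Review bot: The SecretID minted by `vault_approle_auth_backend_role_secret_id.ansible_secret` is written in plaintext to the Terraform state; `sensitive = true` on the `secret_id` output only redacts CLI display, so whoever can read the state backend can read the credential, and the role should be documented as "SecretID lives in state; protect the state backend accordingly" or, if the provider version in use supports it, requested response-wrapped via `wrapping_ttl` so only the wrapping token lands in state. The `ansible` role also sets no `secret_id_ttl`, `secret_id_num_uses`, `token_ttl` or `token_max_ttl`, so the generated SecretID and the tokens it yields are reusable and long-lived by default; for a CI/CD credential something like `secret_id_num_uses = 1`, `secret_id_ttl = 3600` and `token_ttl = 1800` (values illustrative) would bound the blast radius of a leak. The `172.17.0.0/16` bound CIDRs match the docker default bridge range, which presumably includes every container on that bridge rather than only the pipeline runner, and the check only applies to the source address Vault actually sees, so if Vault sits behind a proxy that does not forward the client IP the restriction may be ineffective; worth a comment next to `# NOTE: docker bip` stating that assumption. The `ansible` policy referenced by `token_policies` is defined outside this hunk, so its scope cannot be judged here.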