feat(terraform): Refactor roles 14/42214/2
authorPeter Mikus <[email protected]>
Wed, 22 Jan 2025 10:51:02 +0000 (11:51 +0100)
committerPeter Mikus <[email protected]>
Thu, 23 Jan 2025 09:12:41 +0000 (09:12 +0000)
Signed-off-by: Peter Mikus <[email protected]>
Change-Id: Ie5e5bb0d8d3c927c26286439fb128529b8b30a81

fdio.infra.terraform/terraform-nomad-pyspark-etl/main.tf
fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf [deleted file]
fdio.infra.terraform/terraform-vault-aws-secret-backend/main.tf
fdio.infra.terraform/terraform-vault-aws-secret-backend/variables.tf
fdio.infra.terraform/terraform-vault-fdio-creds/main.tf [new file with mode: 0644]
fdio.infra.terraform/terraform-vault-fdio-creds/providers.tf [moved from fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/providers.tf with 100% similarity]
fdio.infra.terraform/terraform-vault-fdio-creds/variables.tf [moved from fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/variables.tf with 100% similarity]
fdio.infra.terraform/terraform-vault-fdio-creds/versions.tf [moved from fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/versions.tf with 100% similarity]

index cfe326b..b9027a8 100644 (file)
@@ -3,11 +3,6 @@ data "vault_kv_secret_v2" "fdio_logs" {
   name  = "etl/fdio_logs"
 }
 
-data "vault_kv_secret_v2" "fdio_docs" {
-  mount = "kv"
-  name  = "etl/fdio_docs"
-}
-
 data "vault_kv_secret_v2" "csit_docs" {
   mount = "kv"
   name  = "etl/csit_docs"
diff --git a/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf b/fdio.infra.terraform/terraform-vault-aws-secret-backend/fdio/main.tf
deleted file mode 100644 (file)
index 08c3ca8..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-module "fdio-logs" {
-  # fdio logs iam
-  source = "../"
-  name   = "dynamic-aws-creds-vault-fdio-logs"
-  aws_access_key = var.aws_access_key
-  aws_secret_key = var.aws_secret_key
-}
-
-module "fdio-docs" {
-  # fdio docs iam
-  source = "../"
-  name   = "dynamic-aws-creds-vault-fdio-docs"
-  aws_access_key = var.aws_access_key
-  aws_secret_key = var.aws_secret_key
-}
-
-module "fdio-csit-jenkins" {
-  # fdio csit jenkins iam
-  source = "../"
-  name   = "dynamic-aws-creds-vault-fdio-csit-jenkins"
-  aws_access_key = var.aws_access_key
-  aws_secret_key = var.aws_secret_key
-}
index 8141219..6a2d42e 100644 (file)
@@ -1,4 +1,4 @@
-resource "vault_aws_secret_backend" "aws" {
+resource "vault_aws_secret_backend" "aws_secret_backend" {
   access_key = var.aws_access_key
   secret_key = var.aws_secret_key
   path       = "${var.name}-path"
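Review bot: Renaming `vault_aws_secret_backend.aws` to `aws_secret_backend` here (and `vault_aws_secret_backend_role.admin` to `aws_secret_backend_role` in the next hunk) changes the resources' state addresses, so a plan against an existing state destroys and recreates the Vault AWS mount and its role instead of updating them, and disabling a secrets engine also revokes the leases it issued. If the state of the old `fdio/` root is carried over (providers.tf moved with 100% similarity, so the backend configuration presumably is unchanged), `moved` blocks inside this module let Terraform treat the change as a pure rename. The `backend` and `role` outputs only update their references and need nothing further.
```hcl
moved {
  from = vault_aws_secret_backend.aws
  to   = vault_aws_secret_backend.aws_secret_backend
}

moved {
  from = vault_aws_secret_backend_role.admin
  to   = vault_aws_secret_backend_role.aws_secret_backend_role
}
```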
@@ -7,34 +7,18 @@ resource "vault_aws_secret_backend" "aws" {
   max_lease_ttl_seconds     = "0"
 }
 
-resource "vault_aws_secret_backend_role" "admin" {
-  backend         = vault_aws_secret_backend.aws.path
+resource "vault_aws_secret_backend_role" "aws_secret_backend_role" {
+  backend         = vault_aws_secret_backend.aws_secret_backend.path
   name            = "${var.name}-role"
   credential_type = "iam_user"
 
-  policy_document = <<EOF
-{
-  "Version": "2012-10-17",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Action": [
-        "iam:*",
-        "ec2:*",
-        "s3:*",
-        "elasticbeanstalk:*"
-      ],
-      "Resource": "*"
-    }
-  ]
-}
-EOF
+  policy_document = var.policy_document
 }
 
 output "backend" {
-  value = vault_aws_secret_backend.aws.path
+  value = vault_aws_secret_backend.aws_secret_backend.path
 }
 
 output "role" {
-  value = vault_aws_secret_backend_role.admin.name
+  value = vault_aws_secret_backend_role.aws_secret_backend_role.name
 }
index 2545345..d7a2f4a 100644 (file)
@@ -15,3 +15,8 @@ variable "name" {
   description = "Vault path"
   type        = string
 }
+
+variable "policy_document" {
+  description = "AWS policy document"
+  type        = string
+}
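Review bot: `policy_document` is a bare `string` with no validation, so a value that is not well-formed JSON is only rejected by Vault at apply time, likely after the `vault_aws_secret_backend` resource in main.tf has already been created. Every caller in this commit builds the value with `jsonencode(...)`, so a `validation` block using `can(jsondecode(var.policy_document))` rejects a bad document at plan time at no cost. The description should also say what is expected, e.g. `description = "AWS IAM policy document (JSON) attached to the generated role"`.
```hcl
variable "policy_document" {
  description = "AWS IAM policy document (JSON) attached to the generated role"
  type        = string

  validation {
    condition     = can(jsondecode(var.policy_document))
    error_message = "policy_document must be a valid JSON IAM policy document."
  }
}
```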
diff --git a/fdio.infra.terraform/terraform-vault-fdio-creds/main.tf b/fdio.infra.terraform/terraform-vault-fdio-creds/main.tf
new file mode 100644 (file)
index 0000000..4469bb1
--- /dev/null
@@ -0,0 +1,86 @@
+module "fdio-logs" {
+  # fdio logs iam
+  source         = "../terraform-vault-aws-secret-backend"
+  name           = "dynamic-aws-creds-vault-fdio-logs"
+  aws_access_key = var.aws_access_key
+  aws_secret_key = var.aws_secret_key
+  policy_document = jsonencode({
+    Statement = [
+      {
+        Action = [
+          "iam:*",
+          "ec2:*",
+          "s3:*",
+          "elasticbeanstalk:*",
+          "ssm:*",
+          "cloudformation:*",
+          "logs:*",
+          "elasticloadbalancing:*",
+          "autoscaling:*",
+          "cloudwatch:*"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+    Version = "2012-10-17"
+  })
+}
+
+module "csit-cdash" {
+  # csit cdash iam
+  source         = "../terraform-vault-aws-secret-backend"
+  name           = "dynamic-aws-creds-vault-cdash"
+  aws_access_key = var.aws_access_key
+  aws_secret_key = var.aws_secret_key
+  policy_document = jsonencode({
+    Statement = [
+      {
+        Action = [
+          "iam:*",
+          "ec2:*",
+          "s3:*",
+          "elasticbeanstalk:*",
+          "ssm:*",
+          "cloudformation:*",
+          "logs:*",
+          "elasticloadbalancing:*",
+          "autoscaling:*",
+          "cloudwatch:*"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+    Version = "2012-10-17"
+  })
+}
+
+module "fdio-csit-jenkins" {
+  # fdio csit jenkins iam
+  source         = "../terraform-vault-aws-secret-backend"
+  name           = "dynamic-aws-creds-vault-fdio-csit-jenkins"
+  aws_access_key = var.aws_access_key
+  aws_secret_key = var.aws_secret_key
+  policy_document = jsonencode({
+    Statement = [
+      {
+        Action = [
+          "iam:*",
+          "ec2:*",
+          "s3:*",
+          "elasticbeanstalk:*",
+          "ssm:*",
+          "cloudformation:*",
+          "logs:*",
+          "elasticloadbalancing:*",
+          "autoscaling:*",
+          "cloudwatch:*"
+        ]
+        Effect   = "Allow"
+        Resource = "*"
+      },
+    ]
+    Version = "2012-10-17"
+  })
+}
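Review bot: All three `policy_document` values in this file are byte-identical and grant `iam:*`, `ec2:*`, `s3:*` and seven further service wildcards on `Resource = "*"`, so making the policy a per-module parameter does not yet differentiate the roles, and `iam:*` on `*` amounts to full-account access for whichever consumer (logs, cdash or jenkins) obtains the dynamic credentials. The list has also grown from the four actions previously hard-coded in terraform-vault-aws-secret-backend/main.tf to ten; what each consumer actually needs is not visible here (fdio-logs presumably only touches specific S3 buckets — to confirm), so each module's policy should be narrowed to that set once known. Until then, the 20 repeated lines belong in a single `locals` entry referenced as `policy_document = local.aws_wide_policy` so the three copies cannot drift.
```hcl
locals {
  # Shared wide policy; each module should be narrowed to the actions it actually needs.
  aws_wide_policy = jsonencode({
    Statement = [
      {
        Action   = [/* … action list as in the hunk … */]
        Effect   = "Allow"
        Resource = "*"
      },
    ]
    Version = "2012-10-17"
  })
}

module "fdio-logs" {
  # … unchanged: source, name, aws_access_key, aws_secret_key …
  policy_document = local.aws_wide_policy
}
# … same one-line substitution in "csit-cdash" and "fdio-csit-jenkins" …
```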