# KV v2 secrets engine mounted at the cluster's own path. The MinIO
# credentials for this cluster are written under it by vault_kv_secret_v2.cluster.
resource "vault_mount" "cluster" {
  type        = "kv"
  path        = var.name
  description = "KV Version 2 secret engine mount for ${var.name}"

  # Version 2 gives versioned secrets and check-and-set semantics.
  options = { version = "2" }
}
# Per-cluster bucket, private ACL so nothing is anonymously readable.
# Server-side encryption and object versioning are not configured on this
# bucket (see the TODO below).
resource "minio_s3_bucket" "cluster" {
  acl    = "private"
  bucket = var.name
}
# TODO: Enable encryption and versioning on the bucket.
# NOTE: the commented example below still references minio_s3_bucket.management,
# but the bucket defined in this file is minio_s3_bucket.cluster; update the
# reference before uncommenting it.
# resource "minio_s3_bucket_server_side_encryption" "encryption" {
#   bucket          = minio_s3_bucket.management.bucket
#   encryption_type = "aws:kms"
#   kms_key_id      = var.aws_kms_key_id
# }
# MinIO user dedicated to this cluster. Only a name is declared here; the
# actual access keys are issued through minio_iam_service_account.cluster.
resource "minio_iam_user" "cluster" {
  name = var.name
}
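# Bucket-scoped policy for the cluster's MinIO user: list the bucket, and
# read/write/delete objects inside it. No other bucket is reachable.
#
# The bucket name is taken from minio_s3_bucket.cluster for both the policy
# name and the ARNs, so the grant cannot drift from the bucket it protects
# (previously the ARNs were built from var.name while the name came from the
# bucket resource).
resource "minio_iam_policy" "cluster" {
  name = minio_s3_bucket.cluster.bucket

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Listing is a bucket-level action, so it targets the bucket ARN itself.
        Effect   = "Allow"
        Action   = ["s3:ListBucket"]
        Resource = ["arn:aws:s3:::${minio_s3_bucket.cluster.bucket}"]
      },
      {
        # Object-level actions are limited to keys inside the bucket.
        Effect = "Allow"
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject",
        ]
        Resource = ["arn:aws:s3:::${minio_s3_bucket.cluster.bucket}/*"]
      },
    ]
  })
}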
# Binds the bucket-scoped policy to the cluster user.
resource "minio_iam_user_policy_attachment" "cluster" {
  policy_name = minio_iam_policy.cluster.id
  user_name   = minio_iam_user.cluster.id
}
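# Access/secret key pair bound to the cluster user. The inline policy is the
# same document attached to the user via minio_iam_policy.cluster; referencing
# it (instead of keeping a second, hand-copied JSON document) means a change to
# the user's grant cannot silently diverge from what the keys are allowed to do.
# The resulting access_key/secret_key are exported to Vault by
# vault_kv_secret_v2.cluster and also end up in Terraform state.
resource "minio_iam_service_account" "cluster" {
  target_user = minio_iam_user.cluster.name
  policy      = minio_iam_policy.cluster.policy
}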
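# Publishes the service account's key pair into the cluster's KV v2 mount at
# "<mount>/minio". The mount is referenced through vault_mount.cluster.path
# rather than var.name, which makes the ordering an ordinary resource
# dependency (no depends_on needed) and guarantees the secret lands in the
# mount created in this file; the service-account dependency is already
# implied by the data_json references.
#
# NOTE: access_key and secret_key are also present in Terraform state, both
# as attributes of minio_iam_service_account.cluster and in data_json, so the
# state backend needs the same protection as the secret itself.
resource "vault_kv_secret_v2" "cluster" {
  mount = vault_mount.cluster.path
  name  = "minio"

  # Intended to purge every version of the secret when the resource is
  # destroyed, not only the current one.
  delete_all_versions = true

  data_json = jsonencode({
    access_key = minio_iam_service_account.cluster.access_key
    secret_key = minio_iam_service_account.cluster.secret_key
  })
}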
# Vault policy attached to the cluster's token (vault_token.cluster): full
# create/read/update/delete/list on everything under the cluster's KV mount,
# plus the token paths needed for the holder to renew itself and mint child
# tokens.
resource "vault_policy" "cluster" {
name = var.name

# NOTE(review): "sudo" on auth/token/create is broader than plain token
# creation — in Vault it is the capability that additionally permits orphan
# (no_parent) and periodic tokens. If the consumer only needs ordinary child
# tokens, "create"/"update" alone suffice; confirm before leaving sudo here.
# NOTE(review): the "# Add other necessary permissions" line below is inside
# the heredoc, so it is part of the policy text sent to Vault, not an HCL
# comment.
policy = <<EOT
path "${var.name}/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/token/create" {
capabilities = ["create", "update", "sudo"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
path "auth/token/lookup-accessor" {
capabilities = ["update"]
}
path "auth/token/renew-accessor" {
capabilities = ["update"]
}
# Add other necessary permissions
EOT
}
# Token Terraform issues for the cluster, carrying only vault_policy.cluster.
# NOTE: the token value is recorded in Terraform state. No no_parent/orphan
# option is set, so presumably the token is a child of the credentials the
# Vault provider itself runs with and shares their revocation — confirm.
resource "vault_token" "cluster" {
  policies = [vault_policy.cluster.name]

  # 24h lifetime, renewable; renew_min_lease / renew_increment presumably
  # drive the provider's renewal on refresh when less than 12h remains —
  # TODO confirm against the provider docs, since a token that is never
  # refreshed within 24h expires regardless.
  renewable       = true
  ttl             = "24h"
  renew_min_lease = "12h"
  renew_increment = "24h"
}