# KV v2 secrets engine mounted at the cluster's own path. Everything this
# module stores for the cluster (the MinIO credentials below) lives here.
resource "vault_mount" "cluster" {
  path        = var.cluster
  type        = "kv"
  options     = { version = "2" }
  description = "KV Version 2 secret engine mount for ${var.cluster}"

  # NOTE(review): depends_on normally accepts only static resource/module
  # references; confirm the Terraform version in use accepts a variable here.
  depends_on = [var.wait_on]
}
# Policy attached to the cluster's token. It is scoped to the cluster's own
# KV mount plus the token self-management endpoints the cluster needs to
# keep its periodic token alive.
resource "vault_policy" "cluster" {
  name = var.cluster
  depends_on = [var.wait_on]

  # NOTE(review): "sudo" on auth/token/create lets the holder mint tokens
  # whose policies are not a subset of its own (and orphan tokens), which is
  # an escalation path well beyond the "<cluster>/*" scope granted below.
  # Confirm the cluster actually needs it; "create"/"update" alone allow
  # child tokens carrying a subset of this policy.
  # The heredoc is the literal policy document handed to Vault; the
  # ${var.cluster} interpolation is resolved by Terraform before upload.
  policy = <<EOT
path "${var.cluster}/*" {
capabilities = ["create", "read", "update", "delete", "list"]
}
path "auth/token/create" {
capabilities = ["create", "update", "sudo"]
}
path "auth/token/lookup-self" {
capabilities = ["read"]
}
path "auth/token/renew-self" {
capabilities = ["update"]
}
# Add other necessary permissions
EOT
}
# Periodic, renewable token issued to the cluster and bound to the policy
# above. It is created as an orphan (no_parent), so it is not revoked along
# with the token Terraform itself used to create it.
resource "vault_token" "cluster" {
  no_parent = true
  renewable = true
  policies  = [vault_policy.cluster.name]

  # NOTE(review): a periodic token's effective TTL is its period, so the
  # 365d ttl is presumably not what bounds this token — confirm intent.
  # The cluster must call auth/token/renew-self within each 30d period or
  # the token expires; verify whether this resource is expected to renew it
  # on refresh (renew_min_lease is not set here).
  period = "30d"
  ttl    = "365d"

  # The resulting client_token is recorded in Terraform state in the clear;
  # the state backend must be protected accordingly.
}
# Per-cluster object storage bucket. The ACL is private, so access is
# granted only through the IAM policy defined further down.
resource "minio_s3_bucket" "cluster" {
  acl    = "private"
  bucket = var.cluster
}
# TODO: Enable encryption and versioning on the bucket.
# NOTE(review): the commented-out resource still refers to
# minio_s3_bucket.management; the bucket defined in this file is
# minio_s3_bucket.cluster, so the reference should be updated when enabled.
# resource "minio_s3_bucket_server_side_encryption" "encryption" {
#   bucket          = minio_s3_bucket.management.bucket
#   encryption_type = "aws:kms"
#   kms_key_id      = var.aws_kms_key_id
# }
# MinIO identity for the cluster. Credentials are not issued for this user
# directly; the service account below is created on top of it.
resource "minio_iam_user" "cluster" {
  name = var.cluster
}
# IAM policy confined to the cluster's own bucket: listing on the bucket
# ARN, object read/write/delete on its contents. No wildcard bucket access.
resource "minio_iam_policy" "cluster" {
  # Policy name follows the bucket name so the pairing is visible in MinIO.
  name = minio_s3_bucket.cluster.bucket

  # jsonencode sorts object keys, so key order here does not affect output.
  policy = jsonencode({
    Statement = [
      {
        # Bucket-level: enumerate objects.
        Resource = ["arn:aws:s3:::${var.cluster}"]
        Action   = ["s3:ListBucket"]
        Effect   = "Allow"
      },
      {
        # Object-level: read, write and delete within the bucket only.
        Resource = ["arn:aws:s3:::${var.cluster}/*"]
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ]
        Effect = "Allow"
      }
    ]
    Version = "2012-10-17"
  })
}
# Binds the bucket-scoped policy to the cluster's MinIO user.
resource "minio_iam_user_policy_attachment" "cluster" {
  policy_name = minio_iam_policy.cluster.id
  user_name   = minio_iam_user.cluster.id
}
# Service account (access key / secret key pair) issued under the cluster's
# MinIO user. Its inline policy mirrors the user policy above; presumably
# MinIO intersects it with the parent user's permissions — verify against
# the MinIO docs before relying on it as an upper bound.
resource "minio_iam_service_account" "cluster" {
  target_user = minio_iam_user.cluster.name

  # jsonencode sorts object keys, so key order here does not affect output.
  policy = jsonencode({
    Statement = [
      {
        Resource = ["arn:aws:s3:::${var.cluster}"]
        Action   = ["s3:ListBucket"]
        Effect   = "Allow"
      },
      {
        Resource = ["arn:aws:s3:::${var.cluster}/*"]
        Action = [
          "s3:GetObject",
          "s3:PutObject",
          "s3:DeleteObject"
        ]
        Effect = "Allow"
      }
    ]
    Version = "2012-10-17"
  })

  # access_key and secret_key of this resource are recorded in Terraform
  # state; the state backend must be protected accordingly.
}
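# Publishes the MinIO service-account credentials into the cluster's KV
# mount so workloads fetch them from Vault with the cluster token.
resource "vault_kv_secret_v2" "cluster" {
  # Reference the mount resource rather than var.cluster so Terraform orders
  # this write after the mount exists; the original used var.cluster, which
  # carries no dependency edge and can race the mount on a first apply.
  # The value is identical (the mount's path is var.cluster).
  mount = vault_mount.cluster.path
  name  = "minio"

  # On destroy, remove every stored version rather than leaving older
  # credential versions readable in the KV history.
  delete_all_versions = true

  # The secret payload is also held in Terraform state; protect the backend.
  data_json = jsonencode({
    access_key = minio_iam_service_account.cluster.access_key
    secret_key = minio_iam_service_account.cluster.secret_key
  })

  # The data_json reference already orders this after the service account;
  # the explicit entry is kept from the original.
  depends_on = [
    var.wait_on,
    minio_iam_service_account.cluster
  ]
}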
# The cluster's Vault token. Marked sensitive so it is redacted from plan
# and apply output; it is still present in state and readable via
# `terraform output`.
output "vault_token" {
  sensitive = true
  value     = vault_token.cluster.client_token
}
# MinIO access key id of the service account. It is an identifier rather
# than a secret, so it is not marked sensitive here; set sensitive = true
# if it should nevertheless be kept out of plan/apply output.
output "minio_access_key" {
  value = minio_iam_service_account.cluster.access_key
}
# MinIO secret key of the service account. Redacted from plan/apply output;
# note the same value is also written to Vault above, so this output is a
# second delivery path for the credential.
output "minio_secret_key" {
  sensitive = true
  value     = minio_iam_service_account.cluster.secret_key
}