
Adds Secrets for Vault Auth

Brad Poulton 3 gadi atpakaļ
vecāks
revīzija
ea15a2cb82

+ 3 - 3
base/vault-configuration/main.tf

@@ -5,7 +5,7 @@
 resource "vault_okta_auth_backend" "okta" {
   description  = "Terraform Okta auth backend"
   organization = "mdr-multipass"
-  token        = var.okta_api_token
+  token        = data.aws_secretsmanager_secret_version.okta_api_token.secret_string
   base_url     = "okta.com"
   ttl          = "1h"
   max_ttl      = "8h"
@@ -47,8 +47,8 @@ resource "vault_jwt_auth_backend" "okta_oidc" {
   path               = "oidc"
   type               = "oidc"
   oidc_discovery_url = "https://mdr-multipass.okta.com"
-  oidc_client_id     = var.okta_oidc_client_id
-  oidc_client_secret = var.okta_oidc_client_secret
+  oidc_client_id     = var.environment == "test" ? "0oa5icfdd1PdtoER0297" : "0oa5jb5198xfxqLiE297"
+  oidc_client_secret = data.aws_secretsmanager_secret_version.okta_oidc_client_secret.secret_string
   bound_issuer       = "https://mdr-multipass.okta.com"
   default_role       = "mdr-admins"
   tune {
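Review bot: The ternary on the new `oidc_client_id` line treats every environment other than `"test"` as the one that should receive `0oa5jb5198xfxqLiE297`, so a typo or a future environment name silently points the auth backend at the wrong Okta app instead of failing the plan. A map lookup fails the plan on an unknown key and keeps the IDs in one place: `oidc_client_id = local.okta_oidc_client_ids[var.environment]` with `okta_oidc_client_ids = { test = "0oa5icfdd1PdtoER0297", prod = "0oa5jb5198xfxqLiE297" }` in a `locals` block (the non-test key name is inferred from the README; confirm against the actual `environment` values). The `vault_jwt_auth_backend` resource continues past the end of the hunk.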

+ 20 - 0
base/vault-configuration/secrets.tf

@@ -0,0 +1,20 @@
+data "aws_secretsmanager_secret" "okta_oidc_client_secret" {
+  name     = "vault/okta_oidc_client_secret"
+  provider = aws.c2
+}
+
+data "aws_secretsmanager_secret" "okta_api_token" {
+  name     = "vault/okta_api_token"
+  provider = aws.c2
+}
+
+data "aws_secretsmanager_secret_version" "okta_oidc_client_secret" {
+  secret_id = data.aws_secretsmanager_secret.okta_oidc_client_secret.id
+  provider  = aws.c2
+}
+
+data "aws_secretsmanager_secret_version" "okta_api_token" {
+  secret_id = data.aws_secretsmanager_secret.okta_api_token.id
+  provider  = aws.c2
+}
+
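Review bot: Nothing in the new file records that the `secret_string` read through these `aws_secretsmanager_secret_version` data sources is persisted in Terraform state, which makes the state backend's encryption and access control part of this module's secret-handling boundary. A header comment such as `# Secret values read here are written to Terraform state; keep the state backend encrypted and access-restricted.` would make that explicit for the next maintainer. With no `version_stage` or `version_id` set, each data source reads the version carrying the AWSCURRENT stage, so rotating a secret in Secrets Manager changes the auth backend on the next apply; the same comment should say whether that is the intended rotation path. The `aws.c2` provider alias must be declared as a configuration alias for this module, and that declaration is outside this diff.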

+ 0 - 23
base/vault-configuration/vars.tf

@@ -19,29 +19,6 @@ roles = {
 EOF
 }
 
-variable "okta_oidc_client_id" {
-  type        = string
-  description = "Okta Vault OIDC app client ID"
-}
-
-variable "okta_oidc_client_secret" {
-  type        = string
-  description = "Okta Vault OIDC app client secret"
-  validation {
-    condition     = var.okta_oidc_client_secret != "<place secret here>"
-    error_message = "Please update the okta_oidc_client_secret in terragrunt.hcl!"
-  }
-}
-
-variable "okta_api_token" {
-  type        = string
-  description = "Okta Vault api secret"
-  validation {
-    condition     = var.okta_api_token != "<place secret here>"
-    error_message = "Please update the okta_api_token in terragrunt.hcl!"
-  }
-}
-
 variable "dns_info" { type = map(any) }
 variable "environment" { type = string }
 variable "aws_region" { type = string }

+ 6 - 10
base/vault/README.md

@@ -20,32 +20,28 @@
   - `vim ~/.vault-token`
   - The DNS in the Terraform Vault provider will be used. To test connectivity be sure to run this command: `export VAULT_ADDR=https://internal-vault-alb-test-778772793.us-gov-east-1.elb.amazonaws.com`. Replace the ALB address with the current ALB DNS address. This is due to Golang DNS not updating when connected to XDR over VPN. Vault binary is written in Go.  
   - Why not use the accenturefederal address? This is due to golang DNS issues.
-  - Download the vault binary ( might not be needed? Is the binary in the TF provider? )
+  - Download the Vault binary ( might not be needed? Is the binary in the TF provider? )
   - `terragrunt apply`
   - Might need this command as well. See main.tf in module for more information.
   - `vault write auth/aws/config/client sts_endpoint=https://sts.us-gov-east-1.amazonaws.com sts_region=us-gov-east-1`
-  - The Terraform Vault provider will look at ~/.vault-token for the token and the bash variables for the address to connect to.
+  - The Terraform Vault provider will look at ~/.vault-token for the token and the bash variables for the address to connect to. You can also add it to the command line (see below).
 - Revoke the root token
   - `vault token revoke <root-token>`
 - Distribute Vault shareds to the appriopriate individuals. 
 - Export/Import secrets
   - https://github.com/adamdecaf/vault-backend-migrator 
-
+- This module is dependent on AWS Secrets Manager for creds to authenticate to OKTA via OIDC and OKTA auth. 
 For additional Vault documentation see these locations:
 
 https://github.mdr.defpoint.com/mdr-engineering/infrastructure-notes/blob/master/Vault%20Notes.md
 
 https://github.mdr.defpoint.com/mdr-engineering/msoc-infrastructure/blob/develop/salt/fileroots/vault/README.md
 
-## To apply without putting your junk in the terragrunt.hcl
-
-THIS SECTION INCOMPLETE
+## To apply Terraform Changes without putting credentials in the terragrunt.hcl
 
-1. `VAULT_TOKEN`: Login to vault, and click your name dropdown, then copy secret. You'll need it more than once.
-1. `TF_VAR_okta_api_token`: Find this in the prod vault (even for test)
-1. `TF_VAR_okta_oidc_client_secret`: Find this in the prod vault (even for test)
+- `VAULT_TOKEN`: Login to vault, and click your name dropdown, then copy token. You'll need it more than once.
 
 Then apply:
 ```
-VAULT_TOKEN=<fromvault> TF_VAR_okta_api_token=YOURTOKENHERE TF_VAR_okta_oidc_client_secret=YOURSECRETHERE terragrunt apply
+VAULT_TOKEN=<fromvault> terragrunt apply
 ```