
Removes bits for Salt Vault integration

Also removes the SAF secrets engine, which is no longer used.
Brad Poulton vor 3 Jahren
Ursprung
Commit
fd3b408e69
2 geänderte Dateien mit 0 neuen und 104 gelöschten Zeilen
  1. 0 25
      base/vault-configuration/engines.tf
  2. 0 79
      base/vault-configuration/policies.tf

+ 0 - 25
base/vault-configuration/engines.tf

@@ -38,12 +38,6 @@ resource "vault_mount" "onboarding-gallery" {
   description = "onboarding-gallery"
 }
 
-resource "vault_mount" "onboarding-saf" {
-  path        = "onboarding-saf"
-  type        = "kv-v2"
-  description = "onboarding-saf"
-}
-
 resource "vault_mount" "portal" {
   path        = "portal"
   type        = "kv-v2"
@@ -61,22 +55,3 @@ resource "vault_mount" "soc" {
   type        = "kv-v2"
   description = "soc"
 }
-
-#salt supports kv
-resource "vault_mount" "salt" {
-  path        = "salt"
-  type        = "kv"
-  description = "salt"
-}
-
-#test secret
-resource "vault_generic_secret" "test" {
-  depends_on = [ vault_mount.salt ]
-  path = "salt/pillar_data"
-
-  data_json = <<EOT
-{
-  "my-pillar":   "my-secret"
-}
-EOT
-}

+ 0 - 79
base/vault-configuration/policies.tf

@@ -82,85 +82,6 @@ resource "vault_policy" "portal" {
   policy = data.vault_policy_document.portal.hcl
 }
 
-#salt-master should be able to only create tokens
-data "vault_policy_document" "salt-master" {
-  rule {
-    path         = "auth/*"
-    capabilities = ["read", "list", "sudo", "create", "update", "delete"]
-    description  = "salt-master"
-  }
-}
-
-resource "vault_policy" "salt-master" {
-  name   = "salt-master"
-  policy = data.vault_policy_document.salt-master.hcl
-}
-
-
-#restrict salt-minions to only list secrets here - saltstack/minions
-#allow all minions access to this shared pillar data.
-data "vault_policy_document" "minions" {
-  rule {
-    path         = "salt/*"
-    capabilities = ["list"]
-    description  = "minions"
-  }
-  rule {
-    path         = "salt/pillar_data"
-    capabilities = ["read"]
-    description  = "minions"
-  }
-}
-
-resource "vault_policy" "minions" {
-  name   = "saltstack/minions"
-  policy = data.vault_policy_document.minions.hcl
-}
-
-
-#restrict sensu salt-minion to only list secrets here - saltstack/minions
-#Policy must be named: saltstack/minion/<minion-id>
-# e.g. saltstack/minion/sensu.pvt.xdrtest.accenturefederalcyber.com
-data "vault_policy_document" "sensu-minion" {
-  rule {
-    path         = "salt/*"
-    capabilities = ["list"]
-    description  = "sensu-minion"
-  }
-  rule {
-    path         = "salt/minions/sensu.${var.dns_info["private"]["zone"]}/*"
-    capabilities = ["read"]
-    description  = "sensu-minion"
-
-  }
-}
-
-resource "vault_policy" "sensu-minion" {
-  name   = "saltstack/minion/sensu.${var.dns_info["private"]["zone"]}"
-  policy = data.vault_policy_document.sensu-minion.hcl
-}
-
-#Temp for GC Transition. Remove when Legacy Sensu is termianted. 
-data "vault_policy_document" "sensu-minion-legacy" {
-  rule {
-    path         = "salt/*"
-    capabilities = ["list"]
-    description  = "sensu-minion-legacy"
-  }
-  rule {
-    path         = "salt/minions/sensu.msoc.defpoint.local"
-    capabilities = ["read"]
-    description  = "sensu-minion-legacy"
-
-  }
-}
-
-resource "vault_policy" "sensu-minion-legacy" {
-  name   = "saltstack/minion/sensu.msoc.defpoint.local"
-  policy = data.vault_policy_document.sensu-minion-legacy.hcl
-}
-
-
 data "vault_policy_document" "soc" {
   rule {
     path         = "soc*"