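#----------------------------------------------------------------------------
# Policies
#----------------------------------------------------------------------------
# Each policy is built from a vault_policy_document data source (rendered to
# HCL) and published by a matching vault_policy resource. Vault is
# deny-by-default, so a token holding one of these policies can reach only the
# paths listed in it. A trailing "*" is a prefix glob: "jenkins*" matches
# "jenkins", "jenkins/..." and any other path that merely starts with
# "jenkins" (e.g. a "jenkins-old" mount), not just the contents of one mount.

# Admins: every capability, including sudo, on every path. This is
# root-equivalent -- treat its holders as the break-glass/admin group.
data "vault_policy_document" "admins" {
  rule {
    path         = "*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "allow all on permissions"
  }
}

resource "vault_policy" "admins" {
  name   = "admins"
  policy = data.vault_policy_document.admins.hcl
}

# Clu (legacy): read/list only under the "jenkins*" prefix. The rule
# description previously said "read write", which did not match the granted
# capabilities; it now states what the rule actually allows.
data "vault_policy_document" "clu" {
  rule {
    path         = "jenkins*"
    capabilities = ["read", "list"]
    description  = "clu read/list on jenkins - legacy"
  }
}

resource "vault_policy" "clu" {
  name   = "clu"
  policy = data.vault_policy_document.clu.hcl
}

# Feed Management / engineers: full control (including sudo) of everything
# under the "onboarding*" prefix. If only the contents of the onboarding
# mount are intended, "onboarding/*" is the tighter glob -- TODO confirm with
# the team before narrowing.
data "vault_policy_document" "engineers" {
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "engineers/Feed Management"
  }
}

resource "vault_policy" "engineers" {
  name   = "engineers"
  policy = data.vault_policy_document.engineers.hcl
}

# This access is for Phantom Admins.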
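# Phantom admins: full control (including sudo) of the "phantom*",
# "onboarding*" and "portal*" prefixes. Note the "onboarding*" rule is the
# same grant the engineers policy carries and "portal*" duplicates the portal
# policy below; a trailing "*" also matches sibling paths that merely start
# with the prefix (see the header comment at the top of this file).
data "vault_policy_document" "phantom" {
  rule {
    path         = "phantom*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Phantom"
  }
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "onboarding"
  }
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "phantom" {
  name   = "phantom"
  policy = data.vault_policy_document.phantom.hcl
}

# Portal: full control (including sudo) of the "portal*" prefix.
data "vault_policy_document" "portal" {
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "portal" {
  name   = "portal"
  policy = data.vault_policy_document.portal.hcl
}

# salt-master should be able to only create tokens.
#
# This rule previously granted every capability, including sudo, on "auth/*",
# which covers far more than token creation (every auth method's login,
# config and role endpoints, and lookup/revocation of arbitrary tokens). The
# path is now limited to the token-creation endpoints the stated intent
# needs. "sudo" is kept on those endpoints because the master mints child
# tokens carrying policies it does not itself hold (e.g. saltstack/minions),
# which Vault only permits with sudo on the create endpoint.
# NOTE(review): if the master is configured to mint tokens through a token
# role, an additional rule for "auth/token/create/<role-name>" is needed --
# confirm against the master's vault configuration before rollout.
data "vault_policy_document" "salt-master" {
  rule {
    path         = "auth/token/create"
    capabilities = ["create", "read", "update", "sudo"]
    description  = "salt-master - mint minion tokens"
  }
  rule {
    path         = "auth/token/create-orphan"
    capabilities = ["create", "read", "update", "sudo"]
    description  = "salt-master - mint orphan minion tokens"
  }
}

resource "vault_policy" "salt-master" {
  name   = "salt-master"
  policy = data.vault_policy_document.salt-master.hcl
}

# restrict salt-minions to only list secrets here - saltstack/minions
# allow all minions access to this shared pillar data.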
# Shared minion policy (published as "saltstack/minions"): minions may list
# everything under "salt/" but may only read the single shared pillar path.
# "list" on a glob and "read" on one exact path is what keeps this to
# discovery plus the one shared secret.
data "vault_policy_document" "minions" {
  rule {
    path         = "salt/*"
    capabilities = ["list"]
    description  = "minions"
  }
  rule {
    path         = "salt/pillar_data"
    capabilities = ["read"]
    description  = "minions"
  }
}

resource "vault_policy" "minions" {
  # The Vault-side name differs from the Terraform label on purpose: it has to
  # match the per-minion policy naming scheme.
  name   = "saltstack/minions"
  policy = data.vault_policy_document.minions.hcl
}

# restrict sensu salt-minion to only list secrets here - saltstack/minions
# Policy must be named: saltstack/minion/sensu.msoc.defpoint.local
# saltstack/minion/
#
# NOTE(review): the comment above says "only list secrets", but the rule
# below grants every capability, including sudo, on "auth/*" -- the same
# root-equivalent grant the salt-master used to carry (token creation with
# arbitrary policies, plus config of every auth method). That does not match
# the stated intent for a single minion; it looks like a copy of the
# salt-master rule. Presumably the sensu host needs something narrower (or
# only the shared saltstack/minions policy) -- confirm what it actually
# reads before tightening, but it should not keep this as is.
data "vault_policy_document" "sensu-minion" {
  rule {
    path         = "auth/*"
    capabilities = ["read", "list", "sudo", "create", "update", "delete"]
    description  = "sensu-minion"
  }
}

resource "vault_policy" "sensu-minion" {
  name   = "saltstack/minion/sensu.msoc.defpoint.local"
  policy = data.vault_policy_document.sensu-minion.hcl
}

# SOC: full control (including sudo) of the "soc*" prefix. A trailing "*"
# also matches any path that merely starts with "soc", not only "soc/...";
# use "soc/*" if only the mount's contents are meant -- TODO confirm.
data "vault_policy_document" "soc" {
  rule {
    path         = "soc*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "soc"
  }
}

resource "vault_policy" "soc" {
  name   = "soc"
  policy = data.vault_policy_document.soc.hcl
}

# read-only: a placeholder policy that grants nothing usable. Vault is
# deny-by-default, so a rule on a path that is never mounted ("/nothing/*")
# leaves the token with no effective access; the policy exists so a token can
# be issued with "a" policy attached without granting anything.
data "vault_policy_document" "read-only" {
  rule {
    path         = "/nothing/*"
    capabilities = ["read", "list"]
    description  = "No permissions"
  }
}

resource "vault_policy" "read-only" {
  name   = "read-only"
  policy = data.vault_policy_document.read-only.hcl
}