xdr-terraform-modules/base/vault-configuration/policies.tf

#----------------------------------------------------------------------------
# Policies
#----------------------------------------------------------------------------

#Admins
data "vault_policy_document" "admins" {
  rule {
    path         = "*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "allow all on permissions"
  }
}

resource "vault_policy" "admins" {
  name   = "admins"
  policy = data.vault_policy_document.admins.hcl
}

#Clu Legacy
data "vault_policy_document" "clu" {
  rule {
    path         = "jenkins*"
    capabilities = ["read","list"]
    description  = "clu read write on jenkins - legacy"
  }
}

resource "vault_policy" "clu" {
  name   = "clu"
  policy = data.vault_policy_document.clu.hcl
}

#This access is for Feed Management/engineers. 
data "vault_policy_document" "engineers" {
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "engineers/Feed Management"
  }
}

resource "vault_policy" "engineers" {
  name   = "engineers"
  policy = data.vault_policy_document.engineers.hcl
}

#This access is for Phantom Admins. 
data "vault_policy_document" "phantom" {
  rule {
    path         = "phantom*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Phantom"
  }
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "onboarding"
  }
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "phantom" {
  name   = "phantom"
  policy = data.vault_policy_document.phantom.hcl
}

#portal
data "vault_policy_document" "portal" {
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "portal" {
  name   = "portal"
  policy = data.vault_policy_document.portal.hcl
}

#salt-master should be able to only create tokens
data "vault_policy_document" "salt-master" {
  rule {
    path         = "auth/*"
    capabilities = ["read", "list", "sudo", "create", "update", "delete"]
    description  = "salt-master"
  }
}

resource "vault_policy" "salt-master" {
  name   = "salt-master"
  policy = data.vault_policy_document.salt-master.hcl
}


#restrict salt-minions to only list secrets here - saltstack/minions
#allow all minions access to this shared pillar data.
data "vault_policy_document" "minions" {
  rule {
    path         = "salt/*"
    capabilities = ["list"]
    description  = "minions"
  }
  rule {
    path         = "salt/pillar_data"
    capabilities = ["read"]
    description  = "minions"
  }
}

resource "vault_policy" "minions" {
  name   = "saltstack/minions"
  policy = data.vault_policy_document.minions.hcl
}


#restrict sensu salt-minion to only list secrets here - saltstack/minions
#Policy must be named: saltstack/minion/sensu.msoc.defpoint.local
# saltstack/minion/<minion-id>
data "vault_policy_document" "sensu-minion" {
  rule {
    path         = "auth/*"
    capabilities = ["read", "list", "sudo", "create", "update", "delete"]
    description  = "sensu-minion"
  }
}

resource "vault_policy" "sensu-minion" {
  name   = "saltstack/minion/sensu.msoc.defpoint.local"
  policy = data.vault_policy_document.sensu-minion.hcl
}

data "vault_policy_document" "soc" {
  rule {
    path         = "soc*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "soc"
  }
}

resource "vault_policy" "soc" {
  name   = "soc"
  policy = data.vault_policy_document.soc.hcl
}


data "vault_policy_document" "read-only" {
  rule {
    path         = "/nothing/*"
    capabilities = ["read", "list"]
    description  = "No permissions"
  }
}

resource "vault_policy" "read-only" {
  name   = "read-only"
  policy = data.vault_policy_document.read-only.hcl
}