AFS
/
xdr-terraform-modules


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110
							#----------------------------------------------------------------------------
# Policies
#----------------------------------------------------------------------------

#Admins
data "vault_policy_document" "admins" {
  rule {
    path         = "*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "allow all on permissions"
  }
}

resource "vault_policy" "admins" {
  name   = "admins"
  policy = data.vault_policy_document.admins.hcl
}

#Clu Legacy
data "vault_policy_document" "clu" {
  rule {
    path         = "jenkins*"
    capabilities = ["read","list"]
    description  = "clu read write on jenkins - legacy"
  }
}

resource "vault_policy" "clu" {
  name   = "clu"
  policy = data.vault_policy_document.clu.hcl
}

#This access is for Feed Management/engineers. 
data "vault_policy_document" "engineers" {
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "engineers/Feed Management"
  }
}

resource "vault_policy" "engineers" {
  name   = "engineers"
  policy = data.vault_policy_document.engineers.hcl
}

#This access is for Phantom Admins. 
data "vault_policy_document" "phantom" {
  rule {
    path         = "phantom*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Phantom"
  }
  rule {
    path         = "onboarding*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "onboarding"
  }
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "phantom" {
  name   = "phantom"
  policy = data.vault_policy_document.phantom.hcl
}

#portal
data "vault_policy_document" "portal" {
  rule {
    path         = "portal*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Portal"
  }
}

resource "vault_policy" "portal" {
  name   = "portal"
  policy = data.vault_policy_document.portal.hcl
}

data "vault_policy_document" "soc" {
  rule {
    path         = "soc*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "soc"
  }
}

resource "vault_policy" "soc" {
  name   = "soc"
  policy = data.vault_policy_document.soc.hcl
}


data "vault_policy_document" "read-only" {
  rule {
    path         = "/nothing/*"
    capabilities = ["read", "list"]
    description  = "No permissions"
  }
}

resource "vault_policy" "read-only" {
  name   = "read-only"
  policy = data.vault_policy_document.read-only.hcl
}