Upgrade to 1.20, refactor Vault block
1 parent
51f4cdf
commit 4a0ce6b
Showing
115 changed files
with
2,088 additions
and
6,266 deletions.
@@ -1,5 +1,6 @@ | ||
distributionBase=GRADLE_USER_HOME | ||
distributionPath=wrapper/dists | ||
distributionUrl=https\://services.gradle.org/distributions/gradle-7.4-bin.zip | ||
distributionUrl=https\://services.gradle.org/distributions/gradle-8.1-bin.zip | ||
networkTimeout=10000 | ||
zipStoreBase=GRADLE_USER_HOME | ||
zipStorePath=wrapper/dists |
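--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,73 @@
+resource "network" "local" {
+subnet = "10.10.0.0/16"
+}
+
+resource "container" "vault" {
+image {
+name = "hashicorp/vault:${variable.vault_version}"
+}
+
+command = [
+"vault",
+"server",
+"-dev",
+"-dev-root-token-id=${variable.vault_root_token}",
+"-dev-listen-address=0.0.0.0:8200",
+"-dev-plugin-dir=/plugins"
+]
+
+port {
+local = 8200
+remote = 8200
+host = 8200
+open_in_browser = ""
+}
+
+privileged = true
+
+# Wait for Vault to start
+health_check {
+timeout = "120s"
+http {
+address = "http://localhost:8200/v1/sys/health"
+success_codes = [200]
+}
+}
+
+environment = {
+VAULT_ADDR = "http://localhost:8200"
+VAULT_TOKEN = variable.vault_root_token
+}
+
+network {
+id = resource.network.local.id
+ip_address = variable.vault_ip_address
+}
+
+volume {
+source = variable.vault_data
+destination = "/data"
+}
+
+volume {
+source = variable.vault_plugin_folder
+destination = "/plugins"
+}
+
+volume {
+source = "../"
+destination = "/output"
+}
+
+volume {
+source = variable.vault_additional_volume.source
+destination = variable.vault_additional_volume.destination
+type = variable.vault_additional_volume.type
+}
+}
+
+resource "remote_exec" "vault_bootstrap" {
+target = resource.container.vault
+script = file("./vault_setup/setup.sh")
+working_directory = "/data"
+}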
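Review bot: `privileged = true` grants the Vault container full host privileges, which a `-dev` server normally does not need (dev mode already runs without mlock), and here it sits next to a fixed root token and a listener on `0.0.0.0:8200` published to the host; if the flag is only there for the plugin directory, a comment saying so would help, otherwise drop it. `open_in_browser = ""` in the port block hard-codes the value even though the variables file in this same commit defines `vault_open_browser` for exactly that purpose, so `open_in_browser = variable.vault_open_browser` looks intended. In the same spirit, `remote_exec.vault_bootstrap` loads `file("./vault_setup/setup.sh")` while `variable.vault_bootstrap_script` is not referenced anywhere in the files shown, and the `name` key of `vault_additional_volume` is never read. The `source = "../"` bind mount exposes the whole parent directory of this config read-write inside that privileged container; narrowing it to the directory output is actually written to limits what a faulty plugin or bootstrap script can touch.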
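--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,48 @@
+variable "vault_version" {
+default = "1.14.1"
+}
+
+variable "vault_root_token" {
+default = "root"
+}
+
+# Should the Vault ui be opened in the browser after run
+variable "vault_open_browser" {
+default = ""
+}
+
+# Optional IP address to add to Vault
+variable "vault_ip_address" {
+default = ""
+}
+
+# Path to a folder that is mounted into the Vault container at path /data
+variable "vault_data" {
+default = data("vault_data")
+}
+
+variable "vault_plugin_folder" {
+default = data("vault_plugins")
+description = "Folder where vault will load custom plugins"
+}
+
+variable "vault_additional_volume" {
+description = "Additional volume to mount to the vault server"
+
+default = {
+name = ""
+source = data("vault_additional_data")
+destination = "/additional_data"
+type = "bind"
+}
+}
+
+# Bootstrap script that is executed after Vault starts
+# can be used to initially configure Vault
+variable "vault_bootstrap_script" {
+default = <<-EOF
+#/bin/sh -e
+vault status
+EOF
+}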
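Review bot: The heredoc in `vault_bootstrap_script` starts with `#/bin/sh -e`, which is missing the `!` and is therefore a plain comment rather than a shebang, so the `-e` never takes effect if the script is run directly; it should read `#!/bin/sh -e`. Within the files shown nothing references this variable (the `remote_exec` resource loads `./vault_setup/setup.sh` instead), so either wire it in or remove it. `vault_root_token` defaults to the literal `root` and `vault_ip_address` to an empty string without any description; adding one on each, e.g. `description = "Dev-mode root token; intended only for local, non-persistent use"`, would document that these are development fixtures and match the style already used on `vault_plugin_folder`.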
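--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,30 @@
+#!/bin/sh
+
+# Enable Vault userpass
+vault auth enable userpass
+
+# Create the example secrets
+vault kv put secret/vault key="myvaultkey"
+vault kv put secret/admin key="myadminkey"
+
+# Create a policy for the user
+cat <<EOF > user.hcl
+path "secret/data/vault" {
+capabilities = ["read"]
+}
+EOF
+
+vault policy write user user.hcl
+
+# Create the admin policy
+cat <<EOF > admin.hcl
+path "secret/data/admin" {
+capabilities = ["read"]
+}
+EOF
+
+vault policy write admin admin.hcl
+
+# Create a user login
+# When running in debug mode the user is not authenticted and is randomly generated every time
+vault write "auth/userpass/users/Player844" password="bd0d6de2-7897-388f-8c0f-71e10002b81c" policies="user,admin"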
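Review bot: The last line creates `Player844` with a fixed password committed to the repository, while the comment directly above it says the password is randomly generated every time; one of the two is wrong, and if random is the intent, generating it at run time, e.g. `password="$(cat /proc/sys/kernel/random/uuid)"`, and writing it somewhere the runner can read it would make the comment true. The script also has no `set -e`, so a failed `vault policy write user user.hcl` or `vault policy write admin admin.hcl` does not stop it and the user is still created referencing policies that may not exist; adding `set -e` after the shebang turns that into a clear failure. `user.hcl` and `admin.hcl` are written into the working directory, which the `remote_exec` in this commit sets to `/data`, the mounted `vault_data` volume, so they end up on the host; writing them under a temp dir or removing them afterwards avoids leaving artifacts. The comment also misspells `authenticated`.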