author | pmikus <pmikus@cisco.com> | 2021-10-29 06:19:46 +0000 |
---|---|---|
committer | pmikus <pmikus@cisco.com> | 2021-10-29 06:19:46 +0000 |
commit | 5747228f8c7c793dcf62a94aeb11fdb96ee7a37e (patch) | |
tree | 73f06cc812604071f6d8517382b0c5ffa027da1b /fdio.infra.terraform/1n_nmd/vault-aws-secret-backend | |
parent | 585b9d8bbf21b0c5a2d2c28809688563007760db (diff) |
feat(Terraform): AWS backend role migration
Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: I8c93eaaa766c48b705a19e38123b69c994669dc0
Diffstat (limited to 'fdio.infra.terraform/1n_nmd/vault-aws-secret-backend')
4 files changed, 78 insertions, 0 deletions
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf
new file mode 100644
index 0000000000..a65c390792
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/main.tf
@@ -0,0 +1,37 @@
+resource "vault_aws_secret_backend" "aws" {
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+ path = "${var.name}-path"
+
+ default_lease_ttl_seconds = "0"
+ max_lease_ttl_seconds = "0"
+}
+
+resource "vault_aws_secret_backend_role" "admin" {
+ backend = vault_aws_secret_backend.aws.path
+ name = "${var.name}-role"
+ credential_type = "iam_user"
+
+ policy_document = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:*", "ec2:*"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+EOF
+}
+
+output "backend" {
+ value = vault_aws_secret_backend.aws.path
+}
+
+output "role" {
+ value = vault_aws_secret_backend_role.admin.name
+}
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf
new file mode 100644
index 0000000000..c084d486a6
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/providers.tf
@@ -0,0 +1,5 @@
+provider "vault" {
+ address = "http://10.30.51.28:8200"
+ skip_tls_verify = true
+ token = var.token
+}
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf
new file mode 100644
index 0000000000..df752980fd
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/variables.tf
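Review bot: The `admin` role's `policy_document` allows `"iam:*", "ec2:*"` on `"Resource": "*"`, so every credential Vault hands out for this role is effectively an account administrator and, with `credential_type = "iam_user"`, a real IAM user that can create further users and keys outliving the Vault lease. If the consumer only needs EC2 plus a few IAM calls, narrow the `Action` list and, where possible, the `Resource` ARNs; if it can work with short-lived STS credentials, `credential_type = "assumed_role"` with `role_arns` (or `federation_token`) yields keys that expire on their own even when lease revocation fails. The mount's `default_lease_ttl_seconds = "0"` / `max_lease_ttl_seconds = "0"` fall back to the Vault system defaults rather than disabling expiry, as far as I know of the provider — a one-line comment saying so, e.g. `# 0 = inherit Vault's system default/max TTL`, would prevent readers assuming the opposite. The root `access_key`/`secret_key` given to the mount are also a good candidate for Vault's root-credential rotation once the mount exists, so the static pair in Terraform's inputs stops being valid.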
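Review bot: The `vault` provider is configured against `address = "http://10.30.51.28:8200"`, so the Vault token from variables.tf and the AWS access/secret keys written into the `aws` mount by main.tf travel to Vault in clear text. `skip_tls_verify = true` has no effect on an `http://` URL and would silently turn off certificate validation if the scheme is later switched to `https://`, so it is a latent footgun rather than a working setting. I would use `address = "https://<vault-host>:8200"` (placeholder) with a `ca_cert_file` for the internal CA and drop `skip_tls_verify`, or at least take the address from a variable so the hard-coded IP is not baked into the module.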
@@ -0,0 +1,23 @@
+variable "aws_access_key" {
+ description = "AWS access key"
+ type = string
+ sensitive = true
+}
+
+variable "aws_secret_key" {
+ description = "AWS secret key"
+ type = string
+ sensitive = true
+}
+
+variable "name" {
+ default = "dynamic-aws-creds-vault-fdio"
+ description = "Vault path"
+ type = string
+}
+
+variable "token" {
+ description = "Vault root token"
+ type = string
+ sensitive = true
+}
diff --git a/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf
new file mode 100644
index 0000000000..ef6f844721
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/vault-aws-secret-backend/versions.tf
@@ -0,0 +1,13 @@
+terraform {
+ backend "consul" {
+ address = "consul.service.consul:8500"
+ scheme = "http"
+ path = "fdio/terraform/1n/nomad"
+ }
+ required_providers {
+ vault = {
+ version = ">=2.22.1"
+ }
+ }
+ required_version = ">= 1.0.3"
+}
|
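Review bot: `variable "token"` is described as `Vault root token`, yet this module only needs to enable one secrets mount and write its config and one role, so a token issued against a policy limited to that mount and its `sys/mounts` entry would bound what a leaked or logged Terraform token can do; the description should at least not prescribe root. `sensitive = true` on `aws_access_key`, `aws_secret_key` and `token` only redacts CLI and plan output — the values still reach Vault and, for the two AWS keys, are stored as resource attributes in Terraform state — so I would extend the descriptions, e.g. `description = "AWS access key (stored in plain text in Terraform state)"`. `variable "name"` is described as `Vault path` but main.tf derives both the mount path (`"${var.name}-path"`) and the role name (`"${var.name}-role"`) from it, so `description = "Prefix for the AWS secrets mount path and role name"` would be more accurate.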
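Review bot: The `consul` state backend uses `scheme = "http"` against `consul.service.consul:8500` with no `access_token`, and the state written to `fdio/terraform/1n/nomad` will hold the AWS access/secret keys from main.tf's `vault_aws_secret_backend` resource in plain text, since `sensitive` variables do not encrypt state. Set `scheme = "https"` and supply a Consul ACL `access_token` (via environment or a variable, not in the file), and confirm the KV path is ACL-restricted; if the Consul cluster is reachable only from the Terraform host, a comment on the `backend` block saying so would explain why plain HTTP is accepted here. The same `path` is the only namespace for this state, so if other modules share it, note that as well.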