author | pmikus <pmikus@cisco.com> | 2021-05-18 13:30:08 +0000 |
---|---|---|
committer | Peter Mikus <pmikus@cisco.com> | 2021-08-09 11:51:31 +0000 |
commit | 73440ab332c51eb11405767d320bc496d9ebdbe7 (patch) | |
tree | 003e06b7ab75c311009516a9872e77fdb00e47a8 /fdio.infra.terraform | |
parent | bbfe9b5ba82a3998687909a833c2646bccbb6aa6 (diff) |
Infra: Vault
Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: Ia6e728f98d20144c3771405b32933a77fe15b19b
Diffstat (limited to 'fdio.infra.terraform')
-rw-r--r-- | fdio.infra.terraform/1n_nmd/aws/main.tf | 37 | ||||
-rw-r--r-- | fdio.infra.terraform/1n_nmd/aws/providers.tf | 14 | ||||
-rw-r--r-- | fdio.infra.terraform/1n_nmd/aws/variables.tf | 9 | ||||
-rw-r--r-- | fdio.infra.terraform/2n_aws_c5n/deploy/main.tf | 7 | ||||
-rw-r--r-- | fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf | 11 | ||||
-rw-r--r-- | fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf | 4 | ||||
-rw-r--r-- | fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf | 23 | ||||
-rw-r--r-- | fdio.infra.terraform/2n_aws_c5n/variables.tf | 4 | ||||
-rw-r--r-- | fdio.infra.terraform/3n_aws_c5n/deploy/main.tf | 5 | ||||
-rw-r--r-- | fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf | 11 | ||||
-rw-r--r-- | fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf | 4 | ||||
-rw-r--r-- | fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf | 23 |
12 files changed, 127 insertions, 25 deletions
diff --git a/fdio.infra.terraform/1n_nmd/aws/main.tf b/fdio.infra.terraform/1n_nmd/aws/main.tf
new file mode 100644
index 0000000000..6768203441
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/main.tf
@@ -0,0 +1,37 @@
+resource "vault_aws_secret_backend" "aws" {
+ access_key = var.aws_access_key
+ secret_key = var.aws_secret_key
+ path = "${var.name}-path"
+
+ default_lease_ttl_seconds = "120"
+ max_lease_ttl_seconds = "240"
+}
+
+resource "vault_aws_secret_backend_role" "admin" {
+ backend = vault_aws_secret_backend.aws.path
+ name = "${var.name}-role"
+ credential_type = "iam_user"
+
+ policy_document = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:*", "ec2:*"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
+EOF
+}
+
+output "backend" {
+ value = vault_aws_secret_backend.aws.path
+}
+
+output "role" {
+ value = vault_aws_secret_backend_role.admin.name
+}
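Review bot: The role's policy grants `iam:*` and `ec2:*` on `"Resource": "*"` to every credential Vault issues, and because `credential_type = "iam_user"` each read creates a real IAM user carrying that policy, so a leased credential can mint further IAM users or access keys that outlive its 120–240 s lease. The deploy modules consuming this role appear to manage only VPC/EC2 resources, so the action list should be narrowed to the EC2 calls they actually make and `iam:*` dropped, ideally with `credential_type = "assumed_role"` plus a `role_arns` entry so the issued STS credentials expire on their own. The `-path`/`-role` suffixes derived from `var.name` are a naming contract the deploy modules must replicate; a one-line comment on the `backend` and `role` outputs saying that they are the values the consumers should wire in would make that explicit.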
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/aws/providers.tf b/fdio.infra.terraform/1n_nmd/aws/providers.tf
new file mode 100644
index 0000000000..49922fd78f
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/providers.tf
@@ -0,0 +1,14 @@
+terraform {
+ required_providers {
+ vault = {
+ version = ">=2.22.1"
+ }
+ }
+ required_version = ">= 1.0.3"
+}
+
+provider "vault" {
+ address = "http://10.30.51.28:8200"
+ skip_tls_verify = true
+ token = "s.4z5PsufFwV3sHbCzK9Y2Cojd"
+}
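Review bot: A live Vault token (`token = "s.4z5PsufFwV3sHbCzK9Y2Cojd"`) and the server address are hard-coded in the `provider "vault"` block, so the token is now in git history and in every clone; the identical block is added in 2n_aws_c5n/deploy/providers.tf and 3n_aws_c5n/deploy/providers.tf. Drop the `token` and `address` arguments and let the provider read `VAULT_ADDR`/`VAULT_TOKEN` from the environment (or a CI secret store), and treat the committed token as disclosed and revoke it. The endpoint is plain `http://`, so the token and the AWS keys the backend hands out travel in clear text; `skip_tls_verify = true` has no effect over http but will silently disable certificate checking the moment the address is switched to https, so it should be removed as well.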
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/aws/variables.tf b/fdio.infra.terraform/1n_nmd/aws/variables.tf
new file mode 100644
index 0000000000..11c3535266
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/variables.tf
@@ -0,0 +1,9 @@
+variable "aws_access_key" {
+}
+
+variable "aws_secret_key" {
+}
+
+variable "name" {
+ default = "dynamic-aws-creds-vault-admin"
+}
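Review bot: `aws_access_key` and `aws_secret_key` are declared with no `type`, no `description` and no `sensitive = true`, so the long-lived root keys that seed the Vault backend will be printed in plan output and in any error that echoes variable values. Marking both as `sensitive = true` with `type = string` and a one-line description (e.g. "Long-lived AWS key used by Vault to mint short-lived credentials; supply via TF_VAR_*, never commit") documents their role and keeps them out of plan/apply logs. `name` would likewise benefit from a description stating that its value, with the `-path` and `-role` suffixes, must match what the deploy modules pass as `vault-name`.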
\ No newline at end of file diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf index b9d6f188bb..95464fa177 100644 --- a/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf +++ b/fdio.infra.terraform/2n_aws_c5n/deploy/main.tf @@ -1,11 +1,12 @@ -provider "aws" { - region = var.region +data "vault_aws_access_credentials" "creds" { + backend = "${var.vault-name}-path" + role = "${var.vault-name}-role" } resource "aws_vpc" "CSITVPC" { cidr_block = var.vpc_cidr_mgmt - tags = { + tags = { "Name" = "${var.resources_name_prefix}_${var.testbed_name}-vpc" "Environment" = var.environment_name } diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf new file mode 100644 index 0000000000..a74ebb2455 --- /dev/null +++ b/fdio.infra.terraform/2n_aws_c5n/deploy/providers.tf @@ -0,0 +1,11 @@ +provider "aws" { + region = var.region + access_key = data.vault_aws_access_credentials.creds.access_key + secret_key = data.vault_aws_access_credentials.creds.secret_key +} + +provider "vault" { + address = "http://10.30.51.28:8200" + skip_tls_verify = true + token = "s.4z5PsufFwV3sHbCzK9Y2Cojd" +}
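Review bot: The `data "vault_aws_access_credentials" "creds"` block rebuilds the backend and role names from `var.vault-name` plus the `-path`/`-role` suffixes that 1n_nmd/aws/main.tf happens to use, so the two modules only agree by convention; the 1n module already exports `backend` and `role` outputs, and passing those values in (or two explicit variables for backend and role) would make the dependency visible instead of implicit. The backend is also created with `max_lease_ttl_seconds = "240"`, so the keys read here are valid for at most four minutes; an apply that creates the VPC and the instances that follow may well run longer than that and fail part-way with expired credentials, which is worth confirming against a full apply and, if so, raising the TTL or moving to STS-based credentials. The same data source is added in 3n_aws_c5n/deploy/main.tf, and the `aws_vpc` resource continues outside the hunk.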
\ No newline at end of file diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf index ca974709cd..429c5040de 100644 --- a/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf +++ b/fdio.infra.terraform/2n_aws_c5n/deploy/variables.tf @@ -3,6 +3,10 @@ variable "region" { type = string } +variable "vault-name" { + default = "dynamic-aws-creds-vault-admin" +} + variable "ami_image" { description = "AWS AMI image name" type = string diff --git a/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf b/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf index 8017bb9dc3..05fa5502b5 100644 --- a/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf +++ b/fdio.infra.terraform/2n_aws_c5n/deploy/versions.tf @@ -1,17 +1,20 @@ terraform { required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 3.32.0" + aws = { + source = "hashicorp/aws" + version = "~> 3.32.0" } - null = { - source = "hashicorp/null" - version = "~> 3.0.0" + null = { + source = "hashicorp/null" + version = "~> 3.0.0" } - tls = { - source = "hashicorp/tls" - version = "~> 3.0.0" + tls = { + source = "hashicorp/tls" + version = "~> 3.0.0" + } + vault = { + version = ">=2.22.1" } } - required_version = ">= 0.13" + required_version = ">= 1.0.3" } diff --git a/fdio.infra.terraform/2n_aws_c5n/variables.tf b/fdio.infra.terraform/2n_aws_c5n/variables.tf index c5c74f6d13..43a2df335a 100644 --- a/fdio.infra.terraform/2n_aws_c5n/variables.tf +++ b/fdio.infra.terraform/2n_aws_c5n/variables.tf @@ -4,6 +4,10 @@ variable "region" { default = "eu-central-1" } +variable "vault-name" { + default = "dynamic-aws-creds-vault-admin" +} + variable "avail_zone" { description = "AWS availability zone" type = string diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf index d8968bf5fe..3ca8758678 100644 --- a/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf 
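Review bot: `variable "vault-name"` uses a hyphen, which Terraform accepts but which breaks with every other variable in these files (`region`, `ami_image`, `vpc_cidr_mgmt`, `resources_name_prefix`) and makes `var.vault-name` read like a subtraction at a glance; `variable "vault_name"` with `var.vault_name` in deploy/main.tf keeps the convention. The same block is added in 2n_aws_c5n/variables.tf and 3n_aws_c5n/deploy/variables.tf. Adding `type = string` and a `description` saying the value must match `var.name` of the 1n_nmd/aws module would bring it in line with the neighbouring `region` and `ami_image` declarations.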
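Review bot: The new `vault` entry in `required_providers` has no `source` and uses an open-ended `>=2.22.1` constraint, while the sibling `aws`, `null` and `tls` entries all pin `source = "hashicorp/..."` with a `~>` range; an unbounded lower bound will pull in any future major release of the provider on the next `terraform init`, so `source = "hashicorp/vault"` and `version = "~> 2.22"` (with the dependency lock file committed alongside) would keep the provider set reproducible. The identical block is added in 3n_aws_c5n/deploy/versions.tf, and 1n_nmd/aws/providers.tf declares the provider the same way. The rest of this hunk is re-indentation and the `required_version` bump, which need no change.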
+++ b/fdio.infra.terraform/3n_aws_c5n/deploy/main.tf @@ -1,5 +1,6 @@ -provider "aws" { - region = var.region +data "vault_aws_access_credentials" "creds" { + backend = "${var.vault-name}-path" + role = "${var.vault-name}-role" } resource "aws_vpc" "CSITVPC" { diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf new file mode 100644 index 0000000000..a74ebb2455 --- /dev/null +++ b/fdio.infra.terraform/3n_aws_c5n/deploy/providers.tf @@ -0,0 +1,11 @@ +provider "aws" { + region = var.region + access_key = data.vault_aws_access_credentials.creds.access_key + secret_key = data.vault_aws_access_credentials.creds.secret_key +} + +provider "vault" { + address = "http://10.30.51.28:8200" + skip_tls_verify = true + token = "s.4z5PsufFwV3sHbCzK9Y2Cojd" +}
\ No newline at end of file diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf index 5dbc481938..97e986bb2f 100644 --- a/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf +++ b/fdio.infra.terraform/3n_aws_c5n/deploy/variables.tf @@ -3,6 +3,10 @@ variable "region" { type = string } +variable "vault-name" { + default = "dynamic-aws-creds-vault-admin" +} + variable "ami_image" { description = "AWS AMI image name" type = string diff --git a/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf b/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf index 8017bb9dc3..05fa5502b5 100644 --- a/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf +++ b/fdio.infra.terraform/3n_aws_c5n/deploy/versions.tf @@ -1,17 +1,20 @@ terraform { required_providers { - aws = { - source = "hashicorp/aws" - version = "~> 3.32.0" + aws = { + source = "hashicorp/aws" + version = "~> 3.32.0" } - null = { - source = "hashicorp/null" - version = "~> 3.0.0" + null = { + source = "hashicorp/null" + version = "~> 3.0.0" } - tls = { - source = "hashicorp/tls" - version = "~> 3.0.0" + tls = { + source = "hashicorp/tls" + version = "~> 3.0.0" + } + vault = { + version = ">=2.22.1" } } - required_version = ">= 0.13" + required_version = ">= 1.0.3" } |