From 73440ab332c51eb11405767d320bc496d9ebdbe7 Mon Sep 17 00:00:00 2001
From: pmikus <pmikus@cisco.com>
Date: Tue, 18 May 2021 13:30:08 +0000
Subject: Infra: Vault

Signed-off-by: pmikus <pmikus@cisco.com>
Change-Id: Ia6e728f98d20144c3771405b32933a77fe15b19b
---
 fdio.infra.terraform/1n_nmd/aws/main.tf      | 37 ++++++++++++++++++++++++++++
 fdio.infra.terraform/1n_nmd/aws/providers.tf | 14 +++++++++++
 fdio.infra.terraform/1n_nmd/aws/variables.tf |  9 +++++++
 3 files changed, 60 insertions(+)
 create mode 100644 fdio.infra.terraform/1n_nmd/aws/main.tf
 create mode 100644 fdio.infra.terraform/1n_nmd/aws/providers.tf
 create mode 100644 fdio.infra.terraform/1n_nmd/aws/variables.tf

(limited to 'fdio.infra.terraform/1n_nmd')

diff --git a/fdio.infra.terraform/1n_nmd/aws/main.tf b/fdio.infra.terraform/1n_nmd/aws/main.tf
new file mode 100644
index 0000000000..6768203441
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/main.tf
@@ -0,0 +1,37 @@
+resource "vault_aws_secret_backend" "aws" {
+  access_key                = var.aws_access_key
+  secret_key                = var.aws_secret_key
+  path                      = "${var.name}-path"
+
+  default_lease_ttl_seconds = "120"
+  max_lease_ttl_seconds     = "240"
+}
+
+resource "vault_aws_secret_backend_role" "admin" {
+  backend                   = vault_aws_secret_backend.aws.path
+  name                      = "${var.name}-role"
+  credential_type           = "iam_user"
+
+  policy_document           = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "iam:*", "ec2:*"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+EOF
+}
+
+output "backend" {
+  value                     = vault_aws_secret_backend.aws.path
+}
+
+output "role" {
+  value                     = vault_aws_secret_backend_role.admin.name
+}
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/aws/providers.tf b/fdio.infra.terraform/1n_nmd/aws/providers.tf
new file mode 100644
index 0000000000..49922fd78f
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/providers.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    vault           = {
+      version       = ">=2.22.1"
+    }
+  }
+  required_version = ">= 1.0.3"
+}
+
+provider "vault" {
+  address         = "http://10.30.51.28:8200"
+  skip_tls_verify = true
+  token           = "s.4z5PsufFwV3sHbCzK9Y2Cojd"
+}
\ No newline at end of file
diff --git a/fdio.infra.terraform/1n_nmd/aws/variables.tf b/fdio.infra.terraform/1n_nmd/aws/variables.tf
new file mode 100644
index 0000000000..11c3535266
--- /dev/null
+++ b/fdio.infra.terraform/1n_nmd/aws/variables.tf
@@ -0,0 +1,9 @@
+variable "aws_access_key" {
+}
+
+variable "aws_secret_key" {
+}
+
+variable "name" {
+    default = "dynamic-aws-creds-vault-admin"
+}
\ No newline at end of file
-- 
cgit 1.2.3-korg