Feat/adding vault init (#80)
* MAJOR: migrating to vault-init-controller. Vault access token needs to be migrated to s3 bucket.
* feat: adding vault-init-controller to auto init and auto-unseal vault upon any crashes.
venkatamutyala authored Aug 19, 2023
1 parent 22f31d6 commit b30529c
Showing 7 changed files with 75 additions and 12 deletions.
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -48,7 +48,7 @@ No requirements.
| <a name="module_captain_repository_files"></a> [captain\_repository\_files](#module\_captain\_repository\_files) | ./modules/github-captain-repository-files/0.1.0 | n/a |
| <a name="module_common_s3"></a> [common\_s3](#module\_common\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
| <a name="module_dnssec_key"></a> [dnssec\_key](#module\_dnssec\_key) | git::https://github.com/GlueOps/terraform-module-cloud-aws-dnssec-kms-key.git | v0.1.0 |
| <a name="module_glueops_platform_helm_values"></a> [glueops\_platform\_helm\_values](#module\_glueops\_platform\_helm\_values) | git::https://github.com/GlueOps/platform-helm-chart-platform.git | v0.28.1 |
| <a name="module_glueops_platform_helm_values"></a> [glueops\_platform\_helm\_values](#module\_glueops\_platform\_helm\_values) | git::https://github.com/GlueOps/platform-helm-chart-platform.git | v0.29.0 |
| <a name="module_loki_s3"></a> [loki\_s3](#module\_loki\_s3) | ./modules/multy-s3-bucket/0.1.0 | n/a |
| <a name="module_opsgenie_teams"></a> [opsgenie\_teams](#module\_opsgenie\_teams) | ./modules/opsgenie/0.1.0 | n/a |
| <a name="module_tenant_readmes"></a> [tenant\_readmes](#module\_tenant\_readmes) | ./modules/tenant-readme/0.1.0 | n/a |
Expand All @@ -61,20 +61,24 @@ No requirements.
| [aws_iam_access_key.externaldns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.loki_log_exporter_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.loki_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.vault_init_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_access_key.vault_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key) | resource |
| [aws_iam_policy.loki_logs_exporter_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.loki_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.route53](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vault_init_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_policy.vault_s3_backup](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
| [aws_iam_user.certmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.externaldns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.loki_log_exporter_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.loki_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.vault_init_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user.vault_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user) | resource |
| [aws_iam_user_policy_attachment.certmanager](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.externaldns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.loki_log_exporter_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.loki_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.vault_init_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_iam_user_policy_attachment.vault_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy_attachment) | resource |
| [aws_route53_hosted_zone_dnssec.cluster_zones](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_hosted_zone_dnssec) | resource |
| [aws_route53_hosted_zone_dnssec.parent_tenant_zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_hosted_zone_dnssec) | resource |
16 changes: 9 additions & 7 deletions captain-repo.tf
Expand Up @@ -18,6 +18,8 @@ module "captain_repository" {

}



module "captain_repository_files" {
for_each = local.environment_map
source = "./modules/github-captain-repository-files/0.1.0"
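Review bot: the two blank lines added after the closing brace of `module "captain_repository"` are the only change in this hunk; drop them so the file stays `terraform fmt` clean and the diff carries no whitespace-only noise.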
Expand All @@ -27,7 +29,6 @@ module "captain_repository_files" {
"platform.yaml" = module.glueops_platform_helm_values[each.value.environment_name].helm_values
"README.md" = module.tenant_readmes[each.value.environment_name].tenant_readme
"terraform/kubernetes/provider_versions.tf" = local.provider_versions_tf_file
"terraform/vault/initialization/provider_versions.tf" = local.provider_versions_tf_file
"terraform/vault/configuration/provider_versions.tf" = local.provider_versions_tf_file

".gitignore" = <<EOT
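Review bot: removing `terraform/vault/initialization/provider_versions.tf` from the managed files map will make the captain-repository-files module delete that file from every tenant captain repo on the next apply, while the tenant's existing Terraform state for the old `initialize_vault_cluster` module is left behind. The commit message says the Vault access token "needs to be migrated to s3 bucket", but nothing in this change records how; add a short migration note (README or tenant readme) so operators know to move the token to `hashicorp-vault-init/vault_access.json` before the old files disappear.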
Expand All @@ -36,20 +37,21 @@ module "captain_repository_files" {
.terraform.lock.hcl
EOT
"terraform/vault/initialization/main.tf" = <<EOT
module "initialize_vault_cluster" {
source = "git::https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-initialization.git?ref=v0.4.0"
}

EOT
"terraform/vault/configuration/main.tf" = <<EOT
module "configure_vault_cluster" {
source = "git::https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-configuration.git?ref=v0.5.1"
source = "git::https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-configuration.git?ref=v0.6.0"
oidc_client_secret = "${random_password.dex_vault_client_secret[each.key].result}"
captain_domain = "${each.value.environment_name}.${aws_route53_zone.main.name}"
org_team_policy_mappings = [
${join(",\n ", [for mapping in each.value.vault_github_org_team_policy_mappings : "{ oidc_groups = ${jsonencode(mapping.oidc_groups)}, policy_name = \"${mapping.policy_name}\" }"])}
]
aws_region = "${var.primary_region}"
aws_s3_bucket_name = "${module.common_s3.primary_s3_bucket_id}"
aws_s3_key_vault_secret_file = "${aws_route53_zone.clusters[each.key].name}/${local.vault_access_tokens_s3_key}"
aws_access_key = "${aws_iam_access_key.vault_init_s3[each.value.environment_name].id}"
aws_secret_key = "${aws_iam_access_key.vault_init_s3[each.value.environment_name].secret}"
}
EOT
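Review bot: the new `aws_access_key` and `aws_secret_key` lines interpolate a long-lived IAM access key id and its secret straight into `terraform/vault/configuration/main.tf`, which this module then commits to each tenant's captain repository, so the secret lives in plaintext in git history and in every clone. Prefer to let the module pick the credentials up from the environment (`AWS_ACCESS_KEY_ID` / `AWS_SECRET_ACCESS_KEY`, or a marked-sensitive variable) and keep only the non-secret `aws_region`, `aws_s3_bucket_name` and `aws_s3_key_vault_secret_file` in the committed file; if the secret has to be written, at least confirm the captain repos are private and covered by secret scanning, and plan a key rotation. Smaller point: the hunk indexes `aws_route53_zone.clusters[each.key]` on one line and `aws_iam_access_key.vault_init_s3[each.value.environment_name]` two lines later; assuming those keys coincide (as the mixed use implies), pick one form for readability.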
8 changes: 7 additions & 1 deletion generate-helm-values.tf
Expand Up @@ -34,10 +34,13 @@ resource "random_password" "grafana_admin_secret" {
special = local.random_password_special_characters
}

locals {
vault_access_tokens_s3_key= "hashicorp-vault-init/vault_access.json"
}

module "glueops_platform_helm_values" {
for_each = local.environment_map
source = "git::https://github.com/GlueOps/platform-helm-chart-platform.git?ref=v0.28.1"
source = "git::https://github.com/GlueOps/platform-helm-chart-platform.git?ref=v0.29.0"
captain_repo_b64encoded_private_deploy_key = base64encode(module.captain_repository[each.value.environment_name].private_deploy_key)
captain_repo_ssh_clone_url = module.captain_repository[each.value.environment_name].ssh_clone_url
this_is_development = var.this_is_development
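Review bot: `vault_access_tokens_s3_key= "hashicorp-vault-init/vault_access.json"` is missing the space before `=`; run `terraform fmt`. Since this local is consumed both here and in captain-repo.tf, a one-line comment saying the value must match the prefix hard-coded in iam-policy-vault-init-s3.tf (`hashicorp-vault-init/*`) would save the next person from changing one and not the other.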
Expand Down Expand Up @@ -69,6 +72,9 @@ module "glueops_platform_helm_values" {
github_tenant_app_installation_id = each.value.github_tenant_app_installation_id
github_tenant_app_b64enc_private_key = each.value.github_tenant_app_b64enc_private_key
host_network_enabled = each.value.host_network_enabled
vault_init_controller_s3_key = "${aws_route53_zone.clusters[each.value.environment_name].name}/${local.vault_access_tokens_s3_key}"
vault_init_controller_aws_access_key = aws_iam_access_key.vault_init_s3[each.value.environment_name].id
vault_init_controller_aws_access_secret = aws_iam_access_key.vault_init_s3[each.value.environment_name].secret
}

resource "aws_s3_object" "platform_helm_values" {
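Review bot: `vault_init_controller_aws_access_secret` puts the IAM secret key into the rendered platform helm values, which the trailing context shows are then stored with `aws_s3_object.platform_helm_values`; the same secret will also sit in Terraform state. Check that the bucket enforces server-side encryption and that read access to the helm-values object is as tight as access to the Vault token file it now unlocks, and consider replacing the static IAM user key with an IAM role assumed by the controller's service account (IRSA) so no long-lived secret needs to be shipped at all.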
34 changes: 34 additions & 0 deletions iam-policy-vault-init-s3.tf
@@ -0,0 +1,34 @@
resource "aws_iam_policy" "vault_init_s3" {
provider = aws.clientaccount
for_each = aws_route53_zone.clusters
name = "vault-init-s3-${aws_route53_zone.clusters[each.key].name}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject*",
"s3:List*"
],
"Resource": [
"${module.common_s3.primary_s3_bucket_arn}/${aws_route53_zone.clusters[each.key].name}/hashicorp-vault-init/*",
"${module.common_s3.replica_s3_bucket_arn}/${aws_route53_zone.clusters[each.key].name}/hashicorp-vault-init/*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"${module.common_s3.primary_s3_bucket_arn}",
"${module.common_s3.replica_s3_bucket_arn}"
]
}
]
}
EOF
}
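Review bot: the second statement grants `s3:ListBucket` on the whole primary and replica bucket ARNs with no condition, so this user can enumerate every cluster's `hashicorp-vault-init/` prefix (and anything else in the shared bucket) even though it can only read its own objects. Add a `Condition` with `"StringLike": {"s3:prefix": ["${aws_route53_zone.clusters[each.key].name}/hashicorp-vault-init/*"]}` to scope the listing to this cluster's prefix. In the first statement `s3:List*` is a no-op against object-level resources and only widens the action list; `s3:GetObject*` can likewise be narrowed to `s3:GetObject` unless versioned reads are actually needed. Since the object holds Vault's access tokens, it is also worth confirming that writes to the replica bucket are really required by the controller rather than left to bucket replication.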
18 changes: 18 additions & 0 deletions iam-user-vault-init.tf
@@ -0,0 +1,18 @@
resource "aws_iam_user" "vault_init_s3" {
provider = aws.clientaccount
for_each = aws_route53_zone.clusters
name = "vault-init-s3-${aws_route53_zone.clusters[each.key].name}"
}

resource "aws_iam_user_policy_attachment" "vault_init_s3" {
provider = aws.clientaccount
for_each = aws_iam_user.vault_init_s3
user = each.value.name
policy_arn = aws_iam_policy.vault_init_s3[each.key].arn
}

resource "aws_iam_access_key" "vault_init_s3" {
for_each = aws_iam_user.vault_init_s3
provider = aws.clientaccount
user = each.value.name
}
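Review bot: `aws_iam_access_key.vault_init_s3` creates a static, non-expiring access key per cluster whose secret is persisted in Terraform state and then propagated to at least two other places by this commit; if the state backend is shared, anyone who can read it can read the Vault token file. At minimum document a rotation procedure (taint and re-apply the key resource), and longer term prefer a role the controller can assume instead of an IAM user. Style: the `provider` and `for_each` arguments are in the opposite order here from the two resources above; keep them consistent.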
4 changes: 2 additions & 2 deletions modules/tenant-readme/0.1.0/readme.tf
Expand Up @@ -39,10 +39,10 @@ data "local_file" "readme" {
}

locals {
codespace_version = "v0.28.0"
codespace_version = "v0.28.1"
argocd_crd_version = var.argocd_app_version
argocd_helm_chart_version = "5.42.2"
glueops_platform_version = "0.28.1" # this also needs to be updated in the module.glueops_platform_helm_values // generate-helm-values.tf
glueops_platform_version = "0.29.0" # this also needs to be updated in the module.glueops_platform_helm_values // generate-helm-values.tf
tools_version = "v0.4.0"
}
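Review bot: `glueops_platform_version` is bumped to `"0.29.0"` and the comment still reminds the reader to update `module.glueops_platform_helm_values` by hand; this commit does keep the two in sync, but that is exactly the kind of pairing that drifts. Consider exposing the version once (a root local or variable) and referencing it from both generate-helm-values.tf and this module so the comment can go away.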

1 change: 0 additions & 1 deletion modules/tenant-readme/0.1.0/tenant-readme.md.tpl
Expand Up @@ -109,7 +109,6 @@ gh repo clone placeholder_github_owner/placeholder_repo_name
deploy-glueops-platform -v placeholder_glueops_platform_version
```

* [Initialize Vault](https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-initialization)
* [Configure Vault](https://github.com/GlueOps/terraform-module-kubernetes-hashicorp-vault-configuration)
3. Access Cluster services
* [ArgoCD](https://argocd.placeholder_repo_name): https://argocd.placeholder_repo_name
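Review bot: dropping the "Initialize Vault" bullet leaves the tenant README jumping from deploying the platform straight to "Configure Vault" with no mention that initialization and unsealing are now done automatically by the vault-init-controller, or that the tokens end up in the S3 bucket. Add a sentence to that effect (and where operators can retrieve the token file) so the generated docs match the new flow.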