dotfiles/terraform/upload-approles/main.tf

variable "policies" {
  type = list(string)
}

variable "hostname" {
  type = string
}

variable "host" {
  type = string
}

variable "user" {
  type = string
}

variable "metadata" {
  type = any
}

variable "vault_auth_approle" {
  type = any
}

resource "vault_approle_auth_backend_role" "system" {
  backend        = var.vault_auth_approle.path
  role_name      = var.hostname
  token_policies = var.policies
}

data "vault_approle_auth_backend_role_id" "system" {
  backend   = var.vault_auth_approle.path
  role_name = vault_approle_auth_backend_role.system.role_name
}

resource "vault_approle_auth_backend_role_secret_id" "system" {
  backend   = var.vault_auth_approle.path
  role_name = vault_approle_auth_backend_role.system.role_name

  metadata = jsonencode(var.metadata)
}

resource "null_resource" "approles" {
  triggers = {
    secret_id = vault_approle_auth_backend_role_secret_id.system.secret_id
    role_id = data.vault_approle_auth_backend_role_id.system.role_id
  }

  connection {
    host = var.host
    user = var.user
  }

  provisioner "remote-exec" {
    inline = [
      "#!/usr/bin/env bash",
      "echo \"${vault_approle_auth_backend_role_secret_id.system.secret_id}\" > /var/secrets/approle.secretid",
      "echo \"${data.vault_approle_auth_backend_role_id.system.role_id}\" > /var/secrets/approle.roleid"
    ]
  }
}
Large rework and cleanup Signed-off-by: main <magic_rb@redalder.org> 2022-07-31 11:03:59 +02:00			`variable "policies" {`
			`type = list(string)`
			`}`

			`variable "hostname" {`
			`type = string`
			`}`

			`variable "host" {`
			`type = string`
			`}`

			`variable "user" {`
			`type = string`
			`}`

			`variable "metadata" {`
			`type = any`
			`}`

			`variable "vault_auth_approle" {`
			`type = any`
			`}`

			`resource "vault_approle_auth_backend_role" "system" {`
			`backend = var.vault_auth_approle.path`
			`role_name = var.hostname`
			`token_policies = var.policies`
			`}`

			`data "vault_approle_auth_backend_role_id" "system" {`
			`backend = var.vault_auth_approle.path`
			`role_name = vault_approle_auth_backend_role.system.role_name`
			`}`

			`resource "vault_approle_auth_backend_role_secret_id" "system" {`
			`backend = var.vault_auth_approle.path`
			`role_name = vault_approle_auth_backend_role.system.role_name`

			`metadata = jsonencode(var.metadata)`
			`}`

			`resource "null_resource" "approles" {`
			`triggers = {`
			`secret_id = vault_approle_auth_backend_role_secret_id.system.secret_id`
			`role_id = data.vault_approle_auth_backend_role_id.system.role_id`
			`}`

			`connection {`
			`host = var.host`
			`user = var.user`
			`}`

			`provisioner "remote-exec" {`
			`inline = [`
			`"#!/usr/bin/env bash",`
			`"echo \"${vault_approle_auth_backend_role_secret_id.system.secret_id}\" > /var/secrets/approle.secretid",`
			`"echo \"${data.vault_approle_auth_backend_role_id.system.role_id}\" > /var/secrets/approle.roleid"`
			`]`
			`}`
			`}`