dotfiles/terranix/modules/push_approles.nix
magic_rb 935575707f
Desensitivize pushApproles provisioner
Signed-off-by: magic_rb <richard@brezak.sk>
2023-10-07 22:30:39 +02:00

109 lines
2.8 KiB
Nix

{ config, pkgs, lib, tflib, ... }:
let
cfg = config.prefab.pushApproles;
inherit (lib)
mkOption
mdDoc
types
mapAttrsToList
mkMerge
flip
;
inherit (tflib)
tf
;
metadataType = pkgs.formats.json {};
submoduleOptions = {
policies = mkOption {
description = mdDoc ''
Vault policies added to the approle generated.
'';
type = with types; listOf str;
default = [];
};
host = mkOption {
description = mdDoc ''
The address of the machine, either IP address, domain name or any other identificator accepted by `ssh`.
'';
type = types.str;
};
user = mkOption {
description = mdDoc ''
The user to connect as.
'';
type = types.str;
};
metadata = mkOption {
description = mdDoc ''
'';
type = metadataType.type;
default = {};
};
approlePath = mkOption {
description = mdDoc ''
'';
type = types.str;
};
};
in
{
options.prefab.pushApproles = mkOption {
description = ''
'';
type = with types; attrsOf (submodule { options = submoduleOptions; });
default = {};
};
config.resource = mkMerge
(flip mapAttrsToList cfg (hostname: value:
{
"vault_approle_auth_backend_role"."system-${hostname}" = {
backend = value.approlePath;
role_name = hostname;
token_policies = value.policies;
};
"vault_approle_auth_backend_role_secret_id"."system-${hostname}" = {
backend = value.approlePath;
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
metadata = builtins.toJSON value.metadata;
};
"null_resource"."approles-${hostname}" = {
triggers = {
secret_id = tf "vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id";
role_id = tf "data.vault_approle_auth_backend_role_id.system-${hostname}.role_id";
};
connection = {
inherit (value)
host
user;
};
provisioner = {
"remote-exec" = {
inline = [
"echo \${nonsensitive(vault_approle_auth_backend_role_secret_id.system-${hostname}.secret_id)} > /var/secrets/approle.secretid"
"echo \${data.vault_approle_auth_backend_role_id.system-${hostname}.role_id} > /var/secrets/approle.roleid"
];
};
};
};
}));
config.data = mkMerge
(flip mapAttrsToList cfg (hostname: value:
{
"vault_approle_auth_backend_role_id"."system-${hostname}" = {
backend = value.approlePath;
role_name = tf "vault_approle_auth_backend_role.system-${hostname}.role_name";
};
}));
}