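# Vault server configuration (rendered by Ansible).
#
# Single-node deployment: the "file" storage backend keeps the (encrypted)
# barrier data under /opt/vault/data on this host and does not support HA.
ui = true

storage "file" {
  path = "/opt/vault/data"
}

# Listener. TLS is disabled, so every request on this socket — including the
# root/unseal tokens and every secret a client reads — crosses it in cleartext.
# That is only acceptable when the socket cannot be reached from other hosts,
# so the listener is bound to loopback, matching api_addr below. (The OIDC
# redirect URIs in the reference section point at https://{{ pki_domain }},
# which suggests a TLS-terminating reverse proxy on this host fronts the port.)
# If clients on other hosts must talk to Vault directly, do NOT widen the bind
# address back to 0.0.0.0 with tls_disable = 1; set tls_disable = 0 and add
# tls_cert_file / tls_key_file instead.
listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

# Address this node advertises to clients; consistent with the loopback
# listener above.
api_addr = "http://127.0.0.1:8200"

# Terraform OIDC config for reference
#
# NOTE(review): everything below is commented out and is not applied by this
# file. It is kept as a worked example of wiring Keycloak -> Vault via the
# jwt/oidc auth method. Review notes are marked NOTE(review).
#
# NOTE(review): the first fragment is a Vault policy snippet (HCL policy
# syntax), not a Terraform resource; it duplicates reader_policy further down.
#path "/secret/*" {
#  capabilities = ["read", "list"]
#}
#
#resource "vault_identity_oidc_key" "keycloak_provider_key" {
#  name      = "keycloak"
#  algorithm = "RS256"
#}
#
#resource "vault_jwt_auth_backend" "keycloak" {
#  path          = "oidc"
#  type          = "oidc"
#  # NOTE(review): default_role must be the NAME of a jwt auth role on this
#  # mount (the role below is "pki"); confirm this variable resolves to a role
#  # name and not to a Keycloak group list.
#  default_role  = "{{ keycloak_clients['pki']['groups'] }}"
#
#  oidc_discovery_url="https://{{ keycloak_address }}/realms/master"
#  oidc_client_id="{{ keycloak_clients['pki']['client_id'] }}"
#  # NOTE(review): the client secret is rendered into the plan/state; keep the
#  # state backend encrypted and the variable in Ansible Vault.
#  oidc_client_secret="{{ keycloak_clients['pki']['client_secret'] }}"
#
#  tune {
#    # Empty lists: all request/response keys on this mount are HMACed in the
#    # audit log (no plaintext claims or tokens in audit output).
#    audit_non_hmac_request_keys  = []
#    audit_non_hmac_response_keys = []
#    default_lease_ttl            = "1h"
#    # Makes the mount appear on the unauthenticated UI login page so users
#    # can pick the OIDC method; it grants no access by itself.
#    listing_visibility           = "unauth"
#    max_lease_ttl                = "1h"
#    passthrough_request_headers  = []
#    token_type                   = "default-service"
#  }
#}
#
#resource "vault_jwt_auth_backend_role" "pki" {
#  backend       = vault_jwt_auth_backend.keycloak.path
#  role_name     = "pki"
#  role_type     = "oidc"
#  # 1h, matching the mount's max_lease_ttl above; tokens cannot outlive it.
#  token_ttl     = 3600
#  token_max_ttl = 3600
#
#  # NOTE(review): the provider attribute is a list of audiences; a bare string
#  # here presumably only works if the variable renders as a list — confirm.
#  bound_audiences="{{ pki_domain }}"
#  user_claim    = "sub"
#  claim_mappings = {
#    preferred_username = "username"
#    email              = "email"
#  }
#
#  # Only these exact callback URLs may receive the authorization code; both
#  # are https, i.e. something in front of the loopback listener terminates TLS.
#  allowed_redirect_uris = [
#    "https://{{ pki_domain }}/oidc/oidc/callback",
#    "https://{{ pki_domain }}/ui/vault/auth/oidc/oidc/callback"
#  ]
#  # JSON-pointer path into the ID token: the client-scoped Keycloak roles,
#  # which are what the group alias below maps onto Vault groups.
#  groups_claim = format("/resource_access/%s/roles",
#                        keycloak_openid_client.openid_client.client_id)
#}
#
# NOTE(review): if "secret/" is mounted as KV v2, data lives under
# secret/data/* (and listing under secret/metadata/*); "secret/*" covers both
# versions but is broader than strictly needed.
#data "vault_policy_document" "reader_policy" {
#  rule {
#    path         = "/secret/*"
#    capabilities = ["list", "read"]
#  }
#}
#
# NOTE(review): reader_policy is defined but no identity group in this
# reference attaches it; it is unused as written.
#resource "vault_policy" "reader_policy" {
#  name   = "reader"
#  policy = data.vault_policy_document.reader_policy.hcl
#}
#
# NOTE(review): this policy grants write/delete but not read or list, so the
# management group below can overwrite secrets it cannot read back. If that is
# not intended, add "read" and "list" (or attach reader_policy as well).
#data "vault_policy_document" "manager_policy" {
#  rule {
#    path         = "/secret/*"
#    capabilities = ["create", "update", "delete"]
#  }
#}
#
#resource "vault_policy" "manager_policy" {
#  name   = "management"
#  policy = data.vault_policy_document.manager_policy.hcl
#}
#
#resource "vault_identity_oidc_role" "management_role" {
#  name = "management"
#  key  = vault_identity_oidc_key.keycloak_provider_key.name
#}
#
# External group: membership is not managed in Vault but derived from the
# groups_claim at login via the alias below.
#resource "vault_identity_group" "management_group" {
#  name     = vault_identity_oidc_role.management_role.name
#  type     = "external"
#  policies = [
#    vault_policy.manager_policy.name
#  ]
#}
#
# NOTE(review): the alias name is the Keycloak role that must appear in the
# groups_claim for a user to land in management_group; "pki" here must match
# the role name configured on the Keycloak client.
#resource "vault_identity_group_alias" "management_group_alias" {
#  name           = "pki"
#  mount_accessor = vault_jwt_auth_backend.keycloak.accessor
#  canonical_id   = vault_identity_group.management_group.id
#}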
|