@devops-adeel
Last active April 20, 2022 09:30
A starting-point Vault ACL policy, identity group and group/policy binding for a CI/CD admin role. Despite the "lean" intent, note that write access to `sys/policies/acl/*` and `sys/auth/*` is effectively cluster-admin; trim it before using this outside a bootstrap/lab setting.
# Identity entity IDs that become members of the cicd_admin group.
# Passed straight through from var.entity_ids; there is no validation here,
# so the caller is responsible for supplying valid entity IDs.
locals {
  member_entity_ids = var.entity_ids
}
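# ACL policy for the CI/CD admin group.
#
# Security note: several rules here are effectively cluster-admin. A token that
# can write sys/policies/acl/* can rewrite any policy, including the ones
# attached to itself, and sys/auth/* with sudo can enable or disable any auth
# method. The exact-path rules at the end restrict what this group may do to
# the two policies bound to it (cicd_admin and default); in Vault an exact
# path match is more specific than the glob and therefore takes precedence.
#
# Duplicate rules from the original (auth/token/* and sys/capabilities-self
# each appeared twice with identical capabilities) have been collapsed.
data "vault_policy_document" "default" {
  rule {
    path         = "sys/namespaces/"
    capabilities = ["list"]
    description  = "List namespaces in root (namespaces are a Vault Enterprise feature)"
  }

  rule {
    path         = "sys/namespaces/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "Create and manage namespaces (Vault Enterprise feature)"
  }

  rule {
    path         = "sys/capabilities-self"
    capabilities = ["read", "list"]
    description  = "Let the token inspect its own capabilities on a given path"
  }

  rule {
    path         = "sys/policies/acl/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Create and manage ACL policies (effectively admin; see exact-path rules below)"
  }

  rule {
    path         = "sys/auth"
    capabilities = ["read"]
    description  = "List auth methods"
  }

  rule {
    path         = "sys/auth/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "Enable, tune and disable auth methods across the namespace"
  }

  rule {
    path         = "auth/token/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "Create, look up and revoke child tokens (no sudo, so create-orphan stays blocked)"
  }

  rule {
    path         = "auth/oidc/*"
    capabilities = ["create", "read", "update", "delete", "list"]
    description  = "Configure the OIDC auth method"
  }

  # NOTE(review): "sudo" is only meaningful on root-protected sys/ endpoints;
  # on a KV mount it should have no effect. Kept for parity with the original.
  rule {
    path         = "secret/*"
    capabilities = ["create", "read", "update", "delete", "list", "sudo"]
    description  = "List, create, update, and delete key/value secrets"
  }

  # Guard rails: the group must not be able to modify the policies attached to
  # it, otherwise the glob above lets it grant itself anything. Read-only on
  # the exact path overrides the glob for these two names. The policy name
  # must match vault_policy.default.name ("cicd_admin").
  rule {
    path         = "sys/policies/acl/cicd_admin"
    capabilities = ["read"]
    description  = "Read-only on this group's own policy (prevents self-escalation)"
  }

  rule {
    path         = "sys/policies/acl/default"
    capabilities = ["read"]
    description  = "Read-only on the default policy, which is attached to every token"
  }
}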
# Uploads the rendered policy document to Vault under the name "cicd_admin".
# The HCL text comes from the vault_policy_document data source above.
resource "vault_policy" "default" {
  policy = data.vault_policy_document.default.hcl
  name   = "cicd_admin"
}
# Internal identity group whose membership is the entity IDs from the locals.
# external_policies = true hands policy assignment to the separate
# vault_identity_group_policies resource instead of managing it inline here.
resource "vault_identity_group" "default" {
  type              = "internal"
  name              = "cicd_admin"
  external_policies = true
  member_entity_ids = local.member_entity_ids
}
# Binds the "default" policy plus the cicd_admin policy to the group.
# NOTE(review): exclusive = false means policies attached to the group outside
# Terraform are left in place and not reported as drift; set it to true if the
# group's policy set should be fully Terraform-managed.
resource "vault_identity_group_policies" "default" {
  group_id  = vault_identity_group.default.id
  exclusive = false

  policies = [
    "default",
    vault_policy.default.name,
  ]
}