# Kubernetes provider for the admin cluster.
# Aliased so the admin resources below opt in with `provider = kubernetes.admin`;
# the kubeconfig at ~/.kube/admin must already exist on the machine running terraform.
provider "kubernetes" {
  alias       = "admin"
  config_path = "~/.kube/admin"
}
# Look up the existing Vault service principal in Azure AD by its display
# name; its tenant id and application id are consumed by the keyvault
# secret further down.
data "azuread_service_principal" "vault" {
  display_name = "bradfordwagner-vault"
}
## ADMIN resources

# One namespace per set entry, all created in the admin cluster.
# The secrets below target the "vault" namespace and declare depends_on
# against this resource so the namespace exists before they are applied.
resource "kubernetes_namespace" "admin" {
  provider = kubernetes.admin

  for_each = toset(["argocd", "argo-workflows", "vault"])

  metadata {
    # for a set, each.key and each.value are the same string
    name = each.key
  }
}
# Azure credentials and Key Vault coordinates for Vault, published in the
# vault namespace under the environment-variable names Vault's azurekeyvault
# seal reads (AZURE_* and VAULT_AZUREKEYVAULT_*).
resource "kubernetes_secret" "keyvault" {
  provider = kubernetes.admin

  metadata {
    namespace = "vault"
    name      = "keyvault"
  }

  # NOTE(review): every value here, including the client secret, is written
  # to Terraform state in plaintext; keep the state backend encrypted and
  # access-restricted. Assumes var.vault_sp_secret is declared with
  # sensitive = true in the variables file — confirm.
  data = {
    AZURE_TENANT_ID                = data.azuread_service_principal.vault.application_tenant_id
    AZURE_CLIENT_ID                = data.azuread_service_principal.vault.application_id
    AZURE_CLIENT_SECRET            = var.vault_sp_secret
    VAULT_AZUREKEYVAULT_VAULT_NAME = "bradfordwagner-vault"
    VAULT_AZUREKEYVAULT_KEY_NAME   = "generated-key"
  }

  depends_on = [kubernetes_namespace.admin]
}
# Cluster connection details plus AppRole credentials for the admin cluster,
# stored as k8s-auth-config in the vault namespace. Presumably the inputs for
# configuring Vault's kubernetes auth method — confirm against the consumer.
resource "kubernetes_secret" "admin_auth_config" {
  provider = kubernetes.admin

  metadata {
    namespace = "vault"
    name      = "k8s-auth-config"
  }

  # NOTE(review): role_id and secret_id are persisted in Terraform state;
  # treat the state file as a secret. The two file() reads are resolved at
  # plan time on the machine running terraform and fail if the files are absent.
  data = {
    cluster_name = "admin"
    ca           = file("~/.kube/kind/internal/admin_ca")
    server       = file("~/.kube/kind/internal/admin_server")
    role_id      = var.role_id
    secret_id    = var.secret_id
  }

  depends_on = [kubernetes_namespace.admin]
}
# Vault's storage stanza delivered as a file-shaped secret (config.hcl),
# following the pattern described at
# https://www.vaultproject.io/docs/platform/k8s/helm/run#protecting-sensitive-vault-configurations
resource "kubernetes_secret" "storage" {
  provider = kubernetes.admin

  metadata {
    namespace = "vault"
    name      = "storage"
  }

  # NOTE(review): the storage account key is interpolated into the rendered
  # config, so it lands in Terraform state as well as in the cluster secret;
  # assumes var.vault_storage_key is declared sensitive = true — confirm.
  # The indented heredoc strips the common leading whitespace, so the
  # rendered file starts at column 0.
  data = {
    "config.hcl" = <<-EOF
    storage "azure" {
    accountName = "bradfordwagnervault"
    accountKey = "${var.vault_storage_key}"
    container = "backend"
    environment = "AzurePublicCloud"
    }
    EOF
  }

  depends_on = [kubernetes_namespace.admin]
}
# TLS key pair for Vault, read from two dotfiles in the module directory
# and stored as the "tls" secret in the vault namespace.
resource "kubernetes_secret" "vault_tls" {
  provider = kubernetes.admin

  metadata {
    namespace = "vault"
    name      = "tls"
  }

  # NOTE(review): the private key is copied into Terraform state; keep
  # .private_key out of version control and the state backend locked down.
  data = {
    private_key = file(".private_key")
    certificate = file(".certificate")
  }

  depends_on = [kubernetes_namespace.admin]
}
## End ADMIN resources