feat(terraform): support declarative Vault policies

Signed-off-by: Raito Bezarius <masterancpp@gmail.com>
2024-12-31 18:30:12 +01:00 · 2024-12-31 18:30:12 +01:00 · efeeecb7e2
commit efeeecb7e2
parent ed64fb31ed
3 changed files with 83 additions and 0 deletions
--- a/terraform/vault/default.nix
+++ b/terraform/vault/default.nix
@ -6,6 +6,7 @@
  };

  imports = [
+    ./generic.nix
    ./pki.nix
  ];

@ -14,6 +15,10 @@
    address = "https://vault.forkos.org";
  };

+  infra.vault = {
+    provider = "vault.floral";
+  };
+
  infra.pki = {
    provider = "vault.floral";
    org = {
--- a/terraform/vault/generic.nix
+++ b/terraform/vault/generic.nix
@ -0,0 +1,16 @@
+{ lib, ... }:
+let
+  inherit (lib) mkOption types;
+in
+{
+  options.infra.vault = {
+    provider = mkOption {
+      type = types.str;
+      description = "Provider used for deploying those expressions";
+    };
+  };
+
+  imports = [
+    ./policy.nix
+  ];
+}
--- a/terraform/vault/policy.nix
+++ b/terraform/vault/policy.nix
@ -0,0 +1,62 @@
+{ config, lib, ... }:
+let
+  inherit (lib) types mkOption mapAttrs concatStringsSep mapAttrsToList filterAttrs;
+  policyOpts = { ... }: {
+    options = {
+      capabilities = mkOption {
+        type = types.enum [ "create" "read" "update" "patch" "delete" "list" "sudo" "deny" "subscribe" ];
+      };
+
+      min_wrapping_ttl = mkOption {
+        type = types.nullOr types.int;
+        default = null;
+      };
+
+      max_wrapping_ttl = mkOption {
+        type = types.nullOr types.int;
+        default = null;
+      };
+
+      required_parameters = mkOption {
+        type = types.nullOr (types.listOf types.str);
+        default = null;
+      };
+
+      allowed_parameters = mkOption {
+        type = types.nullOr (types.attrsOf (types.listOf types.str));
+        default = null;
+      };
+
+      denied_parameters = mkOption {
+        type = types.nullOr (types.attrsOf (types.listOf types.str));
+        default = null;
+      };
+    };
+  };
+  cfg = config.infra.vault;
+  serializeRuleBody = body:
+    concatStringsSep "\n" (mapAttrsToList (name: value:
+      "${name} = ${builtins.toJSON value}"
+    ) (filterAttrs (n: v: v != null) body));
+  mkRules = rules: concatStringsSep "\n" (mapAttrsToList (path: body:
+  ''
+    path "${path}" {
+      ${serializeRuleBody body}
+    }
+  '') rules);
+  mkPolicy = name: rules: {
+    policy = mkRules rules;
+    inherit name;
+    inherit (cfg) provider;
+  };
+in
+{
+  options.infra.vault.policies = mkOption {
+    type = types.attrsOf (types.attrsOf (types.submodule policyOpts));
+    description = "Vault policies, see https://developer.hashicorp.com/vault/docs/concepts/policies";
+  };
+
+  config = {
+    resource.vault_policy = mapAttrs mkPolicy cfg.policies;
+  };
+}