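terraform {
  # Terraform 0.14 is the first release that accepts `sensitive = true` on an
  # input variable (used by var.access_key in this file), so that is the real
  # floor for this configuration; stating it makes older binaries fail up front
  # instead of on the unknown argument.
  required_version = ">= 0.14"

  required_providers {
    akeyless = {
      source  = "akeyless-community/akeyless"
      version = ">= 1.0.0"
    }
  }

  # Remote state in a GCS bucket. The state may carry the values this
  # configuration passes into the producer module, so access to the bucket
  # should be limited to the people and automation that run Terraform, with
  # object versioning on for rollback — confirm against the bucket's IAM policy.
  backend "gcs" {
    bucket = "akeyless-cg-tf"
    prefix = "dba-example"
  }
}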
# Akeyless API access id consumed by the provider's api_key_login block.
# It identifies the caller; the secret half of the credential is var.access_key.
variable "access_id" {
  description = "value of the Akeyless API access id (This Access ID MUST be configured in the allowedAccessIDs of the Gateway or BE the adminAccessId for the Gateway)"
  type        = string
}
# Akeyless API access key paired with var.access_id.
# `sensitive = true` keeps the value out of plan/apply output; supply it from
# an environment variable (TF_VAR_access_key) or an uncommitted tfvars file,
# never as a default in this file.
variable "access_key" {
  description = "value of the Akeyless API access key"
  sensitive   = true
  type        = string
}
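# Base URL of the Akeyless Gateway API (port 8081). The provider sends
# var.access_key to this address, so anything other than a local port-forward
# should use https://.
variable "api_gateway_address" {
  type        = string
  description = <<-EOF
    value of the Akeyless Gateway 8081 port address
    Examples:
    - http://localhost:8081 if using port forwarding
    - http://your-gateway-ip-address:8081 if using a port
    - https://your-gateway-api-address.com that maps to the 8081 port
  EOF

  # Reject values without a URL scheme at plan time, rather than letting the
  # provider fail later with a less specific connection error.
  validation {
    condition     = can(regex("^https?://", var.api_gateway_address))
    error_message = "The api_gateway_address must start with http:// or https://."
  }
}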
# The provider authenticates with an API key (access id + access key) against
# the Gateway address above; no other login method is configured here.
provider "akeyless" {
  api_key_login {
    access_key = var.access_key
    access_id  = var.access_id
  }

  api_gateway_address = var.api_gateway_address
}
# Team1: dynamic MongoDB Atlas credentials for the sample_analytics database,
# plus an access role reachable from the team's k8s namespace and Okta group.
# Both producer modules carry the same wildcard rule on "/k8s/*"; in a real
# environment, narrowing it to the team's own subtree would keep each team
# from reading the other's items — confirm the intended scope.
module "mongodb_atlas_producer" {
  source = "./producer"

  dyn_secret_config = {
    # Dynamic secret and the target it produces credentials for
    resourceName = "/Azure MongoDB Atlas - Sample Analytics"
    targetName   = "/Azure Atlas"

    # Lifetime of each set of temporary credentials; a shorter value bounds
    # the window in which a leaked credential is usable
    user_ttl = "8h"

    # MongoDB roles granted to the temporary user
    mongodb_roles = [
      {
        databaseName = "sample_analytics"
        roleName     = "readWrite"
      }
    ]

    # Akeyless role that grants the team access to the items listed in ruleList
    roleName = "/terraform-db/Team1"

    # Auth methods (keyed by full path) bound to the role, each narrowed by sub-claims
    auth_methods = {
      # Okta SAML: members of the Team1 group
      "/OktaSAML" = {
        subClaims = {
          groups = "Team1"
        }
      }
      # Kubernetes auth method: workloads in the team1 namespace
      "/my-k8s-auth-method" = {
        subClaims = {
          namespace = "team1"
        }
      }
    }

    # Rules (keyed by item path) attached to the role
    ruleList = {
      # The team's own dynamic secret
      "/Azure MongoDB Atlas - Sample Analytics" = {
        ruleType            = "item-rule"
        allowedCapabilities = ["read", "list"]
      }
      # Every item under /k8s/ (wildcard)
      "/k8s/*" = {
        ruleType            = "item-rule"
        allowedCapabilities = ["read", "list"]
      }
    }
  }
}
# Team2: dynamic MongoDB Atlas credentials for the sample_restaurants database,
# plus an access role reachable from the team's k8s namespace and Okta group.
# The "/k8s/*" wildcard rule is shared with Team1's module; scope it per team
# if these items are not meant to be visible to both.
module "mongodb_atlas_producer2" {
  source = "./producer"

  dyn_secret_config = {
    # Dynamic secret and the target it produces credentials for
    resourceName = "/Azure MongoDB Atlas - Sample Restaurants"
    targetName   = "/Azure Atlas"

    # Lifetime of each set of temporary credentials; a shorter value bounds
    # the window in which a leaked credential is usable
    user_ttl = "8h"

    # MongoDB roles granted to the temporary user
    mongodb_roles = [
      {
        databaseName = "sample_restaurants"
        roleName     = "readWrite"
      }
    ]

    # Akeyless role that grants the team access to the items listed in ruleList
    roleName = "/terraform-db/Team2"

    # Auth methods (keyed by full path) bound to the role, each narrowed by sub-claims
    auth_methods = {
      # Okta SAML: members of the Team2 group
      "/OktaSAML" = {
        subClaims = {
          groups = "Team2"
        }
      }
      # Kubernetes auth method: workloads in the team2 namespace
      "/my-k8s-auth-method" = {
        subClaims = {
          namespace = "team2"
        }
      }
    }

    # Rules (keyed by item path) attached to the role
    ruleList = {
      # The team's own dynamic secret
      "/Azure MongoDB Atlas - Sample Restaurants" = {
        ruleType            = "item-rule"
        allowedCapabilities = ["read", "list"]
      }
      # Every item under /k8s/ (wildcard)
      "/k8s/*" = {
        ruleType            = "item-rule"
        allowedCapabilities = ["read", "list"]
      }
    }
  }
}