From 7619f4ed910a78006c067ebc3d3219acd80c054a Mon Sep 17 00:00:00 2001
From: Nick Philbrook <42616679+nphilbrook@users.noreply.github.com>
Date: Fri, 23 May 2025 13:40:56 -0400
Subject: [PATCH 1/5] Created branch nphilbrook_vault_backed_aws_improvement from main

From f857642679d8119afdbd4831ef496a7de985646d Mon Sep 17 00:00:00 2001
From: Nick Philbrook <42616679+nphilbrook@users.noreply.github.com>
Date: Fri, 23 May 2025 15:26:13 -0400
Subject: [PATCH 2/5] Add policy for self-rotation, other small fixes

---
 vault-backed/aws/aws.tf | 15 +++++++++++----
 vault-backed/aws/vars.tf | 4 ++--
 vault-backed/aws/vault.tf | 9 ++++++---
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/vault-backed/aws/aws.tf b/vault-backed/aws/aws.tf
index 99f41a1..f2f091a 100644
--- a/vault-backed/aws/aws.tf
+++ b/vault-backed/aws/aws.tf
@@ -80,7 +80,11 @@ resource "aws_iam_access_key" "secrets_engine_credentials" {
 }
-# Provides an IAM policy attached to a user. In this case, allowing the secrets_engine user to assume other roles via STS
+# Provides an IAM policy attached to a user. In this case, allowing the secrets_engine user rotate its own access key
+#
+# https://developer.hashicorp.com/vault/api-docs/secret/aws#rotate-root-iam-credentials
+#
+# Note that if the credentials are rotated, there will be drift in this Terraform configuration
 #
 # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_policy
 resource "aws_iam_user_policy" "vault_secrets_engine_generate_credentials" {
@@ -92,11 +96,14 @@ resource "aws_iam_user_policy" "vault_secrets_engine_generate_credentials" {
 Statement = [
 {
 Action = [
- "sts:AssumeRole",
+ "iam:GetUser",
+ "iam:CreateAccessKey",
+ "iam:DeleteAccessKey",
+ "iam:ListAccessKeys"
 ]
 Effect = "Allow"
- Resource = "${aws_iam_role.tfc_role.arn}"
+ Resource = aws_iam_user.secrets_engine.arn
 },
 ]
 })
-}
\ No newline at end of file
+}
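Review bot: The drift note on the new `+# Note that if the credentials are rotated, there will be drift in this Terraform configuration` line should say what actually drifts: Vault's rotate-root deletes the current key on the AWS side, so `aws_iam_access_key.secrets_engine_credentials` (the resource whose closing brace opens this hunk) no longer exists in AWS and the next plan will recreate it. If that resource's secret is what seeds the Vault AWS backend elsewhere in this configuration, an apply after rotation would push a Terraform-known key back over the rotated one, undoing the rotation and keeping the secret in state, so I would spell that out, e.g. `# After rotate-root the key below is gone from AWS; a later apply recreates it and re-seeds Vault with a key held in Terraform state`, or give that resource an `ignore_changes` lifecycle. The new first comment line also reads `user rotate its own access key`; it should be `user to rotate its own access key`.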
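Review bot: The commit message says the self-rotation policy is added, but the hunk replaces the only statement, so `sts:AssumeRole` on `aws_iam_role.tfc_role.arn` is dropped entirely. If the Vault AWS secret backend role still issues `assumed_role` credentials against `aws_iam_role.tfc_role` (that part of vault.tf is not in this series), credential generation will start failing with AccessDenied while rotate-root works, which is easy to miss until the next dynamic-credential request. Scoping the new statement to `aws_iam_user.secrets_engine.arn` is the right narrowing; if STS is still needed, keep it as a second, separately scoped statement rather than widening the first. The resource is also still named `vault_secrets_engine_generate_credentials` although the policy now only covers self-rotation; a rename would force a replace, so a comment on the resource noting the name is historical is the cheaper fix.
```hcl
    Statement = [
      # … unchanged: self-rotation statement on aws_iam_user.secrets_engine.arn …
      # Only needed while the Vault backend role uses credential_type = "assumed_role"
      {
        Action   = ["sts:AssumeRole"]
        Effect   = "Allow"
        Resource = aws_iam_role.tfc_role.arn
      },
    ]
```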
diff --git a/vault-backed/aws/vars.tf b/vault-backed/aws/vars.tf
index c7c204b..4dad050 100644
--- a/vault-backed/aws/vars.tf
+++ b/vault-backed/aws/vars.tf
@@ -37,7 +37,7 @@ variable "tfc_workspace_name" {
 variable "vault_url" {
 type = string
- description = "The URL of the Vault instance you'd like to use with Terraform Cloud"
+ description = "The URL of the Vault instance you'd like to use with Terraform Cloud. Can also be set via VAULT_ADDR environment variable."
 }
 variable "jwt_backend_path" {
@@ -56,4 +56,4 @@ variable "tfc_vault_audience" {
 type = string
 default = "vault.workload.identity"
 description = "The audience value to use in run identity tokens"
-}
\ No newline at end of file
+}
diff --git a/vault-backed/aws/vault.tf b/vault-backed/aws/vault.tf
index 762f419..784e9ac 100644
--- a/vault-backed/aws/vault.tf
+++ b/vault-backed/aws/vault.tf
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MPL-2.0
 provider "vault" {
- address = var.vault_url
+ # address = var.vault_url
 }
 # Enables the jwt auth backend in Vault at the given path,
@@ -10,6 +10,7 @@ provider "vault" {
 #
 # https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/jwt_auth_backend
 resource "vault_jwt_auth_backend" "tfc_jwt" {
+ namespace = var.vault_namespace
 path = var.jwt_backend_path
 type = "jwt"
 oidc_discovery_url = "https://${var.tfc_hostname}"
@@ -43,7 +44,8 @@ resource "vault_jwt_auth_backend_role" "tfc_role" {
 #
 # https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy
 resource "vault_policy" "tfc_policy" {
- name = "tfc-policy"
+ namespace = var.vault_namespace
+ name = "tfc-policy"
 policy = < Date: Fri, 23 May 2025 15:27:52 -0400
Subject: [PATCH 3/5] Revert this which is inaccurate
---
 vault-backed/aws/vars.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault-backed/aws/vars.tf b/vault-backed/aws/vars.tf
index 4dad050..a7daa25 100644
--- a/vault-backed/aws/vars.tf
+++ b/vault-backed/aws/vars.tf
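Review bot: The new `+ namespace = var.vault_namespace` line in `vault_jwt_auth_backend.tfc_jwt` references a variable that none of the vars.tf hunks in this series declare; unless `vault_namespace` already exists in vars.tf, `terraform validate` fails on an undeclared input variable. The attribute is also added to `vault_policy.tfc_policy` in the following hunk but not, as far as this series shows, to `vault_jwt_auth_backend_role.tfc_role` (named in that hunk's header) or to the AWS secret backend resources, so if those stay unset they are created in the root namespace while the auth backend and policy land in `var.vault_namespace`, and the role's policy and mount references will not resolve. Either set `namespace` once on the `provider "vault"` block, or add it to every Vault resource in the file and declare the variable with `default = null` so the existing root-namespace deployment keeps working.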
@@ -37,7 +37,7 @@ variable "tfc_workspace_name" {
 variable "vault_url" {
 type = string
- description = "The URL of the Vault instance you'd like to use with Terraform Cloud. Can also be set via VAULT_ADDR environment variable."
+ description = "The URL of the Vault instance you'd like to use with Terraform Cloud."
 }
 variable "jwt_backend_path" {
From a1a661bc81777e3bc7c62ab5716b634186e7eed6 Mon Sep 17 00:00:00 2001
From: Nick Philbrook <42616679+nphilbrook@users.noreply.github.com>
Date: Fri, 23 May 2025 15:28:26 -0400
Subject: [PATCH 4/5] Revert this comment commit
---
 vault-backed/aws/vault.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault-backed/aws/vault.tf b/vault-backed/aws/vault.tf
index 784e9ac..4e5e338 100644
--- a/vault-backed/aws/vault.tf
+++ b/vault-backed/aws/vault.tf
@@ -2,7 +2,7 @@
 # SPDX-License-Identifier: MPL-2.0
 provider "vault" {
- # address = var.vault_url
+ address = var.vault_url
 }
 # Enables the jwt auth backend in Vault at the given path,
From 73031c93643841c93bf6179c50960933a26dbc3d Mon Sep 17 00:00:00 2001
From: Nick Philbrook <42616679+nphilbrook@users.noreply.github.com>
Date: Wed, 28 May 2025 15:35:56 -0400
Subject: [PATCH 5/5] Remove extraneous period.
---
 vault-backed/aws/vars.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vault-backed/aws/vars.tf b/vault-backed/aws/vars.tf
index a7daa25..9e09bf4 100644
--- a/vault-backed/aws/vars.tf
+++ b/vault-backed/aws/vars.tf
@@ -37,7 +37,7 @@ variable "tfc_workspace_name" {
 variable "vault_url" {
 type = string
- description = "The URL of the Vault instance you'd like to use with Terraform Cloud."
+ description = "The URL of the Vault instance you'd like to use with Terraform Cloud"
 }
 variable "jwt_backend_path" {