# Installs the Vault Helm chart. The chart is pinned to var.chart_version and
# the node pool, GCS bucket and raft PVC must exist before the release goes in;
# those dependencies are declared with depends_on because the chart values do
# not reference them directly.
resource "helm_release" "vault" {
  # Chart identity: release name, chart, source repository and pinned version.
  name       = var.release_name
  repository = var.chart_repository
  chart      = var.chart_name
  version    = var.chart_version

  # Placement and rollout behaviour.
  namespace   = var.kubernetes_namespace
  timeout     = var.timeout
  max_history = var.max_history

  # Rendered values come from the module's own template so that every chart
  # input flows through local.chart_values.
  values = [templatefile("${path.module}/templates/values.yaml", local.chart_values)]

  depends_on = [
    google_container_node_pool.vault,
    google_storage_bucket.vault,
    kubernetes_persistent_volume_claim.raft,
  ]
}
# To allow for easier viewing of diff for Vault Chart values.
# The resource manages nothing; its triggers mirror local.chart_values so a
# `terraform plan` shows each changed chart input key by key instead of a
# single opaque blob of rendered YAML on helm_release.vault.
resource "null_resource" "vault_values" {
  triggers = local.chart_values
}
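locals {
  # Raft is wired in only when it is both provisioned and selected as the
  # active backend. This single flag drives data storage, the storage class
  # and the "storage" stanza in server_configuration so they cannot drift apart.
  raft_in_use = var.raft_storage_enable && var.raft_storage_use

  # Inputs rendered into templates/values.yaml for the Vault Helm chart.
  # Maps and lists are jsonencode'd so the template can splice them in as
  # YAML-compatible JSON; the literal string "null" stands for an unset key.
  chart_values = {
    global_enabled  = var.global_enabled
    psp_enabled     = var.psp_enabled
    psp_annotations = jsonencode(var.psp_annotations)

    ####################################
    # Injector
    ####################################
    injector_enabled                = var.injector_enabled
    external_vault_addr             = var.external_vault_addr
    injector_image_repository       = var.injector_image_repository
    injector_image_tag              = var.injector_image_tag
    injector_log_level              = var.injector_log_level
    injector_log_format             = var.injector_log_format
    injector_resources              = jsonencode(var.injector_resources)
    injector_env                    = jsonencode(var.injector_env)
    injector_affinity               = jsonencode(var.injector_affinity)
    injector_tolerations            = jsonencode(var.injector_tolerations)
    injector_priority_class_name    = var.injector_priority_class_name
    injector_replicas               = var.injector_replicas
    injector_leader_elector_enabled = var.injector_leader_elector_enabled
    agent_image_repository          = var.agent_image_repository
    agent_image_tag                 = var.agent_image_tag
    agent_default_cpu_request       = var.agent_default_cpu_request
    agent_default_cpu_limit         = var.agent_default_cpu_limit
    agent_default_memory_request    = var.agent_default_memory_request
    agent_default_memory_limit      = var.agent_default_memory_limit
    agent_default_template_type     = var.agent_default_template_type
    auth_path                       = var.auth_path
    revoke_on_shutdown              = var.revoke_on_shutdown
    exit_on_retry_failure           = var.exit_on_retry_failure
    static_secret_render_interval   = var.static_secret_render_interval
    namespace_selector              = jsonencode(var.namespace_selector)
    object_selector                 = jsonencode(var.object_selector)
    injector_metrics_enabled        = var.injector_metrics_enabled
    # Webhook failure policy: a null input is passed through as the string
    # "null" so the chart falls back to its own default.
    injector_failure_policy = var.injector_failure_policy != null ? var.injector_failure_policy : "null"

    ####################################
    # Server
    ####################################
    server_enabled          = var.server_enabled
    server_image_repository = var.server_image_repository
    server_image_tag        = var.server_image_tag
    server_update_strategy  = var.server_update_strategy
    server_labels           = jsonencode(var.server_labels)
    server_annotations      = jsonencode(var.server_annotations)
    server_resources        = jsonencode(var.server_resources)
    server_extra_containers = jsonencode(var.server_extra_containers)
    server_share_pid        = var.server_share_pid
    server_extra_args       = var.server_extra_args
    server_env              = jsonencode(var.server_env)
    server_secret_env       = jsonencode(var.server_secret_env)
    server_affinity         = jsonencode(var.server_affinity)
    server_tolerations      = jsonencode(var.server_tolerations)
    # The TLS secret volume is always mounted first; user volumes follow it.
    server_volumes       = jsonencode(concat([local.tls_volume], var.server_volumes))
    server_volume_mounts = jsonencode(concat([local.tls_volume_mount], var.server_volume_mounts))

    server_priority_class_name    = var.server_priority_class_name
    server_readiness_probe_enable = var.server_readiness_probe_enable
    server_readiness_probe_path   = var.server_readiness_probe_path != "" ? var.server_readiness_probe_path : "null"
    server_liveness_probe_enable  = var.server_liveness_probe_enable
    server_liveness_probe_path    = var.server_liveness_probe_path

    service_type            = var.service_type
    service_annotations     = jsonencode(var.service_annotations)
    node_port               = var.node_port
    external_traffic_policy = var.external_traffic_policy

    ui_service_enable          = var.ui_service_enable
    ui_publish_unready         = var.ui_publish_unready
    ui_active_vault_pod_only   = var.ui_active_vault_pod_only
    ui_service_type            = var.ui_service_type
    ui_service_node_port       = var.ui_service_node_port != "" ? var.ui_service_node_port : "null"
    ui_service_port            = var.ui_service_port
    ui_external_traffic_policy = var.ui_external_traffic_policy
    # Comparing a list against the literal `[]` is a Terraform pitfall: when
    # the variable is declared as list(string) it never equals the empty
    # tuple, so the "null" branch could not be reached. Testing the length
    # gives the intended result for either declaration. Note that an empty
    # source-range list means the UI load balancer is not restricted by IP.
    ui_load_balancer_source_ranges = length(var.ui_load_balancer_source_ranges) > 0 ? jsonencode(var.ui_load_balancer_source_ranges) : "null"
    ui_load_balancer_ip            = var.ui_load_balancer_ip
    ui_annotations                 = jsonencode(var.ui_annotations)

    ingress_enabled     = var.ingress_enabled
    ingress_class_name  = var.ingress_class_name
    ingress_labels      = jsonencode(var.ingress_labels)
    ingress_annotations = jsonencode(var.ingress_annotations)
    ingress_hosts       = jsonencode(var.ingress_hosts)
    ingress_tls         = jsonencode(var.ingress_tls)

    enable_auth_delegator  = var.enable_auth_delegator
    service_account_create = var.service_account_create
    service_account_name   = jsonencode(var.service_account_name)
    # The Workload Identity annotation is merged under the user's annotations,
    # so a user-supplied key of the same name wins. The local's spelling
    # ("worload") matches its definition elsewhere in this module.
    service_account_annotations = jsonencode(merge(var.workload_identity_enable ? local.worload_identity_sa_annotation : {}, var.service_account_annotations))
    sts_annotations             = jsonencode(var.sts_annotations)

    ####################################
    # Storage
    ####################################
    data_storage_enable = local.raft_in_use
    data_storage_size   = "${var.raft_disk_size}G"
    storage_class       = local.raft_in_use ? kubernetes_storage_class.raft[0].metadata[0].name : ""

    ####################################
    # Configuration
    ####################################
    replicas         = var.server_replicas
    raft_enable      = local.raft_in_use
    raft_set_node_id = var.raft_set_node_id
    api_addr         = var.api_addr != null ? jsonencode(var.api_addr) : "null"

    server_configuration = local.server_configuration
    server_log_level     = var.server_log_level
    server_log_format    = var.server_log_format
  }

  # Vault server configuration (Vault HCL) handed to the chart as a string.
  # - The listener serves the cert/key mounted from kubernetes_secret.tls_cert.
  # - The listener key is `tls_cipher_suites`; it was previously misspelled
  #   `tls_ciper_suites`, which is not a listener option Vault recognises, so
  #   the configured suites would not have taken effect.
  # - `unauthenticated_metrics_access` = true lets /v1/sys/metrics be read
  #   without a token; keep it false unless the scraper cannot present one.
  # - The gcpckms seal delegates unseal to the Cloud KMS key referenced below.
  # - raft_extra_parameters, gcs_extra_parameters and server_config are
  #   spliced in unparsed, so whatever they contain becomes live config.
  server_configuration = <<-EOF
    ui = true
    listener "tcp" {
      address = "[::]:8200"
      cluster_address = "[::]:8201"
      tls_cert_file = "${local.tls_secret_path}/${local.tls_secret_cert_key}"
      tls_key_file = "${local.tls_secret_path}/${local.tls_secret_key_key}"
      tls_cipher_suites = "${var.tls_cipher_suites}"
      telemetry {
        unauthenticated_metrics_access = ${var.unauthenticated_metrics_access}
      }
    }
    seal "gcpckms" {
      project = "${google_kms_key_ring.vault.project}"
      region = "${google_kms_key_ring.vault.location}"
      key_ring = "${google_kms_key_ring.vault.name}"
      crypto_key = "${google_kms_crypto_key.unseal.name}"
    }
    service_registration "kubernetes" {}
    %{if local.raft_in_use}
    storage "raft" {
      path = "/vault/data"
      %{for i in range(var.server_replicas)}
      retry_join {
        leader_api_addr = "https://vault-${i}.${local.fullname}-internal.${var.kubernetes_namespace}.svc:8200"
        leader_ca_cert = ${jsonencode(var.tls_cert_ca)}
      }
      %{endfor}
      ${var.raft_extra_parameters}
    }
    %{endif}
    %{if var.gcs_storage_enable && var.gcs_storage_use}
    storage "gcs" {
      bucket = "${var.gcs_storage_enable ? google_storage_bucket.vault[0].name : ""}"
      ha_enabled = ${tostring(var.storage_ha_enabled)}
      ${var.gcs_extra_parameters}
    }
    %{endif}
    %{if var.server_config != "" && var.server_config != null}
    ${var.server_config}
    %{endif}
  EOF

  # Names shared by the TLS Secret, the volume that mounts it and the listener
  # paths above; keep them in one place so the three cannot disagree.
  tls_secret_name     = "${var.release_name}-tls"
  tls_secret_path     = "/vault/tls"
  tls_secret_cert_key = "cert"
  tls_secret_key_key  = "key"
  tls_secret_ca_key   = "ca"

  # Pod volume backed by the TLS Secret, and its mount under tls_secret_path.
  tls_volume = {
    name = "tls"
    secret = {
      secretName = kubernetes_secret.tls_cert.metadata[0].name
    }
  }
  tls_volume_mount = {
    name      = "tls"
    mountPath = local.tls_secret_path
  }
}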
# Opaque Secret carrying the server certificate, private key and CA bundle
# that the Vault listener serves (mounted via local.tls_volume). The keys are
# the same locals the listener paths are built from. Like any kubernetes_secret
# data, the PEM material is also recorded in Terraform state, so the state
# backend needs the same protection as the key itself.
resource "kubernetes_secret" "tls_cert" {
  metadata {
    name        = local.tls_secret_name
    namespace   = var.kubernetes_namespace
    labels      = var.kubernetes_labels
    annotations = var.kubernetes_annotations
  }

  data = {
    (local.tls_secret_cert_key) = var.tls_cert_pem
    (local.tls_secret_key_key)  = var.tls_cert_key
    (local.tls_secret_ca_key)   = var.tls_cert_ca
  }

  type = "Opaque"
}
# Optional on-disk copy of the rendered chart values, created only when a path
# is given in var.values_file. It renders the same template and inputs as
# helm_release.vault, so it is a faithful view of what the release received;
# the rendered content is also held in Terraform state.
resource "local_file" "values" {
  count = var.values_file != "" ? 1 : 0

  filename = var.values_file
  content  = templatefile("${path.module}/templates/values.yaml", local.chart_values)
}