feat(vault-group): aws secret engine support

boldare · Jul 7, 2020 · dacc140 · dacc140
1 parent 8b465b3
commit dacc140
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 0 deletions.
diff --git a/modules/vault-group/main.tf b/modules/vault-group/main.tf
@@ -49,6 +49,7 @@
  * * Key-Value Version 2 (name: `kv2`)
  * * Database (name: `db`)
  * * RabbitMQ (name: `rabbitmq`)
+ * * AWS (name: `aws`)
  *
  */
 

diff --git a/modules/vault-group/policy-templates/aws-read.hcl b/modules/vault-group/policy-templates/aws-read.hcl
@@ -0,0 +1,21 @@
+# AWS Secret Engine Policy
+# Allows Read Access
+
+# List roles
+path "${engine_path}/roles" {
+  capabilities = ["list"]
+}
+
+# Read roles
+path "${engine_path}/roles/${group_name}${separator}${environment}${separator}+" {
+  capabilities = ["read"]
+}
+
+# Generate credentials
+path "${engine_path}/creds/${group_name}${separator}${environment}${separator}+" {
+  capabilities = ["read"]
+}
+
+path "${engine_path}/sts/${group_name}${separator}${environment}${separator}+" {
+  capabilities = ["read"]
+}
diff --git a/modules/vault-group/policy-templates/aws-write.hcl b/modules/vault-group/policy-templates/aws-write.hcl
@@ -0,0 +1,6 @@
+# Database Secret Engine Policy
+# Allows Write Access
+
+path "${engine_path}/roles/${group_name}${separator}${environment}${separator}+" {
+  capabilities = ["create", "delete"]
+}