A collection of Terraform (HCL) configurations that together would form part of a platform-foundations build: Boundary, GitHub organization, GCP resource hierarchy, New Relic, Terraform Cloud/Enterprise, Vault on AWS (KMS auto-unseal, raft snapshots), Azure AD app registration for Vault OIDC, and Vault server configuration. Several values are placeholders; review each provider block before applying.
# Organization-level scope under the global scope.
# auto_create_admin_role / auto_create_default_role let the provider create
# the admin and default roles for this scope; the default role grants baseline
# (list/read style) capabilities to users of the scope, so confirm that is
# intended before enabling it on a production org.
resource "boundary_scope" "default" {
  scope_id    = "global"
  name        = "organization_one"
  description = "My first scope!"

  auto_create_admin_role   = true
  auto_create_default_role = true
}
# OIDC auth method scoped to the organization above.
# NOTE(review): only scope_id is set. The Boundary provider also expects the
# OIDC issuer, client_id, client_secret and api_url_prefix for this resource,
# so this block is a stub and will not apply as-is — confirm against the
# provider docs and supply those from a secret store (not literals in HCL).
resource "boundary_auth_method_oidc" "default" {
  scope_id = boundary_scope.default.id
}
# Look up the enterprise by slug; the slug is derived from the domain by
# replacing dots with dashes (e.g. "example.com" -> "example-com").
data "github_enterprise" "default" {
  slug = replace(var.domain, ".", "-")
}
# Tokens pulled from Vault for the org-level Actions and Dependabot secrets.
# NOTE(review): vault_generic_secret data is written to Terraform state in
# plaintext, so the state backend must be encrypted and access-controlled.
data "vault_generic_secret" "github_org_secret" {
  path = "secret/github_org_secret"
}

data "vault_generic_secret" "github_dependabot" {
  path = "secret/github_dependabot"
}
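# Org-wide template for the `sub` claim in GitHub Actions OIDC tokens.
# "repo" is included so that cloud-side trust policies that match on `sub`
# can still be pinned to a single repository; without it the subject only
# carries actor/context/owner and any repository in the org could satisfy an
# owner-level condition. "context" carries the environment or ref.
resource "github_actions_organization_oidc_subject_claim_customization_template" "default" {
  include_claim_keys = ["repo", "context", "actor", "repository_owner"]
}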
# Org-level Actions secret, visible to private repositories only.
# The value comes from Vault; it still lands in Terraform state.
resource "github_actions_organization_secret" "default" {
  secret_name     = var.org_secret
  plaintext_value = data.vault_generic_secret.github_org_secret.data["token"]
  visibility      = "private"
}
# Org-level Actions variable (non-secret). Name and value are placeholders.
resource "github_actions_organization_variable" "default" {
  visibility    = "private"
  variable_name = "example_variable_name"
  value         = "example_variable_value"
}
# Dependabot org secret. It reuses var.org_secret as its name; Actions and
# Dependabot secrets are separate namespaces, so the two do not collide, but
# the two tokens come from different Vault paths.
resource "github_dependabot_organization_secret" "default" {
  secret_name     = var.org_secret
  plaintext_value = data.vault_generic_secret.github_dependabot.data["token"]
  visibility      = "private"
}
# Create the organization inside the enterprise.
# NOTE(review): admin_logins is a hard-coded placeholder login; the org owner
# list should be driven by a variable so that it is reviewable and not tied
# to one individual.
resource "github_enterprise_organization" "default" {
  enterprise_id = data.github_enterprise.default.id
  name          = var.org
  billing_email = var.org_admin
  admin_logins  = ["jon-snow"]
}
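# Organization-wide defaults. company/location/name are placeholders.
#
# Hardening relative to a permissive baseline:
#  - members may not create public repositories (accidental source exposure)
#  - members may not fork private repositories (data leaves the org boundary)
#  - dependency graph, Dependabot alerts and security updates are on for new
#    repositories (free for all plans; alerts and updates need the graph)
# Secret scanning / push protection and Advanced Security are left off here
# because on private repositories they require a GitHub Advanced Security
# license — enable them if the enterprise has GHAS.
resource "github_organization_settings" "default" {
  billing_email = var.org_admin
  company       = "Test Company"
  email         = var.org_admin
  location      = "Test Location"
  name          = "Test Name"

  has_organization_projects = true
  has_repository_projects   = true

  default_repository_permission = "read"

  members_can_create_repositories          = true
  members_can_create_public_repositories   = false
  members_can_create_private_repositories  = true
  members_can_create_internal_repositories = true
  members_can_create_pages                 = true
  members_can_create_public_pages          = true
  members_can_create_private_pages         = true
  members_can_fork_private_repositories    = false

  web_commit_signoff_required = true

  dependency_graph_enabled_for_new_repositories            = true
  dependabot_alerts_enabled_for_new_repositories           = true
  dependabot_security_updates_enabled_for_new_repositories = true

  advanced_security_enabled_for_new_repositories               = false
  secret_scanning_enabled_for_new_repositories                 = false
  secret_scanning_push_protection_enabled_for_new_repositories = false
}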
# Org webhook; inactive and pointing at a placeholder URL.
# NOTE(review): no `secret` is configured, so the receiver cannot verify the
# X-Hub-Signature-256 header and must treat deliveries as unauthenticated.
# Set a secret (sourced from Vault) before activating this hook.
resource "github_organization_webhook" "default" {
  name   = "web"
  events = ["issues"]
  active = false

  configuration {
    url          = "https://google.de/"
    content_type = "form"
    insecure_ssl = false
  }
}
# Billing account and organization lookups used by the folder hierarchy below.
data "google_billing_account" "default" {
  open         = true
  display_name = "My Billing Account"
}

data "google_organization" "default" {
  domain = var.domain
}
# Environment folders directly under the organization.
resource "google_folder" "prod" {
  parent       = data.google_organization.default.name
  display_name = "prod"
}

resource "google_folder" "uat" {
  parent       = data.google_organization.default.name
  display_name = "uat"
}

resource "google_folder" "dev" {
  parent       = data.google_organization.default.name
  display_name = "dev"
}
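# Org policy: disable serial-port console access on all Compute instances.
# org_id must be the numeric organization ID; the data source's `org_id`
# attribute is that number, whereas `id`/`name` are the "organizations/NNN"
# resource name, which the policy resource prefixes again.
resource "google_organization_policy" "default" {
  org_id     = data.google_organization.default.org_id
  constraint = "compute.disableSerialPortAccess"

  boolean_policy {
    enforced = true
  }
}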
# New Relic account named after the organisation, in the default region.
resource "newrelic_account_management" "default" {
  region = var.default_region
  name   = var.organisation
}
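# APM ingest (license) key for CI/CD. The account ID is taken from the same
# variable the GCP link below uses, instead of a hard-coded placeholder.
# NOTE(review): the generated key is stored in Terraform state; treat state
# as sensitive and rotate the key if state is ever exposed.
resource "newrelic_api_access_key" "default" {
  account_id  = var.new_relic_account_id
  key_type    = "INGEST"
  ingest_type = "LICENSE"
  name        = "APM Ingest License Key"
  notes       = "CICD Integration"
}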
# Link the GCP project to the New Relic account.
# google_project.default is defined outside this listing.
resource "newrelic_cloud_gcp_link_account" "default" {
  name       = data.google_billing_account.default.name
  account_id = var.new_relic_account_id
  project_id = google_project.default.id
}
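# JSON payload written to Vault with the TFE organization token.
# Terraform's function is `jsonencode` (no underscore); `json_encode` is not
# a Terraform function and fails at plan time.
locals {
  data_json = jsonencode({
    org_token = tfe_organization_token.default.token
  })
}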
# Published TFC/TFE egress IP ranges (for allow-listing); unused below.
data "tfe_ip_ranges" "default" {}

# Existing GitHub App installation, looked up by name (placeholder).
data "tfe_github_app_installation" "default" {
  name = "installation_name"
}
# The TFE/TFC organization.
resource "tfe_organization" "default" {
  email = var.org_admin
  name  = var.org
}
# Organization API token. It is org-wide and highly privileged; it is stored
# in Terraform state as well as in Vault (see vault_generic_secret.default).
resource "tfe_organization_token" "default" {
  organization = tfe_organization.default.name
}
# Persist the org token to Vault for consumers.
resource "vault_generic_secret" "default" {
  data_json = local.data_json
  path      = "secret/tfe_org_token"
}
# Site-admin settings for the org (requires the admin-scoped provider alias).
resource "tfe_admin_organization_settings" "default" {
  provider     = tfe.admin
  organization = tfe_organization.default.name

  workspace_limit    = 15
  access_beta_tools  = false

  global_module_sharing                = false
  module_sharing_consumer_organizations = [tfe_organization.default.name]
}
# Agent pool for self-hosted TFC agents (placeholder name).
resource "tfe_agent_pool" "default" {
  name         = "my-agent-pool-name"
  organization = tfe_organization.default.name
}
# GitHub OAuth token for the VCS connection, read from Vault (ends up in state).
data "vault_generic_secret" "oauth_token" {
  path = "secret/github_oauth_token"
}
# VCS (GitHub.com) OAuth client for the organization.
resource "tfe_oauth_client" "default" {
  organization     = tfe_organization.default.name
  name             = "my-github-oauth-client"
  service_provider = "github"
  api_url          = "https://api.github.com"
  http_url         = "https://github.com"
  oauth_token      = data.vault_generic_secret.oauth_token.data["token"]
}
# Org-level run task calling an external service (placeholder URL).
# NOTE(review): no `hmac_key` is set, so the external service cannot verify
# that callbacks originate from TFC; configure one before relying on this.
resource "tfe_organization_run_task" "default" {
  organization = tfe_organization.default.name
  name         = "task-name"
  url          = "https://external.service.com"
  enabled      = true
}
# Empty variable set (placeholder name/description).
resource "tfe_variable_set" "default" {
  organization = tfe_organization.default.name
  description  = "Some description."
  name         = "Test Varset"
}
# Existing CMK used for Vault auto-unseal, resolved via alias.
data "aws_kms_key" "auto_unseal" {
  key_id = "alias/my-key"
}
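# Least-privilege grant for KMS auto-unseal. Vault needs DescribeKey, Encrypt
# and Decrypt on the unseal key; kms:EnableKeyRotation is a key-management
# action the server never calls and has been dropped.
data "aws_iam_policy_document" "auto_unseal" {
  version = "2012-10-17"

  statement {
    sid       = "VaultAutoUnseal"
    effect    = "Allow"
    resources = [data.aws_kms_key.auto_unseal.arn]
    actions = [
      "kms:DescribeKey",
      "kms:Encrypt",
      "kms:Decrypt",
    ]
  }
}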
# Raft retry_join via cloud auto-join: DescribeInstances is account-wide, and
# the tag condition limits it to instances tagged app=vault.
data "aws_iam_policy_document" "raft_auto_join" {
  version = "2012-10-17"

  statement {
    sid       = "ListInstancesWithTags"
    effect    = "Allow"
    actions   = ["ec2:DescribeInstances"]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/app"
      values   = ["vault"]
    }
  }
}
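# Combined identity policy for the Vault server role. The auto_unseal
# document was defined but never attached anywhere; it is merged here so the
# server can actually use the KMS key.
data "aws_iam_policy_document" "default" {
  source_policy_documents = [
    data.aws_iam_policy_document.raft_auto_join.json,
    data.aws_iam_policy_document.auto_unseal.json,
  ]
}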
# Managed policy to attach to the Vault server instance role.
resource "aws_iam_policy" "default" {
  path   = "/"
  name   = "vault_server_policy"
  policy = data.aws_iam_policy_document.default.json
}
# Pre-existing bucket that receives raft snapshots.
data "aws_s3_bucket" "default" {
  bucket = var.bucket_name
}
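# Permissions for the raft snapshot agent.
# - ListBucket applies to the bucket ARN.
# - Object actions must target objects ("<bucket-arn>/*"); on the bucket ARN
#   alone they never match, so uploads would be denied.
# - The wildcard "s3:*Object" (which also covers ACL and tagging changes) is
#   narrowed to what snapshot upload, restore and retention pruning need.
data "aws_iam_policy_document" "raft_snapshot" {
  version = "2012-10-17"

  statement {
    sid       = "ListObjectsInBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [data.aws_s3_bucket.default.arn]
  }

  statement {
    sid    = "SnapshotObjectActions"
    effect = "Allow"
    actions = [
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteObject",
    ]
    resources = ["${data.aws_s3_bucket.default.arn}/*"]
  }
}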
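# The original declared a second `data "aws_iam_policy_document" "default"`
# (a duplicate name, which Terraform rejects) and fed it to an
# aws_s3_bucket_policy. The raft_snapshot document has no `principals`, so it
# is not a valid bucket (resource) policy; it is an identity policy for the
# snapshot agent's role. It is therefore exposed as a managed IAM policy,
# distinct from the server policy above.
data "aws_iam_policy_document" "snapshot" {
  source_policy_documents = [data.aws_iam_policy_document.raft_snapshot.json]
}

resource "aws_iam_policy" "snapshot" {
  name   = "vault_snapshot_policy"
  path   = "/"
  policy = data.aws_iam_policy_document.snapshot.json
}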
# Well-known Microsoft app IDs and the identity running Terraform.
data "azuread_application_published_app_ids" "default" {}

data "azuread_client_config" "default" {}

# Service principal for Microsoft Graph in this tenant, used to resolve
# permission IDs below.
resource "azuread_service_principal" "graph" {
  use_existing   = true
  application_id = data.azuread_application_published_app_ids.default.result.MicrosoftGraph
}
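# App registration used by Vault's OIDC auth method.
#
# Permission fix: `type = "Scope"` denotes a delegated permission, whose ID
# comes from `oauth2_permission_scope_ids`; `app_role_ids` holds application
# permission IDs (type "Role"). The original paired an app-role GUID with
# type "Scope", which Azure AD rejects or silently mis-grants. Vault resolves
# group membership on behalf of the signed-in user, i.e. delegated
# GroupMember.Read.All.
#
# Redirect URIs: the https entry is a placeholder host; the localhost one is
# the `vault login -method=oidc` CLI callback.
resource "azuread_application" "default" {
  display_name            = "hashicorp-vault-app"
  prevent_duplicate_names = true
  owners                  = [data.azuread_client_config.default.object_id]
  group_membership_claims = ["SecurityGroup"]

  web {
    redirect_uris = [
      "https://vault.com:8200/ui/vault/auth/oidc/oidc/callback",
      "http://localhost:8250/oidc/callback",
    ]

    # NOTE(review): ID-token issuance via the implicit grant is enabled here;
    # confirm whether the Vault/Azure OIDC flow in use still requires it.
    implicit_grant {
      id_token_issuance_enabled = true
    }
  }

  optional_claims {
    id_token {
      name                  = "groups"
      additional_properties = []
    }
  }

  required_resource_access {
    resource_app_id = data.azuread_application_published_app_ids.default.result.MicrosoftGraph

    resource_access {
      id   = azuread_service_principal.graph.oauth2_permission_scope_ids["GroupMember.Read.All"]
      type = "Scope"
    }
  }
}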
# Service principal backing the Vault app registration.
resource "azuread_service_principal" "vault" {
  owners         = [data.azuread_client_config.default.object_id]
  application_id = azuread_application.default.application_id
}
# Current AWS region and the name shared by the DR failover role/token.
data "aws_region" "default" {}

locals {
  role_name = "failover-handler"
}
# Daily raft snapshots kept on local disk, 7 retained, capped by local_max_space.
resource "vault_raft_snapshot_agent_config" "local" {
  name         = "local"
  storage_type = "local"
  path_prefix  = "/opt/vault/snapshots/"

  interval_seconds = 86400
  retain           = 7
  local_max_space  = 10000000
}
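# Daily raft snapshots shipped off-box to S3 (7 retained).
# The original declared storage_type "gcp-gcs" while configuring aws_s3_*
# attributes (and was named "s3"); the attributes are the source of truth,
# so the storage type is corrected to "aws-s3".
# NOTE(review): "vault_snapshots" contains an underscore, which is not a
# valid S3 bucket name; point this at the bucket the AWS module manages.
resource "vault_raft_snapshot_agent_config" "s3" {
  name         = "s3"
  storage_type = "aws-s3"
  path_prefix  = "/vault/snapshots/"

  interval_seconds = 86400
  retain           = 7

  aws_s3_bucket = "vault_snapshots"
  aws_s3_region = data.aws_region.default.name
}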
# Autopilot: prune dead servers after 10s without contact, keep a 3-node
# quorum floor, and wait 10s before promoting a new server.
resource "vault_raft_autopilot" "default" {
  min_quorum           = 3
  cleanup_dead_servers = true

  last_contact_threshold             = "10s"
  dead_server_last_contact_threshold = "10s"
  server_stabilization_time          = "10s"
  max_trailing_logs                  = 1000
}
# JSON audit log on local disk.
# mode "0000" tells the file audit device not to change the log file's
# permissions (per the Vault docs) — the file's mode must then be managed by
# the host (e.g. 0600 owned by the vault user).
resource "vault_audit" "file" {
  description = "Vault Audit to File"
  type        = "file"

  options = {
    file_path = "/var/log/vault_audit.log"
    format    = "json"
    prefix    = "vault"
    mode      = "0000"
  }
}
# Second audit device to syslog (AUTH facility) so an audit failure on one
# device does not block requests.
resource "vault_audit" "syslog" {
  description = "Vault Audit to syslog"
  type        = "syslog"

  options = {
    facility = "AUTH"
    tag      = "vault"
    format   = "json"
    prefix   = "vault"
  }
}
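# Minimal policy for a DR-secondary failover operator. The rule descriptions
# in the original were copy-pasted ("Create and manage ACL policies") and
# did not describe the paths; they are corrected here. No other capabilities
# are granted.
data "vault_policy_document" "default" {
  rule {
    path         = "sys/replication/dr/secondary/promote"
    capabilities = ["update"]
    description  = "Promote this DR secondary to primary"
  }

  rule {
    path         = "sys/replication/dr/secondary/update-primary"
    capabilities = ["update"]
    description  = "Point this DR secondary at a new primary"
  }

  rule {
    path         = "sys/storage/raft/autopilot/state"
    capabilities = ["read", "update"]
    description  = "Read the current raft autopilot state"
  }
}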
# ACL policy rendered from the document above.
resource "vault_policy" "default" {
  policy = data.vault_policy_document.default.hcl
  name   = "dr-secondary-promotion"
}
# Token role for the DR operation token: batch type (required for DR
# operations on a secondary), orphaned, non-renewable, limited to the
# promotion policy.
resource "vault_token_auth_backend_role" "default" {
  role_name        = local.role_name
  token_type       = "batch"
  orphan           = true
  renewable        = false
  allowed_policies = [vault_policy.default.name]
}
# Short-lived (8h) batch token issued from the failover role; the token value
# is stored in Terraform state.
resource "vault_token" "default" {
  display_name = local.role_name
  role_name    = vault_token_auth_backend_role.default.name
  ttl          = "8h"
}
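# DR operation token. Marked sensitive so it is redacted from plan/apply
# output and CLI logs; it remains readable via `terraform output -raw`.
output "batch_token" {
  description = "DR operation (batch) token for the failover handler"
  value       = vault_token.default.client_token
  sensitive   = true
}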
# Azure AD v2.0 issuer for this tenant, used as the OIDC discovery URL.
locals {
  oidc_url = "https://login.microsoftonline.com/${data.azuread_client_config.default.tenant_id}/v2.0"
}
# Current tenant/identity and the pre-existing Vault app registration.
data "azuread_client_config" "default" {}

data "azuread_application" "default" {
  display_name = var.application_name
}
# Client secret for the app registration, valid ~2 years (17250h).
# NOTE(review): the secret is stored in Terraform state; consider a shorter
# lifetime with a rotation schedule.
resource "azuread_application_password" "default" {
  application_object_id = data.azuread_application.default.object_id
  display_name          = var.application_name
  end_date_relative     = "17250h"
}
# OIDC auth method backed by Azure AD.
# NOTE(review): a 768h (32-day) default/max lease on interactive logins is
# long for a human auth method; consider shortening it.
resource "vault_jwt_auth_backend" "default" {
  path        = "oidc"
  type        = "oidc"
  description = "Vault OIDC Auth Method"
  default_role = var.application_name

  provider_config    = { provider = "azure" }
  oidc_discovery_url = local.oidc_url
  oidc_client_id     = data.azuread_application.default.application_id
  oidc_client_secret = azuread_application_password.default.client_secret

  tune {
    token_type        = "default-service"
    default_lease_ttl = "768h"
    max_lease_ttl     = "768h"
  }
}
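# Default role for the OIDC auth method.
# role_type now follows the backend's `type` rather than its `path`; the two
# only happened to both be "oidc", and mounting the backend elsewhere would
# have produced an invalid role type.
# The Graph ".default" scope lets Vault resolve groups for users whose group
# count overflows the id_token claim. No bound_claims are set, so any user
# assigned to the app can log in; authorization rests on group mappings.
resource "vault_jwt_auth_backend_role" "default" {
  backend   = vault_jwt_auth_backend.default.path
  role_type = vault_jwt_auth_backend.default.type
  role_name = var.application_name

  oidc_scopes           = ["profile", "https://graph.microsoft.com/.default"]
  allowed_redirect_uris = element(data.azuread_application.default.web[*].redirect_uris, 0)

  user_claim   = "email"
  groups_claim = "groups"
}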