Merge pull request #9 from companieshouse/feature/logging

Incorporate Vault authentication methods
companieshouse · Apr 12, 2021 · 97fef30 · 97fef30
2 parents c7967fe + 68ac45d
commit 97fef30
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 9 deletions.
diff --git a/groups/frontend/instance.tf b/groups/frontend/instance.tf
@@ -109,11 +109,11 @@ resource "aws_security_group" "common" {
   vpc_id = data.aws_vpc.heritage.id
 
   ingress {
-    description = "Allow SSH connectivity from trusted subnets"
+    description = "Allow SSH connectivity for application deployments"
     from_port   = 22
     to_port     = 22
     protocol    = "TCP"
-    cidr_blocks = var.ssh_cidrs
+    cidr_blocks = var.deployment_cidrs
   }
 
   egress {

diff --git a/groups/frontend/variables.tf b/groups/frontend/variables.tf
@@ -26,6 +26,11 @@ variable "default_log_retention_in_days" {
   default     = 7
 }
 
+variable "deployment_cidrs" {
+  type        = list(string)
+  description = "A list of strings representing CIDR ranges from which applications will be deployed to Tuxedo instances via Ansible"
+}
+
 variable "web_subnet_pattern" {
   type        = string
   description = "The pattern to use when filtering for web subnets by 'Name' tag"
@@ -173,13 +178,6 @@ variable "tuxedo_services" {
     },
   }
 }
-
-# TODO read from Vault
-variable "ssh_cidrs" {
-  type        = list(string)
-  description = "A list of strings representing CIDR ranges from which SSH connections are permitted to EC2 instances"
-}
-
 variable "ssh_master_public_key" {
   type        = string
   description = "The SSH master public key; EC2 instance connect should be used for regular connectivity"

diff --git a/groups/frontend/vault-providers/approle b/groups/frontend/vault-providers/approle
@@ -0,0 +1,20 @@
+variable "hashicorp_vault_role_id" {
+  description = "The role identifier used when retrieving configuration from Hashicorp Vault"
+  type = string
+}
+
+variable "hashicorp_vault_secret_id" {
+  description = "The secret identifier used when retrieving configuration from Hashicorp Vault"
+  type = string
+}
+
+provider "vault" {
+  auth_login {
+    path = "auth/approle/login"
+
+    parameters = {
+      role_id   = var.hashicorp_vault_role_id
+      secret_id = var.hashicorp_vault_secret_id
+    }
+  }
+}
diff --git a/groups/frontend/vault-providers/token b/groups/frontend/vault-providers/token
@@ -0,0 +1,5 @@
+provider "vault" {
+    # Credentials read from the environment variables:
+    #   ${VAULT_ADDR}
+    #   ${VAULT_TOKEN}
+}
diff --git a/groups/frontend/vault-providers/userpass b/groups/frontend/vault-providers/userpass
@@ -0,0 +1,19 @@
+variable "hashicorp_vault_username" {
+  description = "The username used when retrieving configuration from Hashicorp Vault"
+  type = string
+}
+
+variable "hashicorp_vault_password" {
+  description = "The password used when retrieving configuration from Hashicorp Vault"
+  type = string
+}
+
+provider "vault" {
+  auth_login {
+    path = "auth/userpass/login/${var.hashicorp_vault_username}"
+
+    parameters = {
+      password = var.hashicorp_vault_password
+    }
+  }
+}
diff --git a/groups/frontend/vault.tf b/groups/frontend/vault.tf
@@ -0,0 +1 @@
+vault-providers/userpass