parameterize vault server resources more accurately

lsst · Feb 26, 2024 · f282933 · f282933
1 parent 0135ff1
commit f282933
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 47 deletions.
diff --git a/environment/deployments/roundtable/env/dev.tfvars b/environment/deployments/roundtable/env/dev.tfvars
@@ -70,9 +70,11 @@ activate_apis = [
 ]
 
 # Vault service service account
-vault_server_dev_service_accounts = [
+vault_server_service_accounts = [
   "serviceAccount:[email protected]"
 ]
 
+vault_server_bucket_suffix = "vault-server-dev"
+
 # Increase this number to force Terraform to update the dev environment.
 # Serial: 6
diff --git a/environment/deployments/roundtable/env/production.tfvars b/environment/deployments/roundtable/env/production.tfvars
@@ -72,6 +72,8 @@ vault_server_service_accounts = [
   "serviceAccount:[email protected]"
 ]
 
+vault_server_bucket_suffix = "vault-server"
+
 # Increase this number to force Terraform to update the prod environment.
 # Serial: 6
 
diff --git a/environment/deployments/roundtable/main.tf b/environment/deployments/roundtable/main.tf
@@ -34,27 +34,14 @@ module "kms" {
   encrypters     = var.vault_server_service_accounts
   owners         = var.vault_server_service_accounts
 }
-// dev
-module "kms_2" {
-  source         = "../../../modules/kms"
-  project_id     = module.project_factory.project_id
-  location       = "us-central1"  
-  keyring        = "vault-server-dev"
-  keys           = [ "vault-seal" ]
-  set_owners_for = [ "vault-seal" ]
-  decrypters     = var.vault_server_dev_service_accounts
-  encrypters     = var.vault_server_dev_service_accounts
-  owners         = var.vault_server_dev_service_accounts
-}
-
 
 // Vault Server Storage Bucket
 module "storage_bucket" {
   source        = "../../../modules/bucket"
   project_id    = module.project_factory.project_id
   storage_class = "REGIONAL"
   location      = "us-central1"
-  suffix_name   = ["vault-server"]
+  suffix_name   = [ var.vault_server_bucket_suffix ]
   prefix_name   = "rubin"
   versioning = {
     vault-server = false
@@ -74,33 +61,6 @@ resource "google_storage_bucket_iam_binding" "vault-server-storage-binding" {
   members = var.vault_server_service_accounts
 }
 
-// Vault Server Storage Bucket (Dev)
-module "storage_bucket_2" {
-  source        = "../../../modules/bucket"
-  project_id    = module.project_factory.project_id
-  storage_class = "REGIONAL"
-  location      = "us-central1"
-  suffix_name   = ["vault-server-dev"]
-  prefix_name   = "rubin"
-  versioning = {
-    vault-server-dev = false
-  }
-  force_destroy = {
-    vault-server-dev = false
-  }
-  labels = {
-    environment = var.environment
-    application = "vault"
-  }
-}
-// RW storage access to Vault Server Dev bucket
-resource "google_storage_bucket_iam_binding" "vault-server-dev-storage-binding" {
-  bucket  = module.storage_bucket_2.name
-  role    = "roles/storage.objectUser"
-  members = var.vault_server_dev_service_accounts
-}
-
-
 # Service account for Git LFS read/write
 resource "google_service_account" "git_lfs_rw_sa" {
   account_id   = "git-lfs-rw"

diff --git a/environment/deployments/roundtable/variables.tf b/environment/deployments/roundtable/variables.tf
@@ -187,9 +187,9 @@ variable "vault_server_service_accounts" {
   default     = []
 }
 
-// Vault Server
-variable "vault_server_dev_service_accounts" {
-  type        = list(string)
-  description = "Service accounts used for Vault-Server Dev access"
-  default     = []
+# Buckets
+
+variable "vault_server_bucket_suffix" {
+  type        = string
+  description = "Suffix for bucket used for Vault server storage"
 }