From f282933385c05091032669da59d8aea5edc0f45d Mon Sep 17 00:00:00 2001
From: adam
Date: Mon, 26 Feb 2024 12:15:33 -0700
Subject: [PATCH] parameterize vault server resources more accurately

---
 .../deployments/roundtable/env/dev.tfvars | 4 +-
 .../roundtable/env/production.tfvars | 2 +
 environment/deployments/roundtable/main.tf | 42 +------
 .../deployments/roundtable/variables.tf | 10 ++---
 4 files changed, 11 insertions(+), 47 deletions(-)

diff --git a/environment/deployments/roundtable/env/dev.tfvars b/environment/deployments/roundtable/env/dev.tfvars
index c47fe7e9..cd690f9b 100644
--- a/environment/deployments/roundtable/env/dev.tfvars
+++ b/environment/deployments/roundtable/env/dev.tfvars
@@ -70,9 +70,11 @@ activate_apis = [
 ]
 
 # Vault service service account
-vault_server_dev_service_accounts = [
+vault_server_service_accounts = [
 "serviceAccount:vault-server@roundtable-dev-abe2.iam.gserviceaccount.com"
 ]
 
+vault_server_bucket_suffix = "vault-server-dev"
+
 # Increase this number to force Terraform to update the dev environment.
 # Serial: 6
diff --git a/environment/deployments/roundtable/env/production.tfvars b/environment/deployments/roundtable/env/production.tfvars
index 05154696..c64c3577 100644
--- a/environment/deployments/roundtable/env/production.tfvars
+++ b/environment/deployments/roundtable/env/production.tfvars
@@ -72,6 +72,8 @@ vault_server_service_accounts = [
 "serviceAccount:vault-server@roundtable-prod-f6fd.iam.gserviceaccount.com"
 ]
 
+vault_server_bucket_suffix = "vault-server"
+
 # Increase this number to force Terraform to update the prod environment.
 # Serial: 6
diff --git a/environment/deployments/roundtable/main.tf b/environment/deployments/roundtable/main.tf
index 761db1d2..7fb263cf 100644
--- a/environment/deployments/roundtable/main.tf
+++ b/environment/deployments/roundtable/main.tf
@@ -34,19 +34,6 @@ module "kms" {
 encrypters = var.vault_server_service_accounts
 owners = var.vault_server_service_accounts
 }
 
-// dev
-module "kms_2" {
- source = "../../../modules/kms"
- project_id = module.project_factory.project_id
- location = "us-central1"
- keyring = "vault-server-dev"
- keys = [ "vault-seal" ]
- set_owners_for = [ "vault-seal" ]
- decrypters = var.vault_server_dev_service_accounts
- encrypters = var.vault_server_dev_service_accounts
- owners = var.vault_server_dev_service_accounts
-}
-
 // Vault Server Storage Bucket
 module "storage_bucket" {
@@ -54,7 +41,7 @@ module "storage_bucket" {
 project_id = module.project_factory.project_id
 storage_class = "REGIONAL"
 location = "us-central1"
- suffix_name = ["vault-server"]
+ suffix_name = [ var.vault_server_bucket_suffix ]
 prefix_name = "rubin"
 versioning = {
 vault-server = false
@@ -74,33 +61,6 @@ resource "google_storage_bucket_iam_binding" "vault-server-storage-binding" {
 members = var.vault_server_service_accounts
 }
 
-// Vault Server Storage Bucket (Dev)
-module "storage_bucket_2" {
- source = "../../../modules/bucket"
- project_id = module.project_factory.project_id
- storage_class = "REGIONAL"
- location = "us-central1"
- suffix_name = ["vault-server-dev"]
- prefix_name = "rubin"
- versioning = {
- vault-server-dev = false
- }
- force_destroy = {
- vault-server-dev = false
- }
- labels = {
- environment = var.environment
- application = "vault"
- }
-}
-// RW storage access to Vault Server Dev bucket
-resource "google_storage_bucket_iam_binding" "vault-server-dev-storage-binding" {
- bucket = module.storage_bucket_2.name
- role = "roles/storage.objectUser"
- members = var.vault_server_dev_service_accounts
-}
-
-
 # Service account for Git LFS read/write
 resource "google_service_account" "git_lfs_rw_sa" {
 account_id = "git-lfs-rw"
diff --git a/environment/deployments/roundtable/variables.tf b/environment/deployments/roundtable/variables.tf
index f2815197..3127347e 100644
--- a/environment/deployments/roundtable/variables.tf
+++ b/environment/deployments/roundtable/variables.tf
@@ -187,9 +187,9 @@ variable "vault_server_service_accounts" {
 default = []
 }
 
-// Vault Server
-variable "vault_server_dev_service_accounts" {
- type = list(string)
- description = "Service accounts used for Vault-Server Dev access"
- default = []
+# Buckets
+
+variable "vault_server_bucket_suffix" {
+ type = string
+ description = "Suffix for bucket used for Vault server storage"
 }
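Review bot: Dropping `module "kms_2"` from the configuration makes the next dev apply plan a destroy of the `vault-server-dev` keyring's `vault-seal` key, and if the local kms module wraps `google_kms_crypto_key` the provider schedules every key version for destruction on that path, leaving a Vault instance sealed with it unable to unseal; the same concern applies to `module "storage_bucket_2"` and its IAM binding removed in this file's third hunk, although `force_destroy = false` there at least refuses to delete a non-empty bucket. If the dev resources are meant to be retired, detach them from state before applying (`terraform state rm module.kms_2`, or a `removed` block with `lifecycle { destroy = false }` on Terraform 1.7+) and say so in the commit message; if they are meant to live on, the keyring name in `module "kms"` needs a per-environment variable like `vault_server_bucket_suffix`, since only the bucket suffix was parameterized here. The `module "kms"` block's keyring and key arguments start outside the hunk, so this is inferred from its `encrypters`/`owners` context lines. Separately, the `owners = var.vault_server_service_accounts` context line hands the Vault runtime identity ownership of its own seal key, which is more than encrypt/decrypt needs — worth checking what role the kms module's `owners` input actually grants.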
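Review bot: In dev, `suffix_name = [ var.vault_server_bucket_suffix ]` renames the bucket that `module "storage_bucket"` already manages from the `vault-server` suffix to `vault-server-dev`, which is a replacement, and the replacement's name collides with the bucket `module "storage_bucket_2"` created under that same suffix and prefix `rubin` (assuming the bucket module derives the name from `prefix_name`/`suffix_name`, as the values suggest). The dev plan will therefore try to destroy one bucket and create another whose name is still taken, and will fail on the conflict unless the existing `-dev` bucket is first moved into the `module.storage_bucket` address with `terraform state mv` after the old bucket at that address has been removed or destroyed; a static `moved` block does not fit because prod already has `module.storage_bucket` in state. Before applying, confirm which of the two dev buckets actually holds Vault's storage backend, since the destroy of the other one is only blocked while it is non-empty. The module block begins outside the hunk.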
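Review bot: `vault_server_bucket_suffix` flows straight into a GCS bucket name but has no `validation` block, so a typo in a tfvars file (an uppercase letter, a trailing dash, a space) only surfaces as an API error mid-apply after earlier resources have already changed; a regex check on the variable fails at plan time instead (Terraform 0.13+). Leaving the variable without a `default` is the right call, since each environment must name its bucket explicitly. The new `# Buckets` header also switches from the `//` comment style the file uses elsewhere (`// Vault Server` on the removed line just above) — pick one for the file.
```hcl
variable "vault_server_bucket_suffix" {
  type        = string
  description = "Suffix for bucket used for Vault server storage"

  validation {
    condition     = can(regex("^[a-z0-9][a-z0-9-]*[a-z0-9]$", var.vault_server_bucket_suffix))
    error_message = "vault_server_bucket_suffix must contain only lowercase letters, digits and dashes, starting and ending with a letter or digit, because it becomes part of a GCS bucket name."
  }
}
```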