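# ACL policy for the token Terraform uses to build the namespace landing zone.
#
# It grants create/update/delete (and, where listed, sudo) on namespaces,
# secrets-engine mounts, auth methods, identity objects and ACL policies in the
# root namespace and in namespaces nested up to three levels below it (the "+"
# path segments each match one namespace level). A token holding this policy
# can enable an auth method, write an arbitrary ACL policy and hand that policy
# out through the auth method, so it must be handled as an administrator
# credential: issue it from a dedicated, short-TTL auth role (AppRole/JWT
# rather than a long-lived token), keep it out of state files and CI logs, and
# audit its use.
resource "vault_policy" "policy_for_terraform" {
  name = "policy_for_terraform"

  # Every stanza is repeated with "+/", "+/+/" and "+/+/+/" prefixes so the
  # same grant applies one, two and three namespace levels below the root;
  # deeper namespaces are intentionally not covered by this policy.
  policy = <<EOF
# Create, read, update, delete and list child namespaces.
path "sys/namespaces/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}
path "+/sys/namespaces/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}
path "+/+/sys/namespaces/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}
path "+/+/+/sys/namespaces/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}

# Enable, tune, move and disable secrets engines. This is full management of
# mounts (with sudo), not merely listing them.
path "sys/mounts/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}
path "+/sys/mounts/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}
path "+/+/sys/mounts/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}
path "+/+/+/sys/mounts/*" {
  capabilities = ["read", "create", "update", "delete", "sudo", "list"]
}

# Enumerating all mounted engines is GET sys/mounts (no trailing segment),
# which the "sys/mounts/*" glob above does not match; grant it explicitly so
# listing works.
path "sys/mounts" { capabilities = ["read"] }
path "+/sys/mounts" { capabilities = ["read"] }
path "+/+/sys/mounts" { capabilities = ["read"] }
path "+/+/+/sys/mounts" { capabilities = ["read"] }

# Create and manage identities (entities, groups, aliases, lookup, identity
# tokens, OIDC). Note that group/alias management lets the holder change which
# policies existing principals receive.
path "identity/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "+/identity/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "+/+/identity/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}
path "+/+/+/identity/*" {
  capabilities = ["create", "update", "read", "delete", "list"]
}

# Manage ACL policies. Combined with the auth-method grants below this is
# equivalent to being able to grant any capability to any principal.
path "sys/policies/acl/*" {
  capabilities = ["read", "create", "update", "delete", "list"]
}
path "+/sys/policies/acl/*" {
  capabilities = ["read", "create", "update", "delete", "list"]
}
path "+/+/sys/policies/acl/*" {
  capabilities = ["read", "create", "update", "delete", "list"]
}
path "+/+/+/sys/policies/acl/*" {
  capabilities = ["read", "create", "update", "delete", "list"]
}

# Enable, tune, disable and read individual auth methods.
path "sys/auth/*" {
  capabilities = ["read", "create", "update", "delete", "sudo"]
}
path "+/sys/auth/*" {
  capabilities = ["read", "create", "update", "delete", "sudo"]
}
path "+/+/sys/auth/*" {
  capabilities = ["read", "create", "update", "delete", "sudo"]
}
path "+/+/+/sys/auth/*" {
  capabilities = ["read", "create", "update", "delete", "sudo"]
}

# Enumerating all enabled auth methods is GET sys/auth, which the
# "sys/auth/*" glob does not match; grant it explicitly.
path "sys/auth" { capabilities = ["read"] }
path "+/sys/auth" { capabilities = ["read"] }
path "+/+/sys/auth" { capabilities = ["read"] }
path "+/+/+/sys/auth" { capabilities = ["read"] }

# Configure auth methods and CRUD their roles in the root namespace only.
# NOTE(review): unlike the stanzas above there is no "+/auth/*" variant, so
# Terraform cannot manage auth-method configuration or roles inside child
# namespaces with this policy. Add the "+/" variants only if that is required.
path "auth/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Configure userpass, approle, etc. auth methods. Vault applies the most
# specific (longest-prefix) matching rule, so for these paths this stanza
# takes precedence over "sys/mounts/*" above and they are granted without sudo.
path "sys/mounts/auth/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Allow Terraform to mint child tokens (e.g. vault_token resources). No sudo is
# granted here on purpose.
path "auth/token/create" {
  capabilities = ["update"]
}
EOF
}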