add ACLs for VM users automatically (#6)

c-base · Jul 31, 2023 · 5e64f54 · 5e64f54
1 parent 02529bd
commit 5e64f54
Show file tree

Hide file tree

Showing 7 changed files with 53 additions and 32 deletions.
diff --git a/modules/vm/main.tf b/modules/vm/main.tf
@@ -91,39 +91,45 @@ resource "proxmox_virtual_environment_vm" "vm" {
     }
   }
 
-  dynamic "initialization" {
-    for_each = var.ssh_keys != null ? [var.ssh_keys] : []
-    content {
-      datastore_id = var.disk.storage
+  initialization {
+    datastore_id = var.disk.storage
 
-      # this is necessary when using machine type q35 or ovmf bios
-      interface = "scsi1"
+    # this is necessary when using machine type q35 or ovmf bios
+    interface = "scsi1"
 
-      user_account {
-        password = random_password.default_root_password.result
-        keys     = initialization.value
-      }
+    user_account {
+      password = random_password.default_root_password.result
+      keys     = [for _, user in var.admins : user.ssh_key]
+    }
 
-      ip_config {
-        ipv4 {
-          address = "dhcp"
-        }
+    ip_config {
+      ipv4 {
+        address = "dhcp"
+      }
 
-        ipv6 {
-          address = "dhcp"
-        }
+      ipv6 {
+        address = "dhcp"
       }
+    }
 
-      ip_config {
-        ipv4 {
-          address = "10.23.42.${var.vm_id}/24"
-          gateway = "10.23.42.1"
-        }
+    ip_config {
+      ipv4 {
+        address = "10.23.42.${var.vm_id}/24"
+        gateway = "10.23.42.1"
       }
     }
   }
 }
 
+resource "proxmox_virtual_environment_acl" "admin_acl" {
+  for_each = { for user in var.admins : user.username => user }
+
+  user_id = each.value.username
+  role_id = "VMUser"
+  path    = "/vms/${proxmox_virtual_environment_vm.vm.vm_id}"
+}
+
+
 resource "random_password" "default_root_password" {
   length           = 16
   override_special = "_%@"

diff --git a/modules/vm/variables.tf b/modules/vm/variables.tf
@@ -67,10 +67,11 @@ variable "clone" {
   description = "clone the vm with the given ID"
 }
 
-variable "ssh_keys" {
-  type        = list(string)
-  default     = null
-  description = "clone the vm with the given ID"
+variable "admins" {
+  type = list(object({
+    username = string
+    ssh_key  = string
+  }))
 }
 
 variable "template" {

diff --git a/proxmox/docker.tf b/proxmox/docker.tf
@@ -22,7 +22,7 @@ module "docker_vm" {
     internal_bridge = proxmox_virtual_environment_network_linux_bridge.internal_bridge.name
   }
 
-  ssh_keys = [
-    var.users["hrmny"].ssh_key,
+  admins = [
+    local.users["hrmny"]
   ]
 }
diff --git a/proxmox/home-assistant.tf b/proxmox/home-assistant.tf
@@ -19,4 +19,8 @@ module "home_assistant_vm" {
     bridge          = var.network.bridge
     internal_bridge = proxmox_virtual_environment_network_linux_bridge.internal_bridge.name
   }
+
+  admins = [
+    local.users["hrmny"]
+  ]
 }
diff --git a/proxmox/kristall-miai-vm.tf b/proxmox/kristall-miai-vm.tf
@@ -22,7 +22,7 @@ module "kristall-miai_vm" {
     internal_bridge = proxmox_virtual_environment_network_linux_bridge.internal_bridge.name
   }
 
-  ssh_keys = [
-    var.users["kristall"].ssh_key,
+  admins = [
+    local.users["kristall"]
   ]
 }
diff --git a/proxmox/netboot.tf b/proxmox/netboot.tf
@@ -22,7 +22,7 @@ module "netboot_vm" {
     internal_bridge = proxmox_virtual_environment_network_linux_bridge.internal_bridge.name
   }
 
-  ssh_keys = [
-    var.users["saces"].ssh_key,
+  admins = [
+    local.users["saces"]
   ]
 }
diff --git a/proxmox/users.tf b/proxmox/users.tf
@@ -21,3 +21,13 @@ resource "proxmox_virtual_environment_user" "ijon" {
     role_id   = data.proxmox_virtual_environment_role.admin_role.role_id
   }
 }
+
+resource "proxmox_virtual_environment_user" "member" {
+  for_each = local.users
+  user_id  = each.value.username
+}
+
+// add pve username to user object
+locals {
+  users = { for name, user in var.users : name => { username = "${name}@ldap", ssh_key = user.ssh_key } }
+}