# ── OCI Vault (software-protected keys — Always Free) ─────────────────────────
# Always Free: all software-protected master encryption key versions + 150 secrets.
# Stores k3s_token, longhorn_ui_password, and grafana_admin_password as Vault
# secrets that cloud-init fetches at boot through the OCI CLI using
# instance_principal auth.
# This removes the plaintext secrets from the instance user-data (cloud-init).
# Note that the same values are still present in Terraform state (the
# random_password results and the secret_content below), so the state backend
# needs to be protected to the same standard as the vault.
resource "oci_kms_vault" "k3s" {
  # Only provisioned when the vault integration is switched on; every
  # dependent resource in this file indexes it as oci_kms_vault.k3s[0].
  count = var.enable_vault ? 1 : 0

  display_name   = "${var.cluster_name}-vault"
  compartment_id = var.compartment_ocid
  freeform_tags  = local.common_tags

  # Standard vault type. The SOFTWARE protection that keeps this within the
  # Always Free allowance is configured on the key, not on the vault.
  vault_type = "DEFAULT"

  # A deleted DEFAULT vault sits in PENDING_DELETION for 7+ days and keeps
  # counting against the small per-tenancy vault limit. prevent_destroy makes
  # any plan that would delete this vault fail instead of proceeding, so the
  # vault is never torn down and recreated by accident. Be aware this also
  # makes a plain `tofu destroy` fail (and, in practice, flipping
  # enable_vault back to false); the vault must be removed from state
  # deliberately before such a plan can succeed.
  lifecycle {
    prevent_destroy = true
  }
}
resource "oci_kms_key" "k3s" {
  # Follows the vault's enable flag so the key never exists without it.
  count = var.enable_vault ? 1 : 0

  display_name   = "${var.cluster_name}-key"
  compartment_id = var.compartment_ocid
  freeform_tags  = local.common_tags

  # Keys are created against the owning vault's management endpoint rather
  # than a regional endpoint, which is what ties this key to oci_kms_vault.k3s.
  management_endpoint = oci_kms_vault.k3s[0].management_endpoint

  # AES with a 32-byte key (AES-256). This is the master key referenced by
  # every oci_vault_secret in this file via key_id.
  key_shape {
    algorithm = "AES"
    length    = 32
  }

  # SOFTWARE protection is what keeps the key versions inside the Always Free
  # allowance described in the file header.
  protection_mode = "SOFTWARE"

  # Same reasoning as the vault: key deletion is a scheduled operation with a
  # waiting period, and losing the key would orphan every secret wrapped by it,
  # so a destroying plan is refused rather than applied.
  lifecycle {
    prevent_destroy = true
  }
}
resource "oci_vault_secret" "k3s_token" {
  count = var.enable_vault ? 1 : 0

  compartment_id = var.compartment_ocid
  vault_id       = oci_kms_vault.k3s[0].id
  key_id         = oci_kms_key.k3s[0].id
  freeform_tags  = local.common_tags

  # Name resolved by cloud-init when it fetches the token at boot.
  secret_name = "${var.cluster_name}-k3s-token"
  description = "k3s cluster join token"

  # The provider takes the payload base64-encoded. The plaintext originates in
  # random_password.k3s_token and is therefore also recorded in Terraform
  # state; a changed password should surface as a new secret version rather
  # than an in-place edit.
  secret_content {
    content_type = "BASE64"
    content      = base64encode(random_password.k3s_token.result)
  }
}
resource "oci_vault_secret" "longhorn_ui_password" {
  count = var.enable_vault ? 1 : 0

  compartment_id = var.compartment_ocid
  vault_id       = oci_kms_vault.k3s[0].id
  key_id         = oci_kms_key.k3s[0].id
  freeform_tags  = local.common_tags

  # Name resolved by cloud-init when it fetches the password at boot.
  secret_name = "${var.cluster_name}-longhorn-ui-password"
  description = "Longhorn UI BasicAuth password"

  # Payload must be base64-encoded. The plaintext comes from
  # random_password.longhorn_ui_password and so is also held in Terraform
  # state; a regenerated password should appear as a new secret version.
  secret_content {
    content_type = "BASE64"
    content      = base64encode(random_password.longhorn_ui_password.result)
  }
}
resource "oci_vault_secret" "grafana_admin_password" {
  count = var.enable_vault ? 1 : 0

  compartment_id = var.compartment_ocid
  vault_id       = oci_kms_vault.k3s[0].id
  key_id         = oci_kms_key.k3s[0].id
  freeform_tags  = local.common_tags

  # Name resolved by cloud-init when it fetches the password at boot.
  secret_name = "${var.cluster_name}-grafana-admin-password"
  description = "Grafana admin password"

  # Payload must be base64-encoded. The plaintext comes from
  # random_password.grafana_admin_password and so is also held in Terraform
  # state; a regenerated password should appear as a new secret version.
  secret_content {
    content_type = "BASE64"
    content      = base64encode(random_password.grafana_admin_password.result)
  }
}