doc

wescale · Dec 14, 2023 · d8a68fa · d8a68fa
1 parent bbe6e13
commit d8a68fa
Show file tree

Hide file tree

Showing 4 changed files with 53 additions and 25 deletions.
diff --git a/docs/source/howto.md b/docs/source/howto.md
@@ -4,14 +4,15 @@
 :maxdepth: 1
 
 howto/contribute
+howto/deploy_onprem
+howto/backend_for_addons
+howto/enable_vault_ldap
+howto/find_root_tokens
+howto/setup_scw_creds
 howto/setup_with_docker_installer
 howto/setup_workspace
-howto/setup_scw_creds
 howto/ssh_to_nodes
-howto/deploy_onprem
-howto/find_root_tokens
 howto/vault_policies
-howto/enable_vault_ldap
 ```
 
 ------

diff --git a/docs/source/howto/backend_for_addons.md b/docs/source/howto/backend_for_addons.md
@@ -0,0 +1,48 @@
+# Manage backend key for vault addons
+
+## The problem
+
+If you are using the `s3` backend configuration for terraformed parts of the vault role, you might encounter
+a problem of backend state key overlap.
+
+If you look into `roles/vault/tasks/main.yml` you will find this section:
+
+```{code-block}
+:caption: roles/vault/tasks/main.yml
+:linenos:
+:lineno-start: 66
+- name: "Include requested vault addons"
+  include_tasks:
+    file: "{{ role_path }}/tasks/tf_addons/_{{ _current_conf_addon }}.yml"
+    apply:
+      tags:
+        - addons
+  loop: "{{ hs_vault_enabled_addons }}"
+  loop_control:
+    loop_var: _current_conf_addon
+  when:
+    - __hs_vault_is_master
+  tags:
+    - addons
+```
+
+As you can read, addons are applied in a sequence and there is a `loop_var` statement.
+
+The idea is to rely on this mechanism to handle your key dynamism. You could configure your vault 
+role like in this example:
+
+
+```{code-block}
+:caption: roles/vault/tasks/main.yml
+:linenos:
+hs_vault_terraform_backend_type: 's3'
+hs_vault_terraform_backend_config:
+  key: "vault_{{ _current_conf_addon | default('no_current_conf_addon') }}"
+  bucket: "..."
+```
+
+In this way, when the `hs_vault_terraform_backend_config` will be evaluated during the applicance loop
+the property `key` will have a different value for each loop, directly linked to the current addon being applied.
+
+The `| default('no_current_conf_addon')` here is only to detect any evaluation outside of the applicance loop
+that could occur.
diff --git a/docs/source/reference/role_vault.md b/docs/source/reference/role_vault.md
@@ -206,19 +206,6 @@ hs_vault_addon_auth_ldap_path: 'ldap'
 
 LDAP connection parameters
 
-```{admonition} Dig Deeper
-:class: important
-See also: [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap)
-```
-
-Mount point of the auth engine in vault.
-
-```
-hs_vault_addon_auth_ldap_path: 'ldap'
-```
-
-LDAP connection parameters
-
 ```
 hs_vault_addon_auth_ldap_server_url: ''
 hs_vault_addon_auth_ldap_starttls: ''    # MUST be 'true' or 'false' as string
@@ -235,13 +222,8 @@ hs_vault_addon_auth_ldap_user_dn: ''
 hs_vault_addon_auth_ldap_user_attr: ''
 hs_vault_addon_auth_ldap_group_dn: ''
 hs_vault_addon_auth_ldap_group_filter: ''  # MUST escape Go template by using
-<<<<<<< HEAD
 ```
-
 ```{admonition} Dig Deeper
 :class: important
 See also: [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap)
 ```
-
-=======
->>>>>>> main
diff --git a/docs/source/reference/terraform/vault_policy_management.md b/docs/source/reference/terraform/vault_policy_management.md
@@ -29,10 +29,7 @@ export VAULT_TOKEN="..."
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-<<<<<<< HEAD
 | kv\_v2\_mount\_point | n/a | `string` | n/a | yes |
-=======
->>>>>>> main
 | policy\_management\_token\_renew\_increment | n/a | `number` | `86400` | no |
 | policy\_management\_token\_renew\_min\_lease | n/a | `number` | `43200` | no |
 | policy\_management\_token\_renewable | n/a | `bool` | `true` | no |