diff --git a/docs/source/howto.md b/docs/source/howto.md index 9768184..5ce05f2 100644 --- a/docs/source/howto.md +++ b/docs/source/howto.md @@ -4,14 +4,15 @@ :maxdepth: 1 howto/contribute +howto/deploy_onprem +howto/backend_for_addons +howto/enable_vault_ldap +howto/find_root_tokens +howto/setup_scw_creds howto/setup_with_docker_installer howto/setup_workspace -howto/setup_scw_creds howto/ssh_to_nodes -howto/deploy_onprem -howto/find_root_tokens howto/vault_policies -howto/enable_vault_ldap ``` ------ diff --git a/docs/source/howto/backend_for_addons.md b/docs/source/howto/backend_for_addons.md new file mode 100644 index 0000000..b9e0fbf --- /dev/null +++ b/docs/source/howto/backend_for_addons.md 
@@ -0,0 +1,48 @@ +# Manage backend key for vault addons + +## The problem + +If you are using the `s3` backend configuration for terraformed parts of the vault role, you might encounter +a problem of backend state key overlap. + +If you look into `roles/vault/tasks/main.yml` you will find this section: + +```{code-block} +:caption: roles/vault/tasks/main.yml +:linenos: +:lineno-start: 66 +- name: "Include requested vault addons" + include_tasks: + file: "{{ role_path }}/tasks/tf_addons/_{{ _current_conf_addon }}.yml" + apply: + tags: + - addons + loop: "{{ hs_vault_enabled_addons }}" + loop_control: + loop_var: _current_conf_addon + when: + - __hs_vault_is_master + tags: + - addons +``` + +As you can read, addons are applied in a sequence and there is a `loop_var` statement. + +The idea is to rely on this mechanism to handle your key dynamism. You could configure your vault +role like in this example: + + +```{code-block} +:caption: roles/vault/tasks/main.yml +:linenos: +hs_vault_terraform_backend_type: 's3' +hs_vault_terraform_backend_config: + key: "vault_{{ _current_conf_addon | default('no_current_conf_addon') }}" + bucket: "..." +``` + +In this way, when the `hs_vault_terraform_backend_config` will be evaluated during the applicance loop +the property `key` will have a different value for each loop, directly linked to the current addon being applied. + +The `| default('no_current_conf_addon')` here is only to detect any evaluation outside of the applicance loop +that could occur. diff --git a/docs/source/reference/role_vault.md b/docs/source/reference/role_vault.md index 435f701..988fd47 100644 --- a/docs/source/reference/role_vault.md +++ b/docs/source/reference/role_vault.md 
@@ -206,19 +206,6 @@ hs_vault_addon_auth_ldap_path: 'ldap' LDAP connection parameters -```{admonition} Dig Deeper -:class: important -See also: [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap) -``` - -Mount point of the auth engine in vault. - -``` -hs_vault_addon_auth_ldap_path: 'ldap' -``` - -LDAP connection parameters - ``` hs_vault_addon_auth_ldap_server_url: '' hs_vault_addon_auth_ldap_starttls: '' # MUST be 'true' or 'false' as string @@ -235,13 +222,8 @@ hs_vault_addon_auth_ldap_user_dn: '' hs_vault_addon_auth_ldap_user_attr: '' hs_vault_addon_auth_ldap_group_dn: '' hs_vault_addon_auth_ldap_group_filter: '' # MUST escape Go template by using -<<<<<<< HEAD ``` - ```{admonition} Dig Deeper :class: important See also: [Vault LDAP auth API](https://developer.hashicorp.com/vault/api-docs/auth/ldap) ``` - -======= ->>>>>>> main diff --git a/docs/source/reference/terraform/vault_policy_management.md b/docs/source/reference/terraform/vault_policy_management.md index cedac89..7a07708 100644 --- a/docs/source/reference/terraform/vault_policy_management.md +++ b/docs/source/reference/terraform/vault_policy_management.md @@ -29,10 +29,7 @@ export VAULT_TOKEN="..." | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -<<<<<<< HEAD | kv\_v2\_mount\_point | n/a | `string` | n/a | yes | -======= ->>>>>>> main | policy\_management\_token\_renew\_increment | n/a | `number` | `86400` | no | | policy\_management\_token\_renew\_min\_lease | n/a | `number` | `43200` | no | | policy\_management\_token\_renewable | n/a | `bool` | `true` | no |
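Review bot: in the `docs/source/howto.md` toctree hunk the new ordering is almost alphabetical but `howto/deploy_onprem` is inserted above `howto/backend_for_addons`; if the intent of the reorder is an alphabetical list, swap those two lines so `howto/backend_for_addons` sits directly after `howto/contribute`. Otherwise state the intended order in the commit, because the old list was not alphabetical either and a third ordering is hard to review.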
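Review bot: in the new `docs/source/howto/backend_for_addons.md`, the closing paragraph claims `| default('no_current_conf_addon')` is there "only to detect any evaluation outside of the applicance loop", but a `default` filter does not detect anything: it silently masks the undefined `_current_conf_addon` and every such evaluation then writes to the single key `vault_no_current_conf_addon`, which is exactly the state overlap the page opens by warning against (two applies sharing one state file each plan to destroy the other's resources). Drop the default, or use `{{ _current_conf_addon | mandatory }}`, so templating fails loudly with an undefined-variable error outside the loop, and reword the paragraph accordingly. Two smaller points in the same hunk: the second code block is captioned `roles/vault/tasks/main.yml` but contains role variables (`hs_vault_terraform_backend_type`, `hs_vault_terraform_backend_config`), which belong in `defaults/main.yml` or the inventory `group_vars`, so the caption should name the file a user actually edits; and `:lineno-start: 66` will drift as soon as `tasks/main.yml` changes, so prefer pointing readers at the task name `Include requested vault addons`. "applicance" (twice) should read "application".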
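Review bot: the first `docs/source/reference/role_vault.md` hunk (line 206 onward) removes a verbatim repeat of the "Dig Deeper" admonition, the `hs_vault_addon_auth_ldap_path: 'ldap'` snippet and the "LDAP connection parameters" lead-in, which is the right fix for a duplicated merge; please confirm the surviving copy still precedes the `hs_vault_addon_auth_ldap_server_url` block, since the hunk context shows the admonition now appears only after the parameter list in the second hunk and readers of the top of the section lose the API link.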
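Review bot: the second `docs/source/reference/role_vault.md` hunk (line 235 onward) removes leftover conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> main`, which is correct, but the context line it sits under, `hs_vault_addon_auth_ldap_group_filter: '' # MUST escape Go template by using`, ends mid-sentence and never says what to escape with; since a wrong group filter is an authorization bug (users land in the wrong Vault groups), finish that comment in this change, and grep the rest of the docs tree for remaining `<<<<<<<`/`>>>>>>>` markers so the same breakage is not left in other files.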
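Review bot: in the `docs/source/reference/terraform/vault_policy_management.md` hunk the conflict is resolved by keeping the HEAD side, so the inputs table again lists `kv\_v2\_mount\_point` as a required `string` with description `n/a`; verify that the variable actually exists in the module's `variables.tf` on the merged branch (the `main` side had dropped the row, so this may be documenting an input the module no longer accepts), and add a `description` to that variable in `variables.tf` so terraform-docs stops emitting `n/a` for a required input that callers must set correctly. The same applies to the three `policy_management_token_*` rows, whose `n/a` descriptions leave the renew and lease settings undocumented.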