Merge pull request #50 from appuio/feat/vshn-lbaas-exoscale-iamv3
vshn-lbaas-exoscale: Manage Floaty IAMv3 role and credentials in Terraform
simu authored Feb 15, 2024
2 parents e14d7f4 + 11771ef commit 818fdab
Showing 2 changed files with 45 additions and 12 deletions.
47 changes: 45 additions & 2 deletions modules/vshn-lbaas-exoscale/hiera.tf
Expand Up @@ -7,6 +7,49 @@ locals {
) : ""
nat_vip = var.cluster_network.enabled ? exoscale_elastic_ip.nat[0].ip_address : ""
}

resource "exoscale_iam_role" "floaty" {
name = "${var.cluster_id}_floaty"
description = "Exoscale IAMv3 role for Floaty for ${var.cluster_id}"
// TBD if we want to set `editable=false` -- note that this also prevents
// updates via Terraform
editable = true

policy = {
default_service_strategy = "deny"

services = {
compute-legacy = {
type = "rules"
rules = [
{
action = "allow"
expression = "operation in ['compute-add-ip-to-nic', 'compute-list-nics', 'compute-list-resource-details', 'compute-list-virtual-machines', 'compute-query-async-job-result', 'compute-remove-ip-from-nic']"
}
]
}
compute = {
type = "rules"
rules = [
{
action = "allow"
expression = "operation in ['get-instance', 'list-instances', 'list-elastic-ips']"
},
{
action = "allow"
expression = "operation in ['attach-instance-to-elastic-ip', 'detach-instance-from-elastic-ip'] && resources.elastic_ip.ip in ['${exoscale_elastic_ip.api.ip_address}', '${exoscale_elastic_ip.ingress.ip_address}']"
}
]
}
}
}
}

resource "exoscale_iam_api_key" "floaty" {
name = "${var.cluster_id}_floaty"
role_id = exoscale_iam_role.floaty.id
}

module "hiera" {
count = var.lb_count > 0 ? 1 : 0

Expand All @@ -33,8 +76,8 @@ module "hiera" {
lb_api_credentials = {
cloudscale = null
exoscale = {
key = var.lb_exoscale_api_key
secret = var.lb_exoscale_api_secret
key = exoscale_iam_api_key.floaty.key
secret = nonsensitive(exoscale_iam_api_key.floaty.secret)
}
}
}
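Review bot: `nonsensitive(exoscale_iam_api_key.floaty.secret)` on the new `secret` line strips Terraform's sensitive marking from the Floaty API secret, so the value is printed in clear text in `terraform plan`/`apply` diffs and in any CI log for a run that touches `module.hiera`, whereas `exoscale_iam_api_key.floaty.key` on the line above keeps its default handling. If the wrapper is only there because the `hiera` module's input is not declared `sensitive = true`, marking that input sensitive and passing the value unwrapped keeps redaction intact (the module is outside this diff, so I cannot confirm that is the reason). At minimum the line should carry a comment stating why the marking is removed, e.g. `# nonsensitive(): hiera module input is not sensitive-typed -- TODO confirm redaction downstream`. The generated key and secret are also persisted in plain text in the Terraform state regardless of this call, which is worth recording next to the `editable` TBD comment on `exoscale_iam_role.floaty` while that decision is open.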
10 changes: 0 additions & 10 deletions modules/vshn-lbaas-exoscale/variables.tf
Expand Up @@ -71,16 +71,6 @@ variable "control_vshn_net_token" {
description = "The token is used to register the server with https://control.vshn.net/"
}

variable "lb_exoscale_api_key" {
type = string
description = "API key for Floaty"
}

variable "lb_exoscale_api_secret" {
type = string
description = "API secret for Floaty"
}

variable "hieradata_repo_user" {
type = string
description = "User used to check out the hieradata git repo"
