# Backend and provider pins for this module.
# - The Akeyless provider is pinned only by a lower bound (">= 1.0.0"), so a
#   major-version bump would be picked up automatically; tighten to "~> 1.0"
#   if reproducible runs matter more than picking up new releases.
# - State is held remotely in Terraform Cloud (organization "cs-akl"), which
#   is also where the sensitive `akeyless_token` variable is expected to be
#   supplied as a workspace variable rather than on the command line.
terraform {
  required_providers {
    akeyless = {
      version = ">= 1.0.0"
      source  = "akeyless-community/akeyless"
    }
  }
  cloud {
    organization = "cs-akl"
    workspaces {
      name = "instruqt-users-training-account"
    }
  }
}
# Akeyless provider, authenticating against the SaaS gateway with a
# pre-issued token. The token comes from the sensitive `akeyless_token`
# variable and is never written into this file.
provider "akeyless" {
  api_gateway_address = "https://api.akeyless.io"
  token_login {
    token = var.akeyless_token
  }
}
# Token used by the provider block to authenticate to Akeyless.
# `sensitive = true` redacts the value from plan/apply output and from
# `terraform output`, but Terraform still stores it in state, so the remote
# state in Terraform Cloud must be treated as secret material.
variable "akeyless_token" {
  type        = string
  description = "Akeyless token"
  sensitive   = true
}
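# Identifier of the Instruqt participant this module provisions access for.
#
# The value is interpolated into the names and, more importantly, into the
# permission paths of the roles below (e.g. "/TrainingUsers/<id>/*"). A value
# containing path or glob characters such as "/" or "*" could therefore widen
# the scope a learner's role grants, so the variable is constrained to a
# conservative character set. Adjust the pattern if real participant IDs use
# other characters (TODO confirm against an actual Instruqt ID).
variable "instruqt_user_id" {
  type        = string
  description = "Instruqt participant ID"

  validation {
    condition     = can(regex("^[A-Za-z0-9_-]+$", var.instruqt_user_id))
    error_message = "The instruqt_user_id must contain only letters, digits, '-' or '_'."
  }
}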
# Universal Identity auth method for the learner. The user id appears twice
# in the path: once as a folder and once in the leaf name.
# Both TTLs are set to 500 in the provider's unit (not stated here — confirm
# against the provider documentation before changing them).
resource "akeyless_auth_method_universal_identity" "learner_uid" {
  name    = "/instruqt-users-uid/${var.instruqt_user_id}/uid-${var.instruqt_user_id}"
  ttl     = 500
  jwt_ttl = 500
}
# Primary role for the learner.
#
# Access is confined to the learner's own subtree "/TrainingUsers/<id>/*" for
# items, targets, roles and auth methods, with an explicit deny on "/Admin/*".
# The "*_access = \"own\"" settings restrict the analytics/audit/event views
# to the learner's own activity (provider semantics — confirm in the
# akeyless_role documentation).
resource "akeyless_role" "role" {
  name        = "/instruqt-users-uid-roles/${var.instruqt_user_id}/uid-${var.instruqt_user_id}-role"
  description = "Role for user ${var.instruqt_user_id}"

  audit_access        = "own"
  analytics_access    = "own"
  event_center_access = "own"
  gw_analytics_access = "own"
  sra_reports_access  = "own"

  # Full CRUD+list on the learner's own secrets subtree.
  rules {
    rule_type  = "item-rule"
    path       = "/TrainingUsers/${var.instruqt_user_id}/*"
    capability = ["create", "read", "update", "delete", "list"]
  }

  # Explicit deny on the administrative subtree, regardless of other grants.
  rules {
    rule_type  = "item-rule"
    path       = "/Admin/*"
    capability = ["deny"]
  }

  # Same subtree, same capabilities, for targets.
  rules {
    rule_type  = "target-rule"
    path       = "/TrainingUsers/${var.instruqt_user_id}/*"
    capability = ["create", "read", "update", "delete", "list"]
  }

  # ... for roles.
  rules {
    rule_type  = "role-rule"
    path       = "/TrainingUsers/${var.instruqt_user_id}/*"
    capability = ["create", "read", "update", "delete", "list"]
  }

  # ... and for auth methods.
  rules {
    rule_type  = "auth-method-rule"
    path       = "/TrainingUsers/${var.instruqt_user_id}/*"
    capability = ["create", "read", "update", "delete", "list"]
  }
}
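# Read-only companion role that lets the learner inspect (but not modify) the
# primary role defined above.
#
# The reference to `akeyless_role.role.name` in the rule path already makes
# Terraform create the primary role first, so the previous explicit
# `depends_on` was redundant and has been dropped.
resource "akeyless_role" "role_viewer" {
  name        = format("/instruqt-users-uid-roles/%s/role-viewer-%s-role", var.instruqt_user_id, var.instruqt_user_id)
  description = format("Role Viewer for user %s", var.instruqt_user_id)

  # Only read/list on exactly the primary role's path — no wildcard.
  rules {
    capability = ["read", "list"]
    path       = akeyless_role.role.name
    rule_type  = "role-rule"
  }
}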
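# Binds the primary role to the learner's Universal Identity auth method.
#
# Both `role_name` and `am_name` reference the attributes of the resources
# they depend on, so the dependency graph is already implicit; the explicit
# `depends_on` list was redundant and has been removed.
resource "akeyless_associate_role_auth_method" "learner_uid_role" {
  role_name = akeyless_role.role.name
  am_name   = akeyless_auth_method_universal_identity.learner_uid.name
}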
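# Binds the read-only viewer role to the same Universal Identity auth method,
# so one identity carries both the scoped CRUD role and the viewer role.
#
# Dependencies on `akeyless_role.role_viewer` and
# `akeyless_auth_method_universal_identity.learner_uid` are implied by the
# attribute references below; the explicit `depends_on` was redundant.
resource "akeyless_associate_role_auth_method" "role_viewer_role" {
  role_name = akeyless_role.role_viewer.name
  am_name   = akeyless_auth_method_universal_identity.learner_uid.name
}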
# Full path of the learner's Universal Identity auth method (not a secret;
# it is a name the learner needs in order to locate the auth method).
output "learner_uid" {
  value = akeyless_auth_method_universal_identity.learner_uid.name
}
# Access ID of the auth method, which the learner supplies when
# authenticating. Whether it should be treated as confidential depends on
# the Akeyless auth flow — confirm before exposing it beyond the workspace.
output "uid_access_id" {
  value = akeyless_auth_method_universal_identity.learner_uid.access_id
}