Created the vault-auth module and added the vault config in the ecs-w…

…eb module (#8)

* Created the vault-auth module

* Added the vault configuration in the ecs-web module

* terraform fmt

* Fix variable name

* Fix tf syntax error

* Fix vault auth role policy array

* Fix vault auth output

* Fix vault auth role bound parameter

README.md

@@ -62,6 +62,8 @@ The following resources are created:
  * [`allowed_incoming_cidr_blocks`]: List(optional): Allowed CIDR blocks in Concourse ATC+TSA. Defaults to 0.0.0.0/0
  * [`keys_bucket_id`]: String(required): The id (name) of the bucket where the concourse keys are stored.
  * [`keys_bucket_arn`]: String(required): The ARN of the bucket where the concourse keys. Used to allow access to the bucket.
+ * [`vault_server_url`]: String(optional): The Vault server URL to configure in Concourse. Leaving it empty will disable the Vault integration. Defaults to ""
+ * [`vault_auth_concourse_role_name`]: String(optional): The Vault role that Concourse will use. This is normally fetched from the `vault-auth` terraform module. Defaults to "".
 
 Depending on if you want standard Github authentication or standard authentication,
 you need to fill in the following variables. We advise to use Github as there you can enforce 2 factor
@@ -78,6 +80,7 @@ the [concourse website](http://concourse.ci/teams.html).
 ### Output
  * [`elb_dns_name`]: String: DNS name of the loadbalancer
  * [`elb_sg_id`]: String: Security group id of the loadbalancer
+ * [`iam_role_arn`]: String: ARN of the IAM role created for the Concourse ECS task
 
 ### Example
 ```
@@ -101,6 +104,8 @@ module "concourse-web" {
   ssl_certificate_id                  = "${var.elb_ssl_certificate}"
   keys_bucket_id                      = "${module.keys.keys_bucket_id}"
   keys_bucket_arn                     = "${module.keys.keys_bucket_arn}"
+  vault_server_url                    = "https://vault.example.com"
+  vault_auth_concourse_role_name      = "${module.concourse-vault-auth.concourse_vault_role_name}"
 }
 ```
 
@@ -200,3 +205,37 @@ module "concourse-worker" {
   additional_security_group_ids = ["${data.terraform_remote_state.static.sg_all_id}"]
 }
 ```
+
+## vault-auth
+
+This module sets up the needed Vault resources for Concourse:
+
+- It creates a Vault policy that allows read-only access to `/concourse/*`
+- It creates a Vault role in the aws auth backend (which should be previously created) for Concourse and attaches the previously mentioned policy
+
+### Available variables
+
+| Name | Description | Default | Required |
+|------|-------------|:-----:|:-----:|
+| name_suffix | Name suffix to append to the policy name, to differentiate different concourse policies. | `default` | no |
+| additional_vault_policies | Additional Vault policies to attach to the Concourse role. | [] | no |
+| concourse_iam_role_arn | IAM role ARN of the Concourse ATC server. | - | yes |
+| vault_aws_auth_backend_path | The path the AWS auth backend being configured was mounted at. | `aws` | no |
+| vault_server_url | The Vault server url. | - | yes |
+
+### Output
+
+| Name | Description |
+|------|-------------|
+| concourse_vault_policy_name | Name of the Vault policy created for Concourse |
+| concourse_vault_role_name | Name of the Vault role created for Concourse |
+
+### Example
+
+```
+module "concourse-vault-auth" {
+  source                 = "github.com/skyscrapers/terraform-concourse//vault-auth"
+  concourse_iam_role_arn = "${module.concourse-web.iam_role_arn}"
+  vault_server_url       = "https://vault.example.com"
+}
+```

ecs-web/outputs.tf

@@ -9,3 +9,7 @@ output "elb_zone_id" {
 output "elb_sg_id" {
   value = "${module.elb.sg_id}"
 }
+
+output "iam_role_arn" {
+  value = "${aws_iam_role.concourse_task_role.arn}"
+}

ecs-web/task-definitions/concourse_web_service.json

@@ -21,6 +21,7 @@
       ${concourse_github_auth}
       { "name": "CONCOURSE_EXTERNAL_URL"          , "value": "https://${concourse_hostname}"            },
       { "name": "CONCOURSE_POSTGRES_DATA_SOURCE"  , "value": "${concourse_db_uri}"                  },
+      ${concourse_vault_variables}
       { "name": "_CONCOURSE_KEYS_S3"              , "value": "s3://${concourse_keys_bucket_name}/"  }
     ],
     "logConfiguration": {

ecs-web/variables.tf

@@ -105,3 +105,13 @@ variable "keys_bucket_id" {
 variable "keys_bucket_arn" {
   description = "The S3 bucket ARN which contains the SSH keys to connect to the TSA"
 }
+
+variable "vault_server_url" {
+  description = "The Vault server URL to configure in Concourse. Leaving it empty will disable the Vault integration."
+  default     = ""
+}
+
+variable "vault_auth_concourse_role_name" {
+  description = "The Vault role that Concourse will use. This is normally fetched from the `vault-auth` terraform module."
+  default     = ""
+}

ecs-web/web.tf

@@ -31,6 +31,21 @@ data "template_file" "concourse_web_task_template" {
     concourse_keys_bucket_name = "${var.keys_bucket_id}"
     concourse_basic_auth       = "${length(var.concourse_auth_username) > 0 && length(var.concourse_auth_password) > 0 ? data.template_file.concourse_basic_auth.rendered : ""}"
     concourse_github_auth      = "${length(var.concourse_github_auth_client_id) > 0 && length(var.concourse_github_auth_client_secret) > 0 && length(var.concourse_github_auth_team) > 0 ? data.template_file.concourse_github_auth.rendered : ""}"
+    concourse_vault_variables  = "${length(var.vault_server_url) > 0 ? data.template_file.concourse_vault_variables.rendered : ""}"
+  }
+}
+
+data "template_file" "concourse_vault_variables" {
+  template = <<EOF
+{ "name": "CONCOURSE_VAULT_URL", "value": "$${concourse_vault_url}" },
+{ "name": "CONCOURSE_VAULT_AUTH_BACKEND", "value": "$${concourse_vault_auth_backend}" },
+{ "name": "CONCOURSE_VAULT_AUTH_PARAM", "value": "$${concourse_vault_auth_param}" },
+EOF
+
+  vars {
+    concourse_vault_url          = "${var.vault_server_url}"
+    concourse_vault_auth_backend = "aws"
+    concourse_vault_auth_param   = "header_value=${replace(replace(var.vault_server_url, "/^http(s)?:///", ""), "/", "")},role=${var.vault_auth_concourse_role_name}"
   }
 }
 

vault-auth/client.tf

@@ -0,0 +1,4 @@
+resource "vault_aws_auth_backend_client" "concourse" {
+  backend                    = "${var.vault_aws_auth_backend_path}"
+  iam_server_id_header_value = "${replace(replace(var.vault_server_url, "/^http(s)?:///", ""), "/", "")}"
+}

vault-auth/outputs.tf

@@ -0,0 +1,7 @@
+output "concourse_vault_policy_name" {
+  value = "${vault_policy.concourse.name}"
+}
+
+output "concourse_vault_role_name" {
+  value = "${vault_aws_auth_backend_role.concourse.role}"
+}

vault-auth/policy.tf

@@ -0,0 +1,9 @@
+resource "vault_policy" "concourse" {
+  name = "concourse-${var.name_suffix}"
+
+  policy = <<EOT
+path "concourse/*" {
+  capabilities = ["read"]
+}
+EOT
+}

vault-auth/role.tf

@@ -0,0 +1,7 @@
+resource "vault_aws_auth_backend_role" "concourse" {
+  backend                 = "${var.vault_aws_auth_backend_path}"
+  role                    = "concourse-${var.name_suffix}"
+  auth_type               = "iam"
+  bound_iam_principal_arn = "${var.concourse_iam_role_arn}"
+  policies                = ["${concat(list(vault_policy.concourse.name), var.additional_vault_policies)}"]
+}

vault-auth/variables.tf

@@ -0,0 +1,22 @@
+variable "name_suffix" {
+  description = "Name suffix to append to the policy name, to differentiate different concourse policies. Defaults to 'default'"
+  default     = "default"
+}
+
+variable "additional_vault_policies" {
+  description = "Additional Vault policies to attach to the Concourse role. Defaults to empty list"
+  default     = []
+}
+
+variable "concourse_iam_role_arn" {
+  description = "IAM role ARN of the Concourse ATC server"
+}
+
+variable "vault_aws_auth_backend_path" {
+  description = "The path the AWS auth backend being configured was mounted at. Defaults to aws."
+  default     = "aws"
+}
+
+variable "vault_server_url" {
+  description = "The Vault server url"
+}