From ce087a1fb1d75a86f7e21607c3dec0aedc1503ef Mon Sep 17 00:00:00 2001 From: iuri aranda Date: Mon, 18 Dec 2017 16:25:44 +0100 Subject: [PATCH] Created the vault-auth module and added the vault config in the ecs-web module (#8) * Created the vault-auth module * Added the vault configuration in the ecs-web module * terraform fmt * Fix variable name * Fix tf syntax error * Fix vault auth role policy array * Fix vault auth output * Fix vault auth role bound parameter
--- README.md | 39 +++++++++++++++++++ ecs-web/outputs.tf | 4 ++ .../concourse_web_service.json | 1 + ecs-web/variables.tf | 10 +++++ ecs-web/web.tf | 15 +++++++ vault-auth/client.tf | 4 ++ vault-auth/outputs.tf | 7 ++++ vault-auth/policy.tf | 9 +++++ vault-auth/role.tf | 7 ++++ vault-auth/variables.tf | 22 +++++++++++ 10 files changed, 118 insertions(+) create mode 100644 vault-auth/client.tf create mode 100644 vault-auth/outputs.tf create mode 100644 vault-auth/policy.tf create mode 100644 vault-auth/role.tf create mode 100644 vault-auth/variables.tf
diff --git a/README.md b/README.md
index 205b6fd..2e5b37b 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,8 @@ The following resources are created:
 * [`allowed_incoming_cidr_blocks`]: List(optional): Allowed CIDR blocks in Concourse ATC+TSA. Defaults to 0.0.0.0/0
 * [`keys_bucket_id`]: String(required): The id (name) of the bucket where the concourse keys are stored.
 * [`keys_bucket_arn`]: String(required): The ARN of the bucket where the concourse keys. Used to allow access to the bucket.
+ * [`vault_server_url`]: String(optional): The Vault server URL to configure in Concourse. Leaving it empty will disable the Vault integration. Defaults to ""
+ * [`vault_auth_concourse_role_name`]: String(optional): The Vault role that Concourse will use. This is normally fetched from the `vault-auth` terraform module. Defaults to "".
 Depending on if you want standard Github authentication or standard authentication, you need to fill in the following variables. We advise to use Github as there you can enforce 2 factor
@@ -78,6 +80,7 @@ the [concourse website](http://concourse.ci/teams.html).
 ### Output
 * [`elb_dns_name`]: String: DNS name of the loadbalancer
 * [`elb_sg_id`]: String: Security group id of the loadbalancer
+ * [`iam_role_arn`]: String: ARN of the IAM role created for the Concourse ECS task
 ### Example
 ```
@@ -101,6 +104,8 @@ module "concourse-web" {
 ssl_certificate_id = "${var.elb_ssl_certificate}"
 keys_bucket_id = "${module.keys.keys_bucket_id}"
 keys_bucket_arn = "${module.keys.keys_bucket_arn}"
+ vault_server_url = "https://vault.example.com"
+ vault_auth_concourse_role_name = "${module.concourse-vault-auth.concourse_vault_role_name}"
 }
 ```
@@ -200,3 +205,37 @@ module "concourse-worker" {
 additional_security_group_ids = ["${data.terraform_remote_state.static.sg_all_id}"]
 }
 ```
+
+## vault-auth
+
+This module sets up the needed Vault resources for Concourse:
+
+- It creates a Vault policy that allows read-only access to `/concourse/*`
+- It creates a Vault role in the aws auth backend (which should be previously created) for Concourse and attaches the previously mentioned policy
+
+### Available variables
+
+| Name | Description | Default | Required |
+|------|-------------|:-----:|:-----:|
+| name_suffix | Name suffix to append to the policy name, to differentiate different concourse policies. | `default` | no |
+| additional_vault_policies | Additional Vault policies to attach to the Concourse role. | [] | no |
+| concourse_iam_role_arn | IAM role ARN of the Concourse ATC server. | - | yes |
+| vault_aws_auth_backend_path | The path the AWS auth backend being configured was mounted at. | `aws` | no |
+| vault_server_url | The Vault server url. | - | yes |
+
+### Output
+
+| Name | Description |
+|------|-------------|
+| concourse_vault_policy_name | Name of the Vault policy created for Concourse |
+| concourse_vault_role_name | Name of the Vault role created for Concourse |
+
+### Example
+
+```
+module "concourse-vault-auth" {
+ source = "github.com/skyscrapers/terraform-concourse//vault-auth"
+ concourse_iam_role_arn = "${module.concourse-web.iam_role_arn}"
+ vault_server_url = "https://vault.example.com"
+}
+```
diff --git a/ecs-web/outputs.tf b/ecs-web/outputs.tf
index 39d8b5d..df33371 100644
--- a/ecs-web/outputs.tf
+++ b/ecs-web/outputs.tf
@@ -9,3 +9,7 @@ output "elb_zone_id" {
 output "elb_sg_id" {
 value = "${module.elb.sg_id}"
 }
+
+output "iam_role_arn" {
+ value = "${aws_iam_role.concourse_task_role.arn}"
+}
diff --git a/ecs-web/task-definitions/concourse_web_service.json b/ecs-web/task-definitions/concourse_web_service.json
index 19746f7..7e4be4f 100644
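Review bot: The new `iam_role_arn` output in ecs-web/outputs.tf has no `description`, although the README in this same commit documents it and the vault-auth example feeds it into `concourse_iam_role_arn`, i.e. it appears to be the identity the Vault role gets bound to. A description on the output itself makes that purpose visible to anyone reading the module rather than the README; suggested: `description = "ARN of the IAM role attached to the Concourse ECS task (pass to the vault-auth module as concourse_iam_role_arn)"`.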
--- a/ecs-web/task-definitions/concourse_web_service.json
+++ b/ecs-web/task-definitions/concourse_web_service.json
@@ -21,6 +21,7 @@
 ${concourse_github_auth}
 { "name": "CONCOURSE_EXTERNAL_URL" , "value": "https://${concourse_hostname}" },
 { "name": "CONCOURSE_POSTGRES_DATA_SOURCE" , "value": "${concourse_db_uri}" },
+ ${concourse_vault_variables}
 { "name": "_CONCOURSE_KEYS_S3" , "value": "s3://${concourse_keys_bucket_name}/" }
 ],
 "logConfiguration": {
diff --git a/ecs-web/variables.tf b/ecs-web/variables.tf
index 48ccfeb..c5c3324 100644
--- a/ecs-web/variables.tf
+++ b/ecs-web/variables.tf
@@ -105,3 +105,13 @@ variable "keys_bucket_id" {
 variable "keys_bucket_arn" {
 description = "The S3 bucket ARN which contains the SSH keys to connect to the TSA"
 }
+
+variable "vault_server_url" {
+ description = "The Vault server URL to configure in Concourse. Leaving it empty will disable the Vault integration."
+ default = ""
+}
+
+variable "vault_auth_concourse_role_name" {
+ description = "The Vault role that Concourse will use. This is normally fetched from the `vault-auth` terraform module."
+ default = ""
+}
diff --git a/ecs-web/web.tf b/ecs-web/web.tf
index a10fa80..185e573 100644
--- a/ecs-web/web.tf
+++ b/ecs-web/web.tf
@@ -31,6 +31,21 @@ data "template_file" "concourse_web_task_template" {
 concourse_keys_bucket_name = "${var.keys_bucket_id}"
 concourse_basic_auth = "${length(var.concourse_auth_username) > 0 && length(var.concourse_auth_password) > 0 ? data.template_file.concourse_basic_auth.rendered : ""}"
 concourse_github_auth = "${length(var.concourse_github_auth_client_id) > 0 && length(var.concourse_github_auth_client_secret) > 0 && length(var.concourse_github_auth_team) > 0 ? data.template_file.concourse_github_auth.rendered : ""}"
+ concourse_vault_variables = "${length(var.vault_server_url) > 0 ? data.template_file.concourse_vault_variables.rendered : ""}"
+ }
+}
+
+data "template_file" "concourse_vault_variables" {
+ template = <
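Review bot: `${concourse_vault_variables}` is spliced into the task-definition JSON as raw text between the `CONCOURSE_POSTGRES_DATA_SOURCE` entry and the `_CONCOURSE_KEYS_S3` entry, so the rendered fragment must either be empty or end with a trailing comma, and whatever it embeds (presumably the Vault URL and role name from the ecs-web variables) must be JSON-safe, or the whole container definition becomes invalid JSON at apply time. The `template_file` that produces the fragment is cut off at the end of this patch, so I cannot confirm either property from here. Since JSON has no comment syntax, the contract belongs on the producing `data "template_file" "concourse_vault_variables"` block in web.tf, e.g. `# Rendered verbatim into concourse_web_service.json between two env entries: must be empty or end with a comma, and values must not contain unescaped quotes.`.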
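Review bot: The description of `vault_auth_concourse_role_name` in ecs-web/variables.tf does not say it becomes required once `vault_server_url` is set, yet the web.tf hunk in this same commit switches the Vault block on with `length(var.vault_server_url) > 0` alone, so a set URL with the role name left at its default `""` presumably renders a Vault configuration with a blank role. The 0.11-style syntax used here has no variable validation block, so the description and the README are the only guard; suggested: `description = "The Vault role that Concourse will use. Required when vault_server_url is set; this is normally fetched from the vault-auth terraform module."`. The README bullet added for the same variable in this commit should carry the same sentence.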