This changes the configuration of the postgres master username and
password. Instead of committing to source (short term hack), this now
sources those secrets from KeyVault. Those secrets are generated and
populated via secrets-tool.
- Set dict values directly instead of creating a variable
- Comment out unused route function entirely
- Use f-strings for string interpolation
- Move div inside if statement so empty divs are not printed
The terraform wrapper is now abstracted in to a utility class for
working with terraform. The terraform module was also updated to support
configurable keyvault servers. Logging for this new module was also
added, so the terraform output is seen on the console.
Adds admin_users map and keyvault policy
This adds an admin_users map as well as a new policy in the keyvault
module. When run, this will apply an administrator policy for users in
the admin_users map. With these permissions, the admin users will be
able to manage secrets and keys in keyvault.
169163334 - Initial secrets-tool commit
Adds admin_users map and keyvault policy
This adds an admin_users map as well as a new policy in the keyvault
module. When run, this will apply an administrator policy for users in
the admin_users map. With these permissions, the admin users will be
able to manage secrets and keys in keyvault.
170237669 - Makes the read only policy for keyvault optional and only create the policy if a principal_id is passed
170237669 - Adds new operator keyvault for secrets
This is a new keyvault specifically for storing operator secrets and
things that would not be accessible to applications. The primary use
case for this is for launching things like postgres (root postgres
creds) and other services which would require secrets to be added to the
terraform configuration. This approach avoids adding secrets to
terraform.
An accompanying script will be added to populate the new keyvault.
This includes config for the VMSS assigned identity to authenticate for
FlexVol purposes. Right now, some dummy keys are referenced in the
config that we'll swap for the real ones later.
This also includes config for specifying the subnet the load balancers
should be in.
