build yaml with vars

joecorall · joecorall · commit 1d43b394fb95 · 2025-11-22T07:17:03.000-05:00
diff --git a/main.tf b/main.tf
@@ -15,10 +15,27 @@ terraform {
   }
 }
 
+data "google_client_openid_userinfo" "current" {}
+
 locals {
   image_name  = format("%s-docker.pkg.dev/%s/%s/vault-server:latest", var.country, var.project, var.repository)
   vault_proxy = "jcorall/vault-proxy:main"
   kms_key     = "vault"
+
+  # see https://github.com/libops/vault-proxy/blob/main/config.example.yaml
+  vault_proxy_config = {
+    vault_addr = "http://127.0.0.1:8200"
+    port       = 8080
+    admin_emails = concat(
+      var.admin_emails,
+      [data.google_client_openid_userinfo.current.email]
+    )
+    public_routes = concat(
+      var.public_routes,
+      ["/v1/sys/health"] # Essential for health checks
+    )
+  }
+  vault_proxy_yaml = yamlencode(local.vault_proxy_config)
 }
 
 ## Create the GSA the Vault CloudRun deployment will run as
@@ -146,7 +163,7 @@ module "vault" {
     },
     {
       name  = "VAULT_PROXY_YAML"
-      value = replace(var.vault_proxy_yaml, "__GCLOUD_PROJECT__", var.project)
+      value = local.vault_proxy_yaml
     }
   ])
 
diff --git a/variables.tf b/variables.tf
@@ -31,24 +31,19 @@ variable "country" {
   default = "us"
 }
 
-# e.g. https://github.com/libops/vault-proxy/blob/main/config.example.yaml
-variable "vault_proxy_yaml" {
-  type      = string
-  sensitive = true
-  default   = <<EOT
-vault_addr: http://127.0.0.1:8200
-port: 8080
-admin_emails:
-  - joe@libops.io
-  - github@__GCLOUD_PROJECT__.iam.gserviceaccount.com
-  - vault-server@__GCLOUD_PROJECT__.iam.gserviceaccount.com
-public_routes:
-  - /.well-known/
-  - /v1/identity/oidc/
-  - /v1/auth/oidc/
-  - /v1/auth/userpass/
-  # this should always be set, as the docker healthcheck relies on it
-  # the healthcheck checks both the proxy is working and vault is unsealed
-  - /v1/sys/health
-EOT
+variable "admin_emails" {
+  description = "List of emails (users or service accounts) that are allowed to access non-public routes by passing X-Admin-Token header with a google access token."
+  type        = list(string)
+  default     = []
+}
+
+variable "public_routes" {
+  description = "List of Vault API paths that should be accessible without X-Admin-Token header."
+  type        = list(string)
+  default = [
+    "/.well-known/",
+    "/v1/identity/oidc/",
+    "/v1/auth/oidc/",
+    "/v1/auth/userpass/",
+  ]
 }
