diff --git a/aws-github/atlantis.yaml b/aws-github/atlantis.yaml index 14760ca3c..8b633375c 100644 --- a/aws-github/atlantis.yaml +++ b/aws-github/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/aws-github/terraform/users/modules/user/main.tf b/aws-github/terraform/users/modules/user/main.tf index aec63b263..47ae13175 100644 --- a/aws-github/terraform/users/modules/user/main.tf +++ b/aws-github/terraform/users/modules/user/main.tf @@ -25,6 +25,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/aws-gitlab/atlantis.yaml b/aws-gitlab/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/aws-gitlab/atlantis.yaml +++ b/aws-gitlab/atlantis.yaml 
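Review bot: The three entries added to `when_modified` look redundant with the existing `'**/*.tf'`, which in Atlantis's glob matching already covers `modules/`, `admins/` and `developers/` at any depth below the project `dir`, so the change may not alter which pushes trigger an autoplan at all. If the Atlantis version in use does not match nested directories with `**` (I cannot confirm that from here), that reason belongs next to the list: `# explicit sub-dir globs: '**/*.tf' alone did not autoplan changes under these paths`. Otherwise drop the three entries so the next reader does not conclude the generic glob is broken.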
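Review bot: The `# avoids race condition` comment on the new `depends_on` does not say what the race is, and that matters because `user` and `user_password` both write the same Vault path `auth/userpass/users/${var.username}`, so apply order decides whose fields land last. I would spell it out, e.g. `# user_password creates the user with its initial password; this resource writes the same path afterwards so its fields take precedence`, hedged as appropriate since the body of `user` continues outside the hunk and I cannot see which fields it sets. A reader debugging a "user exists but has no password" incident needs that sentence, not a generic label.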
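Review bot: `policies = var.acl_policies` and `token_ttl = "1h"` are being added to a resource whose `lifecycle` block (the `ignore_changes=[data_json]` context line) ignores every later change to `data_json`, so these values are written only when the user is first created and are never reconciled afterwards. A later edit to `var.acl_policies` — removing a user from an admin policy, say — would then not be applied unless the `user` resource above also writes `policies`; that resource is outside this hunk, so I cannot confirm it does. Please make this explicit in the rewritten note, e.g. `# policies and token_ttl below are INITIAL values only (ignore_changes above); the "user" resource must also set them, or later changes will not reach Vault`, and consider `token_policies`, since Vault's userpass backend documents `policies` as a deprecated alias. The hard-coded `"1h"` would also sit better as a module variable next to `acl_policies`. The resource header appears only in the `@@` context, so the block starts outside the hunk.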
@@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/aws-gitlab/terraform/users/modules/user/main.tf b/aws-gitlab/terraform/users/modules/user/main.tf index 1a0002cff..785d149d8 100644 --- a/aws-gitlab/terraform/users/modules/user/main.tf +++ b/aws-gitlab/terraform/users/modules/user/main.tf @@ -34,6 +34,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/civo-github/atlantis.yaml b/civo-github/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/civo-github/atlantis.yaml +++ b/civo-github/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: 
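Review bot: Same concern as in the aws-github module: `policies = var.acl_policies` and `token_ttl = "1h"` are added inside the `data_json` that the `ignore_changes=[data_json]` context line tells Terraform to ignore after creation, so a user's policy set is frozen at first apply from this resource's point of view. Unless the `user` resource (outside the hunk) also manages `policies`, a privilege removal in `var.acl_policies` will never be applied and no plan will show drift, because `ignore_absent_fields` plus `ignore_changes` hides it. I would state that in the comment, `# initial values only — policy changes must be applied via the "user" resource`, and prefer the non-deprecated `token_policies` key. The enclosing resource's header is outside the hunk.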
diff --git a/civo-github/terraform/users/modules/user/github/main.tf b/civo-github/terraform/users/modules/user/github/main.tf index aec63b263..47ae13175 100644 --- a/civo-github/terraform/users/modules/user/github/main.tf +++ b/civo-github/terraform/users/modules/user/github/main.tf @@ -25,6 +25,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/civo-gitlab/atlantis.yaml b/civo-gitlab/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/civo-gitlab/atlantis.yaml +++ b/civo-gitlab/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/civo-gitlab/terraform/users/modules/user/main.tf b/civo-gitlab/terraform/users/modules/user/main.tf index 1a0002cff..785d149d8 100644 --- a/civo-gitlab/terraform/users/modules/user/main.tf +++ b/civo-gitlab/terraform/users/modules/user/main.tf 
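Review bot: The new `policies`/`token_ttl` keys in `user_password` are subject to the `ignore_changes=[data_json]` lifecycle shown as context, so they are applied once and then silently ignored; a user granted an admin policy at creation keeps it even after `var.acl_policies` is narrowed, unless the `user` resource above (not in this hunk) also writes `policies`. The rewritten note says changes "should be managed by" the `user` resource but does not say that these two fields must be duplicated there for that to hold — I would add `# NOTE: policies/token_ttl here are initial values; the "user" resource must set them too or they drift`. Vault's userpass docs list `policies` as a deprecated alias of `token_policies`, worth switching while the field is being introduced. The resource header is only visible in the `@@` context line.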
@@ -34,6 +34,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/digitalocean-github/atlantis.yaml b/digitalocean-github/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/digitalocean-github/atlantis.yaml +++ b/digitalocean-github/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/digitalocean-github/terraform/users/modules/user/github/main.tf b/digitalocean-github/terraform/users/modules/user/github/main.tf index aec63b263..47ae13175 100644 --- a/digitalocean-github/terraform/users/modules/user/github/main.tf +++ b/digitalocean-github/terraform/users/modules/user/github/main.tf 
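Review bot: Adding `policies = var.acl_policies` to the `user_password` resource puts an authorization decision behind `ignore_changes=[data_json]` (visible as context), which means the declared policies and the policies actually on the Vault user can diverge without any plan noticing. If the `user` resource — its body is outside this hunk — does not also set `policies`, the only way to revoke a grant becomes tainting or recreating the user, which is not obvious from the new comment. Please say so explicitly: `# policies/token_ttl are applied at creation only; ongoing changes go through the "user" resource`. `token_ttl = "1h"` is also hard-coded while the policies are parameterized; a `var.token_ttl` with default `"1h"` would keep the module consistent.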
@@ -25,6 +25,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/digitalocean-gitlab/atlantis.yaml b/digitalocean-gitlab/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/digitalocean-gitlab/atlantis.yaml +++ b/digitalocean-gitlab/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/digitalocean-gitlab/terraform/users/modules/user/main.tf b/digitalocean-gitlab/terraform/users/modules/user/main.tf index 1a0002cff..785d149d8 100644 --- a/digitalocean-gitlab/terraform/users/modules/user/main.tf +++ b/digitalocean-gitlab/terraform/users/modules/user/main.tf 
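Review bot: Same pattern as the other providers: `policies` and `token_ttl` are added to a `data_json` that the `ignore_changes=[data_json]` context line excludes from updates, so this resource only ever sets a user's initial policies and will not remove or add any later. The hunk does not show whether the `user` resource above also writes `policies`; if it does not, tightening `var.acl_policies` has no effect on existing users and the comment should warn about that, e.g. `# initial policies only — see the "user" resource for ongoing policy management`. Consider `token_policies` rather than the deprecated `policies` key. The resource header lies outside the hunk.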
@@ -34,6 +34,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/gcp-github/atlantis.yaml b/gcp-github/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/gcp-github/atlantis.yaml +++ b/gcp-github/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/gcp-github/terraform/users/modules/user/github/main.tf b/gcp-github/terraform/users/modules/user/github/main.tf index aec63b263..278ae38a5 100644 --- a/gcp-github/terraform/users/modules/user/github/main.tf +++ b/gcp-github/terraform/users/modules/user/github/main.tf @@ -25,6 +25,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true 
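Review bot: `policies = var.acl_policies` is now written by a resource whose `lifecycle` ignores `data_json` changes (the `ignore_changes=[data_json]` context line), so the policy list is write-once from here; the note above it should say that plainly rather than only "only gets applied once", because a reader will assume a variable named `acl_policies` stays in sync with Vault. Proposed: `# password, policies and token_ttl are set at creation only; later policy changes must be made in the "user" resource above`. Whether `user` actually sets `policies` is not visible in this hunk, so please verify that before merging. `token_ttl = "1h"` hard-coded next to a parameterized policy list is a minor inconsistency.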
@@ -43,15 +44,19 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } + + resource "vault_generic_secret" "user" { path = "users/${var.username}" diff --git a/gcp-gitlab/atlantis.yaml b/gcp-gitlab/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/gcp-gitlab/atlantis.yaml +++ b/gcp-gitlab/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/gcp-gitlab/terraform/users/modules/user/main.tf b/gcp-gitlab/terraform/users/modules/user/main.tf index 1a0002cff..785d149d8 100644 --- a/gcp-gitlab/terraform/users/modules/user/main.tf +++ b/gcp-gitlab/terraform/users/modules/user/main.tf @@ -34,6 +34,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true 
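Review bot: As in the other modules, the new `policies`/`token_ttl` entries live under `ignore_changes=[data_json]` (context line), so they are initial values only and any later change to `var.acl_policies` relies entirely on the `user` resource, which is outside this hunk; the comment should say that, e.g. `# initial values only (ignore_changes above); the "user" resource owns ongoing policy/ttl changes`. This hunk also adds two empty lines before `resource "vault_generic_secret" "user"` that the other nine copies of this module do not, which is why its index hash differs from theirs — a style nit, but worth dropping so the modules stay byte-identical and easy to diff. `policies` is documented by Vault as a deprecated alias of `token_policies`.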
@@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/k3d-github/atlantis.yaml b/k3d-github/atlantis.yaml index 527f06b77..8d492d8c8 100644 --- a/k3d-github/atlantis.yaml +++ b/k3d-github/atlantis.yaml @@ -10,7 +10,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/k3d-gitlab/atlantis.yaml b/k3d-gitlab/atlantis.yaml index 527f06b77..8d492d8c8 100644 --- a/k3d-gitlab/atlantis.yaml +++ b/k3d-gitlab/atlantis.yaml @@ -10,7 +10,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/vultr-github/atlantis.yaml b/vultr-github/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/vultr-github/atlantis.yaml +++ b/vultr-github/atlantis.yaml 
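Review bot: The `policies = var.acl_policies` line is added inside `data_json`, and the `ignore_changes=[data_json]` context line means Terraform will never update it after creation, so this resource cannot be relied on to revoke a policy later. The new comment should make the ownership explicit instead of "only gets applied once": `# policies/token_ttl below are creation-time values; the "user" resource above must manage them afterwards`. I cannot see the `user` body in this hunk to confirm it sets `policies`; if it does not, `var.acl_policies` is effectively write-once. `token_policies` is the current Vault field name for this.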
@@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: diff --git a/vultr-github/terraform/users/modules/user/github/main.tf b/vultr-github/terraform/users/modules/user/github/main.tf index aec63b263..47ae13175 100644 --- a/vultr-github/terraform/users/modules/user/github/main.tf +++ b/vultr-github/terraform/users/modules/user/github/main.tf @@ -25,6 +25,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -43,11 +44,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) } diff --git a/vultr-gitlab/atlantis.yaml b/vultr-gitlab/atlantis.yaml index 46cc66164..ed8f5cf2c 100644 --- a/vultr-gitlab/atlantis.yaml +++ b/vultr-gitlab/atlantis.yaml @@ -15,7 +15,7 @@ projects: terraform_version: 1.3.8 autoplan: enabled: true - when_modified: ['**/*.tf', '*.tf*'] + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] - dir: terraform/vault terraform_version: 1.3.8 autoplan: 
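Review bot: Same point as for the other providers: putting `policies = var.acl_policies` into a `data_json` that is under `ignore_changes=[data_json]` (context line) means a user's policies are fixed at first apply from this resource's perspective, and drift is invisible to `plan`. Unless the `user` resource above — outside the hunk — also writes `policies`, removing a grant from `var.acl_policies` does nothing; please state that in the note, e.g. `# initial policies/ttl only; keep the "user" resource as the source of truth for later changes`. Prefer `token_policies` over the deprecated `policies` key, and consider a variable for the hard-coded `"1h"`.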
diff --git a/vultr-gitlab/terraform/users/modules/user/main.tf b/vultr-gitlab/terraform/users/modules/user/main.tf index 1a0002cff..785d149d8 100644 --- a/vultr-gitlab/terraform/users/modules/user/main.tf +++ b/vultr-gitlab/terraform/users/modules/user/main.tf @@ -34,6 +34,7 @@ resource "random_password" "password" { } resource "vault_generic_endpoint" "user" { + depends_on = [ vault_generic_endpoint.user_password ] # avoids race condition path = "auth/userpass/users/${var.username}" ignore_absent_fields = true @@ -52,11 +53,13 @@ resource "vault_generic_endpoint" "user_password" { ignore_changes=[data_json] } - # note: this resource only manages the user's initial password and has a lifecycle policy to - # ignore changes. to change other vault_generic_endpoint properties see the "user" resource above + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above data_json = jsonencode( { - password = var.initial_password != "" ? var.initial_password : random_password.password.result + password = var.initial_password != "" ? var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" } ) }
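Review bot: The added `policies` and `token_ttl` fields fall under the `ignore_changes=[data_json]` lifecycle shown as context, so they are applied once and then ignored; the rewritten note should say that these two fields, not just the password, are frozen here, e.g. `# password, policies and token_ttl are written at creation only — later changes belong in the "user" resource`. Whether the `user` resource (outside this hunk) also sets `policies` determines whether `var.acl_policies` can ever tighten an existing user's access, so that is worth confirming before merge. Vault documents `policies` as a deprecated alias of `token_policies`. The resource header is visible only in the `@@` context line.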