# Manage the built-in global scope (it always exists; this block lets
# Terraform own its description rather than create a new scope).
resource "boundary_scope" "global" {
  scope_id     = "global"
  global_scope = true
  description  = "My first global scope!"
}
# Organization scope "Corp One", parented to the global scope.
# The provider auto-creates an admin role and a default role here;
# the default role is the one granted to unauthenticated principals,
# so review its grants after the first apply (TODO confirm against
# the provider version in use).
resource "boundary_scope" "corp" {
  scope_id    = boundary_scope.global.id
  name        = "Corp One"
  description = "My first scope!"

  auto_create_admin_role   = true
  auto_create_default_role = true
}
## Password auth method scoped to the Corp One organization.
## Accounts below attach to this method, so its scope decides where
## those accounts can authenticate.
resource "boundary_auth_method" "password" {
  scope_id = boundary_scope.corp.id
  type     = "password"
  name     = "Corp Password"
}
# One password account per key of var.users, attached to the Corp
# password auth method. The login name is the lower-cased map key.
resource "boundary_account" "users_acct" {
for_each = var.users
name = each.key
description = "User account for ${each.key}"
type = "password"
login_name = lower(each.key)
# NOTE(review): every account is created with the same literal
# password, and the value is stored in plaintext in the Terraform
# state (and in any VCS holding this file). Prefer a sensitive input
# variable with a distinct bootstrap value per user, and treat this
# as a first-login-only credential that is rotated afterwards —
# confirm with the owners before changing.
password = "password"
auth_method_id = boundary_auth_method.password.id
}
# Boundary user per key of var.users, living in the Corp One org scope.
# Linking these users to their password accounts is not done here
# (see the account resource / provider docs for account_ids).
resource "boundary_user" "users" {
  for_each = var.users

  scope_id    = boundary_scope.corp.id
  name        = each.key
  description = "User resource for ${each.key}"
}
# Boundary user per key of var.readonly_users, in the Corp One org scope.
# No password account is created for these users in this file.
resource "boundary_user" "readonly_users" {
  for_each = var.readonly_users

  scope_id    = boundary_scope.corp.id
  name        = each.key
  description = "User resource for ${each.key}"
}
# Group collecting every read-only user; the read-only role binds to
# this group rather than to individual users.
resource "boundary_group" "readonly" {
  scope_id    = boundary_scope.corp.id
  name        = "read-only"
  description = "Organization group for readonly users"

  # values() yields the instances in key order, same as the for-expression form.
  member_ids = values(boundary_user.readonly_users)[*].id
}
# Read-only role in the Corp One org scope, granted to the read-only group.
# The grant allows "read" on every resource type in the scope the role
# applies to. NOTE(review): Boundary treats "list" as a separate action
# and a role's grants apply to its own scope unless a grant scope is set,
# so confirm the intended reach (org only vs. child projects) matches.
resource "boundary_role" "organization_readonly" {
  scope_id      = boundary_scope.corp.id
  name          = "Read-only"
  description   = "Read-only role"
  principal_ids = [boundary_group.readonly.id]
  grant_strings = ["id=*;type=*;actions=read"]
}
# Admin role in the Corp One org scope, granted directly to every user
# in var.users (the single-argument concat() of the original is dropped;
# the principal list is unchanged).
# NOTE(review): this grants CRUD on every resource type to every member
# of var.users; "list" is a distinct action in Boundary, and the role's
# scope decides whether it reaches child projects — confirm both.
resource "boundary_role" "organization_admin" {
  scope_id      = boundary_scope.corp.id
  name          = "admin"
  description   = "Administrator role"
  principal_ids = values(boundary_user.users)[*].id
  grant_strings = ["id=*;type=*;actions=create,read,update,delete"]
}
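# Project scope under Corp One that holds the host catalog and targets.
# Fix: the project name was misspelled ("infrastrcture"); this is the
# user-visible scope name in Boundary.
# auto_create_admin_role creates a project-level admin role separate from
# the org-level "admin" role defined in this file.
resource "boundary_scope" "core_infra" {
  scope_id    = boundary_scope.corp.id
  name        = "Core infrastructure"
  description = "My first project!"

  auto_create_admin_role = true
}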
# Static host catalog in the core_infra project; hosts and host sets
# below are added to it explicitly rather than discovered.
resource "boundary_host_catalog" "backend_servers" {
  scope_id    = boundary_scope.core_infra.id
  type        = "static"
  name        = "backend_servers"
  description = "Backend servers host catalog"
}
# One static host per entry of var.backend_server_ips.
# The map key is used as the host address and the map value as a label
# in the host name — presumably address => label; verify against the
# variable definition, which is not in this file.
resource "boundary_host" "backend_servers" {
  for_each = var.backend_server_ips

  host_catalog_id = boundary_host_catalog.backend_servers.id
  type            = "static"
  address         = each.key
  name            = "backend_server_service_${each.value}"
  description     = "Backend server host"
}
# Host set containing every backend host. Despite the "_ssh" suffix it
# is shared by both targets below (SSH and the backend service).
resource "boundary_host_set" "backend_servers_ssh" {
  host_catalog_id = boundary_host_catalog.backend_servers.id
  type            = "static"
  name            = "backend_servers_ssh"
  description     = "Host set for backend servers"

  # values() yields the instances in key order, same as the for-expression form.
  host_ids = values(boundary_host.backend_servers)[*].id
}
# TCP target for the backend service on port 8080.
# NOTE(review): the original comment said :8000 while default_port is
# "8080"; the code value is kept here — confirm which one is intended.
# No session_max_seconds / session_connection_limit are set, so the
# provider defaults apply; consider pinning them for this target.
resource "boundary_target" "backend_servers_service" {
  scope_id     = boundary_scope.core_infra.id
  type         = "tcp"
  name         = "Backend service"
  description  = "Backend service target"
  default_port = "8080"

  host_set_ids = [boundary_host_set.backend_servers_ssh.id]
}
# TCP target for SSH (port 22) to every host in the backend host set.
# No session_max_seconds / session_connection_limit are set, so the
# provider defaults apply; consider pinning them for this target.
resource "boundary_target" "backend_servers_ssh" {
  scope_id     = boundary_scope.core_infra.id
  type         = "tcp"
  name         = "Backend servers"
  description  = "Backend SSH target"
  default_port = "22"

  host_set_ids = [boundary_host_set.backend_servers_ssh.id]
}