feat: add vault component and module (#226)

components/terraform/vault/main.tf

@@ -0,0 +1,6 @@
+module "vault" {
+  source = "../../../modules/vault"
+
+  compartment_ocid = var.compartment_ocid
+  name             = var.vault.name
+}

components/terraform/vault/providers.tf

@@ -0,0 +1,41 @@
+provider "oci" {
+  tenancy_ocid     = var.tenancy_ocid
+  user_ocid        = var.user_ocid
+  private_key_path = var.private_key_path
+  fingerprint      = var.fingerprint
+  region           = var.region
+}
+
+provider "context" {
+  enabled   = var.enabled
+  delimiter = "-"
+  property_order = [
+    "namespace",
+    "stage",
+    "environment",
+    "name",
+  ]
+  properties = {
+    namespace = {
+      required   = true
+      max_length = 3
+    }
+    stage = {
+      required         = true
+      validation_regex = "^(dev|test|prod)"
+    }
+    environment = {
+      required = true
+    }
+    name = {
+      required = true
+    }
+  }
+  tags_key_case = "title"
+  values = {
+    namespace   = var.namespace
+    stage       = var.stage
+    environment = var.environment
+    name        = var.name
+  }
+}

components/terraform/vault/variables.tf

@@ -0,0 +1,50 @@
+variable "tenancy_ocid" {
+  type = string
+}
+
+variable "user_ocid" {
+  type = string
+}
+
+variable "private_key_path" {
+  type = string
+}
+
+variable "fingerprint" {
+  type = string
+}
+
+variable "region" {
+  type = string
+}
+
+variable "enabled" {
+  type = bool
+}
+
+variable "namespace" {
+  type = string
+}
+
+variable "stage" {
+  type = string
+}
+
+variable "environment" {
+  type = string
+}
+
+variable "name" {
+  type = string
+}
+
+variable "compartment_ocid" {
+  type        = string
+  description = "Compartment OCID"
+}
+
+variable "vault" {
+  type = object({
+    name = string
+  })
+}

components/terraform/vault/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = "~> 1.0"
+
+  required_providers {
+    oci = {
+      source  = "oracle/oci"
+      version = "~> 6.0"
+    }
+    context = {
+      source  = "cloudposse/context"
+      version = "~> 0.4"
+    }
+  }
+}

modules/vault/main.tf

@@ -0,0 +1,60 @@
+locals {
+  enabled = data.context_config.main.enabled
+
+  compartment_ocid = var.compartment_ocid
+  name             = var.name
+}
+
+data "context_config" "main" {}
+
+data "context_label" "main" {
+  values = {
+    name = local.name
+  }
+}
+
+data "context_tags" "main" {
+  values = {
+    name = local.name
+  }
+}
+
+resource "oci_kms_vault" "default" {
+  count = local.enabled ? 1 : 0
+
+  compartment_id = local.compartment_ocid
+  display_name   = data.context_label.main.rendered
+  vault_type     = "DEFAULT"
+  freeform_tags  = data.context_tags.main.tags
+}
+
+resource "oci_kms_key" "default" {
+  count = local.enabled ? 1 : 0
+
+  compartment_id = local.compartment_ocid
+  display_name   = data.context_label.main.rendered
+  key_shape {
+    algorithm = "AES"
+    length    = 32
+  }
+  management_endpoint = oci_kms_vault.default[0].management_endpoint
+  protection_mode     = "SOFTWARE"
+  freeform_tags       = data.context_tags.main.tags
+}
+
+resource "oci_vault_secret" "default" {
+  count          = local.enabled ? 1 : 0
+  compartment_id = var.compartment_ocid
+  secret_content {
+    content_type = "BASE64"
+    content      = "false"
+  }
+  secret_name   = "cluster-initiated"
+  vault_id      = oci_kms_vault.default[0].id
+  key_id        = oci_kms_key.default[0].id
+  freeform_tags = data.context_tags.main.tags
+
+  lifecycle {
+    ignore_changes = all
+  }
+}

modules/vault/variables.tf

@@ -0,0 +1,11 @@
+variable "compartment_ocid" {
+  type        = string
+  description = "Compartment OCID"
+  default     = null
+}
+
+variable "name" {
+  type        = string
+  description = "The name used as a part of resources display name"
+  default     = null
+}

modules/vault/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    oci = {
+      source  = "oracle/oci"
+      version = ">= 6.0.0"
+    }
+    context = {
+      source  = "cloudposse/context"
+      version = ">= 0.4.0"
+    }
+  }
+}

stacks/catalog/vault/defaults.yaml

@@ -0,0 +1,5 @@
+components:
+  terraform:
+    vault:
+      vars:
+        enabled: true

stacks/mixins/region/fra.yaml

@@ -2,6 +2,7 @@ import:
   - catalog/vcn/defaults
   - catalog/alb/defaults
   - catalog/instance/defaults
+  - catalog/vault/defaults
 
 vars:
   region: eu-frankfurt-1

stacks/orgs/hs/plat/prod/fra.yaml

@@ -101,3 +101,10 @@ components:
         shape: VM.Standard.A1.Flex
         instance_public_key: |
           ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCafkXOuGWQfAZvmDyRcWi/HmTh8DJqRicGmFOammZe7oJAvK7YAOoBMlVvODwYA83dAh7YitbAW+RkQKbGDV5Gcz9/aXP+6AMC64wWprwgonGP6DjvRCH3GZBSo4PZfDohao/OelKBKmXVb8XMFDYE5Lu7Edw+Z/o093OBJFU6J12sO8IJNgU9iOnfZl9M4dr4XSf9HGiMlx1INN8+NBgVCySeTpRkmWGKoSwb5MGEBuZ+f1OWg5VARFe2nPbMLryBH7jOvHN0z71C9/W9ztSeejiy37f7TqC1GyHHkzR5+C6WtCyNAOaa3JBNV7W5ngFSb81mA5779PGd3vqUwCHD ssh-key-2024-03-16
+    vault:
+      metadata:
+        component: vault
+      vars:
+        name: vault
+        vault:
+          name: vault