lucymhdavies · August 7, 2022 13:35
diff --git a/policy attributes b/policy attributes
 $ vault read sys/policies/egp/restrict-userpass-cidr
 Key                  Value
 ---                  -----
 enforcement_level    hard-mandatory
 name                 restrict-userpass-cidr
 paths                [auth/userpass/*]
 policy               ...
diff --git a/sentinel-policy.tf b/sentinel-policy.tf
 data "dns_a_record_set" "ddns" {
  host = "my-dynamic-dns-record-here"
 }

 resource "vault_egp_policy" "restrict-userpass-cidr" {
  name              = "restrict-userpass-cidr"
  paths             = ["auth/userpass/*"]
  enforcement_level = "hard-mandatory"

  policy = <<EOT
 import "sockaddr"
 import "strings"

 cidrcheck = rule {
    sockaddr.is_contained("${data.dns_a_record_set.ddns.addrs[0]}/32", request.connection.remote_addr) or
    error("Cannot use this auth method from", request.connection.remote_addr)
 }

 main = rule when strings.has_prefix(request.path, "auth/userpass/login") {
    cidrcheck
 }
 EOT
 }
	$ vault read sys/policies/egp/restrict-userpass-cidr
	Key Value
	--- -----
	enforcement_level hard-mandatory
	name restrict-userpass-cidr
	paths [auth/userpass/*]
	policy ...
	data "dns_a_record_set" "ddns" {
	host = "my-dynamic-dns-record-here"
	}

	resource "vault_egp_policy" "restrict-userpass-cidr" {
	name = "restrict-userpass-cidr"
	paths = ["auth/userpass/*"]
	enforcement_level = "hard-mandatory"

	policy = <<EOT
	import "sockaddr"
	import "strings"

	cidrcheck = rule {
	sockaddr.is_contained("${data.dns_a_record_set.ddns.addrs[0]}/32", request.connection.remote_addr) or
	error("Cannot use this auth method from", request.connection.remote_addr)
	}

	main = rule when strings.has_prefix(request.path, "auth/userpass/login") {
	cidrcheck
	}
	EOT
	}