From 1288057b810b2082c756606f70de38c3b6d589a9 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 7 Jun 2026 20:36:35 +1000
Subject: [PATCH] feat: add vault and consul roles for terraform-git (#73)
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git
## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace
Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/73
Co-authored-by: Ben Vincent
Co-committed-by: Ben Vincent
---
 .../k8s/au/syd1/woodpecker_terraform_git.yaml | 7 +++++++
 .../consul_root/au/syd1/terraform-git.yaml | 5 +++++
 policies/consul_root/au/syd1/creds/terraform-git.yaml | 9 +++++++++
 .../secret_backend/consul_root/au/syd1/terraform-git.hcl | 7 +++++++
 4 files changed, 28 insertions(+)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-git.yaml
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-git.hcl
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml
new file mode 100644
index 0000000..19acbad
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-git
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local 
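Review bot: The `audience:` value on the last line of the hunk is a hard requirement on the caller that the file does not explain: the Kubernetes auth login will be rejected unless the projected service-account token the `terraform-git` account in `woodpecker` presents carries exactly that `aud` claim, and the value looks like the cluster's API-server default rather than a pipeline-specific audience. A one-line comment would save the next maintainer a debugging round; suggest `# must equal the aud claim of the projected SA token the pipeline presents (API-server default audience)` above `audience:`. `token_ttl` and `token_max_ttl` are both 600, so a Vault token issued by this role cannot be renewed past ten minutes; worth noting with `# ttl == max_ttl: no renewal beyond 10 min, a longer pipeline step must log in again` so nobody later raises only `token_ttl` and wonders why renewals still stop. Whether the consuming module tolerates YAML comments is not visible from this hunk.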
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml
new file mode 100644
index 0000000..0ede4f7
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-git
+ttl: 120
+max_ttl: 300
+datacenters: []
diff --git a/policies/consul_root/au/syd1/creds/terraform-git.yaml b/policies/consul_root/au/syd1/creds/terraform-git.yaml
new file mode 100644
index 0000000..228f586
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-git.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-git"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - woodpecker_terraform_git
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-git.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-git.hcl
new file mode 100644
index 0000000..3fd25a9
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-git.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/git/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
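Review bot: `consul_roles:` on the first line of this hunk names a Consul ACL *role*, while the commit description and the new HCL file under resources/secret_backend/ describe a Consul ACL *policy* called terraform-git; unless the module that consumes these files also creates a Consul role of the same name wrapping that policy (not visible here), the Vault role will mint tokens bound to a role that does not exist, and the key should be `consul_policies:` instead. Separately, `ttl: 120` with `max_ttl: 300` caps each Consul token at five minutes even with renewal, and the Terraform Consul backend needs the token for the whole run, not just at start: a `terragrunt apply` that outlives the token will fail its later state writes and the lock release, leaving a lock to clean up by hand. Consider raising `max_ttl` to cover the longest expected apply, or add `# max_ttl must exceed the longest terragrunt run; the state lock session is released with this token` so the limit is a deliberate choice rather than a surprise.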
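Review bot: This policy file opens with a `---` document marker while the two other YAML files added in this commit (the auth role and the secret-backend role) do not, so the repository now mixes the two forms; pick one for all three. The `auth:` block binds the policy to `woodpecker_terraform_git` under `k8s/au/syd1`, which matches the role file in the first hunk; a comment such as `# read-only: the CI job only fetches short-lived Consul tokens, lease renew/revoke comes from the default policy` would make the narrow `read` capability explicit, though whether the `default` policy is attached to these tokens cannot be confirmed from this hunk.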
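Review bot: `session_prefix ""` with `policy = "write"` on the fifth line of this hunk is cluster-wide: it lets the token create and destroy sessions on every node, which is far broader than the `infra/terraform/git/` key prefix above it, and the file gives no reason. If this exists for the Terraform Consul backend's state lock, which creates a session against the agent the CI job talks to, record that so the grant is not narrowed or copied blindly later: `# session write on all nodes is required by the Terraform consul backend for state locking; the lock session is created on whichever agent the job reaches`. A short comment on the key prefix is also worth adding, `# trailing slash scopes this to the subtree only, infra/terraform/gitXYZ is not matched`, since Consul prefix rules are plain string prefixes.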