From 346cf9fa438c0373f1ced6a7e1648076286607d1 Mon Sep 17 00:00:00 2001
From: BenVincent
Date: Mon, 8 Jun 2026 15:17:58 +1000
Subject: [PATCH] feat: manage gitadmin token (#74)
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token
---------
Co-authored-by: Ben Vincent
Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/74
---
config/auth_approle_role/approle/terraform_git.yaml | 9 +++++++++
.../consul_root/au/syd1/creds/terraform-git.yaml | 2 ++
.../gitea/gitadmin/tokens/terraform-git/read.yaml | 12 ++++++++++++
3 files changed, 23 insertions(+)
create mode 100644 config/auth_approle_role/approle/terraform_git.yaml
create mode 100644 policies/kv/service/gitea/gitadmin/tokens/terraform-git/read.yaml
diff --git a/config/auth_approle_role/approle/terraform_git.yaml b/config/auth_approle_role/approle/terraform_git.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_git.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/policies/consul_root/au/syd1/creds/terraform-git.yaml b/policies/consul_root/au/syd1/creds/terraform-git.yaml
index 228f586..f5db59c 100644
--- a/policies/consul_root/au/syd1/creds/terraform-git.yaml
+++ b/policies/consul_root/au/syd1/creds/terraform-git.yaml
@@ -5,5 +5,7 @@ rules:
 - read
 auth:
+ approle:
+ - terraform_git
 k8s/au/syd1:
 - woodpecker_terraform_git
diff --git a/policies/kv/service/gitea/gitadmin/tokens/terraform-git/read.yaml b/policies/kv/service/gitea/gitadmin/tokens/terraform-git/read.yaml
new file mode 100644
index 0000000..bc2dfc1
--- /dev/null
+++ b/policies/kv/service/gitea/gitadmin/tokens/terraform-git/read.yaml
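Review bot: With `bind_secret_id: false` and `use_deterministic_role_id: true`, the role_id of terraform_git is not a secret, so the four `/32` entries in `token_bound_cidrs` appear to be the only factor gating login; any process able to originate traffic from one of those addresses can obtain a token, and hunks 2 and 3 then hand that identity the Consul creds read and the gitadmin token read. If that trade-off is intended, record it in the file so the next editor does not widen the list casually, e.g. `# role_id-only login: auth relies entirely on token_bound_cidrs (hosts owned by <OWNER-OF-THESE-HOSTS>); keep this list tight`. Otherwise consider `bind_secret_id: true` together with `secret_id_bound_cidrs`, so that neither a guessed role_id nor a spoofed source address is sufficient on its own. `token_num_uses` is unset, so a token can be replayed for the full 120 s it lives; a small value would bound what a captured token is worth.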
@@ -0,0 +1,12 @@
+# Allow reading Gitea admin token
+---
+rules:
+ - path: "kv/data/service/gitea/gitadmin/tokens/terraform-git"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_git
+ k8s/au/syd1:
+ - woodpecker_terraform_git
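Review bot: The header comment only says "Allow reading Gitea admin token"; since this file hands an admin-scoped Gitea credential to both the terraform_git approle and the woodpecker_terraform_git k8s role (a CI runner, judging by the name), it should state why admin scope is needed and who the consumers are, e.g. `# Gitea admin token for terraform-git: read by the terraform_git approle and woodpecker_terraform_git; admin scope is required for <REASON>`. If a narrower Gitea token would suffice for what terraform-git does, storing that under this path instead would shrink the blast radius of a compromised runner. Note also that `kv/data/...` is the KV v2 data path, so `read` returns any retained version of the secret, not only the current one; rotating the token without destroying old versions leaves the old values readable to these consumers.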