From 36d7afbb65cab172282cc60d44323ca1e54bf4a1 Mon Sep 17 00:00:00 2001 
From: Ben Vincent
Date: Sun, 28 Jun 2026 22:03:25 +1000
Subject: [PATCH] feat: add vault/consul config for media terraform repos (#79)

Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.

Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/79
Co-authored-by: Ben Vincent
Co-committed-by: Ben Vincent
---
 .../auth_approle_role/approle/terraform_prowlarr.yaml | 9 +++++++++
 .../auth_approle_role/approle/terraform_radarr.yaml | 9 +++++++++
 .../auth_approle_role/approle/terraform_sonarr.yaml | 9 +++++++++
 .../k8s/au/syd1/woodpecker_terraform_prowlarr.yaml | 7 +++++++
 .../k8s/au/syd1/woodpecker_terraform_radarr.yaml | 7 +++++++
 .../k8s/au/syd1/woodpecker_terraform_sonarr.yaml | 7 +++++++
 .../consul_root/au/syd1/terraform-prowlarr.yaml | 5 +++++
 .../consul_root/au/syd1/terraform-radarr.yaml | 5 +++++
 .../consul_root/au/syd1/terraform-sonarr.yaml | 5 +++++
 .../consul_root/au/syd1/creds/terraform-prowlarr.yaml | 11 +++++++++++
 .../consul_root/au/syd1/creds/terraform-radarr.yaml | 11 +++++++++++
 .../consul_root/au/syd1/creds/terraform-sonarr.yaml | 11 +++++++++++
 policies/kv/service/media-apps/prowlarr/read.yaml | 3 +++
 policies/kv/service/media-apps/radarr/read.yaml | 3 +++
 policies/kv/service/media-apps/sonarr/read.yaml | 3 +++
 .../consul_root/au/syd1/terraform-prowlarr.hcl | 7 +++++++
 .../consul_root/au/syd1/terraform-radarr.hcl | 7 +++++++
 .../consul_root/au/syd1/terraform-sonarr.hcl | 7 +++++++
 18 files changed, 126 insertions(+)
 create mode 100644 config/auth_approle_role/approle/terraform_prowlarr.yaml
 create mode 100644 config/auth_approle_role/approle/terraform_radarr.yaml
 create mode 100644 config/auth_approle_role/approle/terraform_sonarr.yaml
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_prowlarr.yaml
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_radarr.yaml
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_sonarr.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-prowlarr.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-radarr.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-sonarr.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-prowlarr.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-radarr.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-sonarr.yaml
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-prowlarr.hcl
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-radarr.hcl
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-sonarr.hcl

diff --git a/config/auth_approle_role/approle/terraform_prowlarr.yaml b/config/auth_approle_role/approle/terraform_prowlarr.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_prowlarr.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/config/auth_approle_role/approle/terraform_radarr.yaml b/config/auth_approle_role/approle/terraform_radarr.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_radarr.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/config/auth_approle_role/approle/terraform_sonarr.yaml b/config/auth_approle_role/approle/terraform_sonarr.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
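Review bot: With `bind_secret_id: false`, login to this AppRole needs only the role_id, so the four `/32` entries under `token_bound_cidrs` are the sole factor gating who can mint these tokens; `use_deterministic_role_id: true` appears to make that role_id derivable rather than random, though its exact meaning depends on how this repo's module consumes the key. That is a defensible choice for fixed hosts, but the file should say so and name the hosts, e.g. `# role_id-only login: token_bound_cidrs is the only authentication factor` above the list and a `# <host>` comment beside each address, so nobody later widens a CIDR without realising what it gates. The radarr and sonarr files are byte-identical to this one (same blob cec109a) and the same note applies to them.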
+++ b/config/auth_approle_role/approle/terraform_sonarr.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_prowlarr.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_prowlarr.yaml
new file mode 100644
index 0000000..cca276b
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_prowlarr.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-prowlarr
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_radarr.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_radarr.yaml
new file mode 100644
index 0000000..2e7af95
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_radarr.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-radarr
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_sonarr.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_sonarr.yaml
new file mode 100644
index 0000000..232fa5b
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_sonarr.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-sonarr
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
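Review bot: The `audience:` on the last line of the woodpecker_terraform_prowlarr role is the cluster's default API-server audience, so the service-account token the pod already uses to talk to the API server is also accepted by Vault, and a copy of it captured anywhere on that path can be replayed against Vault until the 600 s `token_ttl` runs out. If the woodpecker pods can mount a projected `serviceAccountToken` with a dedicated audience, bind the role to that instead, e.g. `audience: vault`, so an API-server token is useless at Vault; if they cannot, record the trade-off with `# default API-server audience: token is not Vault-specific, bound only by SA name/namespace`. The per-app `bound_service_account_names` and single namespace are appropriately narrow; the radarr and sonarr roles use the same audience and get the same note.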
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-prowlarr.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-prowlarr.yaml
new file mode 100644
index 0000000..1024d52
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-prowlarr.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-prowlarr
+ttl: 120
+max_ttl: 300
+datacenters: []
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-radarr.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-radarr.yaml
new file mode 100644
index 0000000..bd300ef
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-radarr.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-radarr
+ttl: 120
+max_ttl: 300
+datacenters: []
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-sonarr.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-sonarr.yaml
new file mode 100644
index 0000000..93730e7
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-sonarr.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-sonarr
+ttl: 120
+max_ttl: 300
+datacenters: []
diff --git a/policies/consul_root/au/syd1/creds/terraform-prowlarr.yaml b/policies/consul_root/au/syd1/creds/terraform-prowlarr.yaml
new file mode 100644
index 0000000..819280d
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-prowlarr.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-prowlarr"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_prowlarr
+ k8s/au/syd1:
+ - woodpecker_terraform_prowlarr
diff --git a/policies/consul_root/au/syd1/creds/terraform-radarr.yaml b/policies/consul_root/au/syd1/creds/terraform-radarr.yaml
new file mode 100644
index 0000000..4aad7db
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-radarr.yaml
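Review bot: `max_ttl: 300` on the terraform-prowlarr Consul role is unlikely to be the lifetime a caller actually gets over the AppRole path: Vault revokes the leases a token created when that token expires, and the `terraform_*` AppRoles earlier in this patch issue tokens with `token_max_ttl: 120`, so a Consul token fetched with one of them is revoked after at most 120 s regardless of the 300 s here. If these credentials back the Terraform consul backend (the `infra/terraform/<app>/` key policies later in the patch suggest so), a plan/apply longer than that loses its backend token mid-run and can leave the state lock session behind. Either raise the AppRole `token_max_ttl` to cover a realistic run and let Terraform renew, or document the bound here with `# effective lifetime is capped by the caller's Vault token TTL, not max_ttl`. `datacenters: []` presumably means unrestricted; a short comment confirming that is intended would help, and the radarr and sonarr roles are identical apart from the role name.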
@@ -0,0 +1,11 @@
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-radarr"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_radarr
+ k8s/au/syd1:
+ - woodpecker_terraform_radarr
diff --git a/policies/consul_root/au/syd1/creds/terraform-sonarr.yaml b/policies/consul_root/au/syd1/creds/terraform-sonarr.yaml
new file mode 100644
index 0000000..8ef3ca5
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-sonarr.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-sonarr"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_sonarr
+ k8s/au/syd1:
+ - woodpecker_terraform_sonarr
diff --git a/policies/kv/service/media-apps/prowlarr/read.yaml b/policies/kv/service/media-apps/prowlarr/read.yaml
index c794f0d..dfb687a 100644
--- a/policies/kv/service/media-apps/prowlarr/read.yaml
+++ b/policies/kv/service/media-apps/prowlarr/read.yaml
@@ -6,5 +6,8 @@ rules:
 - read

 auth:
+ approle:
+ - terraform_prowlarr
 k8s/au/syd1:
 - media-apps
+ - woodpecker_terraform_prowlarr
diff --git a/policies/kv/service/media-apps/radarr/read.yaml b/policies/kv/service/media-apps/radarr/read.yaml
index 8f7185b..ecf95c2 100644
--- a/policies/kv/service/media-apps/radarr/read.yaml
+++ b/policies/kv/service/media-apps/radarr/read.yaml
@@ -6,5 +6,8 @@ rules:
 - read

 auth:
+ approle:
+ - terraform_radarr
 k8s/au/syd1:
 - media-apps
+ - woodpecker_terraform_radarr
diff --git a/policies/kv/service/media-apps/sonarr/read.yaml b/policies/kv/service/media-apps/sonarr/read.yaml
index 7b20780..99778a2 100644
--- a/policies/kv/service/media-apps/sonarr/read.yaml
+++ b/policies/kv/service/media-apps/sonarr/read.yaml
@@ -6,5 +6,8 @@ rules:
 - read

 auth:
+ approle:
+ - terraform_sonarr
 k8s/au/syd1:
 - media-apps
+ - woodpecker_terraform_sonarr
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-prowlarr.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-prowlarr.hcl
new file mode 100644
index 0000000..ce002ac
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-prowlarr.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/prowlarr/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-radarr.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-radarr.hcl
new file mode 100644
index 0000000..268adab
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-radarr.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/radarr/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-sonarr.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-sonarr.hcl
new file mode 100644
index 0000000..7937c3e
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-sonarr.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/sonarr/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
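Review bot: `session_prefix "" { policy = "write" }` in terraform-prowlarr.hcl is far broader than the per-app `key_prefix "infra/terraform/prowlarr/"` above it: Consul session rules are keyed by node name, and write on the empty prefix lets this token create and, more importantly, destroy sessions on every node, including the lock sessions held by other Terraform states or by services that use Consul sessions. Terraform's consul backend only needs session write on the node of the agent it creates its lock through, so if that set is known (the hosts bound in the AppRole CIDRs, or the agent node names the k8s pods reach) scope it with one `session_prefix "<node-name>" { policy = "write" }` per node. If it genuinely has to stay global, state why in the file, e.g. `# global: backend lock session is created on whichever agent terraform reaches`. The radarr and sonarr policies carry the same unscoped session block.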