From 63dd3553111368eb737d73f16c103050e05c6d9a Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 15 Dec 2024 17:07:01 +1100
Subject: [PATCH] feat: add puppetapi approle/policy

---
 auth_approle_puppetapi.tf | 14 ++++++++++++++
 policies.tf | 3 ++-
 .../kv/service/puppetapi/puppetapi_read_tokens.hcl | 3 +++
 3 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 auth_approle_puppetapi.tf
 create mode 100644 policies/kv/service/puppetapi/puppetapi_read_tokens.hcl

diff --git a/auth_approle_puppetapi.tf b/auth_approle_puppetapi.tf
new file mode 100644
index 0000000..3d9deb1
--- /dev/null
+++ b/auth_approle_puppetapi.tf
@@ -0,0 +1,14 @@
+resource "vault_approle_auth_backend_role" "puppetapi" {
+ role_name = "puppetapi"
+ bind_secret_id = false
+ token_policies = ["puppetapi_read_tokens"]
+ token_ttl = 30
+ token_max_ttl = 30
+ token_bound_cidrs = [
+ "198.18.17.3/32",
+ "198.18.13.32/32",
+ "198.18.13.33/32",
+ "198.18.13.34/32",
+ "198.18.13.46/32"
+ ]
+}
diff --git a/policies.tf b/policies.tf
index 4eef688..a7fad86 100644
--- a/policies.tf
+++ b/policies.tf
@@ -11,7 +11,8 @@ locals {
 "policies/rundeck",
 "policies/ssh-host-signer",
 "policies/sshca",
- "policies/kv/service/glauth/services"
+ "policies/kv/service/glauth/services",
+ "policies/kv/service/puppetapi",
 ]
 }
diff --git a/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl b/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
new file mode 100644
index 0000000..d979cab
--- /dev/null
+++ b/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/puppetapi/tokens" {
+ capabilities = ["read"]
+}
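Review bot: With `bind_secret_id = false` the RoleID is the only credential for this role, so the `token_bound_cidrs` list in `auth_approle_puppetapi.tf` is the sole thing gating login, and nothing in the resource records why secret-id binding was dropped. That is a deliberate trade-off worth stating in the file, e.g. `# bind_secret_id is off: RoleID alone authenticates, so the CIDR list below is the only login guard — keep it to the puppet hosts and remember Vault checks the address it sees (a proxy/LB in front of Vault would mask the real client).` Since the role only needs one read per login and the TTLs are already 30 seconds, `token_num_uses = 1` would further shrink what a leaked RoleID is worth; whether the puppet client tolerates single-use tokens is something I cannot tell from this diff.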
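Review bot: The new policy in `puppetapi_read_tokens.hcl` has no comment saying what lives at `kv/data/service/puppetapi/tokens` or why only `read` (no `list`, no `kv/metadata/...`) is granted, and the policy name must match what `policies.tf` loads from the directory, which a reader cannot see from the file alone. A one-line header such as `# Read-only access for the puppetapi AppRole to the service tokens secret (KV v2 data path); metadata/versions intentionally not exposed.` would make the intent reviewable. Note that `read` on a KV v2 `data/` path still honours the `version` request parameter, so older versions of the secret remain readable; if only the current version should be retrievable, a `denied_parameters` block on `version` is worth evaluating — I have not verified that constraint applies to query-string parameters on this path, so confirm against the Vault version in use.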