From 8bc67e1e5b04470e2eada283de877ebdb5a89daa Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 7 Apr 2025 16:22:41 +1000
Subject: [PATCH] feat: add terraform-incus approle/policy
---
 auth_approle_terraform_incus.tf | 15 +++++++++++++++
 policies/kv/service/terraform/incus.hcl | 3 +++
 2 files changed, 18 insertions(+)
 create mode 100644 auth_approle_terraform_incus.tf
 create mode 100644 policies/kv/service/terraform/incus.hcl
diff --git a/auth_approle_terraform_incus.tf b/auth_approle_terraform_incus.tf
new file mode 100644
index 0000000..b6a30f9
--- /dev/null
+++ b/auth_approle_terraform_incus.tf
@@ -0,0 +1,15 @@
+resource "vault_approle_auth_backend_role" "terraform_incus" {
+ role_name = "terraform_incus"
+ bind_secret_id = false
+ token_policies = [
+ "default_access",
+ "incus",
+ ]
+ token_ttl = 60
+ token_max_ttl = 120
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ "198.18.13.67/32",
+ "198.18.13.68/32",
+ ]
+}
diff --git a/policies/kv/service/terraform/incus.hcl b/policies/kv/service/terraform/incus.hcl
new file mode 100644
index 0000000..7173116
--- /dev/null
+++ b/policies/kv/service/terraform/incus.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/terraform/incus" {
+ capabilities = ["read"]
+}
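Review bot: With `bind_secret_id = false` on the third line of the resource, the role_id is the only credential needed at `auth/approle/login`, and `token_bound_cidrs` only restricts where an already-issued token may be used, not who can perform the login. If the intent is that only the three listed hosts can obtain a token, add `secret_id_bound_cidrs = ["10.10.12.200/32", "198.18.13.67/32", "198.18.13.68/32"]` so the login call itself is CIDR-bound (Vault documents this as enforced even when secret-id binding is off, but confirm on the deployed version), and consider `token_num_uses` since a Terraform run needs few calls. A one-line comment such as `# role_id-only login: callers are pinned by source CIDR instead of a secret_id` would record why the stronger binding was deliberately dropped.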
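Review bot: The policy file carries no comment saying what it grants or who consumes it; a header such as `# Read-only access to the KV v2 secret at service/terraform/incus, attached to the terraform_incus AppRole via token_policies "incus"` would make the pairing with the new role explicit (the name this file is registered under is not visible here, so confirm it is `incus`). Granting only `read` on the `data/` path and nothing on `metadata/` or `list` is the right least-privilege shape for a single-secret consumer.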