diff --git a/auth_approle_terraform_repoflow.tf b/auth_approle_terraform_repoflow.tf
new file mode 100644
index 0000000..9c7bf15
--- /dev/null
+++ b/auth_approle_terraform_repoflow.tf
@@ -0,0 +1,16 @@
+resource "vault_approle_auth_backend_role" "terraform_repoflow" {
+ role_name = "terraform_repoflow"
+ bind_secret_id = false
+ token_policies = [
+ "default_access",
+ "kv/service/repoflow/unkinadmin/tokens/terraform/read",
+ ]
+ token_ttl = 60
+ token_max_ttl = 120
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ "198.18.25.102/32",
+ "198.18.26.91/32",
+ "198.18.27.40/32",
+ ]
+}
diff --git a/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.hcl b/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.hcl
new file mode 100644
index 0000000..e482516
--- /dev/null
+++ b/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/repoflow/unkinadmin/tokens/terraform" {
+ capabilities = ["read"]
+}
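Review bot: With `bind_secret_id = false` the role_id is the only login credential, so any process on the four hosts in `token_bound_cidrs` — or anything able to present one of those source addresses — can mint a token that reads the Terraform token secret, and the hunk gives no reason for dropping secret-id binding. If Vault sits behind a load balancer or reverse proxy, the source address it sees may be the proxy's rather than the client's, so the CIDR binding would either reject every login or match far more than these four hosts unless the listener is configured to trust X-Forwarded-For from that proxy — worth checking before apply. Unless role_id-only login is deliberate, set `bind_secret_id = true` and hand the secret_id to the runner response-wrapped at provisioning time; if it is deliberate, put the reasoning in a comment on that line and bound the token further with a small `token_num_uses` so it is good for little beyond the single read. Note also that 198.18.0.0/15 is the RFC 2544 benchmarking range, so the three 198.18.x addresses look like placeholders rather than real hosts.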
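Review bot: `read` on a KV v2 `data/` path also returns earlier versions of the secret when the caller supplies `?version=N`, which this policy cannot restrict and the file does not mention; if superseded Terraform tokens remain in the version history they stay readable until destroyed, so a comment above the path line would help, e.g. `# KV v2 data endpoint: read also serves prior versions via ?version=N; destroy rotated tokens`. The `data/` segment suggests a KV v2 mount — if the mount is actually KV v1 the path must drop `data/` or the grant matches nothing. The policy name referenced from the role's `token_policies` matches this file's path, which is presumably how the policy is registered, but that wiring is not visible in the diff.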