From bb5f6922fa120ec51022276e4a4e2dc5ed38d4d7 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jun 2026 22:56:30 +1000
Subject: [PATCH] feat: add vault policy for terraform-git webhook secrets (#75)
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time
## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge
Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/75
Co-authored-by: Ben Vincent
Co-committed-by: Ben Vincent
---
 policies/kv/service/woodpecker/tokens/gitadmin.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
 create mode 100644 policies/kv/service/woodpecker/tokens/gitadmin.yaml
diff --git a/policies/kv/service/woodpecker/tokens/gitadmin.yaml b/policies/kv/service/woodpecker/tokens/gitadmin.yaml
new file mode 100644
index 0000000..21c843e
--- /dev/null
+++ b/policies/kv/service/woodpecker/tokens/gitadmin.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+ - path: "kv/data/service/woodpecker/tokens/gitadmin"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_git
+ k8s/au/syd1:
+ - woodpecker_terraform_git
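Review bot: The policy added here grants `read` on `kv/data/service/woodpecker/tokens/gitadmin`, but the commit title and summary describe a read policy for `kv/data/service/gitea/webhook/*` holding webhook URLs, so either the wrong policy file was committed or the description is wrong, and that should be resolved before merge. The path name suggests an admin-level git token rather than webhook URLs, so binding it to the `terraform_git` approle and the `woodpecker_terraform_git` k8s role would be broader than the stated need; confirm this is the path terragrunt actually reads at plan/apply time and that no less-privileged secret serves the purpose. Whichever path is correct, a header comment naming the consumer would help the next reviewer, e.g. `# Read by terraform-git (terragrunt plan/apply) via the roles listed under auth`.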