From bbde79d2a6bbe4fde6534a083c190337f1cf258e Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 6 Jul 2026 23:41:03 +1000 Subject: [PATCH] policies: let terraform-authentik read its provider API token (#82) ## Why terraform-authentik's provider needs an Authentik API token (`TF_VAR_authentik_token`), now sourced from Vault at `kv/service/terraform/authentik` (Makefile wiring in terraform-authentik #2). The CI role needs read access to that path. ## Change Extend `policies/kv/service/terraform/authentik.yaml` to also grant read on `kv/data/service/terraform/authentik` for the `terraform_authentik` approle + `woodpecker_terraform_authentik` k8s role. Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/82 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- policies/kv/service/terraform/authentik.yaml | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/policies/kv/service/terraform/authentik.yaml b/policies/kv/service/terraform/authentik.yaml index 29adda4..466d4a6 100644 --- a/policies/kv/service/terraform/authentik.yaml +++ b/policies/kv/service/terraform/authentik.yaml @@ -1,9 +1,12 @@ -# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that -# back authentik providers. Secrets live under each target service's kv -# namespace path (kv/kubernetes/namespace//default/oauth-credentials) and -# are read by the module's data.vault_kv_secret_v2 lookups. +# Allow the Terraform Authentik runner to read: +# - its own Authentik API token (provider auth), and +# - OAuth2/OIDC client secrets that back authentik providers (per target +# service's kv namespace path, via the module's data.vault_kv_secret_v2). --- rules: + - path: "kv/data/service/terraform/authentik" + capabilities: + - read - path: "kv/data/kubernetes/namespace/+/default/oauth-credentials" capabilities: - read