From be9bd96cf30541d5552b778cb741e5572f0d484a Mon Sep 17 00:00:00 2001
From: BenVincent
Date: Wed, 17 Jun 2026 21:42:25 +1000
Subject: [PATCH] feat: enable consul state store for artifactapi (#77)

enable the terraform-artifactapi system to manage its state in consul using dynamic credentials from kubernetes ci jobs in woodpecker

---------

Co-authored-by: Ben Vincent
Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/77
---
 .../approle/terraform_artifactapi.yaml | 9 +++++++++
 .../k8s/au/syd1/woodpecker_terraform_artifactapi.yaml | 7 +++++++
 .../consul_root/au/syd1/terraform-artifactapi.yaml | 5 +++++
 .../au/syd1/creds/terraform-artifactapi.yaml | 11 +++++++++++
 .../consul_root/au/syd1/terraform-artifactapi.hcl | 7 +++++++
 5 files changed, 39 insertions(+)
 create mode 100644 config/auth_approle_role/approle/terraform_artifactapi.yaml
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_artifactapi.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-artifactapi.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-artifactapi.yaml
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-artifactapi.hcl

diff --git a/config/auth_approle_role/approle/terraform_artifactapi.yaml b/config/auth_approle_role/approle/terraform_artifactapi.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_artifactapi.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_artifactapi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_artifactapi.yaml
new file mode 100644
index 0000000..0270f88
--- /dev/null
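Review bot: With `bind_secret_id: false` and `use_deterministic_role_id: true` (which presumably makes the role ID predictable rather than secret), the four `token_bound_cidrs` entries are the only thing gating a login to this role; that is defensible for fixed CI runners, but it should be stated in the file, and it presumes Vault sees the real client address rather than that of an intermediate proxy. Suggested comment above `token_bound_cidrs:`: `# bind_secret_id is off, so login is gated solely by these source CIDRs; keep the list to the CI runner hosts and confirm the Vault listener is not behind an address-rewriting proxy`. Quoting the CIDR strings is correct, since plain scalars with `/` and dots are safe but the quotes make intent explicit.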
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_artifactapi.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-artifactapi
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-artifactapi.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-artifactapi.yaml
new file mode 100644
index 0000000..caf1eea
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-artifactapi.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-artifactapi
+ttl: 120
+max_ttl: 300
+datacenters: []
diff --git a/policies/consul_root/au/syd1/creds/terraform-artifactapi.yaml b/policies/consul_root/au/syd1/creds/terraform-artifactapi.yaml
new file mode 100644
index 0000000..fbc5c05
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-artifactapi.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-artifactapi"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_artifactapi
+ k8s/au/syd1:
+ - woodpecker_terraform_artifactapi
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-artifactapi.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-artifactapi.hcl
new file mode 100644
index 0000000..bec1083
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-artifactapi.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/artifactapi/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
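Review bot: `audience: https://kubernetes.default.svc.cluster.local` is the cluster's default API-server audience, so a token the `terraform-artifactapi` service account already holds for talking to the API server is also accepted by Vault; a Vault-specific audience (e.g. `audience: vault`, with the Woodpecker step requesting a projected token for that audience) would stop API-server tokens from doubling as Vault credentials. Whether the job currently uses a projected token or the default-mounted one is not visible here, so confirm before changing. `token_ttl: 600` is five times the AppRole role's 120 s in the same change; if the difference is intended (longer CI runs), a one-line comment saying so, e.g. `# 10 min: covers a full Woodpecker plan/apply step`, would help the next reader.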
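Review bot: `datacenters: []` places no datacenter restriction on the Consul tokens Vault issues for this role (an empty list is the backend's unrestricted default, as I read the Vault consul secrets engine docs), whereas the mount path `consul_root/au/syd1` suggests the credential only needs to work in one datacenter; pinning it, e.g. `datacenters: ["<syd1 consul datacenter name>"]`, limits what a leaked CI token can reach. Separately, `ttl: 120` / `max_ttl: 300` means the Consul token cannot outlive five minutes even with renewal, and Terraform needs a valid token for the whole run to write state and release its lock; confirm an apply of this system reliably finishes inside that window, or raise `max_ttl` and document the reasoning. `consul_roles` names a Consul ACL role `terraform-artifactapi` that this change does not create — the HCL file in the same change is a policy — so a comment noting where the role-to-policy binding lives would help.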
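Review bot: This is the only one of the four new YAML files in the change that opens with `---`; the AppRole, Kubernetes-role and Consul-role files do not, so either add the document-start marker to those or drop it here for a consistent house style. The policy itself is appropriately narrow: `read` on the single `creds/terraform-artifactapi` path is all that is needed to fetch a Consul token, and lease renewal goes through `sys/leases/renew`, which the default policy grants if these tokens keep it. A short comment above `auth:` naming the two consumers would save a cross-reference, e.g. `# both login paths below exist only to fetch Consul credentials for the artifactapi Terraform state`.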
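Review bot: `session_prefix ""` with `policy = "write"` grants this token session write on every node in the datacenter, while the key rule is scoped tightly; if that breadth is unavoidable because Terraform creates its lock session on whichever agent the job reaches, say so in a comment, e.g. `# empty prefix: Terraform's lock session is created against whichever agent serves the job, so the node name is not fixed`. Also cross-check the Terraform backend's `path`: the Consul backend writes the state at `<path>` and its lock keys at `<path>/.lock` and `<path>/.lockinfo`, so a `path` of exactly `infra/terraform/artifactapi` would leave the state key itself outside the `infra/terraform/artifactapi/` prefix even though the lock keys fall inside. The backend configuration is not part of this change, so this is a cross-check rather than a confirmed defect.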