From c33dcdc4471c83bdfc4b3a15218dbcb4992aa141 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 28 Jun 2026 01:17:51 +1000
Subject: [PATCH] Add auth and state access for terraform-authentik (#78)
## Summary
- K8s auth role for Woodpecker CI (`terraform-authentik` SA in `woodpecker` namespace)
- AppRole for local terraform runs
- Consul secret backend role (`terraform-authentik`, TTL 120/300)
- Consul ACL policy for `infra/terraform/authentik/` key prefix
- Vault policy granting both auth methods access to Consul creds
Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/78
Co-authored-by: Ben Vincent
Co-committed-by: Ben Vincent
---
 .../approle/terraform_authentik.yaml | 9 +++++++++
 .../k8s/au/syd1/woodpecker_terraform_authentik.yaml | 7 +++++++
 .../consul_root/au/syd1/terraform-authentik.yaml | 5 +++++
 .../au/syd1/creds/terraform-authentik.yaml | 11 +++++++++++
 .../consul_root/au/syd1/terraform-authentik.hcl | 7 +++++++
 5 files changed, 39 insertions(+)
 create mode 100644 config/auth_approle_role/approle/terraform_authentik.yaml
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_authentik.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-authentik.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-authentik.yaml
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-authentik.hcl
diff --git a/config/auth_approle_role/approle/terraform_authentik.yaml b/config/auth_approle_role/approle/terraform_authentik.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_authentik.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+  - "10.10.12.200/32"
+  - "198.18.25.102/32"
+  - "198.18.26.91/32"
+  - "198.18.27.40/32"
+use_deterministic_role_id: true
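Review bot: With `bind_secret_id: false` the role_id is the only login credential, and `token_bound_cidrs` restricts where the issued token can be used rather than who can call the login endpoint, so the role_id must still be handled as a secret and not as a public identifier. If `use_deterministic_role_id` (which looks like a repo-level option rather than a Vault API field) makes the role_id derivable from the role name, that exposure grows and the four bound hosts become the entire trust boundary. A header comment would record the trade-off for the next reader, e.g. `# No secret_id: any process on the bound hosts that knows the role_id can log in, so the role_id must not be published.`; consider `token_num_uses: 1` as well if a local run only needs a single read of the Consul creds.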
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_authentik.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_authentik.yaml
new file mode 100644
index 0000000..ea0f2ce
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_authentik.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+  - terraform-authentik
+bound_service_account_namespaces:
+  - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-authentik.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-authentik.yaml
new file mode 100644
index 0000000..421d885
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-authentik.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+  - terraform-authentik
+ttl: 120
+max_ttl: 300
+datacenters: []
diff --git a/policies/consul_root/au/syd1/creds/terraform-authentik.yaml b/policies/consul_root/au/syd1/creds/terraform-authentik.yaml
new file mode 100644
index 0000000..60404fe
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-authentik.yaml
@@ -0,0 +1,11 @@
+---
+rules:
+  - path: "consul_root/au/syd1/creds/terraform-authentik"
+    capabilities:
+      - read
+
+auth:
+  approle:
+    - terraform_authentik
+  k8s/au/syd1:
+    - woodpecker_terraform_authentik
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-authentik.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-authentik.hcl
new file mode 100644
index 0000000..88ef079
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-authentik.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/authentik/" {
+  policy = "write"
+}
+
+session_prefix "" {
+  policy = "write"
+}
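Review bot: `ttl: 120` with `max_ttl: 300` caps the generated Consul token at five minutes even with renewal, and the Terraform consul backend holds that token for the whole run without talking to Vault, so an apply that takes longer loses state and lock access mid-run unless the surrounding wrapper renews the lease itself. The K8s role's own `token_ttl: 600` suggests runs of that length are expected, which makes the mismatch worth a second look. If the short lifetime is intentional, document the constraint in the file: `# max_ttl 300: a terraform run must finish within 5 minutes or its state-backend token expires`.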
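Review bot: `key_prefix "infra/terraform/authentik/"` only covers keys beneath the trailing slash, so if the backend `path` is `infra/terraform/authentik` the state object, which Terraform stores at exactly that key, falls outside the grant while the `/.lock` and `/.lockinfo` keys inside it are writable; either confirm the configured path ends in a slash or a file name, or add `key "infra/terraform/authentik" { policy = "write" }`. `session_prefix ""` with write is the usual Terraform-backend grant because Consul sessions are scoped by node name, but it also permits destroying any session on any node, i.e. breaking any other workspace's lock cluster-wide; if the agent node Terraform connects to is fixed, narrow it to `session "<node-name>" { policy = "write" }`, and otherwise leave a comment saying why the broad form was kept. A short header such as `# Terraform consul backend: state and lock keys under the prefix; session write is required for locking` would make the intent of both stanzas clear.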