diff --git a/config/auth_approle_role/approle/terraform_ldap.yaml b/config/auth_approle_role/approle/terraform_ldap.yaml
new file mode 100644
index 0000000..7b880b0
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_ldap.yaml
@@ -0,0 +1,9 @@
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml
new file mode 100644
index 0000000..c4fb024
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-ldap
+ttl: 60
+max_ttl: 60
+datacenters: []
diff --git a/policies/consul_root/au/syd1/creds/terraform-ldap.yaml b/policies/consul_root/au/syd1/creds/terraform-ldap.yaml
new file mode 100644
index 0000000..852999f
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-ldap.yaml
@@ -0,0 +1,10 @@
+# generate credentials for the terraform-ldap role in consul
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-ldap"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_ldap
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl
new file mode 100644
index 0000000..70d0a17
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/ldap/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
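Review bot: With `bind_secret_id: false` and `use_deterministic_role_id: true` nothing secret is presented at login: the role ID is derivable and the four `/32` entries in `token_bound_cidrs` become the only factor, so any process on those hosts, or anything able to source traffic from those addresses (a shared NAT, a proxy in front of Vault), can mint a token for this role. That may well be the intended host-bound design, but the file has no comment saying so while the policy file in this same commit does; add a header such as `# secretless, host-bound AppRole: login is gated solely by token_bound_cidrs, keep this list to the Terraform runner hosts only`. Consider also setting `token_num_uses` so a leaked 60-second token cannot be replayed freely within its TTL, and confirm Vault sees the real client address rather than a load balancer's, otherwise the CIDR check does not bind to the hosts you think it does.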
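Review bot: `ttl: 60` and `max_ttl: 60` appear to be seconds (Vault's default unit for bare integer durations), which yields a Consul token that dies one minute after issue with no renewal headroom; if these credentials back a Terraform run that takes longer than that, the run fails part-way with a permission error rather than at the start. State the unit and intent in a comment, e.g. `# seconds: the Consul token only needs to outlive one short terraform plan/apply`, or raise `max_ttl` to match the AppRole's `token_max_ttl: 120` so the two lifetimes agree. `datacenters: []` is ambiguous to a reader (all datacenters, or none?); spell out what the consumer does with an empty list.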
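Review bot: The same principal is spelled two ways within this one file: `terraform-ldap` on the creds path and `terraform_ldap` under `auth.approle`, mirroring the hyphen/underscore split between the new file names. If the underscore is forced by AppRole naming, a comment on the `approle:` entry saying so, e.g. `# AppRole names use underscores; the consul role/path uses hyphens`, stops the next maintainer from "fixing" one to match the other; otherwise pick one spelling across all four files. Granting only `read` on the single `creds/` path is the right minimum and should stay that way.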
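Review bot: `session_prefix ""` with `policy = "write"` lets this token create and destroy every session in the datacenter, not just its own, so a compromised Terraform runner could break other services' session-based locks. Consul session rules are scoped by node name, so if the runners have stable node names the rule can be narrowed to one `session "<runner-node>" { policy = "write" }` block per host (the four hosts in the AppRole's CIDR list look like the candidates). If the catch-all prefix is needed because runner node names vary, say so: `# session write on all nodes: terraform's consul backend locks state under the runner's own node name`. A header comment naming what `infra/terraform/ldap/` holds (presumably Terraform state for the LDAP stack) would also help a reader judge whether `write` on that prefix is the right scope.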