From dca26029c0a8fff0c42ba212c73c5704f38b0a0c Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 15 Feb 2026 13:36:10 +1100
Subject: [PATCH] feat: add terraform-ldap service

- add consul role/policy/acls to allow terraform-ldap state management
- add approle to generate tokens for consul
---
 config/auth_approle_role/approle/terraform_ldap.yaml | 9 +++++++++
 .../consul_root/au/syd1/terraform-ldap.yaml | 5 +++++
 policies/consul_root/au/syd1/creds/terraform-ldap.yaml | 10 ++++++++++
 .../consul_root/au/syd1/terraform-ldap.hcl | 7 +++++++
 4 files changed, 31 insertions(+)
 create mode 100644 config/auth_approle_role/approle/terraform_ldap.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-ldap.yaml
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl

diff --git a/config/auth_approle_role/approle/terraform_ldap.yaml b/config/auth_approle_role/approle/terraform_ldap.yaml
new file mode 100644
index 0000000..7b880b0
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_ldap.yaml
@@ -0,0 +1,9 @@
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml
new file mode 100644
index 0000000..c4fb024
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-ldap.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-ldap
+ttl: 60
+max_ttl: 60
+datacenters: []
diff --git a/policies/consul_root/au/syd1/creds/terraform-ldap.yaml b/policies/consul_root/au/syd1/creds/terraform-ldap.yaml
new file mode 100644
index 0000000..852999f
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-ldap.yaml
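Review bot: With `bind_secret_id: false` the approle in config/auth_approle_role/approle/terraform_ldap.yaml presents no secret ID at login, so the four `/32` entries under `token_bound_cidrs` are the only login constraint, and `use_deterministic_role_id: true` suggests the role ID is predictable rather than random (what the loader does with that key is not visible here). That is a common pattern for a fixed automation host, but the file should state it, e.g. `# CIDR-bound login only: no secret_id, so the /32s below are the sole auth factor`. The `token_ttl: 60` / `token_max_ttl: 120` values are presumably seconds if they are passed straight to Vault, which reads bare integers as seconds; if minutes were intended they need a unit suffix. The consul_secret_backend_role file in the next hunk likewise lacks a header comment and `---`, unlike the policy file in this commit.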
@@ -0,0 +1,10 @@
+# generate credentials for the terraform-ldap role in consul
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-ldap"
+ capabilities:
+ - read
+
+auth:
+ approle:
+ - terraform_ldap
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl
new file mode 100644
index 0000000..70d0a17
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-ldap.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/ldap/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
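Review bot: The `auth` block binds this policy to approle `terraform_ldap` (underscore) while the path it grants, the Consul role and the HCL file all use `terraform-ldap` (hyphen); if the approle name is taken from the config file name `terraform_ldap.yaml` that is consistent, but it reads like a typo, so a comment such as `# approle name matches config/auth_approle_role/approle/terraform_ldap.yaml` would help. `read` on the creds path is what the Consul secrets engine needs to issue a token, so the capability list itself looks right. In this rendering the nesting under `rules` appears flattened (`capabilities` at the same column as `- path`); presumably the committed file indents it under the list item — worth confirming it parses.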
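Review bot: `session_prefix ""` with `policy = "write"` grants session create and destroy on every node in the datacenter, which is much broader than the single state lock the `infra/terraform/ldap/` key prefix implies. Consul session rules are keyed by node name, so if the Terraform runners' Consul node names are stable (the approle binds four `/32`s), scoping to them with one `session "<runner-node-name>" { policy = "write" }` block per runner would limit what a leaked token can do. If the node names are not fixed, keep the prefix but say why, e.g. `# session write on all nodes: runner node names are not stable`. The trailing slash on `key_prefix "infra/terraform/ldap/"` is correct and keeps sibling prefixes out of scope.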