From f2c54888defa7de3585180a3cd3f232c9e3ef846 Mon Sep 17 00:00:00 2001 From: Ben Vincent Date: Mon, 6 Jul 2026 23:05:20 +1000 Subject: [PATCH] policies: let terraform-authentik read oauth client secrets from kv (#81) ## Why terraform-authentik now reads OAuth2 client secrets from Vault (`data.vault_kv_secret_v2`) rather than committing them (terraform-authentik #2). But the `terraform_authentik` approle / `woodpecker_terraform_authentik` k8s role only had the consul-creds policy, so `plan` fails with permission denied on the grafana oauth path. ## Change Add `policies/kv/service/terraform/authentik.yaml` granting read on `kv/data/kubernetes/namespace/+/default/oauth-credentials` for both the approle and the woodpecker k8s role. Reviewed-on: https://git.unkin.net/unkin/terraform-vault/pulls/81 Co-authored-by: Ben Vincent Co-committed-by: Ben Vincent --- policies/kv/service/terraform/authentik.yaml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) create mode 100644 policies/kv/service/terraform/authentik.yaml diff --git a/policies/kv/service/terraform/authentik.yaml b/policies/kv/service/terraform/authentik.yaml new file mode 100644 index 0000000..29adda4 --- /dev/null +++ b/policies/kv/service/terraform/authentik.yaml @@ -0,0 +1,15 @@ +# Allow the Terraform Authentik runner to read OAuth2/OIDC client secrets that +# back authentik providers. Secrets live under each target service's kv +# namespace path (kv/kubernetes/namespace//default/oauth-credentials) and +# are read by the module's data.vault_kv_secret_v2 lookups. +--- +rules: + - path: "kv/data/kubernetes/namespace/+/default/oauth-credentials" + capabilities: + - read + +auth: + approle: + - terraform_authentik + k8s/au/syd1: + - woodpecker_terraform_authentik