feat: add tf_vault required policies

move management of Vault back to tf_vault approle. for this, we need to create a number of policies that are missing. - add policies to manage consul secret engines - add policies to manage pki secret engines - add policies to manage kv secret engines - add policies to manage ssh secret engines
2026-02-14 18:39:21 +11:00 · 2026-02-14 18:39:21 +11:00 · fd03727ec2
commit fd03727ec2
parent f8f1185b42
12 changed files with 159 additions and 0 deletions
--- a/policies/consul_root/au/syd1/config/admin.yaml
+++ b/policies/consul_root/au/syd1/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure consul secret backend
+---
+rules:
+  - path: "consul_root/au/syd1/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/consul_root/au/syd1/roles/admin.yaml
+++ b/policies/consul_root/au/syd1/roles/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to manage consul secret backend roles
+---
+rules:
+  - path: "consul_root/au/syd1/roles/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/kv/config/admin.yaml
+++ b/policies/kv/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure KV secret backend
+---
+rules:
+  - path: "kv/config"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki/au/syd1/config/admin.yaml
+++ b/policies/pki/au/syd1/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure pki/au/syd1 secret backend
+---
+rules:
+  - path: "pki/au/syd1/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki/au/syd1/issuer/admin.yaml
+++ b/policies/pki/au/syd1/issuer/admin.yaml
@ -0,0 +1,11 @@
+# Allow access to read pki/au/syd1 issuers
+---
+rules:
+  - path: "pki/au/syd1/issuer/*"
+    capabilities:
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki_int/config/admin.yaml
+++ b/policies/pki_int/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure pki_int secret backend
+---
+rules:
+  - path: "pki_int/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki_int/issuer/admin.yaml
+++ b/policies/pki_int/issuer/admin.yaml
@ -0,0 +1,11 @@
+# Allow access to read pki_int issuers
+---
+rules:
+  - path: "pki_int/issuer/*"
+    capabilities:
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki_root/config/admin.yaml
+++ b/policies/pki_root/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure pki_root secret backend
+---
+rules:
+  - path: "pki_root/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki_root/issuer/admin.yaml
+++ b/policies/pki_root/issuer/admin.yaml
@ -0,0 +1,11 @@
+# Allow access to read pki_root issuers
+---
+rules:
+  - path: "pki_root/issuer/*"
+    capabilities:
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/pki_root/roles/admin.yaml
+++ b/policies/pki_root/roles/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to manage pki_root secret backend roles
+---
+rules:
+  - path: "pki_root/roles/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/rundeck/config/admin.yaml
+++ b/policies/rundeck/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure rundeck KV secret backend
+---
+rules:
+  - path: "rundeck/config"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
--- a/policies/sshca/config/admin.yaml
+++ b/policies/sshca/config/admin.yaml
@ -0,0 +1,14 @@
+# Allow access to configure SSH CA secret backend
+---
+rules:
+  - path: "sshca/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault