unkin/terraform-vault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add tf_vault required policies

Browse Source 
move management of Vault back to tf_vault approle. for this, we need to
create a number of policies that are missing.

- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
This commit is contained in:
Ben Vincent 2026-02-14 18:39:21 +11:00
parent f8f1185b42
commit fd03727ec2
12 changed files with 159 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
policies/consul_root/au/syd1/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure consul secret backend
---
rules:
- path: "consul_root/au/syd1/config/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

14
policies/consul_root/au/syd1/roles/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to manage consul secret backend roles
---
rules:
- path: "consul_root/au/syd1/roles/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

14
policies/kv/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure KV secret backend
---
rules:
- path: "kv/config"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

14
policies/pki/au/syd1/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure pki/au/syd1 secret backend
---
rules:
- path: "pki/au/syd1/config/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

11
policies/pki/au/syd1/issuer/admin.yaml Normal file
View File

@ -0,0 +1,11 @@
# Allow access to read pki/au/syd1 issuers
---
rules:
- path: "pki/au/syd1/issuer/*"
capabilities:
- read
- list
auth:
approle:
- tf_vault

14
policies/pki_int/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure pki_int secret backend
---
rules:
- path: "pki_int/config/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

11
policies/pki_int/issuer/admin.yaml Normal file
View File

@ -0,0 +1,11 @@
# Allow access to read pki_int issuers
---
rules:
- path: "pki_int/issuer/*"
capabilities:
- read
- list
auth:
approle:
- tf_vault

14
policies/pki_root/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure pki_root secret backend
---
rules:
- path: "pki_root/config/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

11
policies/pki_root/issuer/admin.yaml Normal file
View File

@ -0,0 +1,11 @@
# Allow access to read pki_root issuers
---
rules:
- path: "pki_root/issuer/*"
capabilities:
- read
- list
auth:
approle:
- tf_vault

14
policies/pki_root/roles/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to manage pki_root secret backend roles
---
rules:
- path: "pki_root/roles/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

14
policies/rundeck/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure rundeck KV secret backend
---
rules:
- path: "rundeck/config"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault

14
policies/sshca/config/admin.yaml Normal file
View File

@ -0,0 +1,14 @@
# Allow access to configure SSH CA secret backend
---
rules:
- path: "sshca/config/*"
capabilities:
- create
- update
- delete
- read
- list
auth:
approle:
- tf_vault