Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.
Reviewed-on: #79
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time
## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge
Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token
---------
Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
- Create four RBAC roles with external YAML configuration:
* media-apps-operator: namespaced role for media-apps with selective permissions
* cluster-operator: cluster-wide read-only access to specific API groups
* cluster-admin: cluster-wide full access to specific API groups
* cluster-root: cluster-wide superuser access to all resources
- Add Vault policies for credential generation for each role
- Add admin policies for kubernetes auth backend configuration and role management
- Refactor kubernetes auth backend to use shared locals for CA certificate
- Update terraform-vault approle with required kubernetes policies
- update kubernetes_host to match value in jwt
- regenerate jwt token and store in vault
- add policy to enable access to jwt token
- update tf_deploy user with access to token