Applying the litellm mount failed with 403 permission denied on
PUT litellm/config: the deployer identity (tf_vault approle /
woodpecker_terraform_vault k8s role) could enable the mount via
sys/mounts/admin but had no policy covering the engine's own data paths.
Add a litellm/admin policy granting create/read/update/delete on
litellm/config and litellm/roles/*, assigned to the same auth roles as the
other secret-engine admin policies.
## Why
terraform-authentik's provider needs an Authentik API token (`TF_VAR_authentik_token`), now sourced from Vault at `kv/service/terraform/authentik` (Makefile wiring in terraform-authentik #2). The CI role needs read access to that path.
## Change
Extend `policies/kv/service/terraform/authentik.yaml` to also grant read on `kv/data/service/terraform/authentik` for the `terraform_authentik` approle + `woodpecker_terraform_authentik` k8s role.
Reviewed-on: #82
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
## Why
terraform-authentik now reads OAuth2 client secrets from Vault (`data.vault_kv_secret_v2`) rather than committing them (terraform-authentik #2). But the `terraform_authentik` approle / `woodpecker_terraform_authentik` k8s role only had the consul-creds policy, so `plan` fails with permission denied on the grafana oauth path.
## Change
Add `policies/kv/service/terraform/authentik.yaml` granting read on `kv/data/kubernetes/namespace/+/default/oauth-credentials` for both the approle and the woodpecker k8s role.
Reviewed-on: #81
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
Add Kubernetes auth roles, AppRole configs, Consul secret backend roles, Consul ACL policies, and Vault kv read policies for terraform-sonarr, terraform-radarr, and terraform-prowlarr.
Reviewed-on: #79
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
## Summary
- K8s auth role for Woodpecker CI (`terraform-authentik` SA in `woodpecker` namespace)
- AppRole for local terraform runs
- Consul secret backend role (`terraform-authentik`, TTL 120/300)
- Consul ACL policy for `infra/terraform/authentik/` key prefix
- Vault policy granting both auth methods access to Consul creds
Reviewed-on: #78
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
enable the terraform-artifactapi system to manage its state in consul
using dynamic credentials from kubernetes ci jobs in woodpecker
---------
Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #77
## Summary
- Add read policy for kv/data/service/gitea/webhook/* path
- Assigned to terraform_git approle and woodpecker_terraform_git k8s auth role
- Webhook URLs are stored in Vault KV and read at plan/apply time
## Test plan
- [ ] Verify terragrunt plan succeeds for terraform-git after merge
Reviewed-on: #75
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
- add approle for terraform-git
- add policy to read gitadmin token
- update access to the terraform-git consul token
---------
Co-authored-by: Ben Vincent <ben@unkin.net>
Reviewed-on: #74
## Summary
- Add K8s auth role woodpecker_terraform_git for CI pipeline authentication
- Add consul secret backend role terraform-git for consul state storage tokens
- Add consul ACL policy granting write access to infra/terraform/git/ key prefix
- Add vault policy for reading consul creds at consul_root/au/syd1/creds/terraform-git
## Test plan
- [ ] Verify terragrunt plan succeeds
- [ ] Verify consul ACL policy is created correctly
- [ ] Verify K8s auth role can authenticate from woodpecker namespace
Reviewed-on: #73
Co-authored-by: Ben Vincent <ben@unkin.net>
Co-committed-by: Ben Vincent <ben@unkin.net>
vault's terraform approle doesnt need to access all of these kubernetes
roles, it was just added as a placeholder and access to the kubernetes
roles was via the `vault_admin` to-much-access account. this is an
effort to roll back that and make access more targeted.
- add kubernetes* ldap groups for specific cluster/role combinations
- remove tf_vault from kubernetes* roles
- add approle for kubernetes terraform
- ensure it can access consul token for state storage
- ensure it can generate root token for managing kubernetes
move management of Vault back to tf_vault approle. for this, we need to
create a number of policies that are missing.
- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
This commit message captures the major architectural change of implementing Consul ACL management
with proper provider aliasing, along with the supporting configuration files and policy definitions
for various terraform services.
- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
- migrate from individual terraform files to config-driven terragrunt module structure
- add vault_cluster module with config discovery system
- replace individual .tf files with centralized config.hcl
- restructure auth and secret backends as configurable modules
- move auth roles and secret backends to yaml-based configuration
- convert policies from .hcl to .yaml format, add rules/auth definition
- add pre-commit hooks for yaml formatting and file cleanup
- add terragrunt cache to gitignore
- update makefile with terragrunt commands and format target
- Add Kubernetes secrets engine at kubernetes/au/syd1 path
- Create four RBAC roles with external YAML configuration:
* media-apps-operator: namespaced role for media-apps with selective permissions
* cluster-operator: cluster-wide read-only access to specific API groups
* cluster-admin: cluster-wide full access to specific API groups
* cluster-root: cluster-wide superuser access to all resources
- Add Vault policies for credential generation for each role
- Add admin policies for kubernetes auth backend configuration and role management
- Refactor kubernetes auth backend to use shared locals for CA certificate
- Update terraform-vault approle with required kubernetes policies
- update kubernetes_host to match value in jwt
- regenerate jwt token and store in vault
- add policy to enable access to jwt token
- update tf_deploy user with access to token