7 Commits

Author SHA1 Message Date
unkinben 65f844cbe1 Fix: add policy binding for forgebot K8s auth role
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Every K8s auth role needs at least one entry in the policy_auth_map.
Add a policy granting the forgebot role read access to the namespace-
scoped KV path, which the operator SA needs when authenticating with
the forgebot role instead of the default role.
2026-06-08 23:00:35 +10:00
benvin b9632f39e4 Merge branch 'master' into feature/forgebot-vault-access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
2026-06-08 22:57:54 +10:00
unkinben f5803605d6 Simplify: use default templated policy for forgebot KV access
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline failed
The default K8s auth policy already provides namespace-scoped access to
kv/data/kubernetes/namespace/{namespace}/{sa}/* via identity templating.
Forgebot secrets should be stored at kv/kubernetes/namespace/forgebot/default/*
instead of kv/service/forgebot/*, eliminating the need for 5 individual
policies. The forgebot K8s auth role is kept for the forgebot-operator SA.
2026-06-08 22:54:58 +10:00
unkinben 2c4d0d7f64 Add Vault access for forgebot service
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was canceled
K8s auth role binding for forgebot namespace (default + forgebot-operator
service accounts) and KV read policies for environment config, LiteLLM
API key, Gitea token, PostgreSQL credentials, and webhook secret.
2026-06-08 22:53:25 +10:00
unkinben a29ff9fe6a fix: use gitadmin woodpecker token path
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
2026-06-08 19:08:12 +10:00
unkinben 12680f93cd feat: replace webhook secrets policy with woodpecker token policy
ci/woodpecker/pr/pre-commit Pipeline was successful
ci/woodpecker/pr/plan Pipeline was successful
Webhook URLs are now managed by the Woodpecker terraform provider
instead of being stored in Vault. Add read policy for the Woodpecker
API token at kv/data/service/woodpecker/tokens/terraform-git.
2026-06-08 16:17:00 +10:00
unkinben 132e5ea4d9 feat: add vault policy for terraform-git webhook secrets
ci/woodpecker/pr/plan Pipeline failed
ci/woodpecker/pr/pre-commit Pipeline failed
Allow terraform-git to read webhook URLs stored in
kv/data/service/gitea/webhook/* via approle and k8s auth.
2026-06-08 16:11:58 +10:00
59 changed files with 13 additions and 746 deletions
@@ -1,9 +0,0 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -1,9 +0,0 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -1,9 +0,0 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -1,9 +0,0 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -1,9 +0,0 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -1,9 +0,0 @@
token_ttl: 120
token_max_ttl: 120
bind_secret_id: false
token_bound_cidrs:
- "10.10.12.200/32"
- "198.18.25.102/32"
- "198.18.26.91/32"
- "198.18.27.40/32"
use_deterministic_role_id: true
@@ -1,7 +1,8 @@
bound_service_account_names:
- terraform-sonarr
- default
- forgebot-operator
bound_service_account_namespaces:
- woodpecker
- forgebot
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
audience: vault
@@ -1,7 +0,0 @@
bound_service_account_names:
- terraform-artifactapi
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -1,7 +0,0 @@
bound_service_account_names:
- terraform-authentik
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -1,7 +0,0 @@
bound_service_account_names:
- terraform-prowlarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -1,7 +0,0 @@
bound_service_account_names:
- terraform-radarr
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
@@ -1,7 +0,0 @@
bound_service_account_names:
- terraform-rancher
bound_service_account_namespaces:
- woodpecker
token_ttl: 600
token_max_ttl: 600
audience: https://kubernetes.default.svc.cluster.local
-26
View File
@@ -185,31 +185,5 @@ locals {
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "pki_mount_only/")
}
litellm_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "litellm_secret_backend/")
}
litellm_secret_backend_role = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "litellm_secret_backend_role/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "litellm_secret_backend_role/", ""))
})
if startswith(file_path, "litellm_secret_backend_role/")
}
gpg_secret_backend = {
for file_path, content in local.all_configs :
trimsuffix(basename(file_path), ".yaml") => content
if startswith(file_path, "gpg_secret_backend/")
}
gpg_key = {
for file_path, content in local.all_configs :
trimsuffix(replace(file_path, "gpg_key/", ""), ".yaml") => merge(content, {
name = trimsuffix(basename(file_path), ".yaml")
backend = dirname(replace(file_path, "gpg_key/", ""))
})
if startswith(file_path, "gpg_key/")
}
}
}
@@ -1,5 +0,0 @@
consul_roles:
- terraform-artifactapi
ttl: 120
max_ttl: 300
datacenters: []
@@ -1,5 +0,0 @@
consul_roles:
- terraform-authentik
ttl: 120
max_ttl: 300
datacenters: []
@@ -1,5 +0,0 @@
consul_roles:
- terraform-prowlarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -1,5 +0,0 @@
consul_roles:
- terraform-radarr
ttl: 120
max_ttl: 300
datacenters: []
@@ -1,5 +0,0 @@
consul_roles:
- terraform-rancher
ttl: 120
max_ttl: 300
datacenters: []
@@ -1,5 +0,0 @@
consul_roles:
- terraform-sonarr
ttl: 120
max_ttl: 300
datacenters: []
-7
View File
@@ -1,7 +0,0 @@
# config/gpg_key/gpg/pass.yaml
# An OpenPGP key in the gpg engine for password-store (passv). The private key
# stays in Vault; clients import the exported public key to encrypt and delegate
# decryption to gpg/decrypt/pass. Key name = "pass", backend = "gpg".
algorithm: rsa-4096
identity: "pass <pass@unkin.net>"
exportable: false
-9
View File
@@ -1,9 +0,0 @@
# config/gpg_secret_backend/gpg.yaml
# Registers the vault-plugin-secrets-gpg plugin and mounts it at "gpg".
# The binary is installed on the OpenBao nodes by Puppet
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg).
#
# sha256 pins the released v0.1.0 binary; bump it in lockstep with any RPM
# upgrade or OpenBao will refuse to launch the plugin.
description: "GPG/OpenPGP secrets engine (sign/verify/encrypt/decrypt)"
sha256: "0e92d7408795688badb55789bc1604e8f1dd4d71998656c7f831991fce9a7b20"
@@ -1,6 +0,0 @@
# Mounts the LiteLLM dynamic secrets engine at "litellm" and writes its config.
# The master key is sensitive and read from KV, not stored here:
# kv/service/vault/au/syd1/secret_backend/litellm -> key "master_key"
description: "LiteLLM dynamic virtual keys"
base_url: "https://litellm.k8s.syd1.au.unkin.net"
request_timeout_seconds: 30
@@ -1,9 +0,0 @@
---
models:
- claude-opus-4-7
max_budget: 5
ttl: 3600 # seconds (1h)
max_ttl: 86400 # seconds (24h)
metadata:
team: testuser
env: prod
@@ -1,10 +0,0 @@
---
models:
- claude-haiku-4-5
- claude-sonnet-4-6
max_budget: 50
ttl: 3600 # seconds (1h)
max_ttl: 86400 # seconds (24h)
metadata:
team: mailfiltering
env: prod
-4
View File
@@ -68,10 +68,6 @@ inputs = {
kubernetes_secret_backend = local.config.kubernetes_secret_backend
kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
pki_mount_only = local.config.pki_mount_only
litellm_secret_backend = local.config.litellm_secret_backend
litellm_secret_backend_role = local.config.litellm_secret_backend_role
gpg_secret_backend = local.config.gpg_secret_backend
gpg_key = local.config.gpg_key
# Pass policy maps to vault_cluster module
policy_auth_map = local.policies.policy_auth_map
-20
View File
@@ -11,18 +11,6 @@ provider "vault" {
address = local.vault_addr
}
# The LiteLLM secrets engine is managed through its own provider, which talks to
# the same Vault server. Token falls back to the VAULT_TOKEN environment variable.
provider "litellm" {
address = local.vault_addr
}
# The gpg secrets engine's keys are managed through its own provider (same Vault
# server; token falls back to VAULT_TOKEN).
provider "gpg" {
address = local.vault_addr
}
terraform {
backend "consul" {
address = "https://consul.service.consul"
@@ -41,14 +29,6 @@ terraform {
source = "hashicorp/consul"
version = "2.23.0"
}
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
gpg = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0"
}
}
}
EOF
-59
View File
@@ -303,65 +303,6 @@ module "kubernetes_secret_backend_role" {
depends_on = [module.kubernetes_secret_backend]
}
module "litellm_secret_backend" {
source = "./modules/litellm_secret_backend"
for_each = var.litellm_secret_backend
country = var.country
region = var.region
path = each.key
plugin = each.value.plugin
description = each.value.description
base_url = each.value.base_url
request_timeout_seconds = each.value.request_timeout_seconds
}
module "litellm_secret_backend_role" {
source = "./modules/litellm_secret_backend_role"
for_each = var.litellm_secret_backend_role
name = each.value.name
backend = each.value.backend
models = each.value.models
max_budget = each.value.max_budget
key_alias_prefix = each.value.key_alias_prefix
ttl = each.value.ttl
max_ttl = each.value.max_ttl
metadata = each.value.metadata
depends_on = [module.litellm_secret_backend]
}
module "gpg_secret_backend" {
source = "./modules/gpg_secret_backend"
for_each = var.gpg_secret_backend
path = each.key
plugin = each.value.plugin
command = each.value.command
sha256 = each.value.sha256
description = each.value.description
}
module "gpg_key" {
source = "./modules/gpg_key"
for_each = var.gpg_key
backend = each.value.backend
name = each.value.name
algorithm = each.value.algorithm
identity = each.value.identity
exportable = each.value.exportable
deletion_allowed = each.value.deletion_allowed
min_decryption_version = each.value.min_decryption_version
depends_on = [module.gpg_secret_backend]
}
module "vault_policy" {
source = "./modules/vault_policy"
@@ -1,12 +0,0 @@
# Manages an OpenPGP key inside a gpg secrets engine mount, via the
# gpgvaultsecret provider. The private key never leaves Vault; consumers use the
# exported public_key to encrypt and delegate decryption back to the engine.
resource "gpg_key" "this" {
backend = var.backend
name = var.name
algorithm = var.algorithm
identity = var.identity
exportable = var.exportable
deletion_allowed = var.deletion_allowed
min_decryption_version = var.min_decryption_version
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
gpg = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/gpgvaultsecret"
version = "0.1.0"
}
}
}
@@ -1,39 +0,0 @@
variable "backend" {
description = "Mount path of the gpg secrets engine (e.g. \"gpg\")"
type = string
}
variable "name" {
description = "Name of the key"
type = string
}
variable "algorithm" {
description = "Key algorithm: rsa-2048, rsa-3072, rsa-4096 or ed25519"
type = string
default = "rsa-3072"
}
variable "identity" {
description = "OpenPGP User ID (defaults to the key name)"
type = string
default = null
}
variable "exportable" {
description = "Allow exporting the private key (enable-only)"
type = bool
default = false
}
variable "deletion_allowed" {
description = "Whether the key may be deleted"
type = bool
default = false
}
variable "min_decryption_version" {
description = "Minimum key version usable for decryption/verification"
type = number
default = null
}
@@ -1,20 +0,0 @@
# Registers the GPG/OpenPGP secrets plugin in the catalog and mounts it. The
# plugin binary is installed on the OpenBao nodes by Puppet
# (openbao-plugin-secrets-gpg RPM -> /opt/openbao-plugins/vault-plugin-secrets-gpg);
# `command` is that filename, resolved relative to the server's plugin_directory.
#
# The sha256 is pinned here to the released binary. Puppet installs the RPM
# floating, so on a plugin upgrade this sha256 must be bumped in lockstep or
# OpenBao will refuse to launch the plugin.
resource "vault_plugin" "this" {
type = "secret"
name = var.plugin
command = var.command
sha256 = var.sha256
}
resource "vault_mount" "this" {
path = var.path
type = vault_plugin.this.name
description = var.description
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
}
}
@@ -1,27 +0,0 @@
variable "path" {
description = "Mount path of the GPG secrets engine (e.g. \"gpg\")"
type = string
}
variable "plugin" {
description = "Name to register the plugin under in the catalog (also the mount type)"
type = string
default = "vault-plugin-secrets-gpg"
}
variable "command" {
description = "Plugin binary filename, relative to the server plugin_directory"
type = string
default = "vault-plugin-secrets-gpg"
}
variable "sha256" {
description = "SHA-256 of the installed plugin binary; must match the on-disk binary or OpenBao rejects it"
type = string
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
@@ -1,14 +0,0 @@
# Expected keys in KV secret: master_key
data "vault_kv_secret_v2" "secret_backend_config" {
mount = "kv"
name = "service/vault/${var.country}/${var.region}/secret_backend/${var.path}"
}
resource "litellm_secret_backend" "this" {
path = var.path
plugin = var.plugin
description = var.description
base_url = var.base_url
master_key = data.vault_kv_secret_v2.secret_backend_config.data["master_key"]
request_timeout_seconds = var.request_timeout_seconds
}
@@ -1,13 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
vault = {
source = "hashicorp/vault"
version = "5.6.0"
}
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
}
}
@@ -1,37 +0,0 @@
variable "country" {
description = "Country identifier (used to locate the KV secret holding the master key)"
type = string
}
variable "region" {
description = "Region identifier (used to locate the KV secret holding the master key)"
type = string
}
variable "path" {
description = "Mount path of the LiteLLM secrets engine"
type = string
}
variable "plugin" {
description = "Registered plugin name/type to mount"
type = string
default = "vault-plugin-secrets-litellm"
}
variable "description" {
description = "Human-friendly description of the mount"
type = string
default = null
}
variable "base_url" {
description = "Base URL of the LiteLLM proxy (e.g. http://litellm.litellm.svc:4000)"
type = string
}
variable "request_timeout_seconds" {
description = "HTTP timeout in seconds for calls from the plugin to the LiteLLM proxy"
type = number
default = 30
}
@@ -1,10 +0,0 @@
resource "litellm_secret_backend_role" "this" {
backend = var.backend
name = var.name
models = var.models
max_budget = var.max_budget
key_alias_prefix = var.key_alias_prefix
ttl = var.ttl
max_ttl = var.max_ttl
metadata = var.metadata
}
@@ -1,9 +0,0 @@
terraform {
required_version = ">= 1.10"
required_providers {
litellm = {
source = "artifactapi.k8s.syd1.au.unkin.net/terraform-unkin/litellmvaultsecret"
version = "0.1.0"
}
}
}
@@ -1,45 +0,0 @@
variable "name" {
description = "Name of the role"
type = string
}
variable "backend" {
description = "Mount path of the LiteLLM secrets engine this role belongs to"
type = string
}
variable "models" {
description = "Models a generated key may access. Empty means unrestricted"
type = list(string)
default = null
}
variable "max_budget" {
description = "Spending limit applied to each generated key. 0 means unlimited"
type = number
default = null
}
variable "key_alias_prefix" {
description = "Prefix for the auto-generated key alias"
type = string
default = null
}
variable "ttl" {
description = "Default lease TTL in seconds for keys generated from this role"
type = number
default = null
}
variable "max_ttl" {
description = "Maximum lease TTL in seconds for keys generated from this role"
type = number
default = null
}
variable "metadata" {
description = "Metadata attached to each generated key"
type = map(string)
default = null
}
-51
View File
@@ -289,57 +289,6 @@ variable "kubernetes_secret_backend_role" {
default = {}
}
variable "litellm_secret_backend" {
description = "Map of LiteLLM secret engines to create (mount + config). The master key is read from KV"
type = map(object({
plugin = optional(string, "vault-plugin-secrets-litellm")
description = optional(string)
base_url = string
request_timeout_seconds = optional(number, 30)
}))
default = {}
}
variable "litellm_secret_backend_role" {
description = "Map of LiteLLM roles to create"
type = map(object({
name = string
backend = string
models = optional(list(string))
max_budget = optional(number)
key_alias_prefix = optional(string)
ttl = optional(number)
max_ttl = optional(number)
metadata = optional(map(string))
}))
default = {}
}
variable "gpg_secret_backend" {
description = "Map of GPG/OpenPGP secret engines to register + mount (path => plugin sha256 + config)"
type = map(object({
plugin = optional(string, "vault-plugin-secrets-gpg")
command = optional(string, "vault-plugin-secrets-gpg")
sha256 = string
description = optional(string)
}))
default = {}
}
variable "gpg_key" {
description = "Map of OpenPGP keys to manage in a gpg engine mount"
type = map(object({
name = string
backend = string
algorithm = optional(string, "rsa-3072")
identity = optional(string)
exportable = optional(bool, false)
deletion_allowed = optional(bool, false)
min_decryption_version = optional(number)
}))
default = {}
}
variable "policy_auth_map" {
description = "Map of auth mounts -> auth roles -> policy names"
type = map(map(list(string)))
@@ -1,11 +0,0 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-artifactapi"
capabilities:
- read
auth:
approle:
- terraform_artifactapi
k8s/au/syd1:
- woodpecker_terraform_artifactapi
@@ -1,11 +0,0 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-authentik"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik
@@ -1,11 +0,0 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-prowlarr"
capabilities:
- read
auth:
approle:
- terraform_prowlarr
k8s/au/syd1:
- woodpecker_terraform_prowlarr
@@ -1,11 +0,0 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-radarr"
capabilities:
- read
auth:
approle:
- terraform_radarr
k8s/au/syd1:
- woodpecker_terraform_radarr
@@ -1,11 +0,0 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-rancher"
capabilities:
- read
auth:
approle:
- terraform_rancher
k8s/au/syd1:
- woodpecker_terraform_rancher
@@ -1,11 +0,0 @@
---
rules:
- path: "consul_root/au/syd1/creds/terraform-sonarr"
capabilities:
- read
auth:
approle:
- terraform_sonarr
k8s/au/syd1:
- woodpecker_terraform_sonarr
@@ -0,0 +1,9 @@
---
rules:
- path: "kv/data/kubernetes/namespace/forgebot/*"
capabilities:
- read
auth:
k8s/au/syd1:
- forgebot
@@ -6,8 +6,5 @@ rules:
- read
auth:
approle:
- terraform_prowlarr
k8s/au/syd1:
- media-apps
- woodpecker_terraform_prowlarr
@@ -6,8 +6,5 @@ rules:
- read
auth:
approle:
- terraform_radarr
k8s/au/syd1:
- media-apps
- woodpecker_terraform_radarr
@@ -6,8 +6,5 @@ rules:
- read
auth:
approle:
- terraform_sonarr
k8s/au/syd1:
- media-apps
- woodpecker_terraform_sonarr
@@ -1,18 +0,0 @@
# Allow the Terraform Authentik runner to read:
# - its own Authentik API token (provider auth), and
# - OAuth2/OIDC client secrets that back authentik providers (per target
# service's kv namespace path, via the module's data.vault_kv_secret_v2).
---
rules:
- path: "kv/data/service/terraform/authentik"
capabilities:
- read
- path: "kv/data/kubernetes/namespace/+/default/oauth-credentials"
capabilities:
- read
auth:
approle:
- terraform_authentik
k8s/au/syd1:
- woodpecker_terraform_authentik
@@ -1,18 +0,0 @@
# Allow the Terraform Rancher runner to read:
# - its own Rancher admin API token (rancher2 provider auth), and
# - the OAuth2/OIDC client secret backing the Rancher keycloakoidc AuthConfig
# (same secret Authentik sets on the provider).
---
rules:
- path: "kv/data/service/terraform/rancher"
capabilities:
- read
- path: "kv/data/kubernetes/namespace/cattle-system/default/oauth-credentials"
capabilities:
- read
auth:
approle:
- terraform_rancher
k8s/au/syd1:
- woodpecker_terraform_rancher
-26
View File
@@ -1,26 +0,0 @@
# Allow management of the LiteLLM secrets engine (config and roles)
---
rules:
- path: "litellm/config"
capabilities:
- create
- update
- read
- delete
- path: "litellm/roles/*"
capabilities:
- create
- update
- delete
- read
- list
- path: "litellm/roles"
capabilities:
- read
- list
auth:
approle:
- tf_vault
k8s/au/syd1:
- woodpecker_terraform_vault
@@ -1,7 +0,0 @@
key_prefix "infra/terraform/artifactapi/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -1,7 +0,0 @@
key_prefix "infra/terraform/authentik/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -1,7 +0,0 @@
key_prefix "infra/terraform/prowlarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -1,7 +0,0 @@
key_prefix "infra/terraform/radarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -1,7 +0,0 @@
key_prefix "infra/terraform/rancher/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}
@@ -1,7 +0,0 @@
key_prefix "infra/terraform/sonarr/" {
policy = "write"
}
session_prefix "" {
policy = "write"
}