From d508dcd4a9056e93a13259348c82ea49da45c7a7 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 27 Apr 2025 16:24:24 +1000
Subject: [PATCH] feat: enable access to puppetcerts

- enable the terraform-incus repo to access puppet certs
---
 auth_approle_terraform_incus.tf | 1 +
 policies.tf | 1 +
 .../service/puppet/certificates/terraform_puppet_cert.hcl | 6 ++++++
 3 files changed, 8 insertions(+)
 create mode 100644 policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl

diff --git a/auth_approle_terraform_incus.tf b/auth_approle_terraform_incus.tf
index b6a30f9..393faff 100644
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@@ -4,6 +4,7 @@ resource "vault_approle_auth_backend_role" "terraform_incus" {
 token_policies = [
 "default_access",
 "incus",
+ "terraform_puppet_cert",
 ]
 token_ttl = 60
 token_max_ttl = 120
diff --git a/policies.tf b/policies.tf
index 891de5c..8479aad 100644
--- a/policies.tf
+++ b/policies.tf
@@ -15,6 +15,7 @@ locals {
 "policies/kv/service/glauth/services",
 "policies/kv/service/incus",
 "policies/kv/service/packer",
+ "policies/kv/service/puppet/certificates",
 "policies/kv/service/puppetapi",
 "policies/kv/service/terraform",
 ]
diff --git a/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
new file mode 100644
index 0000000..6a31417
--- /dev/null
+++ b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl
@@ -0,0 +1,6 @@
+path "kv/data/service/puppet/certificates/terraform" {
+ capabilities = ["read"]
+}
+path "kv/data/service/puppet/certificates/ca" {
+ capabilities = ["read"]
+}
--
2.47.3
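Review bot: The added entry `"terraform_puppet_cert"` in token_policies is a free-form string that, as far as I know, Vault does not validate against existing policies when the AppRole is written, so a typo here or a later rename of the .hcl file would not fail the apply; the role would keep minting tokens without the intended grant and the problem would only surface at the first read. Presumably the policy is created by a `vault_policy` resource from the new file in policies/kv/service/puppet/certificates (the directory the policies.tf hunk now lists); if so, referencing that resource's name attribute instead of the literal, e.g. `vault_policy.<policy_key>.name` with whatever key that file gets, both catches a mismatch at plan time and gives Terraform the create-before-reference ordering. The same applies to the policies.tf hunk, where the directory string must agree with where the new file actually lives. The `resource "vault_approle_auth_backend_role"` block begins and ends outside this hunk.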
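Review bot: The new policy file carries no header comment stating what the two secrets are or which identity consumes them, which matters for a read grant on a certificate path that may hold private-key material. I would add at the top `# Read-only grant for the terraform-incus AppRole: its own Puppet certificate (certificates/terraform)` and `# and the Puppet CA bundle (certificates/ca). Two explicit paths, not a glob, so other hosts' certs stay out of scope.` Keeping the two `path` stanzas explicit rather than collapsing them to `certificates/*` is the right call and is worth stating so a later cleanup does not widen it; note also that `read` on a `kv/data/` path in KV v2 allows fetching earlier versions of the secret via the version parameter, which is fine only if rotated certificate material is meant to stay readable by this role.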