From fd03727ec264178ebed34677cd3762a41e0fc1ca Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 14 Feb 2026 18:39:21 +1100
Subject: [PATCH] feat: add tf_vault required policies

move management of Vault back to tf_vault approle. for this, we need to create a number of policies that are missing.
- add policies to manage consul secret engines
- add policies to manage pki secret engines
- add policies to manage kv secret engines
- add policies to manage ssh secret engines
---
 policies/consul_root/au/syd1/config/admin.yaml | 14 ++++++++++++++
 policies/consul_root/au/syd1/roles/admin.yaml | 14 ++++++++++++++
 policies/kv/config/admin.yaml | 14 ++++++++++++++
 policies/pki/au/syd1/config/admin.yaml | 14 ++++++++++++++
 policies/pki/au/syd1/issuer/admin.yaml | 11 +++++++++++
 policies/pki_int/config/admin.yaml | 14 ++++++++++++++
 policies/pki_int/issuer/admin.yaml | 11 +++++++++++
 policies/pki_root/config/admin.yaml | 14 ++++++++++++++
 policies/pki_root/issuer/admin.yaml | 11 +++++++++++
 policies/pki_root/roles/admin.yaml | 14 ++++++++++++++
 policies/rundeck/config/admin.yaml | 14 ++++++++++++++
 policies/sshca/config/admin.yaml | 14 ++++++++++++++
 12 files changed, 159 insertions(+)
 create mode 100644 policies/consul_root/au/syd1/config/admin.yaml
 create mode 100644 policies/consul_root/au/syd1/roles/admin.yaml
 create mode 100644 policies/kv/config/admin.yaml
 create mode 100644 policies/pki/au/syd1/config/admin.yaml
 create mode 100644 policies/pki/au/syd1/issuer/admin.yaml
 create mode 100644 policies/pki_int/config/admin.yaml
 create mode 100644 policies/pki_int/issuer/admin.yaml
 create mode 100644 policies/pki_root/config/admin.yaml
 create mode 100644 policies/pki_root/issuer/admin.yaml
 create mode 100644 policies/pki_root/roles/admin.yaml
 create mode 100644 policies/rundeck/config/admin.yaml
 create mode 100644 policies/sshca/config/admin.yaml
diff --git a/policies/consul_root/au/syd1/config/admin.yaml b/policies/consul_root/au/syd1/config/admin.yaml
new file mode 100644
index 0000000..e974120
--- /dev/null
+++ b/policies/consul_root/au/syd1/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure consul secret backend
+---
+rules:
+  - path: "consul_root/au/syd1/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/consul_root/au/syd1/roles/admin.yaml b/policies/consul_root/au/syd1/roles/admin.yaml
new file mode 100644
index 0000000..f7feaeb
--- /dev/null
+++ b/policies/consul_root/au/syd1/roles/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to manage consul secret backend roles
+---
+rules:
+  - path: "consul_root/au/syd1/roles/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/kv/config/admin.yaml b/policies/kv/config/admin.yaml
new file mode 100644
index 0000000..f43cf73
--- /dev/null
+++ b/policies/kv/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure KV secret backend
+---
+rules:
+  - path: "kv/config"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki/au/syd1/config/admin.yaml b/policies/pki/au/syd1/config/admin.yaml
new file mode 100644
index 0000000..5965236
--- /dev/null
+++ b/policies/pki/au/syd1/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure pki/au/syd1 secret backend
+---
+rules:
+  - path: "pki/au/syd1/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki/au/syd1/issuer/admin.yaml b/policies/pki/au/syd1/issuer/admin.yaml
new file mode 100644
index 0000000..e21ee91
--- /dev/null
+++ b/policies/pki/au/syd1/issuer/admin.yaml
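Review bot: The glob `consul_root/au/syd1/config/*` is wider than the Consul secrets engine's API surface — the engine exposes a single config endpoint, `config/access`, which is where the Consul management token Vault uses is written, so the rule can be pinned to `- path: "consul_root/au/syd1/config/access"` without losing anything Terraform needs. The header comment should also say what the grant implies, e.g. `# Allow tf_vault to write the Consul access config (rotates the Consul token Vault uses)`. Mounting or tuning the engine itself needs `sys/mounts/consul_root/...`, which this series does not add; presumably that is granted elsewhere, but worth confirming before the approle is relied on for the whole mount lifecycle.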
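Review bot: `kv/config` is written without the trailing `/*` that every other file in this series uses; for a KV v2 mount that is correct (the mount's only config endpoint is `kv/config` itself), but a reader comparing against the sibling files will take it for an omission, so state it in the header: `# Allow access to configure KV secret backend (kv/config is a single endpoint, no glob)`. The same applies to `rundeck/config` in policies/rundeck/config/admin.yaml. As far as I can tell that endpoint has no list or delete operation, so `delete` and `list` grant nothing there — harmless, but trimming them keeps the capabilities honest about what the approle can actually do.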
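Review bot: `pki/au/syd1/config/*` with create/update/delete covers `config/ca`, `config/keys` and `config/issuers` as well as `config/urls`/`config/crl`, so the tf_vault approle can import or replace the mount's CA key material, not only adjust URL and CRL settings; the same holds for `pki_int/config/*`, `pki_root/config/*` and `sshca/config/*` (where `config/ca` holds the SSH CA keypair and delete removes it). If Terraform only manages URLs, CRL and cluster settings, list those endpoints explicitly instead of the glob; otherwise say so in the header so the scope is deliberate, e.g. `# Allow access to configure pki/au/syd1 secret backend (includes config/ca: CA key import/replace)`. A policy this wide on the root mount in particular is worth a line in the commit message explaining why the approle needs it.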
@@ -0,0 +1,11 @@
+# Allow access to read pki/au/syd1 issuers
+---
+rules:
+  - path: "pki/au/syd1/issuer/*"
+    capabilities:
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki_int/config/admin.yaml b/policies/pki_int/config/admin.yaml
new file mode 100644
index 0000000..f63d28d
--- /dev/null
+++ b/policies/pki_int/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure pki_int secret backend
+---
+rules:
+  - path: "pki_int/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki_int/issuer/admin.yaml b/policies/pki_int/issuer/admin.yaml
new file mode 100644
index 0000000..3501baa
--- /dev/null
+++ b/policies/pki_int/issuer/admin.yaml
@@ -0,0 +1,11 @@
+# Allow access to read pki_int issuers
+---
+rules:
+  - path: "pki_int/issuer/*"
+    capabilities:
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki_root/config/admin.yaml b/policies/pki_root/config/admin.yaml
new file mode 100644
index 0000000..42059e8
--- /dev/null
+++ b/policies/pki_root/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure pki_root secret backend
+---
+rules:
+  - path: "pki_root/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki_root/issuer/admin.yaml b/policies/pki_root/issuer/admin.yaml
new file mode 100644
index 0000000..bdb6a82
--- /dev/null
+++ b/policies/pki_root/issuer/admin.yaml
@@ -0,0 +1,11 @@
+# Allow access to read pki_root issuers
+---
+rules:
+  - path: "pki_root/issuer/*"
+    capabilities:
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/pki_root/roles/admin.yaml b/policies/pki_root/roles/admin.yaml
new file mode 100644
index 0000000..7f66761
--- /dev/null
+++ b/policies/pki_root/roles/admin.yaml
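Review bot: This file is named `admin.yaml` but grants only `read` and `list` on `pki/au/syd1/issuer/*`, which does not let the approle rename an issuer, change its usage flags or set the default issuer (those are `update` on `issuer/<ref>` and on `config/issuers`); the same mismatch is in policies/pki_int/issuer/admin.yaml and policies/pki_root/issuer/admin.yaml. If read-only is the intent, say so in the header so the next person does not widen it on the assumption that "admin" means write, e.g. `# Read-only view of pki/au/syd1 issuers for tf_vault; issuer changes are deliberately not granted`. If Terraform is expected to manage issuer names or the default, `update` is missing and the apply will fail on those resources — worth checking which it is before merging.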
@@ -0,0 +1,14 @@
+# Allow access to manage pki_root secret backend roles
+---
+rules:
+  - path: "pki_root/roles/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/rundeck/config/admin.yaml b/policies/rundeck/config/admin.yaml
new file mode 100644
index 0000000..2a63e98
--- /dev/null
+++ b/policies/rundeck/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure rundeck KV secret backend
+---
+rules:
+  - path: "rundeck/config"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
diff --git a/policies/sshca/config/admin.yaml b/policies/sshca/config/admin.yaml
new file mode 100644
index 0000000..abac807
--- /dev/null
+++ b/policies/sshca/config/admin.yaml
@@ -0,0 +1,14 @@
+# Allow access to configure SSH CA secret backend
+---
+rules:
+  - path: "sshca/config/*"
+    capabilities:
+      - create
+      - update
+      - delete
+      - read
+      - list
+
+auth:
+  approle:
+    - tf_vault
-- 
2.47.3
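Review bot: `pki_root/roles/*` with create/update lets the tf_vault approle define roles on the root mount, i.e. roles that issue leaf certificates directly from the root CA instead of from pki_int; issuing still needs `pki_root/issue/<role>` or `pki_root/sign/<role>`, which this series does not grant, so the exposure is limited, but roles on a root mount are unusual enough that the header should name the role(s) Terraform needs there and why, e.g. `# Allow tf_vault to manage roles on pki_root (only <role name> is expected; leaf issuance normally goes via pki_int)`. Signing the intermediate does not need a role (`root/sign-intermediate`), so if that is the only root-mount operation Terraform performs this policy may not be needed at all — presumably it is, but confirm. This is the last file of the series that touches the root mount, so it is also the natural place to record that pki_root roles are reviewed on change.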