From a47f8410285ae4afce3b2d0adfe5537ecbda2cd5 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 14 Feb 2026 19:37:22 +1100
Subject: [PATCH] feat: add terraform_k8s approle

- add approle for kubernetes terraform
- ensure it can access consul token for state storage
- ensure it can generate root token for managing kubernetes
---
 config/auth_approle_role/approle/terraform_k8s.yaml | 9 +++++++++
 policies/kubernetes/au/syd1/creds/cluster-root.yaml | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)
 create mode 100644 config/auth_approle_role/approle/terraform_k8s.yaml

diff --git a/config/auth_approle_role/approle/terraform_k8s.yaml b/config/auth_approle_role/approle/terraform_k8s.yaml
new file mode 100644
index 0000000..cec109a
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_k8s.yaml
@@ -0,0 +1,9 @@
+token_ttl: 120
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: true
diff --git a/policies/kubernetes/au/syd1/creds/cluster-root.yaml b/policies/kubernetes/au/syd1/creds/cluster-root.yaml
index 42400f4..0409ca0 100644
--- a/policies/kubernetes/au/syd1/creds/cluster-root.yaml
+++ b/policies/kubernetes/au/syd1/creds/cluster-root.yaml
@@ -7,4 +7,4 @@
 rules:
 auth:
 approle:
- - tf_vault
+ - terraform_k8s
-- 
2.47.3
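Review bot: With `bind_secret_id: false` in terraform_k8s.yaml, login to this role needs no secret_id, and `use_deterministic_role_id: true` suggests the role_id is derivable rather than secret (inferred from the key name; the tooling that consumes it is not shown). That leaves the four `/32` entries in `token_bound_cidrs` as the only gate on a role that the cluster-root.yaml hunk binds to root credential issuance. Any process on those hosts, or anything Vault sees as one of those source addresses, gets the same access. Prefer `bind_secret_id: true` together with a `secret_id_bound_cidrs:` list holding the same four addresses. If IP-only login is deliberate, say so in the file with a comment such as `# IP-only auth: no secret_id, access is gated solely by token_bound_cidrs`, and consider adding `token_num_uses` alongside the 120-second TTL.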
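Review bot: In cluster-root.yaml, replacing `- tf_vault` with `- terraform_k8s` rather than appending also revokes `tf_vault`'s binding to this policy, which the commit message does not mention. If any pipeline still logs in as `tf_vault` to obtain these credentials, keep both entries (`- tf_vault` and `- terraform_k8s`); if the removal is intended, record it in the description so the access change is auditable. The description also says the role can read the consul token for state storage, but no hunk in this patch binds `terraform_k8s` to a consul policy, so that grant presumably lives elsewhere and should be confirmed. The `rules:` body of the policy sits outside the hunk, so the paths it grants could not be reviewed here.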