From 12e04b3db74e38d5a6364fb7a308fc84e9e78947 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 6 Jan 2025 23:14:35 +1100
Subject: [PATCH] feat: add incus-cluster role/policies

- add policy and role to manage incus cluster join tokens
---
 auth_approle_incus_cluster.tf | 16 ++++++++++++++++
 policies.tf | 1 +
 .../service/incus/incus-cluster-join-tokens.hcl | 3 +++
 3 files changed, 20 insertions(+)
 create mode 100644 auth_approle_incus_cluster.tf
 create mode 100644 policies/kv/service/incus/incus-cluster-join-tokens.hcl

diff --git a/auth_approle_incus_cluster.tf b/auth_approle_incus_cluster.tf
new file mode 100644
index 0000000..da3c2a0
--- /dev/null
+++ b/auth_approle_incus_cluster.tf
@@ -0,0 +1,16 @@
+resource "vault_approle_auth_backend_role" "incus_cluster" {
+ role_name = "incus_cluster"
+ bind_secret_id = false
+ token_policies = [
+ "default_access",
+ "incus-cluster-join-tokens"
+ ]
+ token_ttl = 60
+ token_max_ttl = 120
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ "198.18.13.77/32",
+ "198.18.13.78/32",
+ "198.18.13.79/32"
+ ]
+}
diff --git a/policies.tf b/policies.tf
index 1d05b0a..084d87c 100644
--- a/policies.tf
+++ b/policies.tf
@@ -12,6 +12,7 @@ locals {
 "policies/ssh-host-signer",
 "policies/sshca",
 "policies/kv/service/glauth/services",
+ "policies/kv/service/incus",
 "policies/kv/service/puppetapi",
 "policies/kv/service/terraform",
 ]
diff --git a/policies/kv/service/incus/incus-cluster-join-tokens.hcl b/policies/kv/service/incus/incus-cluster-join-tokens.hcl
new file mode 100644
index 0000000..4e47c0e
--- /dev/null
+++ b/policies/kv/service/incus/incus-cluster-join-tokens.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/incus/cluster-join-tokens" {
+ capabilities = ["create", "read", "update", "delete"]
+}
-- 
2.47.3
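Review bot: With `bind_secret_id = false` the role_id is the only login credential, and `token_bound_cidrs` limits where the issued token may be used but not where the login itself may come from; consider adding `secret_id_bound_cidrs` with the same four addresses so the login operation is restricted as well, and `token_num_uses` if each node needs only one call against the join-token path per login. The four addresses are hard-coded with no indication of what they are; a comment above the list, `# Incus cluster members permitted to use tokens from this role`, or a shared local for the list would make the binding reviewable when nodes are added or retired. The short `token_ttl`/`token_max_ttl` of 60/120 seconds is a good fit for a join-token fetch and worth keeping as is.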
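Review bot: The role in auth_approle_incus_cluster.tf attaches the policy by the name `incus-cluster-join-tokens`, but this hunk only appends the directory `policies/kv/service/incus` to a list whose consumer is outside the hunk (the enclosing `locals` block starts before it), so the policy name derived from `incus-cluster-join-tokens.hcl` should be checked against that `token_policies` entry. Vault does not reject a `token_policies` entry naming a policy that does not exist, so a naming mismatch would surface only as tokens that carry `default_access` alone rather than as an apply-time error.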
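Review bot: The policy grants `create`, `read`, `update` and `delete` on the one KV v2 data path, so the same AppRole token the cluster members use both issues and consumes join tokens; if the nodes only need to read tokens that another workflow writes, a read-only policy for the nodes and a separate read-write policy for the issuer would narrow what a leaked role_id can do. `delete` on a `kv/data/...` path is a soft delete in KV v2 (versions remain until deleted via the metadata path), so if the intent is to purge used join tokens the capability does not achieve that, and if no cleanup is intended it can be dropped. The file has no comment stating its purpose; a header such as `# Join tokens for the Incus cluster; attached to the incus_cluster AppRole in auth_approle_incus_cluster.tf` would record the contract the role relies on.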