From f83ba13158cb59bb9e11a2bb5ac957e44f251c34 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 11 Jan 2025 21:01:17 +1100
Subject: [PATCH] feat: add packer-builder role - limit access to workstation and gitea runners
---
 auth_approle_packer_builder.tf | 15 +++++++++++++++
 policies.tf | 1 +
 policies/kv/service/packer/packer-builder.hcl | 3 +++
 3 files changed, 19 insertions(+)
 create mode 100644 auth_approle_packer_builder.tf
 create mode 100644 policies/kv/service/packer/packer-builder.hcl
diff --git a/auth_approle_packer_builder.tf b/auth_approle_packer_builder.tf
new file mode 100644
index 0000000..32858d0
--- /dev/null
+++ b/auth_approle_packer_builder.tf
@@ -0,0 +1,15 @@
+resource "vault_approle_auth_backend_role" "packer_builder" {
+ role_name = "terraform_nomad"
+ bind_secret_id = false
+ token_policies = [
+ "default_access",
+ "packer_builder",
+ ]
+ token_ttl = 60
+ token_max_ttl = 120
+ token_bound_cidrs = [
+ "10.10.12.200/32",
+ "198.18.13.67/32",
+ "198.18.13.68/32",
+ ]
+}
diff --git a/policies.tf b/policies.tf
index 084d87c..30c00de 100644
--- a/policies.tf
+++ b/policies.tf
@@ -13,6 +13,7 @@ locals {
 "policies/sshca",
 "policies/kv/service/glauth/services",
 "policies/kv/service/incus",
+ "policies/kv/service/packer",
 "policies/kv/service/puppetapi",
 "policies/kv/service/terraform",
 ]
diff --git a/policies/kv/service/packer/packer-builder.hcl b/policies/kv/service/packer/packer-builder.hcl
new file mode 100644
index 0000000..79b114f
--- /dev/null
+++ b/policies/kv/service/packer/packer-builder.hcl
@@ -0,0 +1,3 @@
+path "kv/data/service/packer/builder/env" {
+ capabilities = ["read"]
+}
--
2.47.3
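Review bot: The new `vault_approle_auth_backend_role.packer_builder` sets `role_name = "terraform_nomad"`, which does not match the resource name, the `packer_builder` policy it attaches, or the commit subject; this looks like a copy-paste leftover, and if a `terraform_nomad` role already exists elsewhere in this configuration both resources will fight over the same Vault role. Unless the name is intentional, change it to `role_name = "packer_builder"`. Separately, with `bind_secret_id = false` the role_id alone logs in, so the `token_bound_cidrs` list is the only thing standing between a leaked role_id and a token — that is presumably the deliberate design given the subject line, but it deserves a comment on the resource stating that the three /32 entries are the workstation and gitea runner hosts and that the CIDR binding is the sole authentication gate, so the next person does not "relax" it without realising what it protects.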
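Review bot: The policy file is named `packer-builder.hcl` (hyphen) while the role in auth_approle_packer_builder.tf lists `"packer_builder"` (underscore) in `token_policies`; if the `local` list in policies.tf derives the Vault policy name from each file's basename, as the directory-based entries suggest, the two will not line up. Vault accepts unknown policy names in `token_policies` without error, so the mismatch would surface only as tokens that silently carry nothing beyond `default_access`. Align the two with whatever convention the existing policy files use, e.g. rename to `packer_builder.hcl` or change the role to `"packer-builder"`, and consider a one-line header comment in the .hcl stating which AppRole consumes it. The `read`-only grant on the single `kv/data/service/packer/builder/env` path is otherwise the right least-privilege shape.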