From 61f5cec4ffbf6a1730cf0262c49e8a5c01769a88 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 7 Jun 2026 20:01:06 +1000
Subject: [PATCH] feat: add vault and consul roles for terraform-git

Add K8s auth role, consul secret backend role, consul ACL policy, and vault policy to allow terraform-git CI to store state in Consul.
---
 .../k8s/au/syd1/woodpecker_terraform_git.yaml | 7 +++++++
 .../consul_root/au/syd1/terraform-git.yaml | 5 +++++
 policies/consul_root/au/syd1/creds/terraform-git.yaml | 9 +++++++++
 .../secret_backend/consul_root/au/syd1/terraform-git.hcl | 7 +++++++
 4 files changed, 28 insertions(+)
 create mode 100644 config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml
 create mode 100644 config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml
 create mode 100644 policies/consul_root/au/syd1/creds/terraform-git.yaml
 create mode 100644 resources/secret_backend/consul_root/au/syd1/terraform-git.hcl

diff --git a/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml
new file mode 100644
index 0000000..19acbad
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/woodpecker_terraform_git.yaml
@@ -0,0 +1,7 @@
+bound_service_account_names:
+ - terraform-git
+bound_service_account_namespaces:
+ - woodpecker
+token_ttl: 600
+token_max_ttl: 600
+audience: https://kubernetes.default.svc.cluster.local
diff --git a/config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml
new file mode 100644
index 0000000..0ede4f7
--- /dev/null
+++ b/config/consul_secret_backend_role/consul_root/au/syd1/terraform-git.yaml
@@ -0,0 +1,5 @@
+consul_roles:
+ - terraform-git
+ttl: 120
+max_ttl: 300
+datacenters: []
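Review bot: `consul_roles: - terraform-git` in the consul_secret_backend_role file points the Vault role at a Consul *role* named terraform-git, but the only Consul-side object this patch adds is the ACL rule set in resources/secret_backend/consul_root/au/syd1/terraform-git.hcl; unless the tooling also creates a Consul role of that name wrapping the policy, the tokens Vault issues would carry no rules and the key presumably needs to be `consul_policies`. A second point: `max_ttl: 300` caps the Consul token at five minutes while the K8s auth role allows a 600s Vault token, and Terraform holds its state lock through a session owned by the Consul token, so a plan/apply that runs past five minutes would presumably lose write access mid-run — align max_ttl with a realistic job duration. If `datacenters: []` is the field the tooling uses to scope the token, leaving it empty presumably yields a token not limited to syd1; listing the datacenter the state lives in would narrow the blast radius.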
diff --git a/policies/consul_root/au/syd1/creds/terraform-git.yaml b/policies/consul_root/au/syd1/creds/terraform-git.yaml
new file mode 100644
index 0000000..228f586
--- /dev/null
+++ b/policies/consul_root/au/syd1/creds/terraform-git.yaml
@@ -0,0 +1,9 @@
+---
+rules:
+ - path: "consul_root/au/syd1/creds/terraform-git"
+ capabilities:
+ - read
+
+auth:
+ k8s/au/syd1:
+ - woodpecker_terraform_git
diff --git a/resources/secret_backend/consul_root/au/syd1/terraform-git.hcl b/resources/secret_backend/consul_root/au/syd1/terraform-git.hcl
new file mode 100644
index 0000000..3fd25a9
--- /dev/null
+++ b/resources/secret_backend/consul_root/au/syd1/terraform-git.hcl
@@ -0,0 +1,7 @@
+key_prefix "infra/terraform/git/" {
+ policy = "write"
+}
+
+session_prefix "" {
+ policy = "write"
+}
--
2.47.3
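Review bot: The leading `---` document marker on the first line of policies/consul_root/au/syd1/creds/terraform-git.yaml is absent from the two YAML files added earlier in the patch (the auth_kubernetes_role and consul_secret_backend_role files); pick one convention for the repository — drop the `---` here or add it there — unless the policy loader relies on it. The rule itself is as tight as it should be: `read` on `consul_root/au/syd1/creds/terraform-git` only, which is the least privilege the CI job needs to fetch a Consul token, and the `auth:` stanza ties it to the single K8s role `woodpecker_terraform_git`.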
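Review bot: `session_prefix "" { policy = "write" }` grants session create and destroy on every node in the datacenter, which is wider than the Terraform lock needs: the backend presumably creates its lock session against the single agent the job connects to, so a `session "<agent-node-name>"` rule (placeholder — use the real node name) or a narrower prefix would stop this token from being able to destroy other clients' sessions. If the CI job can legitimately land on different agents, keep the prefix but say why in the file, e.g. `# Terraform's consul backend creates its lock session on whichever agent it connects to, so the node name cannot be pinned`. The `key_prefix "infra/terraform/git/"` rule is appropriately narrow; the lock keys Terraform creates alongside the state live under that same prefix, so no additional key rule is needed for locking.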