enable per app role list of policies

2025-10-30 10:05:25 +01:00
parent ea9e41ff1a
commit 24c3d92522
5 changed files with 22 additions and 10 deletions
--- a/hashicorp-vault/iac/modules/app_policy/main.tf
+++ b/hashicorp-vault/iac/modules/app_policy/main.tf
@@ -29,8 +29,12 @@ data "vault_policy_document" "ops" {
  }
  # read cloudflare credentials for terraform cloudflare backend
  rule {
-    path         = "kvv1/cloudflare"
-    capabilities = ["read"]
+    path         = "kvv1/cloudflare/${local.name}*"
+    capabilities = ["read", "list", "create", "update", "delete"]
+  }
+  rule {
+    path         = "kvv1/cloudflare/${local.name}*"
+    capabilities = ["read", "list", "create", "update", "delete"]
  }
  # read tofu_module_reader gitea bot user ssh keys
  rule {
@@ -122,7 +126,7 @@ data "vault_auth_backend" "gitea_jwt" {
 resource "vault_jwt_auth_backend_role" "gitea_jwt_cicd" {
  backend        = data.vault_auth_backend.gitea_jwt.path
  role_name      = "gitea_cicd_${local.name}"
-  token_policies = ["default"] # give "${local.name}-ops" role to group of entities
+  token_policies = concat(["default"], var.policies) # give "${local.name}-ops" role to group of entities

  bound_audiences = [
    var.gitea_app_id,
--- a/hashicorp-vault/iac/modules/app_policy/variables.tf
+++ b/hashicorp-vault/iac/modules/app_policy/variables.tf
@@ -3,4 +3,8 @@ variable "name" {
 }
 variable "gitea_app_id" {
  type = string
+}
+variable "policies" {
+  type    = list(string)
+  default = []
 }