allow a SA from factory project (ansible orchestrator) to read cms cloudflare turnstile values for crowdsec captcha

hashicorp-vault/iac/factory_auth.tf

@@ -0,0 +1,25 @@
+locals {
+    factory_crowdsec_conf_sa_name = "factory-ansible-tool-crowdsec-traefik-plugin"
+}
+
+
+data "vault_policy_document" "factory_crowdsec_conf" {
+  rule {
+    path         = "kvv2/data/cms/factory/*" #  cms.git//cloudflare/iac.tf
+    capabilities = ["read", "list"]
+  }
+}
+resource "vault_policy" "factory_crowdsec_conf" {
+  name   = "factory_crowdsec_conf"
+  policy = data.vault_policy_document.factory_crowdsec_conf.hcl
+}
+resource "vault_kubernetes_auth_backend_role" "factory_crowdsec_conf" {
+  backend                          = vault_auth_backend.kubernetes.path
+  role_name                        = "factory_crowdsec_conf"
+  bound_service_account_names      = [local.factory_crowdsec_conf_sa_name]
+  bound_service_account_namespaces = ["kube-system"]
+  token_ttl                        = 3600
+  token_policies                   = ["default", vault_policy.factory_crowdsec_conf.name]
+  audience                         = "vault"
+  alias_name_source                = "serviceaccount_name"
+}