From 99c058f9ec61c14a402afc2a44af00821e575f2c Mon Sep 17 00:00:00 2001
From: Thomas Rijpstra
Date: Fri, 20 Sep 2024 21:55:43 +0200
Subject: [PATCH] update vault token

---
 .../management/bootstrap/stage2-harden/main.tf | 13 +++++++++++--
 infra/modules/cluster/main.tf | 11 +++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/infra/clusters/management/bootstrap/stage2-harden/main.tf b/infra/clusters/management/bootstrap/stage2-harden/main.tf
index 478e90e..caad8c2 100644
--- a/infra/clusters/management/bootstrap/stage2-harden/main.tf
+++ b/infra/clusters/management/bootstrap/stage2-harden/main.tf
@@ -177,6 +177,14 @@ path "auth/token/renew-self" {
 capabilities = ["update"]
 }
 
+path "auth/token/lookup-accessor" {
+ capabilities = ["update"]
+}
+
+path "auth/token/renew-accessor" {
+ capabilities = ["update"]
+}
+
 # Add other necessary permissions as needed
 EOT
 }
@@ -184,6 +192,7 @@ EOT
 resource "vault_token" "management" {
 policies = [vault_policy.management.name]
 renewable = true
- ttl = "1h"
- period = "15m"
+ ttl = "24h"
+ renew_min_lease = "12h"
+ renew_increment = "24h"
 }
diff --git a/infra/modules/cluster/main.tf b/infra/modules/cluster/main.tf
index 31622e2..d1c72db 100644
--- a/infra/modules/cluster/main.tf
+++ b/infra/modules/cluster/main.tf
@@ -105,6 +105,12 @@ path "auth/token/lookup-self" {
 path "auth/token/renew-self" {
 capabilities = ["update"]
 }
+path "auth/token/lookup-accessor" {
+ capabilities = ["update"]
+}
+path "auth/token/renew-accessor" {
+ capabilities = ["update"]
+}
 # Add other necessary permissions
 EOT
 }
@@ -112,6 +118,7 @@ EOT
 resource "vault_token" "cluster" {
 policies = [vault_policy.cluster.name]
 renewable = true
- ttl = "1h"
- period = "15m"
+ ttl = "24h"
+ renew_min_lease = "12h"
+ renew_increment = "24h"
 }
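Review bot: The two new rules grant `update` on `auth/token/lookup-accessor` and `auth/token/renew-accessor`, and Vault does not scope those endpoints to the caller's own tokens: whoever holds this management token can look up the policies and metadata of, or extend the lifetime of, any token in the cluster whose accessor they learn (accessors show up in audit logs and lease listings), which is a wider grant than the self-only `lookup-self`/`renew-self` rules above it. Presumably the intent is that a later Terraform run, authenticating as this token, can renew the child tokens it created by accessor; if so, say that in the heredoc rather than leaving the rules unexplained, e.g. `# Needed by terraform-provider-vault to refresh/renew tokens this entity creates (vault_token renew_min_lease)`. If the run that manages those child tokens keeps using the provider's own credentials, this token never calls these paths and the two rules should be dropped. The policy heredoc begins before this hunk, so any other rules it contains are not visible here.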
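Review bot: Removing `period` turns `vault_token.management` from a periodic token into an ordinary renewable one, so every `renew_increment = "24h"` renewal is now capped by the token's max TTL measured from creation, and nothing in this resource sets that cap — it silently falls back to the mount/system default (32 days unless the server is configured otherwise). Make the bound deliberate by adding `explicit_max_ttl` beside `ttl`, or at least a comment stating which default applies, because once it is reached the token stops renewing and the provider has to recreate it, which the old periodic configuration never did. Renewal appears to be driven only by the provider refreshing this resource (`renew_min_lease`), so the 24h `ttl` is also the longest gap between Terraform runs before this credential lapses; a one-line comment near `renew_min_lease` would save the next operator from discovering that the hard way. The token value is still written to Terraform state as before, so the move from a 15m period to a 24h window also lengthens how long a leaked state file or token stays usable.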
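Review bot: Granting `auth/token/renew-accessor` and `auth/token/lookup-accessor` to every token minted by this module means any one cluster's credential can inspect and extend the lifetime of any other cluster's token — or any token at all — once it learns the accessor, because these endpoints are not restricted to tokens the caller created. For a per-cluster credential that looks like more than it needs; if the only consumer is the Terraform run that manages `vault_token.cluster`, that run authenticates with the provider's own token and the grant belongs in that token's policy, not in the cluster policy. If there is a concrete caller, replace the trailing `# Add other necessary permissions` placeholder with a comment naming it and the two paths it needs, so the next reviewer does not have to guess. The heredoc holding this policy starts before the hunk, so rules above `auth/token/lookup-self` are not visible here.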
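Review bot: With `period` gone, `vault_token.cluster` is no longer periodic: renewals via `renew_increment = "24h"` are bounded by the max TTL counted from creation, and this resource sets no `explicit_max_ttl`, so each cluster's effective credential lifetime is whatever the system or mount default happens to be. Add `explicit_max_ttl` explicitly, or a comment stating the intended bound and that the token must be recreated once it is hit, so the lifecycle is visible in the module rather than in server config. Renewal only runs when this resource's state is refreshed, so the 24h `ttl` is also the maximum interval between Terraform runs before a cluster loses its Vault access; that operational constraint deserves a comment next to `renew_min_lease`, e.g. `# token lapses if terraform is not refreshed within ttl; renewal is capped by max TTL`.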