# Single source for the name used by both the token role and the display name
# of the token minted from it.
locals {
  role_name = "failover-handler"
}
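# Policy document for the failover token. It grants exactly three sys/ paths:
# promoting the DR secondary, repointing it at a new primary, and querying
# raft autopilot state. Each description is rendered as a comment in the
# generated policy, so it should describe the path it sits on.
data "vault_policy_document" "default" {
  rule {
    path         = "sys/replication/dr/secondary/promote"
    capabilities = ["update"]
    # The previous text ("Create and manage ACL policies") did not match this
    # path and would mislead anyone auditing the rendered policy.
    description = "To promote the DR secondary cluster to primary"
  }

  rule {
    path         = "sys/replication/dr/secondary/update-primary"
    capabilities = ["update"]
    description  = "To update the primary to connect"
  }

  rule {
    path = "sys/storage/raft/autopilot/state"
    # NOTE(review): "update" is kept next to "read" as in the original; confirm
    # it is required for how autopilot state is queried on a DR secondary
    # before narrowing this to read-only.
    capabilities = ["read", "update"]
    description  = "To read the current autopilot status"
  }
}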
# Registers the rendered policy document in Vault under a fixed name; the
# token role below references this name in allowed_policies.
resource "vault_policy" "default" {
  policy = data.vault_policy_document.default.hcl
  name   = "dr-secondary-promotion"
}
# Token role that constrains what a token minted through it can be:
#   - only the DR promotion policy may be attached,
#   - the token is an orphan (no parent token),
#   - it is a batch token and is marked non-renewable.
resource "vault_token_auth_backend_role" "default" {
  role_name  = local.role_name
  token_type = "batch"
  orphan     = true
  renewable  = false

  allowed_policies = [vault_policy.default.name]
}
# Mints one token through the failover role. The TTL is counted from creation,
# so the token expires 8 hours after the apply that created it and must be
# re-created before it is needed again. The token value is stored in
# Terraform state, so access to the state is access to this credential.
resource "vault_token" "default" {
  display_name = local.role_name
  role_name    = vault_token_auth_backend_role.default.name
  ttl          = "8h"
}
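# Exposes the minted token to the caller. The value is a live credential:
# `sensitive = true` keeps it out of plan/apply console output (and is required
# by Terraform versions that reject outputs derived from sensitive attributes).
# It is still written in plaintext to Terraform state, so the state backend
# needs encryption at rest and restricted access.
output "batch_token" {
  description = "Batch token for DR secondary promotion; treat as a secret"
  value       = vault_token.default.client_token
  sensitive   = true
}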