From 2e16e58e6c96e3de1141346e08339d7fd7d7b226 Mon Sep 17 00:00:00 2001
From: Finn
Date: Tue, 10 Sep 2024 12:11:33 -0700
Subject: [PATCH] vault mounts: drop test, create a more prod kv store

---
 tf/bao-auth-backends.tf | 2 +-
 tf/bao-mounts.tf | 6 +++---
 tf/bao-policies.tf | 7 +++++--
 tf/bao-policies/k8s-default.hcl | 2 +-
 4 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/tf/bao-auth-backends.tf b/tf/bao-auth-backends.tf
index ca6d646..88b2ce9 100644
--- a/tf/bao-auth-backends.tf
+++ b/tf/bao-auth-backends.tf
@@ -14,6 +14,6 @@ resource "vault_kubernetes_auth_backend_role" "k8s-default" {
   bound_service_account_namespaces = ["*"]
   token_ttl = 3600
   token_policies = [
-    vault_policy.k8s_default_sa.name
+    vault_policy.k8s_default.name
   ]
 }
diff --git a/tf/bao-mounts.tf b/tf/bao-mounts.tf
index 7b1cc62..affdb29 100644
--- a/tf/bao-mounts.tf
+++ b/tf/bao-mounts.tf
@@ -1,6 +1,6 @@
-resource "vault_mount" "test-kv" {
-  path = "test-kv"
+resource "vault_mount" "static_secrets" {
+  path = "static-secrets"
   type = "kv"
   options = { version = "2" }
-  description = "Testing KV for evaluating how OpenBao works"
+  description = "Static secrets, organized by //*"
 }
diff --git a/tf/bao-policies.tf b/tf/bao-policies.tf
index c6ef59b..051b8fc 100644
--- a/tf/bao-policies.tf
+++ b/tf/bao-policies.tf
@@ -1,5 +1,8 @@
 resource "vault_policy" "k8s_default" {
-  name = "k8s-default-sa"
+  name = "k8s-default"
-  policy = templatefile("bao-policies/k8s-default.hcl", { k8s_auth_backend = vault_auth_backend.kubernetes.accessor })
+  policy = templatefile("bao-policies/k8s-default.hcl", {
+    k8s_auth_backend_accessor = vault_auth_backend.kubernetes.accessor,
+    k8s_secrets_path = vault_mount.static_secrets.path,
+  })
 }
diff --git a/tf/bao-policies/k8s-default.hcl b/tf/bao-policies/k8s-default.hcl
index 51c4e23..0eae800 100644
--- a/tf/bao-policies/k8s-default.hcl
+++ b/tf/bao-policies/k8s-default.hcl
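Review bot: Renaming the resource from `vault_mount.test-kv` to `vault_mount.static_secrets` in the bao-mounts.tf hunk makes Terraform plan a destroy of the old mount followed by a create of the new one, and destroying a kv-v2 mount discards every secret stored under it; that is presumably acceptable for a mount described as a test, but if anything under `test-kv` is still in use a `moved` block with `from = vault_mount.test-kv` and `to = vault_mount.static_secrets` would carry the state across (the `path` change would then still replace the mount on provider versions without remount support). The new description `"Static secrets, organized by //*"` also looks as if its segment names were lost in transit; the policy template in this commit confines reads to `data/<namespace>/<service-account>/*`, so `description = "Static secrets, organized by <k8s namespace>/<service account>/*"` would state the layout the policy depends on.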
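Review bot: Changing `name` from `"k8s-default-sa"` to `"k8s-default"` in the bao-policies.tf hunk should replace the policy object in Vault rather than update it, and tokens already issued through the Kubernetes role (`token_ttl = 3600` in the auth-backend hunk) keep referencing the old policy name, so as far as I can tell they lose their read capability until the pod re-authenticates. A one-line comment on the `name` line such as `# renaming replaces the policy; tokens holding the old name lose access until re-login` would record that, or the apply can be timed for when a short gap in secret reads is acceptable. Passing `vault_mount.static_secrets.path` into `templatefile` instead of repeating the literal is the right move and keeps the policy and mount in step.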
@@ -1,3 +1,3 @@
-path "test-kv/data/{{identity.entity.aliases.${k8s_auth_backend}.metadata.service_account_namespace}}/*" {
+path "${k8s_secrets_path}/data/{{identity.entity.aliases.${k8s_auth_backend_accessor}.metadata.service_account_namespace}}/{{identity.entity.aliases.${k8s_auth_backend_accessor}.metadata.service_account_name}}/*" {
   capabilities = ["read"]
 }
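Review bot: The new `path` line carries the security argument for the whole commit and deserves a header comment saying so: the role in bao-auth-backends.tf binds `bound_service_account_namespaces = ["*"]`, and it is this template, keyed on the entity-alias metadata of the Kubernetes auth accessor, that confines each authenticating service account to `<mount>/data/<its namespace>/<its name>/*`. A comment such as `# Each pod may read only kv-v2 data under <mount>/data/<namespace>/<service-account>/; namespace and name come from the alias metadata written by the Kubernetes auth backend` at the top of the file would make that intent visible to whoever next widens the role binding. It is worth stating two details in the same comment: `read` on the `data/` path grants neither `list` nor any access to `metadata/`, so a pod cannot enumerate sibling paths, and the trailing `/*` matches only children, not the `<service-account>` node itself, which is why secrets must be written one level below it.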