bao policies: to use tf template

2024-09-10 10:36:12 -07:00 · 2024-09-10 10:36:12 -07:00 · f497e9ba55
commit f497e9ba55
parent 6f568ffc4e
4 changed files with 6 additions and 10 deletions
--- a/tf/bao-policies.tf
+++ b/tf/bao-policies.tf
@ -1,5 +1,5 @@
-resource "vault_policy" "k8s_default_sa" {
+resource "vault_policy" "k8s_default" {
  name = "k8s-default-sa"

-  policy = file("bao-policies/k8s-default-sa.hcl")
+  policy = templatefile("bao-policies/k8s-default.hcl", { k8s_auth_backend = vault_auth_backend.kubernetes.accessor })
 }
--- a/tf/bao-policies/k8s-default-sa.hcl
+++ b/tf/bao-policies/k8s-default-sa.hcl
@ -1,3 +0,0 @@
-path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
-    capabilities = ["read"]
-}
--- a/tf/bao-policies/k8s-default.hcl
+++ b/tf/bao-policies/k8s-default.hcl
@ -0,0 +1,3 @@
+path "test-kv/data/{{identity.entity.aliases.${k8s_auth_backend}.metadata.service_account_namespace}}/*" {
+    capabilities = ["read"]
+}
--- a/tf/providers.tf
+++ b/tf/providers.tf
@ -7,8 +7,4 @@ data "terraform_remote_state" "foo" {
  }
 }

-provider "vault" {
-  # This will default to using $VAULT_ADDR
-  # But can be set explicitly
-  # address = "https://vault.example.net:8200"
-}
+provider "vault" {}