From f497e9ba55838a544ef461a172845c5a68b4af1a Mon Sep 17 00:00:00 2001
From: Finn
Date: Tue, 10 Sep 2024 10:36:12 -0700
Subject: [PATCH] bao policies: to use tf template

---
 tf/bao-policies.tf | 4 ++--
 tf/bao-policies/k8s-default-sa.hcl | 3 ---
 tf/bao-policies/k8s-default.hcl | 3 +++
 tf/providers.tf | 6 +-----
 4 files changed, 6 insertions(+), 10 deletions(-)
 delete mode 100644 tf/bao-policies/k8s-default-sa.hcl
 create mode 100644 tf/bao-policies/k8s-default.hcl

diff --git a/tf/bao-policies.tf b/tf/bao-policies.tf
index 4c845dc..c6ef59b 100644
--- a/tf/bao-policies.tf
+++ b/tf/bao-policies.tf
@@ -1,5 +1,5 @@
-resource "vault_policy" "k8s_default_sa" {
+resource "vault_policy" "k8s_default" {
 name = "k8s-default-sa"
- policy = file("bao-policies/k8s-default-sa.hcl")
+ policy = templatefile("bao-policies/k8s-default.hcl", { k8s_auth_backend = vault_auth_backend.kubernetes.accessor })
 }
diff --git a/tf/bao-policies/k8s-default-sa.hcl b/tf/bao-policies/k8s-default-sa.hcl
deleted file mode 100644
index 4b36341..0000000
--- a/tf/bao-policies/k8s-default-sa.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
- capabilities = ["read"]
-}
diff --git a/tf/bao-policies/k8s-default.hcl b/tf/bao-policies/k8s-default.hcl
new file mode 100644
index 0000000..51c4e23
--- /dev/null
+++ b/tf/bao-policies/k8s-default.hcl
@@ -0,0 +1,3 @@
+path "test-kv/data/{{identity.entity.aliases.${k8s_auth_backend}.metadata.service_account_namespace}}/*" {
+ capabilities = ["read"]
+}
diff --git a/tf/providers.tf b/tf/providers.tf
index 6b05dc3..ae5935b 100644
--- a/tf/providers.tf
+++ b/tf/providers.tf
@@ -7,8 +7,4 @@ data "terraform_remote_state" "foo" {
 }
 }
 
-provider "vault" {
- # This will default to using $VAULT_ADDR
- # But can be set explicitly
- # address = "https://vault.example.net:8200"
-}
+provider "vault" {}
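Review bot: Renaming the resource address from `vault_policy.k8s_default_sa` to `vault_policy.k8s_default` in tf/bao-policies.tf without a `moved` block makes Terraform plan a destroy of the existing policy followed by a create of a new one with the same `name = "k8s-default-sa"`, so the policy is absent for the duration of the apply and any token that already carries `k8s-default-sa` is denied until it is recreated. Add a `moved` block with `from = vault_policy.k8s_default_sa` and `to = vault_policy.k8s_default` (Terraform 1.1+) so the state entry is renamed in place instead. The switch from `file()` to `templatefile()` fed by `vault_auth_backend.kubernetes.accessor` is the right fix for the previously hard-coded accessor; a comment on the `policy` line such as `# policy template keys the identity alias on the auth mount's accessor, which is only known after apply` would save the next reader a lookup. The `name` still reads `k8s-default-sa` while the resource label and template file are now `k8s_default`/`k8s-default.hcl`; if the `-sa` suffix is intentional, say so in the same comment.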
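Review bot: Nothing in the new tf/bao-policies/k8s-default.hcl records that `k8s_auth_backend` must be the accessor of the Kubernetes auth mount (the `auth_kubernetes_<id>` value the deleted file hard-coded) rather than its mount path, nor that `templatefile()` treats any literal `${` or `%{` elsewhere in this file as a directive unless escaped as `$${` / `%%{`. Add a header comment such as `# k8s_auth_backend: accessor of the kubernetes auth mount (vault_auth_backend.kubernetes.accessor), not its path; Vault's {{ }} templating passes through untouched, but a literal "${" must be written "$${"`. Note also that the path grants `read` on `test-kv/data/<namespace>/*` to every service account in the caller's namespace; that matches the deleted policy, so namespace scope is presumably intended, but if per-service-account isolation is wanted the path would also need `metadata.service_account_name`.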