bao policies: to use tf template

tf/bao-policies.tf

@@ -1,5 +1,5 @@
-resource "vault_policy" "k8s_default_sa" {
+resource "vault_policy" "k8s_default" {
   name = "k8s-default-sa"
 
-  policy = file("bao-policies/k8s-default-sa.hcl")
+  policy = templatefile("bao-policies/k8s-default.hcl", { k8s_auth_backend = vault_auth_backend.kubernetes.accessor })
 }

tf/bao-policies/k8s-default-sa.hcl

@@ -1,3 +0,0 @@
-path "test-kv/data/{{identity.entity.aliases.auth_kubernetes_6872b6a9.metadata.service_account_namespace}}/*" {
-    capabilities = ["read"]
-}

tf/bao-policies/k8s-default.hcl

@@ -0,0 +1,3 @@
+path "test-kv/data/{{identity.entity.aliases.${k8s_auth_backend}.metadata.service_account_namespace}}/*" {
+    capabilities = ["read"]
+}

tf/providers.tf

@@ -7,8 +7,4 @@ data "terraform_remote_state" "foo" {
   }
 }
 
-provider "vault" {
+provider "vault" {}
-  # This will default to using $VAULT_ADDR
-  # But can be set explicitly
-  # address = "https://vault.example.net:8200"
-}