feat: update policy names to be path based

- change policy names to be based on the path they are stored at
2025-11-15 10:48:17 +11:00 · 2025-11-15 10:48:17 +11:00 · 4364b444fd
commit 4364b444fd
parent fee61c3eb5
11 changed files with 31 additions and 29 deletions
--- a/auth_approle_certmanager.tf
+++ b/auth_approle_certmanager.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "certmanager" {
  role_name      = "certmanager"
  bind_secret_id = false
-  token_policies = ["certmanager"]
+  token_policies = ["pki_int/certmanager"]
  token_ttl      = 30
  token_max_ttl  = 30
  token_bound_cidrs = [
--- a/auth_approle_incus_cluster.tf
+++ b/auth_approle_incus_cluster.tf
@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "incus_cluster" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "incus-cluster-join-tokens"
+    "kv/service/incus/incus-cluster-join-tokens"
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_approle_packer_builder.tf
+++ b/auth_approle_packer_builder.tf
@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "packer_builder" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "packer_builder",
+    "kv/service/packer/packer_builder",
  ]
  token_ttl     = 300 # builds can take a few minutes
  token_max_ttl = 600
--- a/auth_approle_puppetapi.tf
+++ b/auth_approle_puppetapi.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "puppetapi" {
  role_name      = "puppetapi"
  bind_secret_id = false
-  token_policies = ["puppetapi_read_tokens"]
+  token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
  token_ttl      = 30
  token_max_ttl  = 30
  token_bound_cidrs = [
--- a/auth_approle_rundeck-role.tf
+++ b/auth_approle_rundeck-role.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "rundeck-role" {
  role_name             = "rundeck-role"
  bind_secret_id        = true
-  token_policies        = ["rundeck"]
+  token_policies        = ["rundeck/rundeck"]
  token_ttl             = 1 * 3600
  token_max_ttl         = 4 * 3600
  token_bound_cidrs     = ["198.18.13.59/32"]
--- a/auth_approle_sshsign-host-role.tf
+++ b/auth_approle_sshsign-host-role.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "sshsign-host-role" {
  role_name      = "sshsign-host-role"
  bind_secret_id = false
-  token_policies = ["sshsign-host-policy"]
+  token_policies = ["ssh-host-signer/sshsign-host-policy"]
  token_ttl      = 30
  token_max_ttl  = 30
  token_bound_cidrs = [
--- a/auth_approle_sshsigner.tf
+++ b/auth_approle_sshsigner.tf
@ -2,7 +2,7 @@ resource "vault_approle_auth_backend_role" "sshsigner" {
  role_name      = "sshsigner"
  bind_secret_id = false
  token_policies = [
-    "sshsigner",
+    "ssh-host-signer/sshsigner",
    "sshca_signhost"
  ]
  token_ttl     = 30
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@ -3,8 +3,8 @@ resource "vault_approle_auth_backend_role" "terraform_incus" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "incus",
-    "terraform_puppet_cert",
+    "kv/service/terraform/incus",
+    "kv/service/puppet/certificates/terraform_puppet_cert",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_approle_terraform_nomad.tf
+++ b/auth_approle_terraform_nomad.tf
@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "terraform_nomad" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "nomad",
+    "kv/service/terraform/nomad",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@ -3,22 +3,23 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "auth_token_create",
-    "auth_token_self",
-    "auth_token_roles_admin",
-    "approle_role_admin",
-    "approle_role_login",
+    "auth/token/auth_token_create",
+    "auth/token/auth_token_self",
+    "auth/token/auth_token_roles_admin",
+    "auth/approle/approle_role_admin",
+    "auth/approle/approle_role_login",
    "approle_token_create",
-    "k8s_pki_roles_admin",
-    "ldap_admin",
-    "pki_int_roles_admin",
-    "pki_root_roles_admin",
-    "ssh-host-signer_roles_admin",
+    "auth/kubernetes/k8s_auth_admin",
+    "k8s/k8s_pki_roles_admin",
+    "auth/ldap/ldap_admin",
+    "pki_int/pki_int_roles_admin",
+    "pki_root/pki_root_roles_admin",
+    "ssh-host-signer/ssh-host-signer_roles_admin",
    "sshca_roles_admin",
-    "svc_vault_read",
-    "sys_auth_admin",
-    "sys_mounts_admin",
-    "sys_policy_admin",
+    "kv/service/glauth/services/svc_vault_read",
+    "sys/sys_auth_admin",
+    "sys/sys_mounts_admin",
+    "sys/sys_policy_admin",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/policies.tf
+++ b/policies.tf
@ -4,6 +4,7 @@ locals {
    "policies",
    "policies/sys",
    "policies/auth/approle",
+    "policies/auth/kubernetes",
    "policies/auth/ldap",
    "policies/auth/token",
    "policies/k8s",
@ -25,9 +26,9 @@ locals {
 locals {
  policy_files = flatten([
    for path in local.policy_directories : [
-      for policy in fileset(path, "*.hcl") : {
-        name = trim(replace(policy, ".hcl", ""), "/")
-        path = "${path}/${policy}"
+      for f in fileset(path, "*.hcl") : {
+        name = trimsuffix(trimprefix("${path}/${f}", "policies/"), ".hcl")
+        path = "${path}/${f}"
      }
    ]
  ])
@ -35,8 +36,8 @@ locals {

 # Define Vault policies for all listed directories
 resource "vault_policy" "policies" {
-  for_each = { for policy in local.policy_files : policy.name => policy }
+  for_each = { for p in local.policy_files : p.name => p }

-  name   = each.value.name
+  name   = each.key
  policy = file(each.value.path)
 }