From 49889eaf22dd91e425014b963347a2e894e3d1b9 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sun, 16 Nov 2025 12:49:07 +1100
Subject: [PATCH] feat: rework policies file - policy files are now found automatically
---
 policies.tf | 44 +++++++------------------------------------
 1 file changed, 7 insertions(+), 37 deletions(-)
diff --git a/policies.tf b/policies.tf
index 5fdaccc..81312d2 100644
--- a/policies.tf
+++ b/policies.tf
@@ -1,44 +1,14 @@
-# Define a list of directories that contain policy files
+# Automatically discover all HCL policy files under policies/ directory
 locals {
-  policy_directories = [
-    "policies",
-    "policies/sys",
-    "policies/auth/approle",
-    "policies/auth/kubernetes",
-    "policies/auth/ldap",
-    "policies/auth/token",
-    "policies/k8s",
-    "policies/pki_int",
-    "policies/pki_root",
-    "policies/rundeck",
-    "policies/ssh-host-signer",
-    "policies/sshca",
-    "policies/transit/decrypt",
-    "policies/transit/encrypt",
-    "policies/transit/keys",
-    "policies/kv/service/glauth/services",
-    "policies/kv/service/incus",
-    "policies/kv/service/packer",
-    "policies/kv/service/puppet/certificates",
-    "policies/kv/service/puppetapi",
-    "policies/kv/service/terraform",
-    "policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt",
+  policy_files = [
+    for f in fileset("policies", "**/*.hcl") : {
+      name = trimsuffix(f, ".hcl")
+      path = "policies/${f}"
+    }
   ]
 }
 
-# Load policy files from each directory
-locals {
-  policy_files = flatten([
-    for path in local.policy_directories : [
-      for f in fileset(path, "*.hcl") : {
-        name = trimsuffix(trimprefix("${path}/${f}", "policies/"), ".hcl")
-        path = "${path}/${f}"
-      }
-    ]
-  ])
-}
-
-# Define Vault policies for all listed directories
+# Define Vault policies for all discovered HCL files
 resource "vault_policy" "policies" {
   for_each = { for p in local.policy_files : p.name => p }