From 756286c23102b88e247d7a46f6818d6e8a62f1a5 Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 29 Nov 2025 00:09:57 +1100
Subject: [PATCH] chore: update name, role type for k8s

- ensure cluster roles are able to be created as ClusterRole
- prefix all vault managed roles with `vault-`
---
 engine_k8s_au_syd1.tf | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/engine_k8s_au_syd1.tf b/engine_k8s_au_syd1.tf
index 40433fa..bdadd84 100644
--- a/engine_k8s_au_syd1.tf
+++ b/engine_k8s_au_syd1.tf
@@ -17,32 +17,36 @@ resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
 resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
 backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
- name = "media-apps-operator"
+ name = "vault-media-apps-operator"
 allowed_kubernetes_namespaces = ["media-apps"]
+ kubernetes_role_type = "Role"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")
 }
 resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
 backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
- name = "cluster-operator"
+ name = "vault-cluster-operator"
 allowed_kubernetes_namespaces = ["*"]
+ kubernetes_role_type = "ClusterRole"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")
 }
 resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
 backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
- name = "cluster-admin"
+ name = "vault-cluster-admin"
 allowed_kubernetes_namespaces = ["*"]
+ kubernetes_role_type = "ClusterRole"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")
 }
 resource "vault_kubernetes_secret_backend_role" "cluster_root" {
 backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
- name = "cluster-root"
+ name = "vault-cluster-root"
 allowed_kubernetes_namespaces = ["*"]
+ kubernetes_role_type = "ClusterRole"
 generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")
 }
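Review bot: The three roles switched to `kubernetes_role_type = "ClusterRole"` (`vault-cluster-operator`, `vault-cluster-admin`, `vault-cluster-root`) keep `allowed_kubernetes_namespaces = ["*"]` and set no token lifetime, so the service-account tokens they issue live as long as the mount or Vault default allows; the mount resource sits above this hunk, so its TTL settings are not visible here. For roles this broad I would cap the lifetime on the role itself, e.g. `token_default_ttl = 900` and `token_max_ttl = 3600` (example values, pick ones that fit an operator session). The rename also changes each role's `creds/` path, so Vault policies that name the old paths should be updated in the same change, and any policy written as a glob over the shared `vault-` prefix would cover `vault-cluster-root` as well.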