diff --git a/.gitignore b/.gitignore index 64b3492..ae4a6bd 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .terraform .terraform.lock.hcl env +.terragrunt-cache diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index f0719ae..9d38d4b 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,4 +1,11 @@ repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.4.0 + hooks: + - id: end-of-file-fixer + types: [yaml] + - id: trailing-whitespace + types: [yaml] - repo: https://github.com/gruntwork-io/pre-commit rev: v0.1.30 hooks: diff --git a/Makefile b/Makefile index 6516722..69ca190 100644 --- a/Makefile +++ b/Makefile @@ -1,20 +1,29 @@ -.PHONY: init plan apply help +.PHONY: init plan apply format + +#init: +# @echo "Sourcing environment and initializing Terraform..." +# @source ./env && terraform init +# +#plan: +# @echo "Sourcing environment and planning Terraform changes..." +# @source ./env && terraform plan +# +#apply: +# @echo "Sourcing environment and applying Terraform changes..." +# @source ./env && terraform apply -auto-approve -# Default target -help: - @echo "Available targets:" - @echo " init - Initialize Terraform" - @echo " plan - Plan Terraform changes" - @echo " apply - Apply Terraform changes" init: - @echo "Sourcing environment and initializing Terraform..." - @source ./env && terraform init + @terragrunt run --all --non-interactive init -- -upgrade -plan: - @echo "Sourcing environment and planning Terraform changes..." - @source ./env && terraform plan +plan: init + @terragrunt run --all --parallelism 4 --non-interactive plan -apply: - @echo "Sourcing environment and applying Terraform changes..." - @source ./env && terraform apply -auto-approve \ No newline at end of file +apply: init + @terragrunt run --all --parallelism 2 --non-interactive apply + +format: + @echo "Formatting Terraform files..." + @terraform fmt -recursive . + @echo "Formatting Terragrunt files..." + @terragrunt hcl fmt 
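Review bot: The two hooks added to `.pre-commit-config.yaml` are restricted with `types: [yaml]`, so they do not run on the Makefile and HCL that this same commit touches; `config/config.hcl` further down in this diff ends with "No newline at end of file", exactly what `end-of-file-fixer` exists to catch. Removing the two `types: [yaml]` lines lets both hooks run on every text file the repo tracks. Both repos are also pinned by tag (`rev: v4.4.0`, `rev: v0.1.30`), which a tag move can silently change; pinning `rev` to the commit SHA of the release keeps the hook toolchain reproducible.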
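Review bot: `init` runs `terragrunt run --all --non-interactive init -- -upgrade` and both `plan` and `apply` depend on it, so every plan and apply first re-resolves providers to the newest version the constraints allow; with `.terraform.lock.hcl` still listed in `.gitignore` (first hunk of this commit) there is no committed provider lockfile, and no two runs are guaranteed to use the same provider builds. Drop `-- -upgrade` from the routine `init` target (a separate `upgrade` target can carry it) and commit the lockfile. `apply` also passes `--non-interactive`, which answers the apply confirmation for every module at once, so this is no safer than the `-auto-approve` it replaces; keeping that flag on `plan` only, or applying a saved plan, restores a review point. The commented-out copies of the old `init`/`plan`/`apply` targets at the top are dead text now that the history holds them, and with `help` gone the new `format` target has no description anywhere; a one-line `# Format .tf and .hcl in place` above it would do.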
diff --git a/auth_approle_certmanager.tf b/auth_approle_certmanager.tf
deleted file mode 100644
index bcc6e14..0000000
--- a/auth_approle_certmanager.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "vault_approle_auth_backend_role" "certmanager" {
- role_name = "certmanager"
- bind_secret_id = false
- token_policies = ["pki_int/certmanager"]
- token_ttl = 30
- token_max_ttl = 30
- token_bound_cidrs = [
- "198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
- "198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
- "198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
- "198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
- "198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
- "198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
- ]
-}
diff --git a/auth_approle_incus_cluster.tf b/auth_approle_incus_cluster.tf
deleted file mode 100644
index 548ff88..0000000
--- a/auth_approle_incus_cluster.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "vault_approle_auth_backend_role" "incus_cluster" {
- role_name = "incus_cluster"
- bind_secret_id = false
- token_policies = [
- "default_access",
- "kv/service/incus/incus-cluster-join-tokens"
- ]
- token_ttl = 60
- token_max_ttl = 120
- token_bound_cidrs = [
- "10.10.12.200/32",
- "198.18.13.77/32",
- "198.18.13.78/32",
- "198.18.13.79/32"
- ]
-}
diff --git a/auth_approle_packer_builder.tf b/auth_approle_packer_builder.tf
deleted file mode 100644
index 7095183..0000000
--- a/auth_approle_packer_builder.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "vault_approle_auth_backend_role" "packer_builder" {
- role_name = "packer_builder"
- bind_secret_id = false
- token_policies = [
- "default_access",
- "kv/service/packer/packer_builder",
- ]
- token_ttl = 300 # builds can take a few minutes
- token_max_ttl = 600
- token_bound_cidrs = [
- "10.10.12.200/32",
- "198.18.25.102/32",
- "198.18.26.91/32",
- "198.18.27.40/32",
- ]
-}
diff --git a/auth_approle_puppetapi.tf b/auth_approle_puppetapi.tf
deleted file mode 100644
index 1b67c85..0000000
--- a/auth_approle_puppetapi.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "vault_approle_auth_backend_role" "puppetapi" {
- role_name = "puppetapi"
- bind_secret_id = false
- token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
- token_ttl = 30
- token_max_ttl = 30
- token_bound_cidrs = [
- "198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
- "198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
- "198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
- "198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
- "198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
- "198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
- ]
-}
diff --git a/auth_approle_rpmbuilder.tf b/auth_approle_rpmbuilder.tf
deleted file mode 100644
index 609189c..0000000
--- a/auth_approle_rpmbuilder.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "vault_approle_auth_backend_role" "rpmbuilder" {
- role_name = "rpmbuilder"
- bind_secret_id = false
- token_policies = [
- "kv/service/github/neoloc/tokens/read-only-token/read",
- "kv/service/gitea/unkinben/tokens/read-only-packages/read",
- ]
- token_ttl = 30
- token_max_ttl = 30
- token_bound_cidrs = [
- "10.10.12.200/32",
- "198.18.25.102/32",
- "198.18.26.91/32",
- "198.18.27.40/32",
- ]
-}
diff --git a/auth_approle_rundeck-role.tf b/auth_approle_rundeck-role.tf
deleted file mode 100644
index 35d3c0e..0000000
--- a/auth_approle_rundeck-role.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-resource "vault_approle_auth_backend_role" "rundeck-role" {
- role_name = "rundeck-role"
- bind_secret_id = true
- token_policies = ["rundeck/rundeck"]
- token_ttl = 1 * 3600
- token_max_ttl = 4 * 3600
- token_bound_cidrs = ["198.18.13.59/32"]
- secret_id_bound_cidrs = ["198.18.13.59/32"]
-}
diff --git a/auth_approle_sshsign-host-role.tf b/auth_approle_sshsign-host-role.tf
deleted file mode 100644
index 090b961..0000000
--- a/auth_approle_sshsign-host-role.tf
+++ /dev/null
@@ -1,15 +0,0 @@
-resource "vault_approle_auth_backend_role" "sshsign-host-role" {
- role_name = "sshsign-host-role"
- bind_secret_id = false
- token_policies = ["ssh-host-signer/sshsign-host-policy"]
- token_ttl = 30
- token_max_ttl = 30
- token_bound_cidrs = [
- "198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
- "198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
- "198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
- "198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
- "198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
- "198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
- ]
-}
diff --git a/auth_approle_sshsigner.tf b/auth_approle_sshsigner.tf
deleted file mode 100644
index af32e62..0000000
--- a/auth_approle_sshsigner.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-resource "vault_approle_auth_backend_role" "sshsigner" {
- role_name = "sshsigner"
- bind_secret_id = false
- token_policies = [
- "ssh-host-signer/sshsigner",
- "sshca_signhost"
- ]
- token_ttl = 30
- token_max_ttl = 30
- token_bound_cidrs = [
- "198.18.25.5/32", # ausyd1nxvm2052.main.unkin.net
- "198.18.26.3/32", # ausyd1nxvm2053.main.unkin.net
- "198.18.27.89/32", # ausyd1nxvm2054.main.unkin.net
- "198.18.28.8/32", # ausyd1nxvm2055.main.unkin.net
- "198.18.29.33/32", # ausyd1nxvm2056.main.unkin.net
- "198.18.29.239/32", # ausyd1nxvm2097.main.unkin.net
- ]
-}
diff --git a/auth_approle_terraform_incus.tf b/auth_approle_terraform_incus.tf
deleted file mode 100644
index fae226d..0000000
--- a/auth_approle_terraform_incus.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-resource "vault_approle_auth_backend_role" "terraform_incus" {
- role_name = "terraform_incus"
- bind_secret_id = false
- token_policies = [
- "default_access",
- "kv/service/terraform/incus",
- "kv/service/puppet/certificates/terraform_puppet_cert",
- ]
- token_ttl = 60
- token_max_ttl = 120
- token_bound_cidrs = [
- "10.10.12.200/32",
- "198.18.25.102/32",
- "198.18.26.91/32",
- "198.18.27.40/32",
- ]
-}
diff --git a/auth_approle_terraform_nomad.tf b/auth_approle_terraform_nomad.tf
deleted file mode 100644
index 8d8aa9d..0000000
--- a/auth_approle_terraform_nomad.tf
+++ /dev/null
@@ -1,16 +0,0 @@
-resource "vault_approle_auth_backend_role" "terraform_nomad" {
- role_name = "terraform_nomad"
- bind_secret_id = false
- token_policies = [
- "default_access",
- "kv/service/terraform/nomad",
- ]
- token_ttl = 60
- token_max_ttl = 120
- token_bound_cidrs = [
- "10.10.12.200/32",
- "198.18.25.102/32",
- "198.18.26.91/32",
- "198.18.27.40/32",
- ]
-}
diff --git a/auth_approle_terraform_repoflow.tf b/auth_approle_terraform_repoflow.tf
deleted file mode 100644
index 96b7176..0000000
--- a/auth_approle_terraform_repoflow.tf
+++ /dev/null
@@ -1,17 +0,0 @@
-resource "vault_approle_auth_backend_role" "terraform_repoflow" {
- role_name = "terraform_repoflow"
- bind_secret_id = false
- token_policies = [
- "default_access",
- "kv/service/repoflow/unkinadmin/tokens/terraform/read",
- "kv/service/terraform/repoflow",
- ]
- token_ttl = 60
- token_max_ttl = 120
- token_bound_cidrs = [
- "10.10.12.200/32",
- "198.18.25.102/32",
- "198.18.26.91/32",
- "198.18.27.40/32",
- ]
-}
diff --git a/auth_approle_tf_vault.tf b/auth_approle_tf_vault.tf
deleted file mode 100644
index 3e3c542..0000000
--- a/auth_approle_tf_vault.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-resource "vault_approle_auth_backend_role" "tf_vault" {
- role_name = "tf_vault"
- bind_secret_id = false
- token_policies = [
- "default_access",
- "approle_token_create",
- "auth/approle/approle_role_admin",
- "auth/approle/approle_role_login",
- "auth/kubernetes/k8s_auth_admin",
- "auth/ldap/ldap_admin",
- "auth/token/auth_token_create",
- "auth/token/auth_token_self",
- "auth/token/auth_token_roles_admin",
- "kubernetes/au/config_admin",
- "kubernetes/au/roles_admin",
- "kv/service/glauth/services/svc_vault_read",
- "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
- "kv/service/kubernetes/au/syd1/service_account_jwt/read",
- "pki_int/pki_int_roles_admin",
- "pki_root/pki_root_roles_admin",
- "ssh-host-signer/ssh-host-signer_roles_admin",
- "sshca/sshca_roles_admin",
- "sys/sys_auth_admin",
- "sys/sys_mounts_admin",
- "sys/sys_policy_admin",
- "transit/keys/admin",
- ]
- token_ttl = 60
- token_max_ttl = 120
- token_bound_cidrs = [
- "10.10.12.200/32",
- ]
-}
diff --git a/auth_backend_approle.tf b/auth_backend_approle.tf
deleted file mode 100644
index 7c8412d..0000000
--- a/auth_backend_approle.tf
+++ /dev/null
@@ -1,7 +0,0 @@
-#----------------------------
-# Enable approle auth method
-#----------------------------
-resource "vault_auth_backend" "approle" {
- type = "approle"
- path = "approle"
-}
diff --git a/auth_backend_kubernetes.tf b/auth_backend_kubernetes.tf
deleted file mode 100644
index 2b720a2..0000000
--- a/auth_backend_kubernetes.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-#-----------------------------------
-# Enable kubernetes auth method
-#-----------------------------------
-resource "vault_auth_backend" "kubernetes" {
- type = "kubernetes"
- path = "kubernetes"
-}
-
-# Data source to read the token_reviewer_jwt from Vault KV
-data "vault_kv_secret_v2" "token_reviewer_jwt_au_syd1" {
- mount = "kv"
- name = "service/kubernetes/au/syd1/token_reviewer_jwt"
-}
-
-# Configure Kubernetes auth backend
-resource "vault_kubernetes_auth_backend_config" "config" {
- backend = vault_auth_backend.kubernetes.path
- kubernetes_host = "https://api-k8s.service.consul:6443"
- kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1
- token_reviewer_jwt = data.vault_kv_secret_v2.token_reviewer_jwt_au_syd1.data["token"]
- disable_iss_validation = true
- use_annotations_as_alias_metadata = true
-}
diff --git a/auth_backend_ldap.tf b/auth_backend_ldap.tf
deleted file mode 100644
index b732dcf..0000000
--- a/auth_backend_ldap.tf
+++ /dev/null
@@ -1,40 +0,0 @@
-#--------------------------------
-# Enable ldap auth method
-#--------------------------------
-
-# retrieve the bindpass from Vault
-data "vault_generic_secret" "svc_vault" {
- path = "kv/service/glauth/services/svc_vault"
-}
-
-# create the ldap backend
-resource "vault_ldap_auth_backend" "ldap" {
- path = "ldap"
- url = "ldap://ldap.service.consul"
- userdn = "ou=people,ou=users,dc=main,dc=unkin,dc=net"
- userattr = "uid"
- upndomain = "users.main.unkin.net"
- discoverdn = false
- groupdn = "ou=users,dc=main,dc=unkin,dc=net"
- groupfilter = "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
- groupattr = "uid"
- binddn = data.vault_generic_secret.svc_vault.data["distinguishedName"]
- bindpass = data.vault_generic_secret.svc_vault.data["pass"]
-}
-
-resource "vault_ldap_auth_backend_group" "vault_access" {
- groupname = "vault_access"
- policies = [
- "default_access",
- ]
- backend = vault_ldap_auth_backend.ldap.path
-}
-
-resource "vault_ldap_auth_backend_group" "vault_admin" {
- groupname = "vault_admin"
- policies = [
- "default_access",
- "global-admin",
- ]
- backend = vault_ldap_auth_backend.ldap.path
-}
diff --git a/auth_kubernetes_roles.tf b/auth_kubernetes_roles.tf
deleted file mode 100644
index d4edeac..0000000
--- a/auth_kubernetes_roles.tf
+++ /dev/null
@@ -1,117 +0,0 @@ -resource "vault_kubernetes_auth_backend_role" "default" { - backend = vault_auth_backend.kubernetes.path - role_name = "default" - bound_service_account_names = ["default"] - bound_service_account_namespaces = ["*"] - token_ttl = 3600 - token_policies = [ - "default" - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "demo_default" { - backend = vault_auth_backend.kubernetes.path - role_name = "demo_default" - bound_service_account_names = ["default"] - bound_service_account_namespaces = ["demo"] - token_ttl = 60 - token_policies = [ - "kv/service/terraform/nomad" - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "huntarr-default" { - backend = vault_auth_backend.kubernetes.path - role_name = "huntarr-default" - bound_service_account_names = ["default"] - bound_service_account_namespaces = ["huntarr"] - token_ttl = 60 - token_policies = [ - "pki_int/sign/servers_default", - "pki_int/issue/servers_default", - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "externaldns" { - backend = vault_auth_backend.kubernetes.path - role_name = "externaldns" - bound_service_account_names = ["externaldns"] - bound_service_account_namespaces = ["externaldns"] - token_ttl = 60 - token_policies = [ - "kv/service/kubernetes/au/syd1/externaldns/tsig/read", - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" { - backend = vault_auth_backend.kubernetes.path - role_name = "cert-manager-issuer" - bound_service_account_names = ["cert-manager-vault-issuer"] - bound_service_account_namespaces = ["cert-manager"] - token_ttl = 60 - token_policies = [ - "pki_int/sign/servers_default", - "pki_int/issue/servers_default", - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "ceph-csi" { - backend = vault_auth_backend.kubernetes.path - role_name = "ceph-csi" - bound_service_account_names = [ - "ceph-csi-rbd-csi-rbd-provisioner", - 
"ceph-csi-cephfs-csi-cephfs-provisioner", - ] - bound_service_account_namespaces = [ - "csi-cephrbd", - "csi-cephfs", - ] - token_ttl = 60 - token_policies = [ - "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read", - "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read", - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "media-apps" { - backend = vault_auth_backend.kubernetes.path - role_name = "media-apps" - bound_service_account_names = [ - "media-apps-vault-reader", - ] - bound_service_account_namespaces = [ - "media-apps", - ] - token_ttl = 60 - token_policies = [ - "kv/service/media-apps/radarr/read", - "kv/service/media-apps/sonarr/read", - ] - audience = "vault" -} - -resource "vault_kubernetes_auth_backend_role" "repoflow" { - backend = vault_auth_backend.kubernetes.path - role_name = "repoflow" - bound_service_account_names = [ - "default", - ] - bound_service_account_namespaces = [ - "repoflow", - ] - token_ttl = 60 - token_policies = [ - "kv/service/repoflow/au/syd1/ceph-s3/read", - "kv/service/repoflow/au/syd1/elasticsearch/read", - "kv/service/repoflow/au/syd1/hasura/read", - "kv/service/repoflow/au/syd1/postgres/read", - "kv/service/repoflow/au/syd1/repoflow-server/read", - ] - audience = "vault" -} diff --git a/config/auth_approle_backend/approle.yaml b/config/auth_approle_backend/approle.yaml new file mode 100644 index 0000000..128d2ea --- /dev/null +++ b/config/auth_approle_backend/approle.yaml @@ -0,0 +1,2 @@ +default_lease_ttl: 60s +max_lease_ttl: 24h diff --git a/config/auth_approle_role/approle/certmanager.yaml b/config/auth_approle_role/approle/certmanager.yaml new file mode 100644 index 0000000..0e7ec68 --- /dev/null +++ b/config/auth_approle_role/approle/certmanager.yaml 
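Review bot: `config/auth_approle_backend/approle.yaml` writes `default_lease_ttl: 60s` and `max_lease_ttl: 24h` as duration strings, while every role file in this commit writes `token_ttl`/`token_max_ttl` as bare integers (`30`, `60`, `14400`) that the old `.tf` definitions treated as seconds; nothing in either file says which form applies where. The deleted Terraform had no mount-level tune at all, so the `24h` cap is new and now bounds every AppRole token, including `rundeck-role`'s `token_max_ttl: 14400`. A comment above the two keys, e.g. `# mount tune: duration strings (60s, 24h); per-role token_* keys are integer seconds`, would stop a later edit from copying the string form into a role file.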
@@ -0,0 +1,13 @@
+token_policies:
+ - "pki_int/certmanager"
+token_ttl: 30
+token_max_ttl: 30
+bind_secret_id: false
+token_bound_cidrs:
+ - "198.18.25.5/32"
+ - "198.18.26.3/32"
+ - "198.18.27.89/32"
+ - "198.18.28.8/32"
+ - "198.18.29.33/32"
+ - "198.18.29.239/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/incus_cluster.yaml b/config/auth_approle_role/approle/incus_cluster.yaml
new file mode 100644
index 0000000..57f1ae5
--- /dev/null
+++ b/config/auth_approle_role/approle/incus_cluster.yaml
@@ -0,0 +1,12 @@
+token_policies:
+ - "default_access"
+ - "kv/service/incus/incus-cluster-join-tokens"
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.13.77/32"
+ - "198.18.13.78/32"
+ - "198.18.13.79/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/packer_builder.yaml b/config/auth_approle_role/approle/packer_builder.yaml
new file mode 100644
index 0000000..b75cceb
--- /dev/null
+++ b/config/auth_approle_role/approle/packer_builder.yaml
@@ -0,0 +1,12 @@
+token_policies:
+ - "default_access"
+ - "kv/service/packer/packer_builder"
+token_ttl: 300
+token_max_ttl: 600
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/puppetapi.yaml b/config/auth_approle_role/approle/puppetapi.yaml
new file mode 100644
index 0000000..d58dfe6
--- /dev/null
+++ b/config/auth_approle_role/approle/puppetapi.yaml
@@ -0,0 +1,13 @@
+token_policies:
+ - "kv/service/puppetapi/puppetapi_read_tokens"
+token_ttl: 30
+token_max_ttl: 30
+bind_secret_id: false
+token_bound_cidrs:
+ - "198.18.25.5/32"
+ - "198.18.26.3/32"
+ - "198.18.27.89/32"
+ - "198.18.28.8/32"
+ - "198.18.29.33/32"
+ - "198.18.29.239/32"
+use_deterministic_role_id: false
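Review bot: The per-address hostname comments that `auth_approle_certmanager.tf` carried (`# ausyd1nxvm2052.main.unkin.net` beside `198.18.25.5/32`, and so on for all six) were dropped in the move to `certmanager.yaml`, so `token_bound_cidrs` is now six bare addresses with nothing saying which host each is; `puppetapi.yaml` lost the same six comments and `packer_builder.yaml` lost `# builds can take a few minutes` on `token_ttl: 300`. YAML takes trailing `#` comments just as HCL does, so restoring them is a one-token change per line: `- "198.18.25.5/32" # ausyd1nxvm2052.main.unkin.net`. Because `bind_secret_id: false` is carried over, this CIDR list is the only thing gating login with the role_id, which makes knowing what is in it the point of any later review of the list.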
diff --git a/config/auth_approle_role/approle/rpmbuilder.yaml b/config/auth_approle_role/approle/rpmbuilder.yaml
new file mode 100644
index 0000000..9a6b498
--- /dev/null
+++ b/config/auth_approle_role/approle/rpmbuilder.yaml
@@ -0,0 +1,12 @@
+token_policies:
+ - "kv/service/github/neoloc/tokens/read-only-token/read"
+ - "kv/service/gitea/unkinben/tokens/read-only-packages/read"
+token_ttl: 30
+token_max_ttl: 30
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/rundeck-role.yaml b/config/auth_approle_role/approle/rundeck-role.yaml
new file mode 100644
index 0000000..76fd259
--- /dev/null
+++ b/config/auth_approle_role/approle/rundeck-role.yaml
@@ -0,0 +1,8 @@
+token_policies:
+ - "rundeck/rundeck"
+token_ttl: 3600
+token_max_ttl: 14400
+bind_secret_id: true
+token_bound_cidrs:
+ - "198.18.13.59/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/sshsigner.yaml b/config/auth_approle_role/approle/sshsigner.yaml
new file mode 100644
index 0000000..4fa774d
--- /dev/null
+++ b/config/auth_approle_role/approle/sshsigner.yaml
@@ -0,0 +1,14 @@
+token_policies:
+ - "ssh-host-signer/sshsigner"
+ - "sshca_signhost"
+token_ttl: 30
+token_max_ttl: 30
+bind_secret_id: false
+token_bound_cidrs:
+ - "198.18.25.5/32"
+ - "198.18.26.3/32"
+ - "198.18.27.89/32"
+ - "198.18.28.8/32"
+ - "198.18.29.33/32"
+ - "198.18.29.239/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/terraform_incus.yaml b/config/auth_approle_role/approle/terraform_incus.yaml
new file mode 100644
index 0000000..fdd409b
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_incus.yaml
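Review bot: `rundeck-role.yaml` drops `secret_id_bound_cidrs`, which the deleted `auth_approle_rundeck-role.tf` set to `["198.18.13.59/32"]` next to `token_bound_cidrs`; unless the module copies `token_bound_cidrs` into it (the module is not in this diff), a SecretID issued for this role can now be presented from any address and only the resulting token stays CIDR-bound. This is the one role in the set with `bind_secret_id: true`, so that restriction was doing real work. Add the key back, e.g. `secret_id_bound_cidrs:` followed by `  - "198.18.13.59/32"`, or state in a comment that the module derives it.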
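Review bot: `auth_approle_sshsign-host-role.tf` is deleted in this commit but no `config/auth_approle_role/approle/sshsign-host-role.yaml` is added, while the other eleven AppRole definitions each get a YAML counterpart. If retiring the `sshsign-host-role` role (policy `ssh-host-signer/sshsign-host-policy`, same six CIDRs as `sshsigner.yaml`) is intended, the commit message should say so, since any host still logging in with that role_id stops working at the first config-driven apply. If it is an oversight, the file is `sshsigner.yaml` with `token_policies: ["ssh-host-signer/sshsign-host-policy"]` and the same `token_ttl`/`token_max_ttl` of 30.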
@@ -0,0 +1,13 @@
+token_policies:
+ - "default_access"
+ - "kv/service/terraform/incus"
+ - "kv/service/puppet/certificates/terraform_puppet_cert"
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/terraform_nomad.yaml b/config/auth_approle_role/approle/terraform_nomad.yaml
new file mode 100644
index 0000000..ff85b2b
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_nomad.yaml
@@ -0,0 +1,12 @@
+token_policies:
+ - "default_access"
+ - "kv/service/terraform/nomad"
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/terraform_repoflow.yaml b/config/auth_approle_role/approle/terraform_repoflow.yaml
new file mode 100644
index 0000000..4d4d7bc
--- /dev/null
+++ b/config/auth_approle_role/approle/terraform_repoflow.yaml
@@ -0,0 +1,13 @@
+token_policies:
+ - "default_access"
+ - "kv/service/repoflow/unkinadmin/tokens/terraform/read"
+ - "kv/service/terraform/repoflow"
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+ - "198.18.25.102/32"
+ - "198.18.26.91/32"
+ - "198.18.27.40/32"
+use_deterministic_role_id: false
diff --git a/config/auth_approle_role/approle/tf_vault.yaml b/config/auth_approle_role/approle/tf_vault.yaml
new file mode 100644
index 0000000..cf5b647
--- /dev/null
+++ b/config/auth_approle_role/approle/tf_vault.yaml
@@ -0,0 +1,30 @@
+token_policies:
+ - "default_access"
+ - "approle_token_create"
+ - "auth/approle/approle_role_admin"
+ - "auth/approle/approle_role_login"
+ - "auth/kubernetes/k8s_auth_admin"
+ - "auth/ldap/ldap_admin"
+ - "auth/token/auth_token_create"
+ - "auth/token/auth_token_self"
+ - "auth/token/auth_token_roles_admin"
+ - "kubernetes/au/config_admin"
+ - "kubernetes/au/roles_admin"
+ - "kv/service/glauth/services/svc_vault_read"
+ - "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"
+ - "kv/service/kubernetes/au/syd1/service_account_jwt/read"
+ - "kv/service/vault/auth_backends_read"
+ - "pki_int/pki_int_roles_admin"
+ - "pki_root/pki_root_roles_admin"
+ - "ssh-host-signer/ssh-host-signer_roles_admin"
+ - "sshca/sshca_roles_admin"
+ - "sys/sys_auth_admin"
+ - "sys/sys_mounts_admin"
+ - "sys/sys_policy_admin"
+ - "transit/keys/admin"
+token_ttl: 60
+token_max_ttl: 120
+bind_secret_id: false
+token_bound_cidrs:
+ - "10.10.12.200/32"
+use_deterministic_role_id: false
diff --git a/config/auth_kubernetes_backend/k8s/au/syd1.yaml b/config/auth_kubernetes_backend/k8s/au/syd1.yaml
new file mode 100644
index 0000000..55c3135
--- /dev/null
+++ b/config/auth_kubernetes_backend/k8s/au/syd1.yaml
@@ -0,0 +1,5 @@
+kubernetes_host: https://api-k8s.service.consul:6443
+disable_iss_validation: true
+use_annotations_as_alias_metadata: true
+default_lease_ttl: 1h
+max_lease_ttl: 24h
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
new file mode 100644
index 0000000..f9dcb51
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
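Review bot: `tf_vault.yaml` adds `kv/service/vault/auth_backends_read` to `token_policies`, a policy the deleted `auth_approle_tf_vault.tf` did not grant; every other role file in this commit is a one-to-one transcription, so this is an unannounced privilege change to the role that administers the auth backends themselves. Either split it into its own commit or state it in the commit description, and confirm the policy actually exists, since the policy definitions are not part of this diff. The rest of the file matches the old definition, including a single `10.10.12.200/32` entry as the only login control (`bind_secret_id: false`), which is worth a comment naming that host.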
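Review bot: `auth_kubernetes_backend/k8s/au/syd1.yaml` carries over `kubernetes_host` and `disable_iss_validation: true` but not `kubernetes_ca_cert` or `token_reviewer_jwt`, which the deleted `auth_backend_kubernetes.tf` set from `local.kubernetes_ca_cert_au_syd1` and the `service/kubernetes/au/syd1/token_reviewer_jwt` KV secret; presumably the module now reads both itself, but that module is not in this diff, and if it instead relies on Vault's in-cluster fallback the review of service-account tokens depends on where this Vault runs. A comment such as `# CA cert and token_reviewer_jwt are supplied by the module from kv/service/kubernetes/au/syd1/` would keep this file from reading as a complete backend definition. `disable_iss_validation: true` was already set before, but a file this short is the right place to say why issuer validation is off for this cluster.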
@@ -0,0 +1,11 @@
+bound_service_account_names:
+ - ceph-csi-rbd-csi-rbd-provisioner
+ - ceph-csi-cephfs-csi-cephfs-provisioner
+bound_service_account_namespaces:
+ - csi-cephrbd
+ - csi-cephfs
+token_ttl: 60
+token_policies:
+ - kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read
+ - kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read
+audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
new file mode 100644
index 0000000..0911d28
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
@@ -0,0 +1,9 @@
+bound_service_account_names:
+ - cert-manager-vault-issuer
+bound_service_account_namespaces:
+ - cert-manager
+token_ttl: 60
+token_policies:
+ - pki_int/sign/servers_default
+ - pki_int/issue/servers_default
+audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
new file mode 100644
index 0000000..4f1d4c3
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
@@ -0,0 +1,8 @@
+bound_service_account_names:
+ - externaldns
+bound_service_account_namespaces:
+ - externaldns
+token_ttl: 60
+token_policies:
+ - kv/service/kubernetes/au/syd1/externaldns/tsig/read
+audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
new file mode 100644
index 0000000..69bbfa0
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
@@ -0,0 +1,9 @@
+bound_service_account_names:
+ - default
+bound_service_account_namespaces:
+ - huntarr
+token_ttl: 60
+token_policies:
+ - pki_int/sign/servers_default
+ - pki_int/issue/servers_default
+audience: vault
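Review bot: The file is named `cert_manager_issuer.yaml`, and `config.hcl` derives `role_name` from the basename, so the Vault role becomes `cert_manager_issuer`; the deleted `auth_kubernetes_roles.tf` created it as `role_name = "cert-manager-issuer"` (the underscored form was only the Terraform resource label). Any cert-manager Issuer that references `cert-manager-issuer` will stop authenticating after the migration, and Terraform will see a new role rather than an unchanged one. Rename the file to `cert-manager-issuer.yaml`, which is how `huntarr-default.yaml`, `ceph-csi.yaml` and `media-apps.yaml` already preserve their hyphenated role names, or set an explicit role name if the module supports one. Separately, the old `default` role (bound to the `default` service account in every namespace, `"*"`) and `demo_default` have no YAML counterpart; dropping the wildcard-namespace role is a tightening, but it deserves a line in the commit message.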
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
new file mode 100644
index 0000000..4fa0429
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
@@ -0,0 +1,9 @@
+bound_service_account_names:
+ - media-apps-vault-reader
+bound_service_account_namespaces:
+ - media-apps
+token_ttl: 60
+token_policies:
+ - kv/service/media-apps/radarr/read
+ - kv/service/media-apps/sonarr/read
+audience: vault
diff --git a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
new file mode 100644
index 0000000..4d184b6
--- /dev/null
+++ b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
@@ -0,0 +1,12 @@
+bound_service_account_names:
+ - default
+bound_service_account_namespaces:
+ - repoflow
+token_ttl: 60
+token_policies:
+ - kv/service/repoflow/au/syd1/ceph-s3/read
+ - kv/service/repoflow/au/syd1/elasticsearch/read
+ - kv/service/repoflow/au/syd1/hasura/read
+ - kv/service/repoflow/au/syd1/postgres/read
+ - kv/service/repoflow/au/syd1/repoflow-server/read
+audience: vault
diff --git a/config/auth_ldap_backend/ldap.yaml b/config/auth_ldap_backend/ldap.yaml
new file mode 100644
index 0000000..2555c98
--- /dev/null
+++ b/config/auth_ldap_backend/ldap.yaml
@@ -0,0 +1,10 @@
+userdn: "ou=people,ou=users,dc=main,dc=unkin,dc=net"
+userattr: "uid"
+upndomain: "users.main.unkin.net"
+discoverdn: false
+groupdn: "ou=users,dc=main,dc=unkin,dc=net"
+groupfilter: "(&(objectClass=posixGroup)(memberUid={{.Username}}))"
+groupattr: "uid"
+username_as_alias: true
+default_lease_ttl: 24h
+max_lease_ttl: 168h
diff --git a/config/auth_ldap_group/ldap/vault_access.yaml b/config/auth_ldap_group/ldap/vault_access.yaml
new file mode 100644
index 0000000..e430d1a
--- /dev/null
+++ b/config/auth_ldap_group/ldap/vault_access.yaml
@@ -0,0 +1,2 @@
+policies:
+ - "default_access"
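Review bot: `ldap.yaml` omits `url`, `binddn` and `bindpass`, which the deleted `auth_backend_ldap.tf` read from the `kv/service/glauth/services/svc_vault` secret; keeping the bind credential out of a committed YAML file is the right call, but where the module now sources it, and what `url` it uses, is not visible here, and the old value was `ldap://ldap.service.consul`, a plaintext connection over which both the bind password and user passwords travel in clear. If the module still carries that URL, this migration is the natural point to switch to `ldaps://` (or `starttls`) with the server certificate pinned, and to record the decision in this file. `username_as_alias: true` is new relative to the old definition and changes how entity aliases are keyed for LDAP logins, so a one-line comment on why it was added would help the next reviewer; `default_lease_ttl: 24h` / `max_lease_ttl: 168h` are likewise new and are long for an interactive human login backend.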
diff --git a/config/auth_ldap_group/ldap/vault_admin.yaml b/config/auth_ldap_group/ldap/vault_admin.yaml
new file mode 100644
index 0000000..cd28bf2
--- /dev/null
+++ b/config/auth_ldap_group/ldap/vault_admin.yaml
@@ -0,0 +1,3 @@
+policies:
+ - "default_access"
+ - "global-admin"
diff --git a/config/config.hcl b/config/config.hcl
new file mode 100644
index 0000000..405d97e
--- /dev/null
+++ b/config/config.hcl
@@ -0,0 +1,189 @@ +# ============================================================================= +# VAULT MODULE CONFIGURATION SYSTEM +# ============================================================================= +# +# This file automatically discovers and organizes YAML configuration files +# for Vault modules, creating structured configuration maps for Terraform. +# +# HOW IT WORKS: +# 1. Scans all subdirectories for *.yaml files +# 2. Groups files by module type based on directory structure +# 3. Creates unique resource keys to prevent naming conflicts +# 4. Adds computed fields like name, backend, etc. from file paths +# +# DIRECTORY STRUCTURE: +# config/ +# ├── auth_approle_role/ +# │ └── approle/ +# │ ├── certmanager.yaml # Creates key: "approle/certmanager" +# │ └── myapp.yaml # Creates key: "approle/myapp" +# ├── auth_kubernetes_role/ +# │ └── k8s/au/syd1/ +# │ ├── default.yaml # Creates key: "k8s/au/syd1/default" +# │ └── myapp.yaml # Creates key: "k8s/au/syd1/myapp" +# └── kv_secret_backend/ +# ├── kv.yaml # Creates key: "kv" +# └── secrets.yaml # Creates key: "secrets" +# +# EXAMPLE YAML FILE (config/auth_approle_role/approle/myapp.yaml): +# ```yaml +# token_ttl: 3600 +# token_max_ttl: 7200 +# bind_secret_id: true +# token_bound_cidrs: +# - "10.0.0.0/8" +# ``` +# +# This becomes: +# ```hcl +# auth_approle_role = { +# "approle/myapp" = { +# approle_name = "myapp" # Auto-computed from filename +# mount_path = "approle" # Auto-computed from directory +# token_ttl = 3600 # From YAML content +# token_max_ttl = 7200 # From YAML content +# bind_secret_id = true # From YAML content +# token_bound_cidrs = ["10.0.0.0/8"] +# } +# } +# ``` +# +# KEY NAMING PATTERNS: +# - Simple backends: filename only (e.g., "kv", "transit") +# - Role-based resources: full path without extension (e.g., "approle/myapp") +# - This ensures uniqueness when multiple backends have similar role names +# +# GENERATED OUTPUTS: +# - config.auth_approle_backend, config.auth_approle_role, 
etc. +# - Each module gets its own map with properly structured configuration +# +# ============================================================================= + +locals { + # Find all YAML files in subdirectories + config_files = fileset(".", "**/*.yaml") + + # Create a flat map of all files with their content + all_configs = { + for file_path in local.config_files : + file_path => yamldecode(file(file_path)) + } + + # Group by module directory (first part of path) + config = { + auth_approle_backend = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "auth_approle_backend/") + } + auth_approle_role = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "auth_approle_role/", ""), ".yaml") => merge(content, { + approle_name = trimsuffix(basename(file_path), ".yaml") + mount_path = split("/", replace(file_path, "auth_approle_role/", ""))[0] + }) + if startswith(file_path, "auth_approle_role/") + } + auth_ldap_backend = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "auth_ldap_backend/") + } + auth_ldap_group = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "auth_ldap_group/", ""), ".yaml") => merge(content, { + groupname = trimsuffix(basename(file_path), ".yaml") + backend = split("/", replace(file_path, "auth_ldap_group/", ""))[0] + }) + if startswith(file_path, "auth_ldap_group/") + } + auth_kubernetes_backend = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "auth_kubernetes_backend/", ""), ".yaml") => content + if startswith(file_path, "auth_kubernetes_backend/") + } + auth_kubernetes_role = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "auth_kubernetes_role/", ""), ".yaml") => merge(content, { + role_name = trimsuffix(basename(file_path), ".yaml") + backend = 
dirname(replace(file_path, "auth_kubernetes_role/", "")) + }) + if startswith(file_path, "auth_kubernetes_role/") + } + kv_secret_backend = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "kv_secret_backend/") + } + transit_secret_backend = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "transit_secret_backend/") + } + transit_secret_backend_key = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "transit_secret_backend_key/", ""), ".yaml") => merge(content, { + name = trimsuffix(basename(file_path), ".yaml") + backend = dirname(replace(file_path, "transit_secret_backend_key/", "")) + }) + if startswith(file_path, "transit_secret_backend_key/") + } + ssh_secret_backend = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "ssh_secret_backend/") + } + ssh_secret_backend_role = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "ssh_secret_backend_role/", ""), ".yaml") => merge(content, { + name = trimsuffix(basename(file_path), ".yaml") + backend = dirname(replace(file_path, "ssh_secret_backend_role/", "")) + }) + if startswith(file_path, "ssh_secret_backend_role/") + } + pki_secret_backend = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "pki_secret_backend/", ""), ".yaml") => content + if startswith(file_path, "pki_secret_backend/") + } + pki_secret_backend_role = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "pki_secret_backend_role/", ""), ".yaml") => merge(content, { + name = trimsuffix(basename(file_path), ".yaml") + backend = dirname(replace(file_path, "pki_secret_backend_role/", "")) + }) + if startswith(file_path, "pki_secret_backend_role/") + } + kubernetes_secret_backend = { + for 
file_path, content in local.all_configs : + trimsuffix(replace(file_path, "kubernetes_secret_backend/", ""), ".yaml") => content + if startswith(file_path, "kubernetes_secret_backend/") + } + kubernetes_secret_backend_role = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "kubernetes_secret_backend_role/", ""), ".yaml") => merge(content, { + name = trimsuffix(basename(file_path), ".yaml") + backend = dirname(replace(file_path, "kubernetes_secret_backend_role/", "")) + }) + if startswith(file_path, "kubernetes_secret_backend_role/") + } + consul_secret_backend = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "consul_secret_backend/") + } + consul_secret_backend_role = { + for file_path, content in local.all_configs : + trimsuffix(replace(file_path, "consul_secret_backend_role/", ""), ".yaml") => merge(content, { + name = trimsuffix(basename(file_path), ".yaml") + backend = dirname(replace(file_path, "consul_secret_backend_role/", "")) + }) + if startswith(file_path, "consul_secret_backend_role/") + } + pki_mount_only = { + for file_path, content in local.all_configs : + trimsuffix(basename(file_path), ".yaml") => content + if startswith(file_path, "pki_mount_only/") + } + } +} \ No newline at end of file diff --git a/config/kubernetes_secret_backend/kubernetes/au/syd1.yaml b/config/kubernetes_secret_backend/kubernetes/au/syd1.yaml new file mode 100644 index 0000000..6c45b6a --- /dev/null +++ b/config/kubernetes_secret_backend/kubernetes/au/syd1.yaml @@ -0,0 +1,5 @@ +description: "kubernetes secret engine for au-syd1 cluster" +default_lease_ttl_seconds: 600 +max_lease_ttl_seconds: 86400 +kubernetes_host: "https://api-k8s.service.consul:6443" +disable_local_ca_jwt: false 
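Review bot: The new kubernetes secret backend definition carries no `kubernetes_ca_cert` and no `service_account_jwt`, both of which the removed engine_k8s_au_syd1.tf set explicitly (the JWT was read from the kv path `service/kubernetes/au/syd1/service_account_jwt`). With `disable_local_ca_jwt: false` and neither value supplied, Vault falls back to the CA and service-account token of the pod it runs in, which only works when Vault itself runs inside the au-syd1 cluster. If the vault_cluster module resolves these from kv on its own, a comment here would save the next reader the search, e.g. `# kubernetes_ca_cert / service_account_jwt are resolved by the module from kv`; otherwise they need to come back as keys in this file or as module inputs.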
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
new file mode 100644
index 0000000..0144c62
--- /dev/null
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
@@ -0,0 +1,5 @@
+backend: "kubernetes/au/syd1"
+allowed_kubernetes_namespaces:
+ - "*"
+kubernetes_role_type: "ClusterRole"
+extra_labels: {}
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
new file mode 100644
index 0000000..0144c62
--- /dev/null
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
@@ -0,0 +1,5 @@
+backend: "kubernetes/au/syd1"
+allowed_kubernetes_namespaces:
+ - "*"
+kubernetes_role_type: "ClusterRole"
+extra_labels: {}
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
new file mode 100644
index 0000000..0144c62
--- /dev/null
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
@@ -0,0 +1,5 @@
+backend: "kubernetes/au/syd1"
+allowed_kubernetes_namespaces:
+ - "*"
+kubernetes_role_type: "ClusterRole"
+extra_labels: {}
diff --git a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
new file mode 100644
index 0000000..e4b7130
--- /dev/null
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
@@ -0,0 +1,5 @@
+backend: "kubernetes/au/syd1"
+allowed_kubernetes_namespaces:
+ - "media-apps"
+kubernetes_role_type: "Role"
+extra_labels: {}
diff --git a/config/kv_secret_backend/kv.yaml b/config/kv_secret_backend/kv.yaml
new file mode 100644
index 0000000..624cb25
--- /dev/null
+++ b/config/kv_secret_backend/kv.yaml
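Review bot: cluster-admin.yaml, cluster-operator.yaml and cluster-root.yaml are byte-identical (all three carry blob `0144c62`), so the three roles differ only by file name, and none of the four role files — media-apps-operator.yaml included — defines `generated_role_rules`, `kubernetes_role_name` or `service_account_name`; the removed engine_k8s_au_syd1.tf attached a per-role `generated_role_rules` file from resources/k8s/syd1/au/generated_role_rules/. Vault's kubernetes secrets engine requires one of those three on a role, so unless the vault_cluster module derives the rules file from the role name these roles will fail to create, and even if it does, a `generated_role_rules` or `kubernetes_role_name` key here would make each role's actual scope visible at review time. `extra_labels: {}` also drops the `vault-region`/`vault-role` labels the old definitions put on the generated ServiceAccounts, which is worth a note if deliberate.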
@@ -0,0 +1,4 @@
+type: kv-v2
+description: "Key-Value secrets engine"
+version: "2"
+max_versions: 10
diff --git a/config/kv_secret_backend/rundeck.yaml b/config/kv_secret_backend/rundeck.yaml
new file mode 100644
index 0000000..4979e4b
--- /dev/null
+++ b/config/kv_secret_backend/rundeck.yaml
@@ -0,0 +1,4 @@
+type: kv-v2
+description: "Rundeck secrets engine"
+version: "2"
+max_versions: 5
diff --git a/config/pki_mount_only/pki_int.yaml b/config/pki_mount_only/pki_int.yaml
new file mode 100644
index 0000000..b7ab963
--- /dev/null
+++ b/config/pki_mount_only/pki_int.yaml
@@ -0,0 +1,17 @@
+description: "PKI Intermediate CA"
+max_lease_ttl_seconds: 157680000 # 43800 hours * 3600
+issuer_ref: "default"
+issuing_certificates:
+ - "https://vault.service.consul:8200/v1/pki_int/ca"
+crl_distribution_points:
+ - "https://vault.service.consul:8200/v1/pki_int/crl"
+ocsp_servers: []
+enable_templating: false
+default_issuer_ref: null
+default_follows_latest_issuer: false
+crl_expiry: "72h"
+crl_disable: false
+ocsp_disable: false
+auto_rebuild: false
+enable_delta: false
+delta_rebuild_interval: null
diff --git a/config/pki_mount_only/pki_root.yaml b/config/pki_mount_only/pki_root.yaml
new file mode 100644
index 0000000..499169e
--- /dev/null
+++ b/config/pki_mount_only/pki_root.yaml
@@ -0,0 +1,17 @@
+description: "PKI Root CA"
+max_lease_ttl_seconds: 315360000 # 10 years
+issuer_ref: "default"
+issuing_certificates:
+ - "https://vault.service.consul:8200/v1/pki_root/ca"
+crl_distribution_points:
+ - "https://vault.service.consul:8200/v1/pki_root/crl"
+ocsp_servers: []
+enable_templating: false
+default_issuer_ref: null
+default_follows_latest_issuer: false
+crl_expiry: "72h"
+crl_disable: false
+ocsp_disable: false
+auto_rebuild: false
+enable_delta: false
+delta_rebuild_interval: null
diff --git a/config/pki_secret_backend/pki/au/syd1.yaml b/config/pki_secret_backend/pki/au/syd1.yaml
new file mode 100644
index 0000000..fd3c6ef
--- /dev/null
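Review bot: `type: kv-v2` and `version: "2"` in kv.yaml (and rundeck.yaml) state the same thing twice; the removed engine_kv.tf used `type = "kv"` with `options = { version = "2" }`, and which of the two keys the module honours is not visible here, so one of them should go — `type: kv` plus `version: "2"` if the module still writes `options.version`. The removed mount also carried `listing_visibility = "hidden"` and `max_lease_ttl_seconds = 0`, neither of which appears in the YAML; if the module defaults differ, the kv mount's UI visibility and lease ceiling change silently with this commit. `max_versions` is, as far as I can tell, kv-v2 backend configuration rather than a mount option, so a trailing `# kv-v2 config, not a mount option` would make the split explicit for whoever maps these keys.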
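Review bot: With `crl_disable: false`, `crl_expiry: "72h"` and `auto_rebuild: false`, the CRL published at `/v1/pki_int/crl` is only regenerated when a certificate is revoked, so after 72 hours without a revocation any client that checks the CRL sees an expired one; pki_root.yaml here and pki/au/syd1.yaml in the next hunk carry the same combination. Setting `auto_rebuild: true` (optionally with an `auto_rebuild_grace_period`) makes Vault rebuild the CRL before it expires. As far as I recall delta CRLs also require auto-rebuild, so `enable_delta: false` / `delta_rebuild_interval: null` are inert until that is switched on — worth a one-line comment either way.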
+++ b/config/pki_secret_backend/pki/au/syd1.yaml
@@ -0,0 +1,18 @@
+description: "PKI Root CA AU SYD1"
+max_lease_ttl_seconds: 315360000 # 87600 * 3600
+common_name: "unkin.net AU SYD1 Root CA"
+issuer_name: "UNKIN_AU_SYD1_ROOTCA_2024"
+ttl: 315360000 # 87600 * 3600
+format: "pem"
+issuing_certificates:
+ - "https://vault.service.consul:8200/v1/pki/au/syd1/ca"
+crl_distribution_points:
+ - "https://vault.service.consul:8200/v1/pki/au/syd1/crl"
+ocsp_servers: []
+enable_templating: false
+default_follows_latest_issuer: false
+crl_expiry: "72h"
+crl_disable: false
+ocsp_disable: false
+auto_rebuild: false
+enable_delta: false
diff --git a/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml b/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
new file mode 100644
index 0000000..b742321
--- /dev/null
+++ b/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
@@ -0,0 +1,17 @@
+backend: "pki/au/syd1"
+allow_ip_sans: true
+allowed_domains:
+ - "unkin.net"
+ - "*.unkin.net"
+ - "localhost"
+allow_subdomains: true
+allow_glob_domains: true
+allow_bare_domains: true
+enforce_hostnames: true
+allow_any_name: true
+max_ttl: 7776000 # 2160 * 3600
+key_bits: 4096
+country:
+ - "Australia"
+use_csr_common_name: true
+use_csr_sans: true
diff --git a/config/pki_secret_backend_role/pki_int/servers_default.yaml b/config/pki_secret_backend_role/pki_int/servers_default.yaml
new file mode 100644
index 0000000..e4f9ff0
--- /dev/null
+++ b/config/pki_secret_backend_role/pki_int/servers_default.yaml
@@ -0,0 +1,17 @@
+backend: "pki_int"
+allow_ip_sans: true
+allowed_domains:
+ - "unkin.net"
+ - "*.unkin.net"
+ - "localhost"
+allow_subdomains: true
+allow_glob_domains: true
+allow_bare_domains: true
+enforce_hostnames: true
+allow_any_name: true
+max_ttl: 7776000 # 2160 * 3600
+key_bits: 4096
+country:
+ - "Australia"
+use_csr_common_name: true
+use_csr_sans: true
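Review bot: The CA definition for `pki/au/syd1` has no `type` key; the commented-out root_cert resource in the removed engine_pki_root.tf set `type = "internal"`, and the provider's root-cert resource appears to require it. If the module hardcodes `internal`, fine, but it is worth a line here — `type: "internal" # private key never leaves Vault` — so nobody later flips a module default to `exported`, which would land the root key in Terraform state. Separately, the mount's `max_lease_ttl_seconds` equals the root's own `ttl` (10 years), so the issuance ceiling for this mount is held down only by the role `max_ttl` values.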
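Review bot: `allow_any_name: true` in both servers_default.yaml files (pki/au/syd1 and pki_int) overrides the `allowed_domains`, `allow_subdomains`, `allow_glob_domains` and `allow_bare_domains` lines above it: any caller holding the issue policy can obtain a certificate for a name outside unkin.net, and only `enforce_hostnames: true` still constrains the shape of the name. If the domain list is the intended boundary, drop the line or set `allow_any_name: false`; if any-name issuance is deliberate, a comment saying why belongs next to it. `country:` / `- "Australia"` is also worth checking — the X.509 C attribute is a two-letter ISO 3166 code, so `- "AU"` is the conventional value.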
diff --git a/config/pki_secret_backend_role/pki_root/2024-servers.yaml b/config/pki_secret_backend_role/pki_root/2024-servers.yaml
new file mode 100644
index 0000000..acdb7f1
--- /dev/null
+++ b/config/pki_secret_backend_role/pki_root/2024-servers.yaml
@@ -0,0 +1,15 @@
+backend: "pki_root"
+allow_ip_sans: true
+allowed_domains:
+ - "unkin.net"
+ - "unkin.local"
+allow_subdomains: true
+allow_glob_domains: false
+allow_bare_domains: true
+enforce_hostnames: false
+allow_any_name: false
+max_ttl: 31536000 # 8760h in seconds
+key_bits: 2048
+country: []
+use_csr_common_name: true
+use_csr_sans: true
diff --git a/config/ssh_secret_backend/sshca.yaml b/config/ssh_secret_backend/sshca.yaml
new file mode 100644
index 0000000..158fc5f
--- /dev/null
+++ b/config/ssh_secret_backend/sshca.yaml
@@ -0,0 +1,4 @@
+description: "SSH CA Engine"
+max_lease_ttl_seconds: 315360000 # 87600 * 3600
+generate_signing_key: true
+key_type: ssh-rsa
diff --git a/config/ssh_secret_backend_role/sshca/signhost.yaml b/config/ssh_secret_backend_role/sshca/signhost.yaml
new file mode 100644
index 0000000..e3b71b4
--- /dev/null
+++ b/config/ssh_secret_backend_role/sshca/signhost.yaml
@@ -0,0 +1,8 @@
+key_type: ca
+algorithm_signer: rsa-sha2-256
+ttl: 315360000 # 87600 * 3600
+allow_host_certificates: true
+allow_user_certificates: false
+allowed_domains: "main.unkin.net,consul"
+allow_subdomains: true
+allow_bare_domains: false
diff --git a/config/transit_secret_backend/transit.yaml b/config/transit_secret_backend/transit.yaml
new file mode 100644
index 0000000..8d0e898
--- /dev/null
+++ b/config/transit_secret_backend/transit.yaml
@@ -0,0 +1,3 @@
+description: "Transit Engine"
+default_lease_ttl_seconds: 3600
+max_lease_ttl_seconds: 86400
diff --git a/config/transit_secret_backend_key/transit/au-syd1-k8s-vso.yaml b/config/transit_secret_backend_key/transit/au-syd1-k8s-vso.yaml
new file mode 100644
index 0000000..71cf0e1
--- /dev/null
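Review bot: `ttl: 315360000` in signhost.yaml gives every host certificate signed through this role a ten-year lifetime, the same as the CA's `max_lease_ttl_seconds` in sshca.yaml, which removes the main benefit of CA-signed host keys — that a compromised host's certificate simply ages out. Hosts that can reach `sshca/sign/signhost` at provisioning time can re-sign on a schedule, so a ttl in the days-to-months range, e.g. `ttl: 7776000 # 90 days`, is the usual choice. `allow_bare_domains: false` together with `allowed_domains: "main.unkin.net,consul"` means a certificate for the bare name `consul` is refused while `<x>.consul` names are accepted; a comment would confirm that is intended.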
+++ b/config/transit_secret_backend_key/transit/au-syd1-k8s-vso.yaml
@@ -0,0 +1,5 @@
+type: aes256-gcm96
+deletion_allowed: false
+derived: false
+exportable: false
+allow_plaintext_backup: false
diff --git a/engine_k8s_au_syd1.tf b/engine_k8s_au_syd1.tf
deleted file mode 100644
index 9db2435..0000000
--- a/engine_k8s_au_syd1.tf
+++ /dev/null
@@ -1,72 +0,0 @@ -# Data source to read the service_token_jwt from Vault KV -data "vault_kv_secret_v2" "service_account_jwt_au_syd1" { - mount = "kv" - name = "service/kubernetes/au/syd1/service_account_jwt" -} - -resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" { - path = "kubernetes/au/syd1" - description = "kubernetes secret engine for au-syd1 cluster" - default_lease_ttl_seconds = 600 - max_lease_ttl_seconds = 86400 - kubernetes_host = "https://api-k8s.service.consul:6443" - kubernetes_ca_cert = local.kubernetes_ca_cert_au_syd1 - service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"] - disable_local_ca_jwt = false -} - -resource "vault_kubernetes_secret_backend_role" "media_apps_operator" { - backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path - name = "vault-media-apps-operator" - allowed_kubernetes_namespaces = ["media-apps"] - kubernetes_role_type = "Role" - - generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml") - - extra_labels = { - vault-region = "au-syd1" - vault-role = "vault-media-apps-operator" - } -} - -resource "vault_kubernetes_secret_backend_role" "cluster_operator" { - backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path - name = "vault-cluster-operator" - allowed_kubernetes_namespaces = ["*"] - kubernetes_role_type = "ClusterRole" - - generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml") - - extra_labels = { - vault-region = "au-syd1" - vault-role = "vault-cluster-operator" - } -} - -resource "vault_kubernetes_secret_backend_role" "cluster_admin" { - backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path - name = "vault-cluster-admin" - allowed_kubernetes_namespaces = ["*"] - kubernetes_role_type = "ClusterRole" - - generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml") - - extra_labels = { - 
vault-region = "au-syd1" - vault-role = "vault-cluster-admin" - } -} - -resource "vault_kubernetes_secret_backend_role" "cluster_root" { - backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path - name = "vault-cluster-root" - allowed_kubernetes_namespaces = ["*"] - kubernetes_role_type = "ClusterRole" - - generated_role_rules = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml") - - extra_labels = { - vault-region = "au-syd1" - vault-role = "vault-cluster-root" - } -} diff --git a/engine_kv.tf b/engine_kv.tf deleted file mode 100644 index 5b1f11e..0000000 --- a/engine_kv.tf +++ /dev/null @@ -1,15 +0,0 @@ -#-------------------------------------------------------------- -# kv -# create engine -#-------------------------------------------------------------- -resource "vault_mount" "kv" { - path = "kv" - type = "kv" - listing_visibility = "hidden" - max_lease_ttl_seconds = 0 - external_entropy_access = false - seal_wrap = false - options = { - version = "2" - } -} diff --git a/engine_pki_int.tf b/engine_pki_int.tf deleted file mode 100644 index a2d5a54..0000000 --- a/engine_pki_int.tf +++ /dev/null 
@@ -1,49 +0,0 @@ -#-------------------------------------------------------------- -# pki_int -# create engine -# generate intermediate csa -# sign the intermediate against rootca -# set the signed intermediate cert in the pki_int engine -#-------------------------------------------------------------- -resource "vault_mount" "pki_int" { - path = "pki_int" - type = "pki" - description = "PKI Intermediate CA" - max_lease_ttl_seconds = 43800 * 3600 # 43800 hours -} - -## Generate the intermediate CSR -#resource "vault_pki_secret_backend_intermediate_cert_request" "pki_int_intermediate" { -# backend = vault_mount.pki_int.path -# common_name = "unkin.net Intermediate Authority" -# format = "pem" -# type = "internal" -#} -# -## Sign the intermediate CSR using the root CA -#resource "vault_generic_endpoint" "pki_root_sign_intermediate" { -# path = "${vault_mount.pki_root.path}/root/sign-intermediate" -# -# data_json = jsonencode({ -# csr = vault_pki_secret_backend_intermediate_cert_request.pki_int_intermediate.csr, -# format = "pem_bundle", -# ttl = "43800h", -# issuer_ref = "UNKIN_ROOTCA_2024" -# }) -#} -# -## Decode the certificate from the response -#locals { -# intermediate_signed_cert = vault_generic_endpoint.pki_root_sign_intermediate.write_data["certificate"] -#} -# -## Set the signed intermediate certificate -#resource "vault_pki_secret_backend_intermediate_set_signed" "pki_int_set_signed" { -# backend = vault_mount.pki_int.path -# certificate = local.intermediate_signed_cert -#} - -#data "vault_pki_secret_backend_issuer" "pki_int_issuer" { -# backend = vault_mount.pki_int.path -# issuer_ref = data.vault_pki_secret_backend_root_cert.root.issuer_id -#} diff --git a/engine_pki_root.tf b/engine_pki_root.tf deleted file mode 100644 index 576fd80..0000000 --- a/engine_pki_root.tf +++ /dev/null 
@@ -1,39 +0,0 @@ -#------------------------------------------- -# pki_root: -# create engine -# generate rootca certificate -# read the issuer -# configure the pki urls -#------------------------------------------- -resource "vault_mount" "pki_root" { - path = "pki_root" - type = "pki" - description = "PKI Root CA" - max_lease_ttl_seconds = 87600 * 3600 # 87600h -} - -#resource "vault_pki_secret_backend_root_cert" "pki_root_root_cert" { -# backend = vault_mount.pki_root.path -# common_name = "unkin.net" -# issuer_name = "UNKIN_ROOTCA_2024" -# ttl = 87600 * 3600 -# format = "pem" -# type = "internal" -#} -# -#output "root_certificate" { -# value = vault_pki_secret_backend_root_cert.pki_root_root_cert.certificate -# sensitive = true -#} - -data "vault_pki_secret_backend_issuer" "pki_root_issuer" { - backend = vault_mount.pki_root.path - issuer_ref = "default" -} - -resource "vault_pki_secret_backend_config_urls" "pki_root_urls" { - backend = vault_mount.pki_root.path - - issuing_certificates = ["${local.vault_addr}/v1/pki_root/ca"] - crl_distribution_points = ["${local.vault_addr}/v1/pki_root/crl"] -} diff --git a/engine_rundeck.tf b/engine_rundeck.tf deleted file mode 100644 index b368c99..0000000 --- a/engine_rundeck.tf +++ /dev/null @@ -1,14 +0,0 @@ -#-------------------------------------------------------------- -# rundeck -# create engine -#-------------------------------------------------------------- -resource "vault_mount" "rundeck" { - path = "rundeck" - type = "kv" - max_lease_ttl_seconds = 0 - external_entropy_access = false - seal_wrap = false - options = { - version = "2" - } -} diff --git a/engine_ssh-host-signer.tf b/engine_ssh-host-signer.tf deleted file mode 100644 index c64de19..0000000 --- a/engine_ssh-host-signer.tf +++ /dev/null 
@@ -1,18 +0,0 @@ -#-------------------------------------------------------------- -# ssh-host-signer -# create engine -# generate ca cert -# tune the ssh engine -#-------------------------------------------------------------- -#resource "vault_mount" "ssh_host_signer" { -# path = "ssh-host-signer" -# type = "ssh" -# description = "SSH Host Signing Engine" -# max_lease_ttl_seconds = 87600 * 3600 -#} -# -#resource "vault_ssh_secret_backend_ca" "ssh_host_signer_ca" { -# backend = vault_mount.ssh_host_signer.path -# generate_signing_key = false # change to true for new configuration -# key_type = "ssh-rsa" -#} diff --git a/engine_sshca.tf b/engine_sshca.tf deleted file mode 100644 index 8fdb483..0000000 --- a/engine_sshca.tf +++ /dev/null @@ -1,18 +0,0 @@ -#-------------------------------------------------------------- -# ssh -# create engine -# generate ca cert -# tune the ssh engine -#-------------------------------------------------------------- -resource "vault_mount" "sshca" { - path = "sshca" - type = "ssh" - description = "SSH CA Engine" - max_lease_ttl_seconds = 87600 * 3600 -} - -resource "vault_ssh_secret_backend_ca" "ssh_ca" { - backend = vault_mount.sshca.path - generate_signing_key = true - key_type = "ssh-rsa" -} diff --git a/engine_transit.tf b/engine_transit.tf deleted file mode 100644 index c596b9b..0000000 --- a/engine_transit.tf +++ /dev/null @@ -1,13 +0,0 @@ -resource "vault_mount" "transit" { - path = "transit" - type = "transit" - description = "Transit Engine" - default_lease_ttl_seconds = 3600 - max_lease_ttl_seconds = 86400 -} - -resource "vault_transit_secret_backend_key" "key" { - backend = vault_mount.transit.path - name = "au-syd1-k8s-vso" - type = "aes256-gcm96" -} diff --git a/environments/au/syd1/terragrunt.hcl b/environments/au/syd1/terragrunt.hcl new file mode 100644 index 0000000..6549cee --- /dev/null +++ b/environments/au/syd1/terragrunt.hcl 
@@ -0,0 +1,60 @@
+include "root" {
+ path = find_in_parent_folders("root.hcl")
+ expose = true
+}
+
+include "config" {
+ path = "${get_repo_root()}/config/config.hcl"
+ expose = true
+}
+
+include "policies" {
+ path = "${get_repo_root()}/policies/policies.hcl"
+ expose = true
+}
+
+locals {
+ # Extract country and region from path
+ path_parts = split("/", dirname(get_terragrunt_dir()))
+ country = basename(dirname(get_terragrunt_dir())) # "au"
+ region = basename(get_terragrunt_dir()) # "syd1"
+
+ # Include configuration from config.hcl
+ config = include.config.locals.config
+
+ # Include policies from policies.hcl
+ policies = include.policies.locals
+}
+
+terraform {
+ source = "../../../modules/vault_cluster"
+}
+
+inputs = {
+ country = local.country
+ region = local.region
+
+ # Pass configuration maps to vault_cluster module
+ auth_approle_backend = local.config.auth_approle_backend
+ auth_approle_role = local.config.auth_approle_role
+ auth_ldap_backend = local.config.auth_ldap_backend
+ auth_ldap_group = local.config.auth_ldap_group
+ auth_kubernetes_backend = local.config.auth_kubernetes_backend
+ auth_kubernetes_role = local.config.auth_kubernetes_role
+ kv_secret_backend = local.config.kv_secret_backend
+ transit_secret_backend = local.config.transit_secret_backend
+ transit_secret_backend_key = local.config.transit_secret_backend_key
+ ssh_secret_backend = local.config.ssh_secret_backend
+ ssh_secret_backend_role = local.config.ssh_secret_backend_role
+ pki_secret_backend = local.config.pki_secret_backend
+ pki_secret_backend_role = local.config.pki_secret_backend_role
+ consul_secret_backend = local.config.consul_secret_backend
+ consul_secret_backend_role = local.config.consul_secret_backend_role
+ kubernetes_secret_backend = local.config.kubernetes_secret_backend
+ kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
+ pki_mount_only = local.config.pki_mount_only
+
+ # Pass policy maps to vault_cluster module
+ policy_auth_map = local.policies.policy_auth_map
+ policy_rules_map = local.policies.policy_rules_map
+}
diff --git a/main.tf b/environments/root.hcl
similarity index 82%
rename from main.tf
rename to environments/root.hcl
index dc249c3..43e86bf 100644
--- a/main.tf
+++ b/environments/root.hcl
@@ -1,3 +1,8 @@
+# Generate root backend.tf
+generate "backend" {
+ path = "backend.tf"
+ if_exists = "overwrite"
+ contents = < p } - - name = each.key - policy = file(each.value.path) -}
diff --git a/policies/auth/approle/admin.yaml b/policies/auth/approle/admin.yaml
new file mode 100644
index 0000000..e61852c
--- /dev/null
+++ b/policies/auth/approle/admin.yaml
@@ -0,0 +1,14 @@
+# Allow full administration of AppRole roles
+---
+rules:
+ - path: "auth/approle/role/*"
+ capabilities:
+ - create
+ - update
+ - read
+ - delete
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/auth/approle/approle_role_admin.hcl b/policies/auth/approle/approle_role_admin.hcl
deleted file mode 100644
index 7ebf64f..0000000
--- a/policies/auth/approle/approle_role_admin.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "auth/approle/role/*" {
- capabilities = ["create", "update", "read", "delete", "list"]
-}
diff --git a/policies/auth/approle/approle_role_login.hcl b/policies/auth/approle/approle_role_login.hcl
deleted file mode 100644
index f548494..0000000
--- a/policies/auth/approle/approle_role_login.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "auth/approle/login" {
- capabilities = ["create"]
-}
diff --git a/policies/auth/approle/login.yaml b/policies/auth/approle/login.yaml
new file mode 100644
index 0000000..b4fb933
--- /dev/null
+++ b/policies/auth/approle/login.yaml
@@ -0,0 +1,10 @@
+# Allow AppRole login
+---
+rules:
+ - path: "auth/approle/login"
+ capabilities:
+ - create
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/auth/k8s/au/syd1/admin.yaml b/policies/auth/k8s/au/syd1/admin.yaml
new file mode 100644
index 0000000..2754b5a
--- /dev/null
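Review bot: `path_parts` in the locals block of environments/au/syd1/terragrunt.hcl is assigned but never read; `country` and `region` recompute what they need from `get_terragrunt_dir()` directly, so the line `path_parts = split("/", dirname(get_terragrunt_dir()))` can be deleted. The `terraform { source = "../../../modules/vault_cluster" }` block also uses a relative path while the two `include` blocks resolve via `get_repo_root()`; `source = "${get_repo_root()}/modules/vault_cluster"` keeps the file working if an environment is ever copied to a different depth. The root.hcl hunk that follows is garbled on this page (the heredoc body after `contents = ` is missing), so it is not reviewed here.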
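Review bot: admin.yaml grants create/update/delete on `auth/approle/role/*` to the `tf_vault` AppRole (assuming `auth.approle` lists the roles a policy is attached to), and that path includes `auth/approle/role/tf_vault` itself, so a holder of tf_vault credentials can extend tf_vault's own `token_policies`. That is inherent to Terraform managing AppRoles, but it should be stated in the file header, e.g. `# NOTE: tf_vault can modify its own role through this policy; treat its role_id/secret_id as root-equivalent`. login.yaml in the same hunk gives tf_vault create on `auth/approle/login`, which a token obtained through AppRole login never needs because the login endpoint is unauthenticated; it was carried over from the deleted approle_role_login.hcl and can likely be dropped or re-pointed at whichever principal actually needs it.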
+++ b/policies/auth/k8s/au/syd1/admin.yaml @@ -0,0 +1,23 @@ +# Allow administration of Kubernetes authentication backend +--- +rules: + - path: "auth/k8s/au/syd1/config" + capabilities: + - create + - update + - read + - delete + - path: "auth/k8s/au/syd1/role/*" + capabilities: + - create + - update + - read + - delete + - list + - path: "auth/k8s/au/syd1/role" + capabilities: + - list + +auth: + approle: + - tf_vault diff --git a/policies/auth/kubernetes/k8s_auth_admin.hcl b/policies/auth/kubernetes/k8s_auth_admin.hcl deleted file mode 100644 index 83d484c..0000000 --- a/policies/auth/kubernetes/k8s_auth_admin.hcl +++ /dev/null @@ -1,14 +0,0 @@ -# Allow configuration of Kubernetes authentication backend -path "auth/kubernetes/config" { - capabilities = ["create", "update", "read", "delete"] -} - -# Allow management of Kubernetes auth roles -path "auth/kubernetes/role/*" { - capabilities = ["create", "update", "read", "delete", "list"] -} - -# Allow listing auth/kubernetes/role -path "auth/kubernetes/role" { - capabilities = ["list"] -} \ No newline at end of file diff --git a/policies/auth/ldap/admin.yaml b/policies/auth/ldap/admin.yaml new file mode 100644 index 0000000..9d3637c --- /dev/null +++ b/policies/auth/ldap/admin.yaml @@ -0,0 +1,14 @@ +# Allow full administration of LDAP auth backend +--- +rules: + - path: "auth/ldap/*" + capabilities: + - create + - update + - read + - delete + - list + +auth: + approle: + - tf_vault diff --git a/policies/auth/ldap/ldap_admin.hcl b/policies/auth/ldap/ldap_admin.hcl deleted file mode 100644 index 5a790b8..0000000 --- a/policies/auth/ldap/ldap_admin.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "auth/ldap/*" { - capabilities = ["create", "update", "read", "delete", "list"] -} diff --git a/policies/auth/token/auth_token_create.hcl b/policies/auth/token/auth_token_create.hcl deleted file mode 100644 index ff3d7f8..0000000 --- a/policies/auth/token/auth_token_create.hcl +++ /dev/null 
@@ -1,7 +0,0 @@ -path "auth/token/create" { - capabilities = ["create", "read", "update", "list"] -} - -path "auth/token/*" { - capabilities = ["create", "update"] -} diff --git a/policies/auth/token/auth_token_lookup.hcl b/policies/auth/token/auth_token_lookup.hcl deleted file mode 100644 index d33244c..0000000 --- a/policies/auth/token/auth_token_lookup.hcl +++ /dev/null @@ -1,4 +0,0 @@ -# Allow listing and reading tokens -path "auth/token/lookup" { - capabilities = ["read", "list"] -} diff --git a/policies/auth/token/auth_token_renew.hcl b/policies/auth/token/auth_token_renew.hcl deleted file mode 100644 index 92e5ca3..0000000 --- a/policies/auth/token/auth_token_renew.hcl +++ /dev/null @@ -1,4 +0,0 @@ -# Allow renewing tokens -path "auth/token/renew" { - capabilities = ["update"] -} diff --git a/policies/auth/token/auth_token_roles_admin.hcl b/policies/auth/token/auth_token_roles_admin.hcl deleted file mode 100644 index 7bc329f..0000000 --- a/policies/auth/token/auth_token_roles_admin.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "auth/token/roles/*" { - capabilities = ["create", "read", "update", "delete", "list"] -} diff --git a/policies/auth/token/auth_token_self.hcl b/policies/auth/token/auth_token_self.hcl deleted file mode 100644 index 4e80d4c..0000000 --- a/policies/auth/token/auth_token_self.hcl +++ /dev/null @@ -1,14 +0,0 @@ -# Allow tokens to query themselves -path "auth/token/lookup-self" { - capabilities = ["read"] -} - -# Allow tokens to renew themselves -path "auth/token/renew-self" { - capabilities = ["update"] -} - -# Allow tokens to revoke themselves -path "auth/token/revoke-self" { - capabilities = ["update"] -} diff --git a/policies/auth/token/create.yaml b/policies/auth/token/create.yaml new file mode 100644 index 0000000..e9cdaf9 --- /dev/null +++ b/policies/auth/token/create.yaml 
@@ -0,0 +1,17 @@
+# Allow token creation and management
+---
+rules:
+ - path: "auth/token/create"
+ capabilities:
+ - create
+ - read
+ - update
+ - list
+ - path: "auth/token/*"
+ capabilities:
+ - create
+ - update
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/auth/token/lookup.yaml b/policies/auth/token/lookup.yaml
new file mode 100644
index 0000000..4f883bb
--- /dev/null
+++ b/policies/auth/token/lookup.yaml
@@ -0,0 +1,11 @@
+# Allow listing and reading tokens
+---
+rules:
+ - path: "auth/token/lookup"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/auth/token/renew.yaml b/policies/auth/token/renew.yaml
new file mode 100644
index 0000000..2699f8a
--- /dev/null
+++ b/policies/auth/token/renew.yaml
@@ -0,0 +1,10 @@
+# Allow renewing tokens
+---
+rules:
+ - path: "auth/token/renew"
+ capabilities:
+ - update
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/auth/token/roles/admin.yaml b/policies/auth/token/roles/admin.yaml
new file mode 100644
index 0000000..dcf1ba7
--- /dev/null
+++ b/policies/auth/token/roles/admin.yaml
@@ -0,0 +1,14 @@
+# Allow administration of token roles
+---
+rules:
+ - path: "auth/token/roles/*"
+ capabilities:
+ - create
+ - read
+ - update
+ - delete
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/auth/token/self.yaml b/policies/auth/token/self.yaml
new file mode 100644
index 0000000..4d94d9a
--- /dev/null
+++ b/policies/auth/token/self.yaml
@@ -0,0 +1,16 @@
+# Allow tokens to query themselves
+---
+rules:
+ - path: "auth/token/lookup-self"
+ capabilities:
+ - read
+ - path: "auth/token/renew-self"
+ capabilities:
+ - update
+ - path: "auth/token/revoke-self"
+ capabilities:
+ - update
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/default_access.hcl b/policies/default_access.hcl
deleted file mode 100644
index f981711..0000000
--- a/policies/default_access.hcl
+++ /dev/null
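Review bot: The second rule in create.yaml, `auth/token/*` with create and update, reaches well beyond creation: it covers `auth/token/revoke`, `auth/token/revoke-accessor`, `auth/token/tidy` and the `auth/token/roles/` tree that roles/admin.yaml grants separately, so any principal given this policy can revoke arbitrary tokens by id or accessor. If the aim is creating tokens against named roles, `auth/token/create/*` with update is the narrower path; if the wide rule is needed, the header comment should say which operations it is meant to cover. The rule is carried over from the deleted auth_token_create.hcl, so the width is not new, but the YAML rewrite is the natural point to narrow it.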
@@ -1,15 +0,0 @@
-path "pki_int/*" {
- capabilities = ["list", "read"]
-}
-
-path "pki_root/*" {
- capabilities = ["list", "read"]
-}
-
-path "ssh-host-signer/*" {
- capabilities = ["list", "read"]
-}
-
-path "sshca/*" {
- capabilities = ["list", "read"]
-}
diff --git a/policies/global-root.yaml b/policies/global-root.yaml
new file mode 100644
index 0000000..62e4e3a
--- /dev/null
+++ b/policies/global-root.yaml
@@ -0,0 +1,15 @@
+# Global root policy with full access to all paths
+---
+rules:
+ - path: "*"
+ capabilities:
+ - create
+ - read
+ - update
+ - delete
+ - list
+ - sudo
+
+auth:
+ ldap:
+ - vault_admin
diff --git a/policies/kubernetes/au/config_admin.hcl b/policies/kubernetes/au/config_admin.hcl
deleted file mode 100644
index fa245ed..0000000
--- a/policies/kubernetes/au/config_admin.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "kubernetes/au/+/config" {
- capabilities = ["create", "update", "read", "delete", "list"]
-}
diff --git a/policies/kubernetes/au/config_admin.yaml b/policies/kubernetes/au/config_admin.yaml
new file mode 100644
index 0000000..64387f3
--- /dev/null
+++ b/policies/kubernetes/au/config_admin.yaml
@@ -0,0 +1,14 @@
+# Allow administration of Kubernetes secret backend config
+---
+rules:
+ - path: "kubernetes/au/+/config"
+ capabilities:
+ - create
+ - update
+ - read
+ - delete
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/kubernetes/au/roles_admin.hcl b/policies/kubernetes/au/roles_admin.hcl
deleted file mode 100644
index cff7bd2..0000000
--- a/policies/kubernetes/au/roles_admin.hcl
+++ /dev/null
@@ -1,6 +0,0 @@
-path "kubernetes/au/+/roles" {
- capabilities = ["list"]
-}
-path "kubernetes/au/+/roles/*" {
- capabilities = ["create", "update", "read", "delete", "list"]
-}
diff --git a/policies/kubernetes/au/roles_admin.yaml b/policies/kubernetes/au/roles_admin.yaml
new file mode 100644
index 0000000..d540655
--- /dev/null
+++ b/policies/kubernetes/au/roles_admin.yaml
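Review bot: global-root.yaml's `path: "*"` with every capability including `sudo` is equivalent to the built-in root policy, so binding it to the LDAP group `vault_admin` makes directory group membership the sole control on Vault root access. A policy this wide should say so in its header, e.g. `# Root-equivalent: membership of LDAP group vault_admin == Vault root; review that group with the same rigour as the root token`. It is also worth confirming that the principals holding auth/ldap/admin.yaml (full control over `auth/ldap/*`, granted to tf_vault) are not the same ones, since that policy can rewrite the group-to-policy mapping that gates this one.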
@@ -0,0 +1,17 @@ +# Allow administration of Kubernetes secret backend roles +--- +rules: + - path: "kubernetes/au/+/roles" + capabilities: + - list + - path: "kubernetes/au/+/roles/*" + capabilities: + - create + - update + - read + - delete + - list + +auth: + approle: + - tf_vault diff --git a/policies/kubernetes/au/syd1/creds/cluster-admin.hcl b/policies/kubernetes/au/syd1/creds/cluster-admin.hcl deleted file mode 100644 index e7aa0cb..0000000 --- a/policies/kubernetes/au/syd1/creds/cluster-admin.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kubernetes/au/syd1/creds/cluster-admin" { - capabilities = ["update"] -} \ No newline at end of file diff --git a/policies/kubernetes/au/syd1/creds/cluster-admin.yaml b/policies/kubernetes/au/syd1/creds/cluster-admin.yaml new file mode 100644 index 0000000..68a3781 --- /dev/null +++ b/policies/kubernetes/au/syd1/creds/cluster-admin.yaml @@ -0,0 +1,10 @@ +# Allow access to cluster-admin Kubernetes credentials +--- +rules: + - path: "kubernetes/au/syd1/creds/cluster-admin" + capabilities: + - update + +auth: + approle: + - tf_vault diff --git a/policies/kubernetes/au/syd1/creds/cluster-operator.hcl b/policies/kubernetes/au/syd1/creds/cluster-operator.hcl deleted file mode 100644 index b0d507a..0000000 --- a/policies/kubernetes/au/syd1/creds/cluster-operator.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kubernetes/au/syd1/creds/cluster-operator" { - capabilities = ["update"] -} \ No newline at end of file diff --git a/policies/kubernetes/au/syd1/creds/cluster-operator.yaml b/policies/kubernetes/au/syd1/creds/cluster-operator.yaml new file mode 100644 index 0000000..7f5dde7 --- /dev/null +++ b/policies/kubernetes/au/syd1/creds/cluster-operator.yaml @@ -0,0 +1,10 @@ +# Allow access to cluster-operator Kubernetes credentials +--- +rules: + - path: "kubernetes/au/syd1/creds/cluster-operator" + capabilities: + - update + +auth: + approle: + - tf_vault 
diff --git a/policies/kubernetes/au/syd1/creds/cluster-root.hcl b/policies/kubernetes/au/syd1/creds/cluster-root.hcl deleted file mode 100644 index 6dd2f14..0000000 --- a/policies/kubernetes/au/syd1/creds/cluster-root.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kubernetes/au/syd1/creds/cluster-root" { - capabilities = ["update"] -} \ No newline at end of file diff --git a/policies/kubernetes/au/syd1/creds/cluster-root.yaml b/policies/kubernetes/au/syd1/creds/cluster-root.yaml new file mode 100644 index 0000000..42400f4 --- /dev/null +++ b/policies/kubernetes/au/syd1/creds/cluster-root.yaml @@ -0,0 +1,10 @@ +# Allow access to cluster-root Kubernetes credentials +--- +rules: + - path: "kubernetes/au/syd1/creds/cluster-root" + capabilities: + - update + +auth: + approle: + - tf_vault diff --git a/policies/kubernetes/au/syd1/creds/media-apps-operator.hcl b/policies/kubernetes/au/syd1/creds/media-apps-operator.hcl deleted file mode 100644 index 7ebabbb..0000000 --- a/policies/kubernetes/au/syd1/creds/media-apps-operator.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kubernetes/au/syd1/creds/media-apps-operator" { - capabilities = ["update"] -} \ No newline at end of file diff --git a/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml b/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml new file mode 100644 index 0000000..cd1604f --- /dev/null +++ b/policies/kubernetes/au/syd1/creds/media-apps-operator.yaml @@ -0,0 +1,10 @@ +# Allow access to media-apps-operator Kubernetes credentials +--- +rules: + - path: "kubernetes/au/syd1/creds/media-apps-operator" + capabilities: + - update + +auth: + approle: + - tf_vault diff --git a/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl deleted file mode 100644 index e848288..0000000 --- a/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.hcl +++ /dev/null 
@@ -1,3 +0,0 @@ -path "kv/data/service/gitea/unkinben/tokens/read-only-packages" { - capabilities = ["read"] -} diff --git a/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml new file mode 100644 index 0000000..a667cb7 --- /dev/null +++ b/policies/kv/service/gitea/unkinben/tokens/read-only-packages/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Gitea read-only package tokens +--- +rules: + - path: "kv/data/service/gitea/unkinben/tokens/read-only-packages" + capabilities: + - read + +auth: + approle: + - rpmbuilder diff --git a/policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl b/policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl deleted file mode 100644 index 0ff450c..0000000 --- a/policies/kv/service/github/neoloc/tokens/read-only-token/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/github/neoloc/tokens/read-only-token" { - capabilities = ["read"] -} diff --git a/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml b/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml new file mode 100644 index 0000000..2194dca --- /dev/null +++ b/policies/kv/service/github/neoloc/tokens/read-only-token/read.yaml @@ -0,0 +1,10 @@ +# Allow reading GitHub read-only tokens +--- +rules: + - path: "kv/data/service/github/neoloc/tokens/read-only-token" + capabilities: + - read + +auth: + approle: + - rpmbuilder diff --git a/policies/kv/service/glauth/services/svc_vault/read.yaml b/policies/kv/service/glauth/services/svc_vault/read.yaml new file mode 100644 index 0000000..a9cf6c7 --- /dev/null +++ b/policies/kv/service/glauth/services/svc_vault/read.yaml @@ -0,0 +1,11 @@ +# Allow reading GLAuth service vault configuration +--- +rules: + - path: "kv/data/service/glauth/services/svc_vault" + capabilities: + - list + - read + +auth: + approle: + - tf_vault 
diff --git a/policies/kv/service/glauth/services/svc_vault_read.hcl b/policies/kv/service/glauth/services/svc_vault_read.hcl deleted file mode 100644 index e34e98d..0000000 --- a/policies/kv/service/glauth/services/svc_vault_read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/glauth/services/svc_vault" { - capabilities = ["list", "read"] -} diff --git a/policies/kv/service/incus/cluster-join-tokens/crud.yaml b/policies/kv/service/incus/cluster-join-tokens/crud.yaml new file mode 100644 index 0000000..7e12ef3 --- /dev/null +++ b/policies/kv/service/incus/cluster-join-tokens/crud.yaml @@ -0,0 +1,13 @@ +# Allow access to Incus cluster join tokens +--- +rules: + - path: "kv/data/service/incus/cluster-join-tokens" + capabilities: + - create + - read + - update + - delete + +auth: + approle: + - incus_cluster diff --git a/policies/kv/service/incus/incus-cluster-join-tokens.hcl b/policies/kv/service/incus/incus-cluster-join-tokens.hcl deleted file mode 100644 index 4e47c0e..0000000 --- a/policies/kv/service/incus/incus-cluster-join-tokens.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/incus/cluster-join-tokens" { - capabilities = ["create", "read", "update", "delete"] -} diff --git a/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl b/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl deleted file mode 100644 index b937320..0000000 --- a/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" { - capabilities = ["read"] -} diff --git a/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.yaml b/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.yaml new file mode 100644 index 0000000..fb07a50 --- /dev/null +++ b/policies/kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read.yaml 
@@ -0,0 +1,10 @@ +# Allow reading Ceph CephFS CSI secrets +--- +rules: + - path: "kv/data/service/kubernetes/au/syd1/csi/ceph-cephfs-secret" + capabilities: + - read + +auth: + k8s/au/syd1: + - ceph-csi diff --git a/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl b/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl deleted file mode 100644 index b80913b..0000000 --- a/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" { - capabilities = ["read"] -} diff --git a/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.yaml b/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.yaml new file mode 100644 index 0000000..93ff084 --- /dev/null +++ b/policies/kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Ceph RBD CSI secrets +--- +rules: + - path: "kv/data/service/kubernetes/au/syd1/csi/ceph-rbd-secret" + capabilities: + - read + +auth: + k8s/au/syd1: + - ceph-csi diff --git a/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl b/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl deleted file mode 100644 index fba1b64..0000000 --- a/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/kubernetes/au/syd1/externaldns/tsig" { - capabilities = ["read"] -} diff --git a/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.yaml b/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.yaml new file mode 100644 index 0000000..044669c --- /dev/null +++ b/policies/kv/service/kubernetes/au/syd1/externaldns/tsig/read.yaml @@ -0,0 +1,10 @@ +# Allow reading ExternalDNS TSIG keys +--- +rules: + - path: "kv/data/service/kubernetes/au/syd1/externaldns/tsig" + capabilities: + - read + +auth: + k8s/au/syd1: + - externaldns 
diff --git a/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl deleted file mode 100644 index 4712a2a..0000000 --- a/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/kubernetes/au/syd1/service_account_jwt" { - capabilities = ["read"] -} diff --git a/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml new file mode 100644 index 0000000..74a3493 --- /dev/null +++ b/policies/kv/service/kubernetes/au/syd1/service_account_jwt/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Kubernetes service account JWT +--- +rules: + - path: "kv/data/service/kubernetes/au/syd1/service_account_jwt" + capabilities: + - read + +auth: + approle: + - tf_vault diff --git a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl deleted file mode 100644 index 85cc6b9..0000000 --- a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" { - capabilities = ["read"] -} \ No newline at end of file diff --git a/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml new file mode 100644 index 0000000..1cdfae5 --- /dev/null +++ b/policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Kubernetes token reviewer JWT +--- +rules: + - path: "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" + capabilities: + - read + +auth: + approle: + - tf_vault diff --git a/policies/kv/service/media-apps/nzbget/read.yaml b/policies/kv/service/media-apps/nzbget/read.yaml new file mode 100644 index 0000000..fe85562 --- /dev/null 
+++ b/policies/kv/service/media-apps/nzbget/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Prowlarr configuration +--- +rules: + - path: "kv/data/service/media-apps/nzbget" + capabilities: + - read + +auth: + k8s/au/syd1: + - media-apps diff --git a/policies/kv/service/media-apps/prowlarr/read.yaml b/policies/kv/service/media-apps/prowlarr/read.yaml new file mode 100644 index 0000000..c794f0d --- /dev/null +++ b/policies/kv/service/media-apps/prowlarr/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Prowlarr configuration +--- +rules: + - path: "kv/data/service/media-apps/prowlarr" + capabilities: + - read + +auth: + k8s/au/syd1: + - media-apps diff --git a/policies/kv/service/media-apps/radarr/read.hcl b/policies/kv/service/media-apps/radarr/read.hcl deleted file mode 100644 index 073161f..0000000 --- a/policies/kv/service/media-apps/radarr/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/media-apps/radarr" { - capabilities = ["read"] -} diff --git a/policies/kv/service/media-apps/radarr/read.yaml b/policies/kv/service/media-apps/radarr/read.yaml new file mode 100644 index 0000000..8f7185b --- /dev/null +++ b/policies/kv/service/media-apps/radarr/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Radarr configuration +--- +rules: + - path: "kv/data/service/media-apps/radarr" + capabilities: + - read + +auth: + k8s/au/syd1: + - media-apps diff --git a/policies/kv/service/media-apps/sonarr/read.hcl b/policies/kv/service/media-apps/sonarr/read.hcl deleted file mode 100644 index e67c3a7..0000000 --- a/policies/kv/service/media-apps/sonarr/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/media-apps/sonarr" { - capabilities = ["read"] -} diff --git a/policies/kv/service/media-apps/sonarr/read.yaml b/policies/kv/service/media-apps/sonarr/read.yaml new file mode 100644 index 0000000..7b20780 --- /dev/null +++ b/policies/kv/service/media-apps/sonarr/read.yaml 
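Review bot: The header of nzbget/read.yaml reads `# Allow reading Prowlarr configuration`, a copy-paste from the prowlarr policy that follows it on this line; the rule path is `kv/data/service/media-apps/nzbget`, so it should read `# Allow reading NZBGet configuration`. Since policies.hcl derives policy names from file paths, this comment is the only human-readable description of the grant, and a wrong one will mislead anyone auditing which workload can read what.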
@@ -0,0 +1,10 @@ +# Allow reading Sonarr configuration +--- +rules: + - path: "kv/data/service/media-apps/sonarr" + capabilities: + - read + +auth: + k8s/au/syd1: + - media-apps diff --git a/policies/kv/service/packer/builder/read.yaml b/policies/kv/service/packer/builder/read.yaml new file mode 100644 index 0000000..755bac7 --- /dev/null +++ b/policies/kv/service/packer/builder/read.yaml @@ -0,0 +1,13 @@ +# Allow Packer builder to read configuration +--- +rules: + - path: "kv/data/service/packer/builder/env" + capabilities: + - read + - path: "kv/data/service/packer/builder/docker-incus-client" + capabilities: + - read + +auth: + approle: + - packer_builder diff --git a/policies/kv/service/packer/packer_builder.hcl b/policies/kv/service/packer/packer_builder.hcl deleted file mode 100644 index f36d0d3..0000000 --- a/policies/kv/service/packer/packer_builder.hcl +++ /dev/null @@ -1,6 +0,0 @@ -path "kv/data/service/packer/builder/env" { - capabilities = ["read"] -} -path "kv/data/service/packer/builder/docker-incus-client" { - capabilities = ["read"] -} diff --git a/policies/kv/service/puppet/certificates/ca/read.yaml b/policies/kv/service/puppet/certificates/ca/read.yaml new file mode 100644 index 0000000..a69d7f6 --- /dev/null +++ b/policies/kv/service/puppet/certificates/ca/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Puppet CA Certificate +--- +rules: + - path: "kv/data/service/puppet/certificates/ca" + capabilities: + - read + +auth: + approle: + - terraform_incus diff --git a/policies/kv/service/puppet/certificates/terraform/read.yaml b/policies/kv/service/puppet/certificates/terraform/read.yaml new file mode 100644 index 0000000..291637b --- /dev/null +++ b/policies/kv/service/puppet/certificates/terraform/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Puppet certificates for Terraform +--- +rules: + - path: "kv/data/service/puppet/certificates/terraform" + capabilities: + - read + +auth: + approle: + - terraform_incus 
diff --git a/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl b/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl deleted file mode 100644 index 736758f..0000000 --- a/policies/kv/service/puppet/certificates/terraform_puppet_cert.hcl +++ /dev/null @@ -1,6 +0,0 @@ -path "kv/data/service/puppet/certificates/terraform" { - capabilities = ["read"] -} -path "kv/data/service/puppet/certificates/ca" { - capabilities = ["read"] -} diff --git a/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl b/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl deleted file mode 100644 index 465a81e..0000000 --- a/policies/kv/service/puppetapi/puppetapi_read_tokens.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/puppetapi/tokens" { - capabilities = ["read"] -} diff --git a/policies/kv/service/puppetapi/tokens/read.yaml b/policies/kv/service/puppetapi/tokens/read.yaml new file mode 100644 index 0000000..c887ba6 --- /dev/null +++ b/policies/kv/service/puppetapi/tokens/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Puppet API tokens +--- +rules: + - path: "kv/data/service/puppetapi/tokens" + capabilities: + - read + +auth: + approle: + - puppetapi diff --git a/policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl b/policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl deleted file mode 100644 index c9382bf..0000000 --- a/policies/kv/service/repoflow/au/syd1/ceph-s3/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/repoflow/au/syd1/ceph-s3" { - capabilities = ["read"] -} diff --git a/policies/kv/service/repoflow/au/syd1/ceph-s3/read.yaml b/policies/kv/service/repoflow/au/syd1/ceph-s3/read.yaml new file mode 100644 index 0000000..fb99bfe --- /dev/null +++ b/policies/kv/service/repoflow/au/syd1/ceph-s3/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Repoflow Ceph S3 configuration +--- +rules: + - path: "kv/data/service/repoflow/au/syd1/ceph-s3" + capabilities: + - read + +auth: + k8s/au/syd1: + - repoflow 
diff --git a/policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl b/policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl deleted file mode 100644 index ca884b6..0000000 --- a/policies/kv/service/repoflow/au/syd1/elasticsearch/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/repoflow/au/syd1/elasticsearch" { - capabilities = ["read"] -} diff --git a/policies/kv/service/repoflow/au/syd1/elasticsearch/read.yaml b/policies/kv/service/repoflow/au/syd1/elasticsearch/read.yaml new file mode 100644 index 0000000..6ae5d0f --- /dev/null +++ b/policies/kv/service/repoflow/au/syd1/elasticsearch/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Repoflow Elasticsearch configuration +--- +rules: + - path: "kv/data/service/repoflow/au/syd1/elasticsearch" + capabilities: + - read + +auth: + k8s/au/syd1: + - repoflow diff --git a/policies/kv/service/repoflow/au/syd1/hasura/read.hcl b/policies/kv/service/repoflow/au/syd1/hasura/read.hcl deleted file mode 100644 index dc09fe5..0000000 --- a/policies/kv/service/repoflow/au/syd1/hasura/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/repoflow/au/syd1/hasura" { - capabilities = ["read"] -} diff --git a/policies/kv/service/repoflow/au/syd1/hasura/read.yaml b/policies/kv/service/repoflow/au/syd1/hasura/read.yaml new file mode 100644 index 0000000..804989c --- /dev/null +++ b/policies/kv/service/repoflow/au/syd1/hasura/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Repoflow Hasura configuration +--- +rules: + - path: "kv/data/service/repoflow/au/syd1/hasura" + capabilities: + - read + +auth: + k8s/au/syd1: + - repoflow diff --git a/policies/kv/service/repoflow/au/syd1/postgres/read.hcl b/policies/kv/service/repoflow/au/syd1/postgres/read.hcl deleted file mode 100644 index a84fa8d..0000000 --- a/policies/kv/service/repoflow/au/syd1/postgres/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/repoflow/au/syd1/postgres" { - capabilities = ["read"] -} 
diff --git a/policies/kv/service/repoflow/au/syd1/postgres/read.yaml b/policies/kv/service/repoflow/au/syd1/postgres/read.yaml new file mode 100644 index 0000000..059867a --- /dev/null +++ b/policies/kv/service/repoflow/au/syd1/postgres/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Repoflow PostgreSQL configuration +--- +rules: + - path: "kv/data/service/repoflow/au/syd1/postgres" + capabilities: + - read + +auth: + k8s/au/syd1: + - repoflow diff --git a/policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl b/policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl deleted file mode 100644 index d29383c..0000000 --- a/policies/kv/service/repoflow/au/syd1/repoflow-server/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/repoflow/au/syd1/repoflow-server" { - capabilities = ["read"] -} diff --git a/policies/kv/service/repoflow/au/syd1/repoflow-server/read.yaml b/policies/kv/service/repoflow/au/syd1/repoflow-server/read.yaml new file mode 100644 index 0000000..1ae1c67 --- /dev/null +++ b/policies/kv/service/repoflow/au/syd1/repoflow-server/read.yaml @@ -0,0 +1,10 @@ +# Allow reading Repoflow server configuration +--- +rules: + - path: "kv/data/service/repoflow/au/syd1/repoflow-server" + capabilities: + - read + +auth: + k8s/au/syd1: + - repoflow diff --git a/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.hcl b/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.hcl deleted file mode 100644 index e482516..0000000 --- a/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/repoflow/unkinadmin/tokens/terraform" { - capabilities = ["read"] -} diff --git a/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.yaml b/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.yaml new file mode 100644 index 0000000..f0677da --- /dev/null +++ b/policies/kv/service/repoflow/unkinadmin/tokens/terraform/read.yaml 
@@ -0,0 +1,10 @@ +# Allow reading Repoflow admin Terraform tokens +--- +rules: + - path: "kv/data/service/repoflow/unkinadmin/tokens/terraform" + capabilities: + - read + +auth: + approle: + - terraform_repoflow diff --git a/policies/kv/service/terraform/incus.hcl b/policies/kv/service/terraform/incus.hcl deleted file mode 100644 index 4708a89..0000000 --- a/policies/kv/service/terraform/incus.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/terraform/incus" { - capabilities = ["read"] -} diff --git a/policies/kv/service/terraform/incus.yaml b/policies/kv/service/terraform/incus.yaml new file mode 100644 index 0000000..61688d8 --- /dev/null +++ b/policies/kv/service/terraform/incus.yaml @@ -0,0 +1,10 @@ +# Allow reading Terraform Incus configuration +--- +rules: + - path: "kv/data/service/terraform/incus" + capabilities: + - read + +auth: + approle: + - terraform_incus diff --git a/policies/kv/service/terraform/nomad.hcl b/policies/kv/service/terraform/nomad.hcl deleted file mode 100644 index c3118ba..0000000 --- a/policies/kv/service/terraform/nomad.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/terraform/nomad" { - capabilities = ["read"] -} diff --git a/policies/kv/service/terraform/nomad.yaml b/policies/kv/service/terraform/nomad.yaml new file mode 100644 index 0000000..6e8c0a9 --- /dev/null +++ b/policies/kv/service/terraform/nomad.yaml @@ -0,0 +1,10 @@ +# Allow reading Terraform Nomad configuration +--- +rules: + - path: "kv/data/service/terraform/nomad" + capabilities: + - read + +auth: + approle: + - terraform_nomad diff --git a/policies/kv/service/terraform/repoflow.hcl b/policies/kv/service/terraform/repoflow.hcl deleted file mode 100644 index d07a5bd..0000000 --- a/policies/kv/service/terraform/repoflow.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "kv/data/service/terraform/repoflow" { - capabilities = ["read"] -} 
diff --git a/policies/kv/service/terraform/repoflow.yaml b/policies/kv/service/terraform/repoflow.yaml new file mode 100644 index 0000000..1a26028 --- /dev/null +++ b/policies/kv/service/terraform/repoflow.yaml @@ -0,0 +1,10 @@ +# Allow reading Terraform Repoflow configuration +--- +rules: + - path: "kv/data/service/terraform/repoflow" + capabilities: + - read + +auth: + approle: + - terraform_repoflow diff --git a/policies/kv/service/vault/auth_approle_roles_read.yaml b/policies/kv/service/vault/auth_approle_roles_read.yaml new file mode 100644 index 0000000..fb743a8 --- /dev/null +++ b/policies/kv/service/vault/auth_approle_roles_read.yaml @@ -0,0 +1,11 @@ +# Allow reading Vault auth AppRole role configuration +--- +rules: + - path: "kv/data/service/vault/+/+/auth_approle_role/*" + capabilities: + - list + - read + +auth: + approle: + - tf_vault diff --git a/policies/kv/service/vault/auth_backends_read.yaml b/policies/kv/service/vault/auth_backends_read.yaml new file mode 100644 index 0000000..91e9451 --- /dev/null +++ b/policies/kv/service/vault/auth_backends_read.yaml @@ -0,0 +1,11 @@ +# Allow reading Vault auth backend configuration +--- +rules: + - path: "kv/data/service/vault/+/+/auth_backend/*" + capabilities: + - list + - read + +auth: + approle: + - tf_vault diff --git a/policies/kv/service/vault/secret_backends_read.yaml b/policies/kv/service/vault/secret_backends_read.yaml new file mode 100644 index 0000000..a6f9259 --- /dev/null +++ b/policies/kv/service/vault/secret_backends_read.yaml @@ -0,0 +1,11 @@ +# Allow reading Vault secret backend configuration +--- +rules: + - path: "kv/data/service/vault/+/+/secret_backend/*" + capabilities: + - list + - read + +auth: + approle: + - tf_vault diff --git a/policies/pki/au/syd1/certmanager.yaml b/policies/pki/au/syd1/certmanager.yaml new file mode 100644 index 0000000..2d29ac0 --- /dev/null +++ b/policies/pki/au/syd1/certmanager.yaml 
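Review bot: `list` on `kv/data/service/vault/+/+/auth_approle_role/*` has no effect on a KV v2 mount: listing is served from `kv/metadata/...`, and the `kv/data/` prefix only answers reads and writes, so `tf_vault` cannot enumerate these entries even though the capability implies it can. Either drop `- list` or add a second rule, `- path: "kv/metadata/service/vault/+/+/auth_approle_role/*"` with `- list`; the same applies to the `auth_backend` and `secret_backend` policies on this line and to the glauth `svc_vault` read policy earlier in the diff. This assumes the `kv` mount is KV v2, which the `kv/data/` prefix used throughout the new policies implies.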
@@ -0,0 +1,19 @@ +# Allow cert-manager to issue and manage certificates +# used by the puppet autossl role +--- +rules: + - path: "pki/au/syd1/issue/*" + capabilities: + - create + - update + - read + - path: "pki/au/syd1/renew/*" + capabilities: + - update + - path: "pki/au/syd1/cert/*" + capabilities: + - read + +auth: + approle: + - certmanager diff --git a/policies/pki/au/syd1/issue/servers_default.yaml b/policies/pki/au/syd1/issue/servers_default.yaml new file mode 100644 index 0000000..7e49b81 --- /dev/null +++ b/policies/pki/au/syd1/issue/servers_default.yaml @@ -0,0 +1,11 @@ +# Allow issuing server certificates from servers_default role +--- +rules: + - path: "pki/au/syd1/issue/servers_default" + capabilities: + - update + +auth: + k8s/au/syd1: + - huntarr-default + - cert_manager_issuer diff --git a/policies/pki/au/syd1/roles/admin.yaml b/policies/pki/au/syd1/roles/admin.yaml new file mode 100644 index 0000000..aff865d --- /dev/null +++ b/policies/pki/au/syd1/roles/admin.yaml @@ -0,0 +1,14 @@ +# Allow administration of PKI roles +--- +rules: + - path: "pki/au/syd1/roles/*" + capabilities: + - create + - update + - read + - delete + - list + +auth: + approle: + - tf_vault diff --git a/policies/pki/au/syd1/sign/servers_default.yaml b/policies/pki/au/syd1/sign/servers_default.yaml new file mode 100644 index 0000000..e4e6de0 --- /dev/null +++ b/policies/pki/au/syd1/sign/servers_default.yaml @@ -0,0 +1,11 @@ +# Allow signing server certificates with servers_default role +--- +rules: + - path: "pki/au/syd1/sign/servers_default" + capabilities: + - update + +auth: + k8s/au/syd1: + - huntarr-default + - cert_manager_issuer diff --git a/policies/pki_int/certmanager.hcl b/policies/pki_int/certmanager.hcl deleted file mode 100644 index c1b38d5..0000000 --- a/policies/pki_int/certmanager.hcl +++ /dev/null 
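Review bot: `pki/au/syd1/issue/*` with `create`/`update` lets the `certmanager` AppRole issue from every role on the mount, not only the one the puppet autossl role uses, so any role with permissive `allowed_domains` or `allow_any_name` becomes reachable from this single AppRole; the `servers_default` policies later on this line show the project already scopes issuance per role for the k8s principals. I would pin the path, `- path: "pki/au/syd1/issue/servers_default"` (or whichever role autossl actually requests, which is not visible here), and scope `cert/*` the same way; `read` on `issue/` paths does nothing and can be dropped. If the client submits its own CSR, `sign/<role>` is the endpoint it needs and the `issue/` rule, which has Vault generate and return the private key, can go entirely.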
@@ -1,9 +0,0 @@ -path "pki_int/issue/*" { - capabilities = ["create", "update", "read"] -} -path "pki_int/renew/*" { - capabilities = ["update"] -} -path "pki_int/cert/*" { - capabilities = ["read"] -} diff --git a/policies/pki_int/certmanager.yaml b/policies/pki_int/certmanager.yaml new file mode 100644 index 0000000..362ff75 --- /dev/null +++ b/policies/pki_int/certmanager.yaml @@ -0,0 +1,19 @@ +# Allow cert-manager to issue and manage certificates +# used by the puppet autossl role +--- +rules: + - path: "pki_int/issue/*" + capabilities: + - create + - update + - read + - path: "pki_int/renew/*" + capabilities: + - update + - path: "pki_int/cert/*" + capabilities: + - read + +auth: + approle: + - certmanager diff --git a/policies/pki_int/issue/servers_default.hcl b/policies/pki_int/issue/servers_default.hcl deleted file mode 100644 index 14200c8..0000000 --- a/policies/pki_int/issue/servers_default.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "pki_int/issue/servers_default" { - capabilities = ["update"] -} diff --git a/policies/pki_int/issue/servers_default.yaml b/policies/pki_int/issue/servers_default.yaml new file mode 100644 index 0000000..01ecda1 --- /dev/null +++ b/policies/pki_int/issue/servers_default.yaml @@ -0,0 +1,11 @@ +# Allow issuing server certificates from servers_default role +--- +rules: + - path: "pki_int/issue/servers_default" + capabilities: + - update + +auth: + k8s/au/syd1: + - huntarr-default + - cert_manager_issuer diff --git a/policies/pki_int/pki_int_roles_admin.hcl b/policies/pki_int/pki_int_roles_admin.hcl deleted file mode 100644 index ffbab59..0000000 --- a/policies/pki_int/pki_int_roles_admin.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "pki_int/roles/*" { - capabilities = ["create", "update", "read", "delete", "list"] -} diff --git a/policies/pki_int/roles/admin.yaml b/policies/pki_int/roles/admin.yaml new file mode 100644 index 0000000..a0892a8 --- /dev/null +++ b/policies/pki_int/roles/admin.yaml 
@@ -0,0 +1,14 @@ +# Allow administration of PKI roles +--- +rules: + - path: "pki_int/roles/*" + capabilities: + - create + - update + - read + - delete + - list + +auth: + approle: + - tf_vault diff --git a/policies/pki_int/sign/servers_default.hcl b/policies/pki_int/sign/servers_default.hcl deleted file mode 100644 index 84749e8..0000000 --- a/policies/pki_int/sign/servers_default.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "pki_int/sign/servers_default" { - capabilities = ["update"] -} diff --git a/policies/pki_int/sign/servers_default.yaml b/policies/pki_int/sign/servers_default.yaml new file mode 100644 index 0000000..6e1df50 --- /dev/null +++ b/policies/pki_int/sign/servers_default.yaml @@ -0,0 +1,11 @@ +# Allow signing server certificates with servers_default role +--- +rules: + - path: "pki_int/sign/servers_default" + capabilities: + - update + +auth: + k8s/au/syd1: + - huntarr-default + - cert_manager_issuer diff --git a/policies/pki_root/pki_root_roles_admin.hcl b/policies/pki_root/pki_root_roles_admin.hcl deleted file mode 100644 index 11ec94b..0000000 --- a/policies/pki_root/pki_root_roles_admin.hcl +++ /dev/null @@ -1,3 +0,0 @@ -path "pki_root/roles/*" { - capabilities = ["create", "update", "read", "delete", "list"] -} diff --git a/policies/policies.hcl b/policies/policies.hcl new file mode 100644 index 0000000..01079f4 --- /dev/null +++ b/policies/policies.hcl 
@@ -0,0 +1,76 @@
+# =============================================================================
+# VAULT POLICY CONFIGURATION SYSTEM
+# =============================================================================
+#
+# This file automatically discovers and processes all YAML policy files from
+# subdirectories, creating a unified policy configuration for Vault.
+#
+# HOW IT WORKS:
+# 1. Scans all subdirectories for *.yaml files
+# 2. Parses each YAML file to extract policy rules and auth assignments
+# 3. Creates mappings for auth methods -> roles -> assigned policies
+#
+# YAML STRUCTURE:
+# Each policy YAML file should contain:
+# - rules: List of Vault policy rules (path + capabilities)
+# - auth: Map of auth methods to roles that should have this policy
+#
+# EXAMPLE YAML FILE (policies/kv/service/myapp/read.yaml):
+# ```yaml
+# rules:
+# - path: "kv/data/service/myapp/*"
+# capabilities:
+# - read
+#
+# auth:
+# approle:
+# - myapp-service
+# k8s/au/syd1:
+# - myapp-pod
+# ```
+#
+# This creates a policy that allows reading secrets under kv/service/myapp/
+# and assigns it to:
+# - AppRole role "myapp-service" in the "approle" mount
+# - Kubernetes role "myapp-pod" in the "k8s/au/syd1" mount
+#
+# GENERATED OUTPUTS:
+# - policy_rules_map: policy_name -> [rules]
+# - policy_auth_map: auth_mount -> role_name -> [policy_names]
+#
+# =============================================================================
+
+locals {
+ # Find all YAML files in subdirectories
+ policy_files = fileset(".", "**/*.yaml")
+
+ # Create a flat map of all files with their content
+ all_policies = {
+ for file_path in local.policy_files :
+ trimsuffix(file_path, ".yaml") => yamldecode(file(file_path))
+ }
+
+ # Create a map of just the rules for each policy
+ policy_rules_map = {
+ for file_path in local.policy_files :
+ trimsuffix(file_path, ".yaml") => yamldecode(file(file_path)).rules
+ }
+
+ # Create a map of auth mounts -> auth roles -> policy names
+ policy_auth_map = {
+ for auth_mount in distinct(flatten([
+ for file_path in local.policy_files : [
+ for auth_type, roles in yamldecode(file(file_path)).auth : auth_type
+ ]
+ ])) : auth_mount => {
+ for auth_role in distinct(flatten([
+ for file_path in local.policy_files : [
+ for role in try(yamldecode(file(file_path)).auth[auth_mount], []) : role
+ ]
+ ])) : auth_role => [
+ for file_path in local.policy_files : trimsuffix(file_path, ".yaml")
+ if contains(try(yamldecode(file(file_path)).auth[auth_mount], []), auth_role)
+ ]
+ }
+ }
+}
\ No newline at end of file
diff --git a/policies/rundeck/rundeck.hcl b/policies/rundeck/rundeck.hcl
deleted file mode 100644
index ea4c523..0000000
--- a/policies/rundeck/rundeck.hcl
+++ /dev/null
@@ -1,7 +0,0 @@
-path "rundeck/data/*" {
- capabilities = ["create", "read", "update", "delete", "list"]
-}
-
-path "rundeck/metadata/*" {
- capabilities = ["list"]
-}
diff --git a/policies/rundeck/rundeck.yaml b/policies/rundeck/rundeck.yaml
new file mode 100644
index 0000000..489fd01
--- /dev/null
+++ b/policies/rundeck/rundeck.yaml
@@ -0,0 +1,17 @@
+# Allow Rundeck access to its KV secrets
+---
+rules:
+ - path: "rundeck/data/*"
+ capabilities:
+ - create
+ - read
+ - update
+ - delete
+ - list
+ - path: "rundeck/metadata/*"
+ capabilities:
+ - list
+
+auth:
+ approle:
+ - rundeck-role
diff --git a/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl b/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
deleted file mode 100644
index a6e723f..0000000
--- a/policies/ssh-host-signer/ssh-host-signer_roles_admin.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "ssh-host-signer/roles/*" {
- capabilities = ["create", "read", "update", "delete", "list"]
-}
diff --git a/policies/ssh-host-signer/sshsign-host-policy.hcl b/policies/ssh-host-signer/sshsign-host-policy.hcl
deleted file mode 100644
index 7709b99..0000000
--- a/policies/ssh-host-signer/sshsign-host-policy.hcl
+++ /dev/null
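Review bot: `policy_files = fileset(".", "**/*.yaml")` and every `file(file_path)` resolve against the process working directory rather than this file's own location, and the policy names derived from those paths (`pki_int/certmanager`, `sys/policy/admin`, …) are only right when that directory happens to be policies/; the same applies to `resource_files` in resources/resources.hcl. Anchoring on the consumer's directory reference removes the dependency — `fileset(path.module, "**/*.yaml")` with `file("${path.module}/${file_path}")` if Terraform evaluates this, or `get_terragrunt_dir()` in both places if Terragrunt reads it, which the `.hcl` extension suggests. Separately, `all_policies` is built but never used: `policy_rules_map` and `policy_auth_map` re-read and re-decode each file inside several nested loops, and the outer loop dereferences `.auth` without the `try` the inner loops use, so one policy YAML without an `auth` key aborts the whole evaluation. Deriving both maps from `local.all_policies`, as below, removes the duplication and makes a missing `auth` consistently mean "no bindings".
```hcl
locals {
  # … unchanged: policy_files and all_policies …

  # Rules per policy, taken from the already-decoded map instead of re-reading files
  policy_rules_map = {
    for name, policy in local.all_policies : name => policy.rules
  }

  # auth mount -> auth role -> [policy names]; a file without `auth` contributes no bindings
  policy_auth_map = {
    for auth_mount in distinct(flatten([
      for policy in values(local.all_policies) : keys(try(policy.auth, {}))
    ])) : auth_mount => {
      for auth_role in distinct(flatten([
        for policy in values(local.all_policies) : try(policy.auth[auth_mount], [])
      ])) : auth_role => [
        for name, policy in local.all_policies : name
        if contains(try(policy.auth[auth_mount], []), auth_role)
      ]
    }
  }
}
```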
@@ -1,3 +0,0 @@
-path "ssh-host-signer/sign/hostrole" {
- capabilities = ["create", "update"]
-}
diff --git a/policies/ssh-host-signer/sshsigner.hcl b/policies/ssh-host-signer/sshsigner.hcl
deleted file mode 100644
index 7709b99..0000000
--- a/policies/ssh-host-signer/sshsigner.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "ssh-host-signer/sign/hostrole" {
- capabilities = ["create", "update"]
-}
diff --git a/policies/sshca/roles/admin.yaml b/policies/sshca/roles/admin.yaml
new file mode 100644
index 0000000..491998d
--- /dev/null
+++ b/policies/sshca/roles/admin.yaml
@@ -0,0 +1,14 @@
+# Allow administration of SSH CA roles
+---
+rules:
+ - path: "sshca/roles/*"
+ capabilities:
+ - create
+ - update
+ - read
+ - delete
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/sshca/sign/host.yaml b/policies/sshca/sign/host.yaml
new file mode 100644
index 0000000..8c1e978
--- /dev/null
+++ b/policies/sshca/sign/host.yaml
@@ -0,0 +1,11 @@
+# Allow signing SSH host certificates
+---
+rules:
+ - path: "sshca/sign/host"
+ capabilities:
+ - create
+ - update
+
+auth:
+ approle:
+ - sshsigner
diff --git a/policies/sshca/sign/user.yaml b/policies/sshca/sign/user.yaml
new file mode 100644
index 0000000..8b41c4e
--- /dev/null
+++ b/policies/sshca/sign/user.yaml
@@ -0,0 +1,11 @@
+# Allow signing SSH user certificates
+---
+rules:
+ - path: "sshca/sign/user"
+ capabilities:
+ - create
+ - update
+
+auth:
+ approle:
+ - sshsigner
diff --git a/policies/sshca/sshca_roles_admin.hcl b/policies/sshca/sshca_roles_admin.hcl
deleted file mode 100644
index ac09136..0000000
--- a/policies/sshca/sshca_roles_admin.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "sshca/roles/*" {
- capabilities = ["create", "update", "read", "delete", "list"]
-}
diff --git a/policies/sshca/sshca_signhost.hcl b/policies/sshca/sshca_signhost.hcl
deleted file mode 100644
index 436eea1..0000000
--- a/policies/sshca/sshca_signhost.hcl
+++ /dev/null
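Review bot: in policies/sshca/sign/user.yaml the `sshsigner` AppRole is bound to `sshca/sign/user`, and in policies/sshca/sign/host.yaml the same role is bound to `sshca/sign/host`, so a single credential can now sign both host and user SSH certificates; the removed `sshsigner.hcl` covered only host signing, and what the old `sshca_signuser` policy was bound to is not visible here. If one signer is meant to serve both, a short comment above `auth:` recording that decision (e.g. `# sshsigner intentionally signs both host and user certs; see host.yaml`) would make it explicit. If not, a separate AppRole for user signing keeps the two signing capabilities behind different credentials.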
@@ -1,3 +0,0 @@
-path "sshca/sign/host" {
- capabilities = ["create", "update"]
-}
diff --git a/policies/sshca/sshca_signuser.hcl b/policies/sshca/sshca_signuser.hcl
deleted file mode 100644
index 6450b2c..0000000
--- a/policies/sshca/sshca_signuser.hcl
+++ /dev/null
@@ -1,3 +0,0 @@
-path "sshca/sign/user" {
- capabilities = ["create", "update"]
-}
diff --git a/policies/sys/audit/read.yaml b/policies/sys/audit/read.yaml
new file mode 100644
index 0000000..1c136bb
--- /dev/null
+++ b/policies/sys/audit/read.yaml
@@ -0,0 +1,9 @@
+# Allow reading audit logs related to secret engines
+---
+rules:
+ - path: "sys/audit"
+ capabilities:
+ - read
+ - list
+
+auth: {}
diff --git a/policies/sys/auth/admin.yaml b/policies/sys/auth/admin.yaml
new file mode 100644
index 0000000..a8c9e1f
--- /dev/null
+++ b/policies/sys/auth/admin.yaml
@@ -0,0 +1,14 @@
+# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
+---
+rules:
+ - path: "sys/auth/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/sys/mounts/admin.yaml b/policies/sys/mounts/admin.yaml
new file mode 100644
index 0000000..6176a09
--- /dev/null
+++ b/policies/sys/mounts/admin.yaml
@@ -0,0 +1,22 @@
+# Allow access to manage secret engines (mount, unmount, update)
+---
+rules:
+ - path: "sys/mounts/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+ - path: "sys/mounts-tune/*"
+ capabilities:
+ - update
+ - read
+ - path: "sys/mounts"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/sys/policy/admin.yaml b/policies/sys/policy/admin.yaml
new file mode 100644
index 0000000..6c86dd7
--- /dev/null
+++ b/policies/sys/policy/admin.yaml
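Review bot: in policies/sys/audit/read.yaml the header `# Allow reading audit logs related to secret engines` overstates what the rule grants: read/list on `sys/audit` returns the list of enabled audit devices and their options, not audit log contents, which Vault does not serve through its API at all. Suggest `# Allow listing the enabled audit devices (sys/audit); log contents are not exposed via the API`. The file binds to nothing (`auth: {}`), so this is a documentation fix only.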
@@ -0,0 +1,18 @@
+# Allow management of policies (create, update, delete, list, and read)
+---
+rules:
+ - path: "sys/policies/acl/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+ - path: "sys/policies/acl"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/policies/sys/sys_audit_read.hcl b/policies/sys/sys_audit_read.hcl
deleted file mode 100644
index b294013..0000000
--- a/policies/sys/sys_audit_read.hcl
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow reading audit logs related to secret engines
-path "sys/audit" {
- capabilities = ["read", "list"]
-}
diff --git a/policies/sys/sys_auth_admin.hcl b/policies/sys/sys_auth_admin.hcl
deleted file mode 100644
index b07492e..0000000
--- a/policies/sys/sys_auth_admin.hcl
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow creating and management of authentication backends (AppRole, LDAP, etc.)
-path "sys/auth/*" {
- capabilities = ["create", "update", "delete", "read", "list"]
-}
diff --git a/policies/sys/sys_mounts_admin.hcl b/policies/sys/sys_mounts_admin.hcl
deleted file mode 100644
index 4383e1e..0000000
--- a/policies/sys/sys_mounts_admin.hcl
+++ /dev/null
@@ -1,14 +0,0 @@
-# Allow access to manage secret engines (mount, unmount, update)
-path "sys/mounts/*" {
- capabilities = ["create", "update", "delete", "read", "list"]
-}
-
-# Allow tuning existing secret engines
-path "sys/mounts-tune/*" {
- capabilities = ["update", "read"]
-}
-
-# Allow reaing and listing of enabled secret engines
-path "sys/mounts" {
- capabilities = ["read", "list"]
-}
diff --git a/policies/sys/sys_policy_admin.hcl b/policies/sys/sys_policy_admin.hcl
deleted file mode 100644
index 43d2310..0000000
--- a/policies/sys/sys_policy_admin.hcl
+++ /dev/null
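Review bot: binding `sys/policies/acl/*` create/update to the `tf_vault` AppRole lets that identity rewrite any policy, including its own, and this commit also binds `tf_vault` to auth-backend, mount, PKI-role, SSH-CA-role and transit-key administration (policies/sys/auth/admin.yaml, policies/sys/mounts/admin.yaml, policies/pki_int/roles/admin.yaml, policies/sshca/roles/admin.yaml, policies/transit/keys/admin.yaml), so the role is effectively root-equivalent. That is plausibly intended for the Terraform automation identity, but nothing in these files says so, and the AppRole definition itself is not visible here. A one-line note above `auth:` in this file such as `# tf_vault is the privileged Terraform automation identity; do not bind other roles to this policy` would record the trust decision where the next editor will see it.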
@@ -1,9 +0,0 @@
-# Allow management of policies (create, update, delete, list, and read)
-path "sys/policies/acl/*" {
- capabilities = ["create", "update", "delete", "read", "list"]
-}
-
-# Allow listing of available policies
-path "sys/policies/acl" {
- capabilities = ["read", "list"]
-}
diff --git a/policies/transit/decrypt/au-syd1-k8s-vso.hcl b/policies/transit/decrypt/au-syd1-k8s-vso.hcl
deleted file mode 100644
index e345e7e..0000000
--- a/policies/transit/decrypt/au-syd1-k8s-vso.hcl
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow decryption with the au-syd1-k8s-vso key
-path "transit/decrypt/au-syd1-k8s-vso" {
- capabilities = ["create", "update"]
-}
diff --git a/policies/transit/decrypt/au-syd1-k8s-vso.yaml b/policies/transit/decrypt/au-syd1-k8s-vso.yaml
new file mode 100644
index 0000000..cc52f24
--- /dev/null
+++ b/policies/transit/decrypt/au-syd1-k8s-vso.yaml
@@ -0,0 +1,10 @@
+# Allow decryption with the au-syd1-k8s-vso key
+---
+rules:
+ - path: "transit/decrypt/au-syd1-k8s-vso"
+ capabilities:
+ - create
+ - update
+
+auth: {}
+# Add specific roles here when needed
diff --git a/policies/transit/encrypt/au-syd1-k8s-vso.hcl b/policies/transit/encrypt/au-syd1-k8s-vso.hcl
deleted file mode 100644
index bc9b4ac..0000000
--- a/policies/transit/encrypt/au-syd1-k8s-vso.hcl
+++ /dev/null
@@ -1,4 +0,0 @@
-# Allow encryption with the au-syd1-k8s-vso key
-path "transit/encrypt/au-syd1-k8s-vso" {
- capabilities = ["create", "update"]
-}
diff --git a/policies/transit/encrypt/au-syd1-k8s-vso.yaml b/policies/transit/encrypt/au-syd1-k8s-vso.yaml
new file mode 100644
index 0000000..3696bcf
--- /dev/null
+++ b/policies/transit/encrypt/au-syd1-k8s-vso.yaml
@@ -0,0 +1,10 @@
+# Allow encryption with the au-syd1-k8s-vso key
+---
+rules:
+ - path: "transit/encrypt/au-syd1-k8s-vso"
+ capabilities:
+ - create
+ - update
+
+auth: {}
+# Add specific roles here when needed
diff --git a/policies/transit/keys/admin.hcl b/policies/transit/keys/admin.hcl
deleted file mode 100644
index 59f8d1a..0000000
--- a/policies/transit/keys/admin.hcl
+++ /dev/null
@@ -1,8 +0,0 @@
-# Allow management of keys (create, update, delete, list, and read)
-path "transit/keys/*" {
- capabilities = ["create", "update", "delete", "read", "list"]
-}
-# Allow listing of available keys
-path "transit/keys" {
- capabilities = ["read", "list"]
-}
diff --git a/policies/transit/keys/admin.yaml b/policies/transit/keys/admin.yaml
new file mode 100644
index 0000000..c1ce9dd
--- /dev/null
+++ b/policies/transit/keys/admin.yaml
@@ -0,0 +1,18 @@
+# Allow management of keys (create, update, delete, list, and read)
+---
+rules:
+ - path: "transit/keys/*"
+ capabilities:
+ - create
+ - update
+ - delete
+ - read
+ - list
+ - path: "transit/keys"
+ capabilities:
+ - read
+ - list
+
+auth:
+ approle:
+ - tf_vault
diff --git a/resources/resources.hcl b/resources/resources.hcl
new file mode 100644
index 0000000..b3de11c
--- /dev/null
+++ b/resources/resources.hcl
@@ -0,0 +1,62 @@
+# =============================================================================
+# VAULT RESOURCES CONFIGURATION SYSTEM
+# =============================================================================
+#
+# This file automatically discovers and processes all YAML resource files from
+# the resources/ directory, creating a unified resource configuration for Vault.
+#
+# HOW IT WORKS:
+# 1. Scans all subdirectories under resources/ for *.yaml files
+# 2. Parses each YAML file to extract resource rules and configuration
+# 3. Creates structured mappings for backend types -> paths -> resource names
+#
+# YAML STRUCTURE:
+# Each resource YAML file should contain Kubernetes RBAC rules or similar
+# resource definitions that will be used by Vault secret backends.
+#
+# EXAMPLE YAML FILE (resources/secret_backend/kubernetes/au/syd1/roles/admin.yaml):
+# ```yaml
+# rules:
+# - apiGroups: [""]
+# resources: ["*"]
+# verbs: ["*"]
+# ```
+#
+# DIRECTORY STRUCTURE:
+# resources/
+# └── secret_backend/
+# └── {backend_type}/
+# └── {country}/
+# └── {region}/
+# └── roles/
+# └── {role_name}.yaml
+#
+# GENERATED OUTPUTS:
+# - resources: [resources][secret_backend\auth_backend][path-between][yaml-file-name]
+#
+# =============================================================================
+
+locals {
+ # Find all YAML files in current directory and subdirectories
+ resource_files = fileset(".", "**/*.yaml")
+
+ # Create the desired nested structure: resources -> backend_type -> middle_path -> filename
+ resources = {
+ resources = {
+ for backend_type in distinct([
+ for file_path in local.resource_files : split("/", file_path)[0]
+ ]) : backend_type => {
+ for middle_path in distinct([
+ for file_path in local.resource_files :
+ length(split("/", file_path)) > 2 ? join("/", slice(split("/", file_path), 1, length(split("/", file_path)) - 1)) : ""
+ if split("/", file_path)[0] == backend_type
+ ]) : middle_path => {
+ for file_path in local.resource_files :
+ trimsuffix(basename(file_path), ".yaml") => yamldecode(file(file_path))
+ if split("/", file_path)[0] == backend_type &&
+ (length(split("/", file_path)) > 2 ? join("/", slice(split("/", file_path), 1, length(split("/", file_path)) - 1)) : "") == middle_path
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-admin.yaml
similarity index 100%
rename from resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml
rename to resources/secret_backend/kubernetes/au/syd1/roles/cluster-admin.yaml
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-operator.yaml
similarity index 100%
rename from resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml
rename to resources/secret_backend/kubernetes/au/syd1/roles/cluster-operator.yaml
diff --git a/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml b/resources/secret_backend/kubernetes/au/syd1/roles/cluster-root.yaml
similarity index 100%
rename from resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml
rename to resources/secret_backend/kubernetes/au/syd1/roles/cluster-root.yaml
diff --git a/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml b/resources/secret_backend/kubernetes/au/syd1/roles/media-apps-operator.yaml
similarity index 100%
rename from resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml
rename to resources/secret_backend/kubernetes/au/syd1/roles/media-apps-operator.yaml
diff --git a/role_pki_int_servers_default.tf b/role_pki_int_servers_default.tf
deleted file mode 100644
index e095c86..0000000
--- a/role_pki_int_servers_default.tf
+++ /dev/null
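Review bot: the middle-path expression `length(split("/", file_path)) > 2 ? join("/", slice(split("/", file_path), 1, length(split("/", file_path)) - 1)) : ""` is written out three times inside `resources` — once to build the key set and twice as a filter — so the three comprehensions are hard to check against each other and will drift the moment one copy is edited. Computing `backend`, `middle` and `name` once per file in a helper map and comparing fields, as below, leaves the nesting readable and produces the same structure. The working-directory dependency raised on policies/policies.hcl applies equally to `resource_files = fileset(".", "**/*.yaml")` here. A YAML placed directly in the scanned directory is also accepted and becomes a backend type named after the file with an empty middle path, which the DIRECTORY STRUCTURE comment does not mention; a line such as `# Files must sit at least one directory below the backend type; top-level *.yaml are not expected` would document the assumption.
```hcl
locals {
  # … unchanged: resource_files …

  # One record per discovered file so the path arithmetic is done exactly once
  resource_parts = {
    for file_path in local.resource_files : file_path => {
      backend = split("/", file_path)[0]
      middle  = length(split("/", file_path)) > 2 ? join("/", slice(split("/", file_path), 1, length(split("/", file_path)) - 1)) : ""
      name    = trimsuffix(basename(file_path), ".yaml")
    }
  }

  resources = {
    resources = {
      for backend_type in distinct([for p in values(local.resource_parts) : p.backend]) : backend_type => {
        for middle_path in distinct([for p in values(local.resource_parts) : p.middle if p.backend == backend_type]) : middle_path => {
          for file_path, p in local.resource_parts :
          p.name => yamldecode(file(file_path))
          if p.backend == backend_type && p.middle == middle_path
        }
      }
    }
  }
}
```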
@@ -1,21 +0,0 @@
-resource "vault_pki_secret_backend_role" "servers_default" {
- backend = "pki_int"
- name = "servers_default"
- #issuer_ref = data.vault_pki_secret_backend_issuer.pki_int_issuer.default
- allow_ip_sans = true
- allowed_domains = [
- "unkin.net",
- "*.unkin.net",
- "localhost"
- ]
- allow_subdomains = true
- allow_glob_domains = true
- allow_bare_domains = true
- enforce_hostnames = true
- allow_any_name = true
- max_ttl = 2160 * 3600
- key_bits = 4096
- country = ["Australia"]
- use_csr_common_name = true
- use_csr_sans = true
-}
diff --git a/role_pki_root_2024_servers.tf b/role_pki_root_2024_servers.tf
deleted file mode 100644
index 6e2975b..0000000
--- a/role_pki_root_2024_servers.tf
+++ /dev/null
@@ -1,6 +0,0 @@
-resource "vault_pki_secret_backend_role" "pki_root_2024_servers" {
- backend = vault_mount.pki_root.path
- name = "2024-servers"
- issuer_ref = data.vault_pki_secret_backend_issuer.pki_root_issuer.issuer_ref
- allow_any_name = true
-}
diff --git a/role_ssh-host-signer_hostrole.tf b/role_ssh-host-signer_hostrole.tf
deleted file mode 100644
index 71ff4db..0000000
--- a/role_ssh-host-signer_hostrole.tf
+++ /dev/null
@@ -1,11 +0,0 @@
-resource "vault_ssh_secret_backend_role" "hostrole" {
- backend = "ssh-host-signer"
- name = "hostrole"
- key_type = "ca"
- algorithm_signer = "rsa-sha2-256"
- ttl = 87600 * 3600
- allow_host_certificates = true
- allowed_domains = "*"
- allow_subdomains = true
- allow_bare_domains = false
-}
diff --git a/role_sshca_signhost.tf b/role_sshca_signhost.tf
deleted file mode 100644
index 1b4dd3b..0000000
--- a/role_sshca_signhost.tf
+++ /dev/null
@@ -1,12 +0,0 @@
-resource "vault_ssh_secret_backend_role" "sshca_signhost" {
- backend = vault_mount.sshca.path
- name = "sshca_signhost"
- key_type = "ca"
- algorithm_signer = "rsa-sha2-256"
- ttl = 87600 * 3600
- allow_host_certificates = true
- allow_subdomains = true
- allow_bare_domains = false
- allowed_domains = "main.unkin.net,consul"
-}
-
diff --git a/shared_locals.tf b/shared_locals.tf
deleted file mode 100644
index ef4d839..0000000
--- a/shared_locals.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-locals {
- kubernetes_ca_cert_au_syd1 = <<-EOT
------BEGIN CERTIFICATE-----
-MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
-cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
-NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
-SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
-a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
-/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
-fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
-NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
------END CERTIFICATE-----
-EOT
-}