chore: cleanup unused config data

- remove token_policies from roles config data, this comes from policies.hcl inputs - remove policies from ldap groups - remove backend data from roles, this comes from config.hcl inputs
2026-01-26 23:51:50 +11:00 · 2026-01-26 23:51:50 +11:00 · f6d06cb319
commit f6d06cb319
parent 1c9e063310
28 changed files with 5 additions and 88 deletions
--- a/config/auth_approle_role/approle/certmanager.yaml
+++ b/config/auth_approle_role/approle/certmanager.yaml
@ -1,5 +1,3 @@
-token_policies:
-  - "pki_int/certmanager"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
--- a/config/auth_approle_role/approle/incus_cluster.yaml
+++ b/config/auth_approle_role/approle/incus_cluster.yaml
@ -1,6 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/incus/incus-cluster-join-tokens"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
--- a/config/auth_approle_role/approle/packer_builder.yaml
+++ b/config/auth_approle_role/approle/packer_builder.yaml
@ -1,6 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/packer/packer_builder"
 token_ttl: 300
 token_max_ttl: 600
 bind_secret_id: false
--- a/config/auth_approle_role/approle/puppetapi.yaml
+++ b/config/auth_approle_role/approle/puppetapi.yaml
@ -1,5 +1,3 @@
-token_policies:
-  - "kv/service/puppetapi/puppetapi_read_tokens"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
--- a/config/auth_approle_role/approle/rpmbuilder.yaml
+++ b/config/auth_approle_role/approle/rpmbuilder.yaml
@ -1,6 +1,3 @@
-token_policies:
-  - "kv/service/github/neoloc/tokens/read-only-token/read"
-  - "kv/service/gitea/unkinben/tokens/read-only-packages/read"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
--- a/config/auth_approle_role/approle/rundeck-role.yaml
+++ b/config/auth_approle_role/approle/rundeck-role.yaml
@ -1,5 +1,3 @@
-token_policies:
-  - "rundeck/rundeck"
 token_ttl: 3600
 token_max_ttl: 14400
 bind_secret_id: true
--- a/config/auth_approle_role/approle/sshsigner.yaml
+++ b/config/auth_approle_role/approle/sshsigner.yaml
@ -1,6 +1,3 @@
-token_policies:
-  - "ssh-host-signer/sshsigner"
-  - "sshca_signhost"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false
--- a/config/auth_approle_role/approle/terraform_incus.yaml
+++ b/config/auth_approle_role/approle/terraform_incus.yaml
@ -1,7 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/terraform/incus"
-  - "kv/service/puppet/certificates/terraform_puppet_cert"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
--- a/config/auth_approle_role/approle/terraform_nomad.yaml
+++ b/config/auth_approle_role/approle/terraform_nomad.yaml
@ -1,6 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/terraform/nomad"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
--- a/config/auth_approle_role/approle/terraform_repoflow.yaml
+++ b/config/auth_approle_role/approle/terraform_repoflow.yaml
@ -1,7 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/repoflow/unkinadmin/tokens/terraform/read"
-  - "kv/service/terraform/repoflow"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
--- a/config/auth_approle_role/approle/tf_vault.yaml
+++ b/config/auth_approle_role/approle/tf_vault.yaml
@ -1,27 +1,3 @@
-token_policies:
-  - "default_access"
-  - "approle_token_create"
-  - "auth/approle/approle_role_admin"
-  - "auth/approle/approle_role_login"
-  - "auth/kubernetes/k8s_auth_admin"
-  - "auth/ldap/ldap_admin"
-  - "auth/token/auth_token_create"
-  - "auth/token/auth_token_self"
-  - "auth/token/auth_token_roles_admin"
-  - "kubernetes/au/config_admin"
-  - "kubernetes/au/roles_admin"
-  - "kv/service/glauth/services/svc_vault_read"
-  - "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"
-  - "kv/service/kubernetes/au/syd1/service_account_jwt/read"
-  - "kv/service/vault/auth_backends_read"
-  - "pki_int/pki_int_roles_admin"
-  - "pki_root/pki_root_roles_admin"
-  - "ssh-host-signer/ssh-host-signer_roles_admin"
-  - "sshca/sshca_roles_admin"
-  - "sys/sys_auth_admin"
-  - "sys/sys_mounts_admin"
-  - "sys/sys_policy_admin"
-  - "transit/keys/admin"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false
--- a/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml
@ -5,7 +5,4 @@ bound_service_account_namespaces:
  - csi-cephrbd
  - csi-cephfs
 token_ttl: 60
-token_policies:
-  - kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read
-  - kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml
@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
  - cert-manager
 token_ttl: 60
-token_policies:
-  - pki_int/sign/servers_default
-  - pki_int/issue/servers_default
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml
@ -3,6 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
  - externaldns
 token_ttl: 60
-token_policies:
-  - kv/service/kubernetes/au/syd1/externaldns/tsig/read
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml
@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
  - huntarr
 token_ttl: 60
-token_policies:
-  - pki_int/sign/servers_default
-  - pki_int/issue/servers_default
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml
@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
  - media-apps
 token_ttl: 60
-token_policies:
-  - kv/service/media-apps/radarr/read
-  - kv/service/media-apps/sonarr/read
 audience: vault
--- a/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
+++ b/config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml
@ -3,10 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
  - repoflow
 token_ttl: 60
-token_policies:
-  - kv/service/repoflow/au/syd1/ceph-s3/read
-  - kv/service/repoflow/au/syd1/elasticsearch/read
-  - kv/service/repoflow/au/syd1/hasura/read
-  - kv/service/repoflow/au/syd1/postgres/read
-  - kv/service/repoflow/au/syd1/repoflow-server/read
 audience: vault
--- a/config/auth_ldap_group/ldap/vault_access.yaml
+++ b/config/auth_ldap_group/ldap/vault_access.yaml
@ -1,2 +0,0 @@
-policies:
-  - "default_access"
--- a/config/auth_ldap_group/ldap/vault_admin.yaml
+++ b/config/auth_ldap_group/ldap/vault_admin.yaml
@ -1,3 +1,3 @@
-policies:
-  - "default_access"
-  - "global-admin"
+---
+# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
+description: foo
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml
@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
  - "*"
 kubernetes_role_type: "ClusterRole"
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml
@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
  - "*"
 kubernetes_role_type: "ClusterRole"
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml
@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
  - "*"
 kubernetes_role_type: "ClusterRole"
--- a/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
+++ b/config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml
@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
  - "media-apps"
 kubernetes_role_type: "Role"
--- a/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
+++ b/config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml
@ -1,4 +1,3 @@
-backend: "pki/au/syd1"
 allow_ip_sans: true
 allowed_domains:
  - "unkin.net"
--- a/config/pki_secret_backend_role/pki_int/servers_default.yaml
+++ b/config/pki_secret_backend_role/pki_int/servers_default.yaml
@ -1,4 +1,3 @@
-backend: "pki_int"
 allow_ip_sans: true
 allowed_domains:
  - "unkin.net"
--- a/config/pki_secret_backend_role/pki_root/2024-servers.yaml
+++ b/config/pki_secret_backend_role/pki_root/2024-servers.yaml
@ -1,4 +1,3 @@
-backend: "pki_root"
 allow_ip_sans: true
 allowed_domains:
  - "unkin.net"
--- a/modules/vault_cluster/main.tf
+++ b/modules/vault_cluster/main.tf
@ -61,7 +61,7 @@ module "auth_ldap_group" {

  groupname = each.value.groupname
  backend   = each.value.backend
-  policies  = each.value.policies
+  policies  = var.policy_auth_map[each.value.backend][each.value.groupname]

  depends_on = [module.auth_ldap_backend]
 }
--- a/modules/vault_cluster/variables.tf
+++ b/modules/vault_cluster/variables.tf
@ -58,7 +58,6 @@ variable "auth_ldap_group" {
  type = map(object({
    groupname = string
    backend   = string
-    policies  = list(string)
  }))
  default = {}
 }
@ -287,4 +286,4 @@ variable "policy_rules_map" {
    capabilities = list(string)
  })))
  default = {}
-}
+}