11 changed files with 29 additions and 31 deletions
--- a/auth_approle_certmanager.tf
+++ b/auth_approle_certmanager.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "certmanager" {
  role_name      = "certmanager"
  bind_secret_id = false
-  token_policies = ["pki_int/certmanager"]
+  token_policies = ["certmanager"]
  token_ttl      = 30
  token_max_ttl  = 30
  token_bound_cidrs = [
--- a/auth_approle_incus_cluster.tf
+++ b/auth_approle_incus_cluster.tf
@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "incus_cluster" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "kv/service/incus/incus-cluster-join-tokens"
+    "incus-cluster-join-tokens"
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_approle_packer_builder.tf
+++ b/auth_approle_packer_builder.tf
@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "packer_builder" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "kv/service/packer/packer_builder",
+    "packer_builder",
  ]
  token_ttl     = 300 # builds can take a few minutes
  token_max_ttl = 600
--- a/auth_approle_puppetapi.tf
+++ b/auth_approle_puppetapi.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "puppetapi" {
  role_name      = "puppetapi"
  bind_secret_id = false
-  token_policies = ["kv/service/puppetapi/puppetapi_read_tokens"]
+  token_policies = ["puppetapi_read_tokens"]
  token_ttl      = 30
  token_max_ttl  = 30
  token_bound_cidrs = [
--- a/auth_approle_rundeck-role.tf
+++ b/auth_approle_rundeck-role.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "rundeck-role" {
  role_name             = "rundeck-role"
  bind_secret_id        = true
-  token_policies        = ["rundeck/rundeck"]
+  token_policies        = ["rundeck"]
  token_ttl             = 1 * 3600
  token_max_ttl         = 4 * 3600
  token_bound_cidrs     = ["198.18.13.59/32"]
--- a/auth_approle_sshsign-host-role.tf
+++ b/auth_approle_sshsign-host-role.tf
@ -1,7 +1,7 @@
 resource "vault_approle_auth_backend_role" "sshsign-host-role" {
  role_name      = "sshsign-host-role"
  bind_secret_id = false
-  token_policies = ["ssh-host-signer/sshsign-host-policy"]
+  token_policies = ["sshsign-host-policy"]
  token_ttl      = 30
  token_max_ttl  = 30
  token_bound_cidrs = [
--- a/auth_approle_sshsigner.tf
+++ b/auth_approle_sshsigner.tf
@ -2,7 +2,7 @@ resource "vault_approle_auth_backend_role" "sshsigner" {
  role_name      = "sshsigner"
  bind_secret_id = false
  token_policies = [
-    "ssh-host-signer/sshsigner",
+    "sshsigner",
    "sshca_signhost"
  ]
  token_ttl     = 30
--- a/auth_approle_terraform_incus.tf
+++ b/auth_approle_terraform_incus.tf
@ -3,8 +3,8 @@ resource "vault_approle_auth_backend_role" "terraform_incus" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "kv/service/terraform/incus",
+    "incus",
-    "kv/service/puppet/certificates/terraform_puppet_cert",
+    "terraform_puppet_cert",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_approle_terraform_nomad.tf
+++ b/auth_approle_terraform_nomad.tf
@ -3,7 +3,7 @@ resource "vault_approle_auth_backend_role" "terraform_nomad" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "kv/service/terraform/nomad",
+    "nomad",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/auth_approle_tf_vault.tf
+++ b/auth_approle_tf_vault.tf
@ -3,23 +3,22 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
  bind_secret_id = false
  token_policies = [
    "default_access",
-    "auth/token/auth_token_create",
+    "auth_token_create",
-    "auth/token/auth_token_self",
+    "auth_token_self",
-    "auth/token/auth_token_roles_admin",
+    "auth_token_roles_admin",
-    "auth/approle/approle_role_admin",
+    "approle_role_admin",
-    "auth/approle/approle_role_login",
+    "approle_role_login",
    "approle_token_create",
-    "auth/kubernetes/k8s_auth_admin",
+    "k8s_pki_roles_admin",
-    "k8s/k8s_pki_roles_admin",
+    "ldap_admin",
-    "auth/ldap/ldap_admin",
+    "pki_int_roles_admin",
-    "pki_int/pki_int_roles_admin",
+    "pki_root_roles_admin",
-    "pki_root/pki_root_roles_admin",
+    "ssh-host-signer_roles_admin",
    "ssh-host-signer/ssh-host-signer_roles_admin",
    "sshca_roles_admin",
-    "kv/service/glauth/services/svc_vault_read",
+    "svc_vault_read",
-    "sys/sys_auth_admin",
+    "sys_auth_admin",
-    "sys/sys_mounts_admin",
+    "sys_mounts_admin",
-    "sys/sys_policy_admin",
+    "sys_policy_admin",
  ]
  token_ttl     = 60
  token_max_ttl = 120
--- a/policies.tf
+++ b/policies.tf
@ -4,7 +4,6 @@ locals {
    "policies",
    "policies/sys",
    "policies/auth/approle",
    "policies/auth/kubernetes",
    "policies/auth/ldap",
    "policies/auth/token",
    "policies/k8s",
@ -26,9 +25,9 @@ locals {
 locals {
  policy_files = flatten([
    for path in local.policy_directories : [
-      for f in fileset(path, "*.hcl") : {
+      for policy in fileset(path, "*.hcl") : {
-        name = trimsuffix(trimprefix("${path}/${f}", "policies/"), ".hcl")
+        name = trim(replace(policy, ".hcl", ""), "/")
-        path = "${path}/${f}"
+        path = "${path}/${policy}"
      }
    ]
  ])
@ -36,8 +35,8 @@ locals {
 # Define Vault policies for all listed directories
 resource "vault_policy" "policies" {
-  for_each = { for p in local.policy_files : p.name => p }
+  for_each = { for policy in local.policy_files : policy.name => policy }
-  name   = each.key
+  name   = each.value.name
  policy = file(each.value.path)
 }