feat: rework policies file

- policy files are now found automatically

Makefile

@@ -0,0 +1,20 @@
+.PHONY: init plan apply help
+
+# Default target
+help:
+	@echo "Available targets:"
+	@echo "  init  - Initialize Terraform"
+	@echo "  plan  - Plan Terraform changes"
+	@echo "  apply - Apply Terraform changes"
+
+init:
+	@echo "Sourcing environment and initializing Terraform..."
+	@source ./env && terraform init
+
+plan:
+	@echo "Sourcing environment and planning Terraform changes..."
+	@source ./env && terraform plan
+
+apply:
+	@echo "Sourcing environment and applying Terraform changes..."
+	@source ./env && terraform apply -auto-approve

auth_approle_tf_vault.tf

@@ -21,6 +21,7 @@ resource "vault_approle_auth_backend_role" "tf_vault" {
     "sys/sys_mounts_admin",
     "sys/sys_policy_admin",
     "transit/keys/admin",
+    "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read",
   ]
   token_ttl     = 60
   token_max_ttl = 120

auth_backend_kubernetes.tf

@@ -6,12 +6,33 @@ resource "vault_auth_backend" "kubernetes" {
   path = "kubernetes"
 }
 
+locals {
+  kubernetes_ca_cert = <<-EOT
+-----BEGIN CERTIFICATE-----
+MIIBejCCAR+gAwIBAgIBADAKBggqhkjOPQQDAjAkMSIwIAYDVQQDDBlya2UyLXNl
+cnZlci1jYUAxNzU5MDI3NTg0MB4XDTI1MDkyODAyNDYyNFoXDTM1MDkyNjAyNDYy
+NFowJDEiMCAGA1UEAwwZcmtlMi1zZXJ2ZXItY2FAMTc1OTAyNzU4NDBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABKfsTD4tKzKcnHyubWseKjlIPphBVveV1n6RUxmi
+a3H6s9qMmT3dldYJyaalZI0NctSdW4ucPhBN5THCUr8sOmejQjBAMA4GA1UdDwEB
+/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBRFb0pf+pC/voWvbs1z
+fU/dqB0RxjAKBggqhkjOPQQDAgNJADBGAiEA/0zeJRrgwpHFPRsqgO+EhmwBx1Y8
+NH3FcktF9J6PfPQCIQD4/IpOhdjf9rmo0ckG1npNEx5V8+OQ8ZTM7s1DL6+DfA==
+-----END CERTIFICATE-----
+EOT
+}
+
+# Data source to read the token_reviewer_jwt from Vault KV
+data "vault_kv_secret_v2" "token_reviewer_jwt" {
+  mount = "kv"
+  name  = "service/kubernetes/au/syd1/token_reviewer_jwt"
+}
+
 # Configure Kubernetes auth backend
 resource "vault_kubernetes_auth_backend_config" "config" {
   backend                = vault_auth_backend.kubernetes.path
-  kubernetes_host        = "https://api-k8s.service.consul:6443"
+  kubernetes_host        = "https://kubernetes.default.svc.cluster.local"
-  kubernetes_ca_cert     = "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJlakNDQVIrZ0F3SUJBZ0lCQURBS0JnZ3Foa2pPUFFRREFqQWtNU0l3SUFZRFZRUUREQmx5YTJVeUxYTmwKY25abGNpMWpZVUF4TnpVNU1ESTNOVGcwTUI0WERUSTFNRGt5T0RBeU5EWXlORm9YRFRNMU1Ea3lOakF5TkRZeQpORm93SkRFaU1DQUdBMVVFQXd3WmNtdGxNaTF6WlhKMlpYSXRZMkZBTVRjMU9UQXlOelU0TkRCWk1CTUdCeXFHClNNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJLZnNURDR0S3pLY25IeXViV3NlS2psSVBwaEJWdmVWMW42UlV4bWkKYTNINnM5cU1tVDNkbGRZSnlhYWxaSTBOY3RTZFc0dWNQaEJONVRIQ1VyOHNPbWVqUWpCQU1BNEdBMVVkRHdFQgovd1FFQXdJQ3BEQVBCZ05WSFJNQkFmOEVCVEFEQVFIL01CMEdBMVVkRGdRV0JCUkZiMHBmK3BDL3ZvV3ZiczF6CmZVL2RxQjBSeGpBS0JnZ3Foa2pPUFFRREFnTkpBREJHQWlFQS8wemVKUnJnd3BIRlBSc3FnTytFaG13QngxWTgKTkgzRmNrdEY5SjZQZlBRQ0lRRDQvSXBPaGRqZjlybW8wY2tHMW5wTkV4NVY4K09ROFpUTTdzMURMNitEZkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg=="
+  kubernetes_ca_cert     = local.kubernetes_ca_cert
-  token_reviewer_jwt     = "eyJhbGciOiJSUzI1NiIsImtpZCI6IkJGSlQtckZDOURTQ2hCVkVGYzkyT1dkOUVlMEJvMVhrTUZKM0hhYTVNVWsifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJ2YXVsdC1zZWNyZXRzLW9wZXJhdG9yLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJ2YXVsdC1hdXRoLXNhLXRva2VuIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6InZhdWx0LWF1dGgtc2EiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiJiNjVjMTI4MS1kNTYxLTQ3ZDAtODFiMC0wZjIwOWM2YTRhMTIiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6dmF1bHQtc2VjcmV0cy1vcGVyYXRvci1zeXN0ZW06dmF1bHQtYXV0aC1zYSJ9.gxO6q4oQRHGGhBxV0ZH6Gkprq-vTUdWB44XW5Xmql7s9_JTqsN-ahnEuNX6I38sLMVR2iWsB4Hnp79-rjfL_u1xdBfU7T82K_Rn7mpL35jRDv1LzSrNQJ3b40MMS03yMKEe2SFFgA2lina3fKudpce9DuDDxWiJBdJ4whm9ivrbJkZ59coDU0pdNlojH5cYigArJ034z5s4-Q37JeYi0hfvIRUJ0TbK23ZyClR30N22eAetBZrCgQi3qQxG2r-VwezRTwg7CFkK1z9JWndXOqL2rYlxLb0bsw9jWkX-wB6Wb-538LtGJcYw_HcXwcOKMO1KSWVkwe30erp5wieX2mw"
+  token_reviewer_jwt     = data.vault_kv_secret_v2.token_reviewer_jwt.data["token"]
   disable_iss_validation = true
   use_annotations_as_alias_metadata = true
 }

policies.tf

@@ -1,43 +1,14 @@
-# Define a list of directories that contain policy files
+# Automatically discover all HCL policy files under policies/ directory
 locals {
-  policy_directories = [
+  policy_files = [
-    "policies",
+    for f in fileset("policies", "**/*.hcl") : {
-    "policies/sys",
+      name = trimsuffix(f, ".hcl")
-    "policies/auth/approle",
+      path = "policies/${f}"
-    "policies/auth/kubernetes",
-    "policies/auth/ldap",
-    "policies/auth/token",
-    "policies/k8s",
-    "policies/pki_int",
-    "policies/pki_root",
-    "policies/rundeck",
-    "policies/ssh-host-signer",
-    "policies/sshca",
-    "policies/transit/decrypt",
-    "policies/transit/encrypt",
-    "policies/transit/keys",
-    "policies/kv/service/glauth/services",
-    "policies/kv/service/incus",
-    "policies/kv/service/packer",
-    "policies/kv/service/puppet/certificates",
-    "policies/kv/service/puppetapi",
-    "policies/kv/service/terraform",
-  ]
-}
-
-# Load policy files from each directory
-locals {
-  policy_files = flatten([
-    for path in local.policy_directories : [
-      for f in fileset(path, "*.hcl") : {
-        name = trimsuffix(trimprefix("${path}/${f}", "policies/"), ".hcl")
-        path = "${path}/${f}"
     }
   ]
-  ])
 }
 
-# Define Vault policies for all listed directories
+# Define Vault policies for all discovered HCL files
 resource "vault_policy" "policies" {
   for_each = { for p in local.policy_files : p.name => p }
 

policies/kv/service/kubernetes/au/syd1/token_reviewer_jwt/read.hcl

@@ -0,0 +1,3 @@
+path "kv/data/service/kubernetes/au/syd1/token_reviewer_jwt" {
+  capabilities = ["read"]
+}