config/auth_approle_role/approle/certmanager.yaml

@@ -1,5 +1,3 @@
-token_policies:
-  - "pki_int/certmanager"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false

config/auth_approle_role/approle/incus_cluster.yaml

@@ -1,6 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/incus/incus-cluster-join-tokens"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false

config/auth_approle_role/approle/packer_builder.yaml

@@ -1,6 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/packer/packer_builder"
 token_ttl: 300
 token_max_ttl: 600
 bind_secret_id: false

config/auth_approle_role/approle/puppetapi.yaml

@@ -1,5 +1,3 @@
-token_policies:
-  - "kv/service/puppetapi/puppetapi_read_tokens"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false

config/auth_approle_role/approle/rpmbuilder.yaml

@@ -1,6 +1,3 @@
-token_policies:
-  - "kv/service/github/neoloc/tokens/read-only-token/read"
-  - "kv/service/gitea/unkinben/tokens/read-only-packages/read"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false

config/auth_approle_role/approle/rundeck-role.yaml

@@ -1,5 +1,3 @@
-token_policies:
-  - "rundeck/rundeck"
 token_ttl: 3600
 token_max_ttl: 14400
 bind_secret_id: true

config/auth_approle_role/approle/sshsigner.yaml

@@ -1,6 +1,3 @@
-token_policies:
-  - "ssh-host-signer/sshsigner"
-  - "sshca_signhost"
 token_ttl: 30
 token_max_ttl: 30
 bind_secret_id: false

config/auth_approle_role/approle/terraform_incus.yaml

@@ -1,7 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/terraform/incus"
-  - "kv/service/puppet/certificates/terraform_puppet_cert"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false

config/auth_approle_role/approle/terraform_nomad.yaml

@@ -1,6 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/terraform/nomad"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false

config/auth_approle_role/approle/terraform_repoflow.yaml

@@ -1,7 +1,3 @@
-token_policies:
-  - "default_access"
-  - "kv/service/repoflow/unkinadmin/tokens/terraform/read"
-  - "kv/service/terraform/repoflow"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false

config/auth_approle_role/approle/tf_vault.yaml

@@ -1,27 +1,3 @@
-token_policies:
-  - "default_access"
-  - "approle_token_create"
-  - "auth/approle/approle_role_admin"
-  - "auth/approle/approle_role_login"
-  - "auth/kubernetes/k8s_auth_admin"
-  - "auth/ldap/ldap_admin"
-  - "auth/token/auth_token_create"
-  - "auth/token/auth_token_self"
-  - "auth/token/auth_token_roles_admin"
-  - "kubernetes/au/config_admin"
-  - "kubernetes/au/roles_admin"
-  - "kv/service/glauth/services/svc_vault_read"
-  - "kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"
-  - "kv/service/kubernetes/au/syd1/service_account_jwt/read"
-  - "kv/service/vault/auth_backends_read"
-  - "pki_int/pki_int_roles_admin"
-  - "pki_root/pki_root_roles_admin"
-  - "ssh-host-signer/ssh-host-signer_roles_admin"
-  - "sshca/sshca_roles_admin"
-  - "sys/sys_auth_admin"
-  - "sys/sys_mounts_admin"
-  - "sys/sys_policy_admin"
-  - "transit/keys/admin"
 token_ttl: 60
 token_max_ttl: 120
 bind_secret_id: false

config/auth_kubernetes_role/k8s/au/syd1/ceph-csi.yaml

@@ -5,7 +5,4 @@ bound_service_account_namespaces:
   - csi-cephrbd
   - csi-cephfs
 token_ttl: 60
-token_policies:
-  - kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read
-  - kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/cert_manager_issuer.yaml

@@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - cert-manager
 token_ttl: 60
-token_policies:
-  - pki_int/sign/servers_default
-  - pki_int/issue/servers_default
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/externaldns.yaml

@@ -3,6 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - externaldns
 token_ttl: 60
-token_policies:
-  - kv/service/kubernetes/au/syd1/externaldns/tsig/read
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/huntarr-default.yaml

@@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - huntarr
 token_ttl: 60
-token_policies:
-  - pki_int/sign/servers_default
-  - pki_int/issue/servers_default
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/media-apps.yaml

@@ -3,7 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - media-apps
 token_ttl: 60
-token_policies:
-  - kv/service/media-apps/radarr/read
-  - kv/service/media-apps/sonarr/read
 audience: vault

config/auth_kubernetes_role/k8s/au/syd1/repoflow.yaml

@@ -3,10 +3,4 @@ bound_service_account_names:
 bound_service_account_namespaces:
   - repoflow
 token_ttl: 60
-token_policies:
-  - kv/service/repoflow/au/syd1/ceph-s3/read
-  - kv/service/repoflow/au/syd1/elasticsearch/read
-  - kv/service/repoflow/au/syd1/hasura/read
-  - kv/service/repoflow/au/syd1/postgres/read
-  - kv/service/repoflow/au/syd1/repoflow-server/read
 audience: vault

config/auth_ldap_group/ldap/vault_access.yaml

@@ -1,2 +0,0 @@
-policies:
-  - "default_access"

config/auth_ldap_group/ldap/vault_admin.yaml

@@ -1,3 +1,3 @@
-policies:
+---
-  - "default_access"
+# this file doesnt need anything in it, so this data is just to make sure yamlencode reads some yaml data
-  - "global-admin"
+description: foo

config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-admin.yaml

@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
   - "*"
 kubernetes_role_type: "ClusterRole"

config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-operator.yaml

@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
   - "*"
 kubernetes_role_type: "ClusterRole"

config/kubernetes_secret_backend_role/kubernetes/au/syd1/cluster-root.yaml

@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
   - "*"
 kubernetes_role_type: "ClusterRole"

config/kubernetes_secret_backend_role/kubernetes/au/syd1/media-apps-operator.yaml

@@ -1,4 +1,3 @@
-backend: "kubernetes/au/syd1"
 allowed_kubernetes_namespaces:
   - "media-apps"
 kubernetes_role_type: "Role"

config/pki_secret_backend_role/pki/au/syd1/servers_default.yaml

@@ -1,4 +1,3 @@
-backend: "pki/au/syd1"
 allow_ip_sans: true
 allowed_domains:
   - "unkin.net"

config/pki_secret_backend_role/pki_int/servers_default.yaml

@@ -1,4 +1,3 @@
-backend: "pki_int"
 allow_ip_sans: true
 allowed_domains:
   - "unkin.net"

config/pki_secret_backend_role/pki_root/2024-servers.yaml

@@ -1,4 +1,3 @@
-backend: "pki_root"
 allow_ip_sans: true
 allowed_domains:
   - "unkin.net"

modules/vault_cluster/main.tf

@@ -61,7 +61,7 @@ module "auth_ldap_group" {
 
   groupname = each.value.groupname
   backend   = each.value.backend
-  policies  = each.value.policies
+  policies  = var.policy_auth_map[each.value.backend][each.value.groupname]
 
   depends_on = [module.auth_ldap_backend]
 }

modules/vault_cluster/variables.tf

@@ -58,7 +58,6 @@ variable "auth_ldap_group" {
   type = map(object({
     groupname = string
     backend   = string
-    policies  = list(string)
   }))
   default = {}
 }