# Kubernetes auth roles for the backend mounted at vault_auth_backend.kubernetes.path.
#
# Every role below carries `audience = "vault"`, so only projected service-account
# tokens minted with that audience are accepted — a good default.  Remember that
# Vault matches a login when the SA name is in bound_service_account_names AND the
# SA namespace is in bound_service_account_namespaces; the two lists are not
# paired element-by-element.  Note the two patterns in this file: roles bound to
# a dedicated SA (externaldns, cert-manager, ceph-csi, media-apps) and roles bound
# to a namespace's `default` SA (demo, huntarr, repoflow), which any pod in that
# namespace that does not set serviceAccountName can use.

# NOTE(review): the only cluster-wide role.  `["*"]` namespaces + the `default`
# SA means *any* pod in *any* namespace that omits serviceAccountName can obtain a
# Vault token here, and it is also the only role with a 1 h TTL (the rest use 60 s).
# It grants only the `default` policy (which Vault attaches anyway unless
# token_no_default_policy is set), so today this is a foothold rather than a
# secret leak — but it is still worth either deleting or binding to an explicit
# namespace list, and aligning token_ttl with the other roles.  Confirm nothing
# depends on it before changing.
resource "vault_kubernetes_auth_backend_role" "default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "default"
  audience  = "vault"

  bound_service_account_namespaces = ["*"]
  bound_service_account_names      = ["default"]

  token_policies = ["default"]
  token_ttl      = 3600
}

# NOTE(review): bound to the namespace `default` SA, and the policy path
# (kv/service/terraform/nomad) does not look demo-scoped — verify that every pod
# in `demo` should be able to read it, or give the consumer a dedicated SA.
resource "vault_kubernetes_auth_backend_role" "demo_default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "demo_default"
  audience  = "vault"

  bound_service_account_namespaces = ["demo"]
  bound_service_account_names      = ["default"]

  token_policies = ["kv/service/terraform/nomad"]
  token_ttl      = 60
}

# NOTE(review): any pod in `huntarr` using the namespace `default` SA can sign
# and issue certificates from pki_int/servers_default.  Prefer a dedicated SA as
# cert_manager_issuer does for the same policies.
resource "vault_kubernetes_auth_backend_role" "huntarr-default" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "huntarr-default"
  audience  = "vault"

  bound_service_account_namespaces = ["huntarr"]
  bound_service_account_names      = ["default"]

  token_policies = [
    "pki_int/sign/servers_default",
    "pki_int/issue/servers_default",
  ]
  token_ttl = 60
}

# Dedicated SA, single namespace, single read-only policy — the shape the other
# roles should follow.
resource "vault_kubernetes_auth_backend_role" "externaldns" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "externaldns"
  audience  = "vault"

  bound_service_account_namespaces = ["externaldns"]
  bound_service_account_names      = ["externaldns"]

  token_policies = ["kv/service/kubernetes/au/syd1/externaldns/tsig/read"]
  token_ttl      = 60
}

# cert-manager Vault issuer: dedicated SA bound to its own namespace.
resource "vault_kubernetes_auth_backend_role" "cert_manager_issuer" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "cert-manager-issuer"
  audience  = "vault"

  bound_service_account_namespaces = ["cert-manager"]
  bound_service_account_names      = ["cert-manager-vault-issuer"]

  token_policies = [
    "pki_int/sign/servers_default",
    "pki_int/issue/servers_default",
  ]
  token_ttl = 60
}

# NOTE(review): because the name and namespace lists are matched independently,
# this role accepts either provisioner SA in either namespace, and every token
# it issues carries BOTH ceph-rbd and ceph-cephfs read policies.  If the two
# provisioners should only see their own secret, split this into a role per
# driver (e.g. ceph-csi-rbd / ceph-csi-cephfs) and update the Helm values that
# reference role "ceph-csi".
resource "vault_kubernetes_auth_backend_role" "ceph-csi" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "ceph-csi"
  audience  = "vault"

  bound_service_account_namespaces = ["csi-cephrbd", "csi-cephfs"]
  bound_service_account_names = [
    "ceph-csi-rbd-csi-rbd-provisioner",
    "ceph-csi-cephfs-csi-cephfs-provisioner",
  ]

  token_policies = [
    "kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read",
    "kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read",
  ]
  token_ttl = 60
}

# Dedicated reader SA for the media-apps namespace; read-only KV policies.
resource "vault_kubernetes_auth_backend_role" "media-apps" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "media-apps"
  audience  = "vault"

  bound_service_account_namespaces = ["media-apps"]
  bound_service_account_names      = ["media-apps-vault-reader"]

  token_policies = [
    "kv/service/media-apps/prowlarr/read",
    "kv/service/media-apps/radarr/read",
    "kv/service/media-apps/sonarr/read",
  ]
  token_ttl = 60
}

# NOTE(review): bound to the namespace `default` SA, so every pod in `repoflow`
# without an explicit serviceAccountName can read all five secrets (object store,
# Elasticsearch, Hasura, Postgres, server).  A dedicated SA like
# media-apps-vault-reader would limit this to the intended workload.
resource "vault_kubernetes_auth_backend_role" "repoflow" {
  backend   = vault_auth_backend.kubernetes.path
  role_name = "repoflow"
  audience  = "vault"

  bound_service_account_namespaces = ["repoflow"]
  bound_service_account_names      = ["default"]

  token_policies = [
    "kv/service/repoflow/au/syd1/ceph-s3/read",
    "kv/service/repoflow/au/syd1/elasticsearch/read",
    "kv/service/repoflow/au/syd1/hasura/read",
    "kv/service/repoflow/au/syd1/postgres/read",
    "kv/service/repoflow/au/syd1/repoflow-server/read",
  ]
  token_ttl = 60
}