# Service-account JWT that Vault presents to the au-syd1 API server.
# It is read from KV v2 at kv/service/kubernetes/au/syd1/service_account_jwt.
# Like every data-source result, the token is persisted in Terraform state,
# so the state backend needs the same access controls as the KV path itself.
data "vault_kv_secret_v2" "service_account_jwt_au_syd1" {
  mount = "kv"
  name  = "service/kubernetes/au/syd1/service_account_jwt"
}

# Kubernetes secrets engine for the au-syd1 cluster, mounted at kubernetes/au/syd1.
resource "vault_kubernetes_secret_backend" "kubernetes_au_syd1" {
  path        = "kubernetes/au/syd1"
  description = "kubernetes secret engine for au-syd1 cluster"

  # Cluster endpoint and the credentials Vault uses to reach it.
  kubernetes_host     = "https://api-k8s.service.consul:6443"
  kubernetes_ca_cert  = local.kubernetes_ca_cert_au_syd1
  service_account_jwt = data.vault_kv_secret_v2.service_account_jwt_au_syd1.data["token"]

  # Kept at the provider default (false); the CA cert and JWT above are
  # supplied explicitly rather than relying on in-pod defaults.
  disable_local_ca_jwt = false

  # Mount-level lease bounds: 10 min default, 24 h max. None of the roles
  # below set token_default_ttl / token_max_ttl, so tokens they generate
  # appear to inherit these limits.
  default_lease_ttl_seconds = 600
  max_lease_ttl_seconds     = 86400
}

# Roles on the au-syd1 mount. Each role's RBAC rules are loaded from a YAML
# file under resources/k8s/syd1/au/generated_role_rules (note the segment
# order syd1/au, which differs from the mount path's au/syd1). The three
# ClusterRole-typed roles are allowed in every namespace ("*"), so their
# reach is bounded only by the contents of their rule files.

# Namespace-scoped operator for the media-apps namespace.
resource "vault_kubernetes_secret_backend_role" "media_apps_operator" {
  backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
  name    = "vault-media-apps-operator"

  kubernetes_role_type          = "Role"
  allowed_kubernetes_namespaces = ["media-apps"]
  generated_role_rules          = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/media-apps-operator.yaml")

  extra_labels = {
    vault-region = "au-syd1"
    vault-role   = "vault-media-apps-operator"
  }
}

# Cluster-wide operator role.
resource "vault_kubernetes_secret_backend_role" "cluster_operator" {
  backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
  name    = "vault-cluster-operator"

  kubernetes_role_type          = "ClusterRole"
  allowed_kubernetes_namespaces = ["*"]
  generated_role_rules          = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-operator.yaml")

  extra_labels = {
    vault-region = "au-syd1"
    vault-role   = "vault-cluster-operator"
  }
}

# Cluster-wide admin role.
resource "vault_kubernetes_secret_backend_role" "cluster_admin" {
  backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
  name    = "vault-cluster-admin"

  kubernetes_role_type          = "ClusterRole"
  allowed_kubernetes_namespaces = ["*"]
  generated_role_rules          = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-admin.yaml")

  extra_labels = {
    vault-region = "au-syd1"
    vault-role   = "vault-cluster-admin"
  }
}

# Cluster-wide root role; the most privileged of the set, as defined by
# cluster-root.yaml.
resource "vault_kubernetes_secret_backend_role" "cluster_root" {
  backend = vault_kubernetes_secret_backend.kubernetes_au_syd1.path
  name    = "vault-cluster-root"

  kubernetes_role_type          = "ClusterRole"
  allowed_kubernetes_namespaces = ["*"]
  generated_role_rules          = file("${path.module}/resources/k8s/syd1/au/generated_role_rules/cluster-root.yaml")

  extra_labels = {
    vault-region = "au-syd1"
    vault-role   = "vault-cluster-root"
  }
}