resource "vault_ssh_secret_backend_role" "sshca_signhost" {
  backend                 = vault_mount.sshca.path
  name                    = "sshca_signhost"
  key_type                = "ca"
  algorithm_signer        = "rsa-sha2-256"
  ttl                     = 87600 * 3600
  allow_host_certificates = true
  allow_subdomains        = true
  allow_bare_domains      = false
  allowed_domains         = "main.unkin.net,consul"
}