# AppRole Backend
moved {
  from = vault_auth_backend.approle
  to   = module.auth_approle_backend["approle"].vault_auth_backend.approle
}

# AppRole Roles (12 roles)
moved {
  from = vault_approle_auth_backend_role.certmanager
  to   = module.auth_approle_role["approle/certmanager"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.incus_cluster
  to   = module.auth_approle_role["approle/incus_cluster"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.packer_builder
  to   = module.auth_approle_role["approle/packer_builder"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.puppetapi
  to   = module.auth_approle_role["approle/puppetapi"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.rpmbuilder
  to   = module.auth_approle_role["approle/rpmbuilder"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.rundeck-role
  to   = module.auth_approle_role["approle/rundeck-role"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.sshsign-host-role
  to   = module.auth_approle_role["approle/sshsign-host-role"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.sshsigner
  to   = module.auth_approle_role["approle/sshsigner"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.terraform_incus
  to   = module.auth_approle_role["approle/terraform_incus"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.terraform_nomad
  to   = module.auth_approle_role["approle/terraform_nomad"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.terraform_repoflow
  to   = module.auth_approle_role["approle/terraform_repoflow"].vault_approle_auth_backend_role.role
}

moved {
  from = vault_approle_auth_backend_role.tf_vault
  to   = module.auth_approle_role["approle/tf_vault"].vault_approle_auth_backend_role.role
}

# LDAP Backend
moved {
  from = vault_ldap_auth_backend.ldap
  to   = module.auth_ldap_backend["ldap"].vault_ldap_auth_backend.ldap
}

# LDAP Groups
moved {
  from = vault_ldap_auth_backend_group.vault_access
  to   = module.auth_ldap_group["ldap/vault_access"].vault_ldap_auth_backend_group.group
}

moved {
  from = vault_ldap_auth_backend_group.vault_admin
  to   = module.auth_ldap_group["ldap/vault_admin"].vault_ldap_auth_backend_group.group
}


# Kubernetes Secrets

moved {
  from = vault_kubernetes_secret_backend.kubernetes_au_syd1
  to   = module.kubernetes_secret_backend["kubernetes/au/syd1"].vault_kubernetes_secret_backend.kubernetes
}

moved {
  from = vault_kubernetes_secret_backend_role.cluster_admin
  to   = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_admin"].vault_kubernetes_secret_backend_role.role
}

moved {
  from = vault_kubernetes_secret_backend_role.cluster_operator
  to   = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_operator"].vault_kubernetes_secret_backend_role.role
}

moved {
  from = vault_kubernetes_secret_backend_role.cluster_root
  to   = module.kubernetes_secret_backend_role["kubernetes/au/syd1/cluster_root"].vault_kubernetes_secret_backend_role.role
}

moved {
  from = vault_kubernetes_secret_backend_role.media_apps_operator
  to   = module.kubernetes_secret_backend_role["kubernetes/au/syd1/media_apps_operator"].vault_kubernetes_secret_backend_role.role
}

# Kubernetes Backend

moved {
  from = vault_auth_backend.kubernetes
  to   = module.auth_kubernetes_backend["k8s/au/syd1"].vault_auth_backend.kubernetes
}

moved {
  from = vault_kubernetes_auth_backend_config.config
  to   = module.auth_kubernetes_backend["k8s/au/syd1"].vault_kubernetes_auth_backend_config.config
}

# Kubernetes Roles (7 roles)
moved {
  from = vault_kubernetes_auth_backend_role.ceph-csi
  to   = module.auth_kubernetes_role["k8s/au/syd1/ceph-csi"].vault_kubernetes_auth_backend_role.role
}

moved {
  from = vault_kubernetes_auth_backend_role.cert_manager_issuer
  to   = module.auth_kubernetes_role["k8s/au/syd1/cert_manager_issuer"].vault_kubernetes_auth_backend_role.role
}

moved {
  from = vault_kubernetes_auth_backend_role.default
  to   = module.auth_kubernetes_role["k8s/au/syd1/default"].vault_kubernetes_auth_backend_role.role
}

moved {
  from = vault_kubernetes_auth_backend_role.externaldns
  to   = module.auth_kubernetes_role["k8s/au/syd1/externaldns"].vault_kubernetes_auth_backend_role.role
}

moved {
  from = vault_kubernetes_auth_backend_role.huntarr-default
  to   = module.auth_kubernetes_role["k8s/au/syd1/huntarr-default"].vault_kubernetes_auth_backend_role.role
}

moved {
  from = vault_kubernetes_auth_backend_role.media-apps
  to   = module.auth_kubernetes_role["k8s/au/syd1/media-apps"].vault_kubernetes_auth_backend_role.role
}

moved {
  from = vault_kubernetes_auth_backend_role.repoflow
  to   = module.auth_kubernetes_role["k8s/au/syd1/repoflow"].vault_kubernetes_auth_backend_role.role
}

# KV Backends:
moved {
  from = vault_mount.kv
  to   = module.kv_secret_backend["kv"].vault_mount.kv
}

moved {
  from = vault_mount.rundeck
  to   = module.kv_secret_backend["rundeck"].vault_mount.kv
}

# SSH CA:
moved {
  from = vault_mount.sshca
  to   = module.ssh_secret_backend["sshca"].vault_mount.ssh
}

moved {
  from = vault_ssh_secret_backend_ca.ssh_ca
  to   = module.ssh_secret_backend["sshca"].vault_ssh_secret_backend_ca.ssh_ca[0]
}

moved {
  from = vault_ssh_secret_backend_role.signhost
  to   = module.ssh_secret_backend_role["sshca/signhost"].vault_ssh_secret_backend_role.role
}

# Transit:
moved {
  from = vault_mount.transit
  to   = module.transit_secret_backend["transit"].vault_mount.transit
}

moved {
  from = vault_transit_secret_backend_key.key
  to   = module.transit_secret_backend_key["transit/au-syd1-k8s-vso"].vault_transit_secret_backend_key.key
}

# Policy Migrations
moved {
  from = vault_policy.policies["auth/approle/approle_role_admin"]
  to   = module.vault_policy["auth/approle/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/approle/approle_role_login"]
  to   = module.vault_policy["auth/approle/login"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/kubernetes/k8s_auth_admin"]
  to   = module.vault_policy["auth/k8s/au/syd1/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/ldap/ldap_admin"]
  to   = module.vault_policy["auth/ldap/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/token/auth_token_create"]
  to   = module.vault_policy["auth/token/create"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/token/auth_token_lookup"]
  to   = module.vault_policy["auth/token/lookup"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/token/auth_token_renew"]
  to   = module.vault_policy["auth/token/renew"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/token/auth_token_roles_admin"]
  to   = module.vault_policy["auth/token/roles/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["auth/token/auth_token_self"]
  to   = module.vault_policy["auth/token/self"].vault_policy.this
}

moved {
  from = vault_policy.policies["default_access"]
  to   = module.vault_policy["global-root"].vault_policy.this
}

moved {
  from = vault_policy.policies["kubernetes/au/config_admin"]
  to   = module.vault_policy["kubernetes/au/config_admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/glauth/services/svc_vault_read"]
  to   = module.vault_policy["kv/service/glauth/services/svc_vault/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/incus/incus-cluster-join-tokens"]
  to   = module.vault_policy["kv/service/incus/cluster-join-tokens/crud"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"]
  to   = module.vault_policy["kv/service/kubernetes/au/syd1/csi/ceph-cephfs-secret/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"]
  to   = module.vault_policy["kv/service/kubernetes/au/syd1/csi/ceph-rbd-secret/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/kubernetes/au/syd1/externaldns/tsig/read"]
  to   = module.vault_policy["kv/service/kubernetes/au/syd1/externaldns/tsig/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/kubernetes/au/syd1/service_account_jwt/read"]
  to   = module.vault_policy["kv/service/kubernetes/au/syd1/service_account_jwt/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"]
  to   = module.vault_policy["kv/service/kubernetes/au/syd1/token_reviewer_jwt/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/media-apps/radarr/read"]
  to   = module.vault_policy["kv/service/media-apps/radarr/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/media-apps/sonarr/read"]
  to   = module.vault_policy["kv/service/media-apps/sonarr/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/packer/packer_builder"]
  to   = module.vault_policy["kv/service/packer/builder/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/puppet/certificates/terraform_puppet_cert"]
  to   = module.vault_policy["kv/service/puppet/certificates/ca/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/puppetapi/puppetapi_read_tokens"]
  to   = module.vault_policy["kv/service/puppetapi/tokens/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/terraform/incus"]
  to   = module.vault_policy["kv/service/terraform/incus"].vault_policy.this
}

moved {
  from = vault_policy.policies["kv/service/terraform/nomad"]
  to   = module.vault_policy["kv/service/terraform/nomad"].vault_policy.this
}


moved {
  from = vault_policy.policies["rundeck/rundeck"]
  to   = module.vault_policy["rundeck/rundeck"].vault_policy.this
}

moved {
  from = vault_policy.policies["sshca/sshca_roles_admin"]
  to   = module.vault_policy["sshca/roles/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["sshca/sshca_signhost"]
  to   = module.vault_policy["sshca/sign/host"].vault_policy.this
}

moved {
  from = vault_policy.policies["sys/sys_audit_read"]
  to   = module.vault_policy["sys/audit/read"].vault_policy.this
}

moved {
  from = vault_policy.policies["sys/sys_auth_admin"]
  to   = module.vault_policy["sys/auth/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["sys/sys_mounts_admin"]
  to   = module.vault_policy["sys/mounts/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["sys/sys_policy_admin"]
  to   = module.vault_policy["sys/policy/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["transit/decrypt/au-syd1-k8s-vso"]
  to   = module.vault_policy["transit/decrypt/au-syd1-k8s-vso"].vault_policy.this
}

moved {
  from = vault_policy.policies["transit/encrypt/au-syd1-k8s-vso"]
  to   = module.vault_policy["transit/encrypt/au-syd1-k8s-vso"].vault_policy.this
}

moved {
  from = vault_policy.policies["transit/keys/admin"]
  to   = module.vault_policy["transit/keys/admin"].vault_policy.this
}

# PKI Mount Only Migrations
moved {
  from = vault_mount.pki_root
  to   = module.pki_mount_only["pki_root"].vault_mount.pki
}

moved {
  from = vault_mount.pki_int
  to   = module.pki_mount_only["pki_int"].vault_mount.pki
}

moved {
  from = vault_pki_secret_backend_config_urls.pki_root_urls
  to   = module.pki_mount_only["pki_root"].vault_pki_secret_backend_config_urls.config_urls
}

# PKI Role Migrations
moved {
  from = vault_pki_secret_backend_role.pki_root_2024_servers
  to   = module.pki_secret_backend_role["pki_root/2024-servers"].vault_pki_secret_backend_role.role
}

moved {
  from = vault_pki_secret_backend_role.servers_default
  to   = module.pki_secret_backend_role["pki_int/servers_default"].vault_pki_secret_backend_role.role
}

# PKI Policy Migrations (keep original names where policies exist)
moved {
  from = vault_policy.policies["pki_int/certmanager"]
  to   = module.vault_policy["pki_int/certmanager"].vault_policy.this
}

moved {
  from = vault_policy.policies["pki_int/issue/servers_default"]
  to   = module.vault_policy["pki_int/issue/servers_default"].vault_policy.this
}

moved {
  from = vault_policy.policies["pki_int/pki_int_roles_admin"]
  to   = module.vault_policy["pki_int/roles/admin"].vault_policy.this
}

moved {
  from = vault_policy.policies["pki_int/sign/servers_default"]
  to   = module.vault_policy["pki_int/sign/servers_default"].vault_policy.this
}

moved {
  from = vault_policy.policies["pki_root/pki_root_roles_admin"]
  to   = module.vault_policy["pki_root/roles/admin"].vault_policy.this
}