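# =============================================================================
# VAULT POLICY CONFIGURATION SYSTEM
# =============================================================================
#
# This file automatically discovers and processes all YAML policy files from
# subdirectories, creating a unified policy configuration for Vault.
#
# HOW IT WORKS:
# 1. Scans all subdirectories of this module for *.yaml files
# 2. Parses each YAML file once to extract policy rules and auth assignments
# 3. Creates mappings for auth methods -> roles -> assigned policies
#
# YAML STRUCTURE:
# Each policy YAML file should contain:
# - rules: List of Vault policy rules (path + capabilities) - required; a file
#          without a "rules" key fails the plan instead of silently producing
#          an empty policy
# - auth:  Map of auth mounts to roles that should have this policy - optional;
#          a file without an "auth" key defines a policy that is assigned to
#          no role
#
# EXAMPLE YAML FILE (policies/kv/service/myapp/read.yaml):
# ```yaml
# rules:
#   - path: "kv/data/service/myapp/*"
#     capabilities:
#       - read
#
# auth:
#   approle:
#     - myapp-service
#   k8s/au/syd1:
#     - myapp-pod
# ```
#
# This creates a policy that allows reading secrets under kv/service/myapp/
# and assigns it to:
# - AppRole role "myapp-service" in the "approle" mount
# - Kubernetes role "myapp-pod" in the "k8s/au/syd1" mount
#
# The policy name is the file path relative to this module with the ".yaml"
# suffix removed, so the example above becomes "kv/service/myapp/read"
# (assuming this file sits in the "policies" directory).
#
# GENERATED OUTPUTS:
# - policy_files:       set of discovered YAML file paths (relative to this module)
# - all_policies:       policy_name -> decoded YAML document
# - policy_rules_map:   policy_name -> [rules]
# - policy_auth_mounts: [auth_mount] named by at least one policy
# - policy_auth_map:    auth_mount -> role_name -> [policy_names]
#
# NOTE(review): every *.yaml file beneath this module becomes a policy, so an
# unrelated YAML file dropped into a subdirectory would silently be picked up
# and turned into a Vault policy - confirm nothing but policy definitions lives
# under this directory.
# NOTE(review): the derived policy names contain "/" and whatever case the file
# names have on disk; confirm they match what Vault accepts for policy names.
#
# =============================================================================

locals {
  # Anchor file discovery to this module's directory rather than "." so the
  # lookup still works when this module is called as a child module from a
  # different working directory (in a root module the two are the same).
  policy_dir = path.module

  # Find all YAML files in subdirectories. Only the ".yaml" suffix is matched;
  # a ".yml" file is ignored, so a policy written in such a file would never
  # be created or assigned.
  policy_files = fileset(local.policy_dir, "**/*.yaml")

  # Decode every file exactly once: policy_name -> decoded YAML document.
  # The other maps below derive from this one instead of re-reading and
  # re-parsing each file per lookup.
  all_policies = {
    for file_path in local.policy_files :
    trimsuffix(file_path, ".yaml") => yamldecode(file("${local.policy_dir}/${file_path}"))
  }

  # policy_name -> [rules]. "rules" is deliberately accessed without try() so
  # a malformed file (missing or misspelled key) fails the plan loudly.
  policy_rules_map = {
    for policy_name, policy in local.all_policies :
    policy_name => policy.rules
  }

  # Every auth mount referenced by at least one policy's "auth" block.
  # A policy with no "auth" key contributes nothing here.
  policy_auth_mounts = distinct(flatten([
    for policy_name, policy in local.all_policies : keys(try(policy.auth, {}))
  ]))

  # auth_mount -> role_name -> [policy_names]
  # For each mount, collect every role named under it across all policies,
  # then list the policies that name that role under that mount.
  policy_auth_map = {
    for auth_mount in local.policy_auth_mounts : auth_mount => {
      for auth_role in distinct(flatten([
        for policy_name, policy in local.all_policies : try(policy.auth[auth_mount], [])
      ])) : auth_role => [
        for policy_name, policy in local.all_policies : policy_name
        if contains(try(policy.auth[auth_mount], []), auth_role)
      ]
    }
  }
}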