terraform-vault/environments/au/syd1/terragrunt.hcl
Ben Vincent 5536869a38 feat: implement consul ACL management with provider aliases
This commit implements Consul ACL management with proper provider aliasing — the major architectural change — along with the supporting configuration files and policy definitions for the various terraform services.

- add consul_acl_management module to manage consul acl policies and roles
- add consul backend roles and policies for terraform services (incus, k8s, nomad, repoflow, vault)
- add consul provider configuration to root.hcl
- add policies to generate credentials for each role
- simplify consul_secret_backend_role module to reference acl-managed roles
- switch to opentofu for provider foreach support
- update terragrunt configuration to support consul backend aliases
- update pre-commit hooks to use opentofu instead of terraform
- configure tflint exceptions for consul acl management module
2026-02-14 18:13:50 +11:00


include "root" {
  # Walk up the directory tree to root.hcl and expose its contents as
  # include.root.* for use in this file.
  expose = true
  path   = find_in_parent_folders("root.hcl")
}
include "config" {
  # Shared backend/role configuration, addressed from the repository root so
  # the include resolves identically from every environment directory.
  expose = true
  path   = format("%s/config/config.hcl", get_repo_root())
}
include "policies" {
  # Vault policy definitions (policy_auth_map / policy_rules_map), exposed as
  # include.policies.locals.
  expose = true
  path   = format("%s/policies/policies.hcl", get_repo_root())
}
include "resources" {
  # Resource definitions shared across environments, exposed as
  # include.resources.locals.
  expose = true
  path   = format("%s/resources/resources.hcl", get_repo_root())
}
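locals {
  # Derive the deployment coordinates from the directory layout
  # (.../environments/<country>/<region>/terragrunt.hcl). The previous
  # path_parts local was computed but never referenced, so it is dropped.
  country = basename(dirname(get_terragrunt_dir())) # e.g. "au"
  region  = basename(get_terragrunt_dir())          # e.g. "syd1"

  # Shared configuration, policy and resource definitions from the includes.
  config   = include.config.locals.config
  policies = include.policies.locals
  # NOTE(review): resources is not passed to the module by this file yet.
  resources = include.resources.locals

  # One provider alias per Consul secret backend. Provider alias names cannot
  # contain "/", so it is replaced with "_". Only "/" is rewritten: a backend
  # name containing other characters that are not valid in an alias, or two
  # names that collapse to the same alias (e.g. "a/b" and "a_b"), are not
  # caught here and would presumably be rejected downstream when the provider
  # blocks are generated — keep backend names to letters, digits, "_", "-"
  # and "/".
  consul_backend_aliases = {
    for backend_name, _ in local.config.consul_secret_backend :
    backend_name => replace(backend_name, "/", "_")
  }
}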
terraform {
  # Local module path, relative to this environment directory
  # (environments/<country>/<region>); three levels up reaches the
  # repository's modules/ tree.
  source = "../../../modules/vault_cluster"
}
inputs = {
  # Deployment coordinates derived in locals from the directory layout.
  country = local.country
  region  = local.region

  # Mount and role configuration maps for the vault_cluster module, taken
  # verbatim from config.hcl. Each key here must exist in local.config.
  auth_approle_backend           = local.config.auth_approle_backend
  auth_approle_role              = local.config.auth_approle_role
  auth_ldap_backend              = local.config.auth_ldap_backend
  auth_ldap_group                = local.config.auth_ldap_group
  auth_kubernetes_backend        = local.config.auth_kubernetes_backend
  auth_kubernetes_role           = local.config.auth_kubernetes_role
  kv_secret_backend              = local.config.kv_secret_backend
  transit_secret_backend         = local.config.transit_secret_backend
  transit_secret_backend_key     = local.config.transit_secret_backend_key
  ssh_secret_backend             = local.config.ssh_secret_backend
  ssh_secret_backend_role        = local.config.ssh_secret_backend_role
  pki_secret_backend             = local.config.pki_secret_backend
  pki_secret_backend_role        = local.config.pki_secret_backend_role
  # consul_secret_backend keys are the same names that consul_backend_aliases
  # (below) is derived from, so the two stay in step.
  consul_secret_backend          = local.config.consul_secret_backend
  consul_secret_backend_role     = local.config.consul_secret_backend_role
  kubernetes_secret_backend      = local.config.kubernetes_secret_backend
  kubernetes_secret_backend_role = local.config.kubernetes_secret_backend_role
  pki_mount_only                 = local.config.pki_mount_only

  # Policy maps from policies.hcl.
  policy_auth_map  = local.policies.policy_auth_map
  policy_rules_map = local.policies.policy_rules_map

  # Sanitized (slash-free) alias per consul backend, for the module's
  # per-backend Consul provider configuration.
  consul_backend_aliases = local.consul_backend_aliases
}