-approle) including all the roles declared in this variable.
The variable should look like:
tenant_additional_roles = {
devs = {
policy_file = "/some/path/to/policy.hcl"
}
admins = {...}
} | map(object({
policy_file = string
}))
| `{}` | no |
-| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | n/a | yes |
+| [tenant_admin_policy_file](#input_tenant_admin_policy_file) | The path to the admin policy file for this tenant | `string` | `"./policies/tenant-admins.policy.hcl"` | no |
| [tenant_name](#input_tenant_name) | The name of the tenant you want to create | `string` | n/a | yes |
| [tenant_prefix](#input_tenant_prefix) | The prefix to use for the tenant in vault (this will prefix mount points, policies, etc..) | `string` | n/a | yes |
diff --git a/extra_policies.tf b/extra_policies.tf
index 634f8c1..4695fdb 100644
--- a/extra_policies.tf
+++ b/extra_policies.tf
@@ -1,10 +1,3 @@
-resource "vault_policy" "extra_policies" {
- for_each = var.tenant_additional_roles
-
- name = "${var.tenant_prefix}-${each.key}"
- policy = file(each.value.policy_file)
-}
-
resource "vault_auth_backend" "approle" {
type = "approle"
path = "${var.tenant_prefix}-approle"
@@ -41,3 +34,10 @@ resource "vault_identity_entity" "extra_roles" {
prefix = var.tenant_prefix
}
}
+
+resource "vault_policy" "extra_policies" {
+ for_each = var.tenant_additional_roles
+
+ name = "${var.tenant_prefix}-${each.key}"
+ policy = file(each.value.policy_file)
+}
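Review bot: `policy = file(each.value.policy_file)` resolves a relative `policy_file` against Terraform's current working directory rather than this module's directory, so a relative value only works when this module is the root; the new relative default `./policies/tenant-admins.policy.hcl` for `tenant_admin_policy_file` in variables.tf has the same limitation. If relative paths are meant to be supported when the module is called from elsewhere, anchoring on `path.module` is the usual fix, e.g. `policy = file("${path.module}/${each.value.policy_file}")`, though that would break callers passing absolute paths, so it needs to be a documented contract either way. Since this hunk only relocates the resource, a one-line comment such as `# Moved after the identity resources; no functional change` would spare the next reader from hunting for a behavioural difference.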
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
new file mode 100644
index 0000000..a0b93de
--- /dev/null
+++ b/policies/tenant-admins.policy.hcl
@@ -0,0 +1,7 @@
+path "{{identity.entity.metadata.prefix}}/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
+
+path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
+ capabilities = ["create", "update", "read", "delete", "list"]
+}
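Review bot: Both paths are keyed entirely on the `prefix` entity metadata, which in this change is populated by `vault_identity_entity` in extra_policies.tf (`prefix = var.tenant_prefix`), so tenant isolation is only as strong as the guarantee that no entity can obtain another tenant's `prefix` value, and nothing in this file records that dependency. A header comment would make it explicit, e.g. `# Templated on the entity's "prefix" metadata, set by vault_identity_entity in extra_policies.tf; any principal allowed to update entity metadata can widen this policy to another tenant's prefix.` The `delete` capability on `sys/mounts/{{identity.entity.metadata.prefix}}/*` lets a tenant admin disable secrets engines under their prefix, which is plausibly intended for an admin policy but is worth stating in the README row for `tenant_admin_policy_file` now that the default ships with the module. If the intent is that tenants may only mount engines under `<prefix>/`, a short comment saying so would also explain why the first path is `{{identity.entity.metadata.prefix}}/*` rather than a broader glob.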
diff --git a/variables.tf b/variables.tf
index 90cd9cb..3d060c9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -20,6 +20,7 @@ variable "tenant_prefix" {
variable "tenant_admin_policy_file" {
type = string
+ default = "./policies/tenant-admins.policy.hcl"
description = "The path to the admin policy file for this tenant"
}