From 604a02683cd5a058c0a444478903075b30b76e87 Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Sat, 25 May 2024 16:27:53 +0200
Subject: [PATCH] feat: allow tenant admin to create child token with its own permissions
---
 admin_approle.tf | 2 +-
 policies/tenant-admins.policy.hcl | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/admin_approle.tf b/admin_approle.tf
index dd41eb7..6205a8a 100644
--- a/admin_approle.tf
+++ b/admin_approle.tf
@@ -22,5 +22,5 @@ resource "vault_identity_entity" "tenant_admin" {
 resource "vault_policy" "tenant_admin" {
   name = "${var.tenant_name}-admin"
-  policy = var.tenant_admin_policy_file == null ? file("${path.module}/policies/tenant-admins.policy.hcl") : file(var.tenant_admin_policy_file)
+  policy = var.tenant_admin_policy_file == null ? templatefile("${path.module}/policies/tenant-admins.policy.hcl", { tenant_name = var.tenant_name }) : templatefile(var.tenant_admin_policy_file, { tenant_name = var.tenant_name })
 }
diff --git a/policies/tenant-admins.policy.hcl b/policies/tenant-admins.policy.hcl
index a0b93de..1b1a02c 100644
--- a/policies/tenant-admins.policy.hcl
+++ b/policies/tenant-admins.policy.hcl
@@ -5,3 +5,10 @@ path "{{identity.entity.metadata.prefix}}/*" {
 path "sys/mounts/{{identity.entity.metadata.prefix}}/*" {
   capabilities = ["create", "update", "read", "delete", "list"]
 }
+
+path "auth/token/create" {
+  capabilities = ["create", "update", "delete"]
+  allowed_parameters = {
+    policies = ["${tenant_name}-admin"]
+  }
+}
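Review bot: Passing the user-supplied `var.tenant_admin_policy_file` through `templatefile()` instead of `file()` is a breaking change for existing overrides: any custom policy file containing a literal `${` or `%{` that is not a valid Terraform template expression now fails at plan time instead of being passed through verbatim, and a reference to any variable other than `tenant_name` errors too. The variable's declaration (outside this hunk) should say so, e.g. a description like `Path to a policy file rendered with templatefile(); tenant_name is in scope and a literal "${" must be written as "$${"`. Vault's own `{{identity.…}}` templating is unaffected because it does not use the `${` syntax, so the default policy file renders as expected. The `resource "vault_policy" "tenant_admin"` block is fully contained in the hunk.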
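Review bot: `allowed_parameters` only constrains parameters that are actually present in the request, and Vault's `auth/token/create` defaults `policies` to all of the caller's policies when it is omitted, so a tenant admin who calls the endpoint without `policies` still gets a child token carrying every policy attached to the parent (for example via identity groups), not just `${tenant_name}-admin`; add `required_parameters = ["policies"]` to the new stanza so the caller must state the list and the allowed-value check always runs. The `delete` capability on this path has no corresponding operation (the endpoint is only written to) and should be dropped, leaving `capabilities = ["create", "update"]`. Because the `allowed_parameters` map lists only `policies`, every other create parameter (`ttl`, `num_uses`, `no_parent`, `type`, …) is denied; if that is the intent it deserves a comment above the stanza such as `# Child tokens may only carry this tenant's admin policy; all other token-create parameters are denied by allowed_parameters.`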