feat: move every approle role to dedicated backend, and add group to pass metadata along

README.md

@@ -39,6 +39,9 @@ No modules.
 | [vault_auth_backend.approle](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/auth_backend) | resource |
 | [vault_identity_entity.extra_roles](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
 | [vault_identity_entity.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_entity) | resource |
+| [vault_identity_group.tenant_group](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
+| [vault_identity_group.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group) | resource |
+| [vault_identity_group_alias.this](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/identity_group_alias) | resource |
 | [vault_policy.extra_policies](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
 | [vault_policy.tenant_admin](https://registry.terraform.io/providers/hashicorp/vault/latest/docs/resources/policy) | resource |
 

admin_role.tf

@@ -1,5 +1,5 @@
 resource "vault_approle_auth_backend_role" "tenant_admin" {
-  backend        = var.global_approle_mount
+  backend        = vault_auth_backend.approle.path
   role_name      = "${var.tenant_name}-admin"
   token_policies = ["default", vault_policy.tenant_admin.name]
 }
@@ -7,11 +7,16 @@ resource "vault_approle_auth_backend_role" "tenant_admin" {
 resource "random_uuid" "tenant_admin_secret_id" {}
 
 resource "vault_approle_auth_backend_role_secret_id" "tenant_admin" {
-  backend   = var.global_approle_mount
+  backend   = vault_auth_backend.approle.path
   role_name = vault_approle_auth_backend_role.tenant_admin.role_name
   secret_id = random_uuid.tenant_admin_secret_id.result
 }
 
+resource "vault_identity_group" "tenant_group" {
+  name = var.tenant_name
+  type = "internal"
+}
+
 resource "vault_identity_entity" "tenant_admin" {
   name = "${var.tenant_prefix}-admin"
   metadata = {

approle_auth.tf

@@ -0,0 +1,23 @@
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+  path = "${var.tenant_prefix}-approle"
+  tune {
+    default_lease_ttl = "3600s"
+    max_lease_ttl     = "14400s"
+  }
+}
+
+resource "vault_identity_group" "this" {
+  name = var.tenant_name
+  type = "internal"
+  metadata = {
+    tenant = var.tenant_name
+    prefix = var.tenant_prefix
+  }
+}
+
+resource "vault_identity_group_alias" "this" {
+  name           = var.tenant_name
+  mount_accessor = vault_auth_backend.approle.accessor
+  canonical_id   = vault_identity_group.this.id
+}

extra_policies.tf

@@ -1,12 +1,3 @@
-resource "vault_auth_backend" "approle" {
-  type = "approle"
-  path = "${var.tenant_prefix}-approle"
-  tune {
-    default_lease_ttl = "3600s"
-    max_lease_ttl     = "14400s"
-  }
-}
-
 resource "vault_approle_auth_backend_role" "extra_roles" {
   for_each = var.tenant_additional_roles